Cloud computing is insecure because security's not sexy

I was reading Bill Buchan's thoughts on cloud computing and the News International phone hacking case, and he mentioned that voicemail was the first cloud system most people used.

He mused that cloud systems need more security - that they must consider using two-factor passwords, forcing pass{word|phrase} expiration, and so forth.

I don't disagree with him at all. I've had the same password for some cloud services for years now, and I really need to change it. It's on my to-do list, and when I get a quiet moment I'll be doing a massive sweep of my various cloud systems and changing passwords en masse. It's long overdue.

But strict checking at the door doesn't protect you from cookie hijacking or many other man-in-the-middle/credential theft attacks. If I steal your cookies for a website and put them onto my machine, I'm now you. For a while, at least.

What can we do about that?


Well, the three pillars of security are Authentication, Authorisation and Audit.

Bill's approached the problem from an Authentication aspect. Which is valid. But I think we should focus a lot more on Audit, too.

Audit is basically logging. The age old questions of "what happened, when did it happen, where did it happen?".

I can only think of one cloud service which gets even close to providing decent auditing, and that's not the one you'd think it is. It's Facebook.

Facebook forces me to name new machines when I log in to it, and they send me an email informing me of my login. And because everything I do on Facebook is, perversely, pretty much its own audit trail - I have one screen (my profile) where I can figure out what I've done on Facebook recently.

Facebook are ahead of the pack here, because they're trying to keep track of which machines I use them from. It's not perfect, but they're doing well.


Contrast that with webmail systems I use. No logs. I don't know when or where from "Philip Storry" logged in to read his email. I don't know what "I" did, and if "I" deleted something then there may well be no record of it at all.

This is not secure. No audit trail means no security.

Companies like Google, Facebook, Yahoo! and others have some great minds working for them. In some cases, those minds specialise in building systems that sift for relevant data, and deliver it. I can't believe that they're not up to the challenge of decent logging that a consumer could use.


Imagine, next time you log into your webmail system, seeing a notification that says something like:
You have used webmail from two familiar computers and your phone in the past 24 hours. Click here if that sounds suspicious.

That'd be great. It would tell you what you already know easily. If you saw "new computer" in the message, you could click through and look at the logs. Does it match a time when you were checking emails? If not then check if they read, sent or deleted mails. And then react accordingly.

Decent logs should be immutable to the user (that is, you can't edit or delete them), private (only you can see them) and last seven to fourteen days before being purged. Being able to export them for law enforcement purposes if you find anything would also be useful.

If logs are presented well, and if they flag up the abnormal politely enough, users may well become better educated in watching "their" usage and recognising attacks. Which must be good. It would also remind would-be attackers that their activities will be monitored, which again must be good.

The only possible downside is that logs are, by definition, what has happened. I know some people will say it's no good telling people they've been hacked after the fact. I disagree. Knowing you've been attacked is better than not knowing. You cannot address what you don't know.


Look at it this way. Our best minds in real world law enforcement work in detection and forensics - looking at incidents after they happen. Those less, er, mentally able are usually the ones who get to stand by doors and try to stop people from getting in. Computing changes the equation because an authentication system (a very smart guard) can serve a million people as well as it can serve one. But that's no reason to fire all the detectives and forensic scientists.

The cloud lives in a world where it has mediocre door security, and no CCTV or police detectives. If you're lucky, you get a guestbook at the door that people are forced to sign. And that's it.

We should demand better. A decent audit trail isn't hard. We were producing them in the 60's on mainframes, and can produce them just as easily today.

The challenge is in presenting them in a way that assists users without confusing them. And even that's not too challenging.


So why are our cloud systems missing this important aspect of security?

My theory is that within the computer industry, security is usually sold on authentication and authorisation. Things like two-factor authentication, unusual authentication methods like picture selection [PDF link!] and the like make for great demonstrations. They can be made, if not sexy, at least interesting.

Plus, they usually cost a ton of money to implement, and salesmen will always try to sell you the expensive one.

Logging is, unfortunately, just a bunch of text you have to read. And it's cheap, too.

Basically, the computing industry doesn't know how to sell logging, or want to know how to sell it.

That needs to change before we can truly trust the cloud.

Addendum: When I wrote this, I was unaware that Google Mail does have a basic recent usage summary, available as usage details in the bottom left-hand corner. It's a good start, but it's neither visible enough to educate users nor quite useful enough for them to want to read it. But still, it's a good start...