Over the last week, we’ve seen a major outage at Amazon, at least one and possibly two security events have been reported at Sony, Bestbuy is claiming that one of their 3rd party providers has compromised customer email addresses (and this before the Epsilon dust fully clears), and cloud-based password management service LastPass has warned their customers that their passwords might sort of be compromised (so if you’ve stored a couple hundred weak passwords there, you should consider changing them all). There was also a reported compromise of the X Factor contestant database, but given that this is less than 1% the population of Playstation, and we don’t yet know where it is hosted, I’ll leave Simon out of the cloud for now.
The size of these incidents makes publicity inevitable. When a million people receive an emailed warning about ID theft, somebody is going to talk about it. But size also contributes to the desirability of these as attack targets. Attackers have to deal with economic realities, too. Even if it is a difficult basket to crack, the return on investment for the compromise of a cloud with 25 million eggs is more than compelling for a cyber criminal. And the bigger the cloud, the harder the consumer fallout.
Is a breach inevitable? Anybody with a useful level of experience in any security domain recognizes that perfect security is impossible. But no human or natural phenomenon can ever be perfect, so a better question should be whether security can ever be good enough that the benefit of a system outweighs the risk. Clearly, there are management efficiencies to be had through mass production, standardization, and in the IT realm, a centralized management capability that reduces costs by enabling a smaller number of people to manage more resources. Hackers recognize the benefits of cloud leverage, also.
Cloud economies of scale do apply to the protective domain. I am confident that a higher level of protection can be provided for less money when comparing a small system to a large one. What I’m not confident about is an expectation that protective benefits continue to accrue indefinitely. A cloud service with 10,000 organizations customers could be a lot more secure than what the majority of those 10,000 organizations could do on their own. But that doesn’t mean that such a service is 10,000 times less likely to suffer a security breach than a small business that happens to luck into a high school kid who enjoys configuring Linux.
To avoid spoiling the ending of the final Harry Potter novel, let it suffice to say that the villain had a crucially important quantity, which he split into multiple pieces, hiding each in an obscure and separate place. A succesful attack required obtaining and cracking each of the pieces, all of which were protected in different ways and in different places. The Voldemort approach ensures no single point of failure, while the cloud approach almost guarantees it. It would have been a much shorter book if Potter’s nemesis had put all his eggs into one magic basket. Voldemort’s prudent use of portfolio management is the exact opposite of the approach that takes some valuable information, makes duplicates of it, each of which would result in equal damage if compromised, and then storing those duplicates in multiple clouds. The brutal fact is that nobody knows how to determine the optimal tradeoffs between size and security efficiency. A second brutal fact is that putting all of your eggs into a single cloudy basket is the most effective way to break as many of them as possible.