I grew up in Long Island, New York and pretty much took it for granted that when you flushed the toilet, the waste products went down a pipe out the front of your house to a bigger pipe where professionals handled it all from there. When I moved to Maryland and bought a house, I learned about something called a “septic system” where all that stuff went down a pipe, out the back of your house to another pipe and then stayed in your back yard!
Pretty scary to a New Yorker, but over the years I learned septic systems were as reliable and often more reliable than city-sewer. It turns out in both approaches, the weakest link is not the end destination of the nasty stuff, the key is the pipes between the house and the final destination, which for purposes of illustration, I will call Portapotty as a Service (PPaaS). And I will call the nasty stuff “data” to clean up the analogy I will eventually get around to making.
You see, if the house settles, or a sinkhole forms in your yard under the pipes, or tree roots invade those pipes, or the guy pumping out your septic tank damages the pipe or if the city sidewalk repair cracks the pipe, or if many other scenarios happen where the pipe is no longer reliably carrying the “data” to the PPaaS “cloud” service – well, the data hits the fan is what happens. Never good, never career (or marriage) enhancing.
I’ve noticed that this scenario has been behind a lot of major security incidents that have occurred where cloud-based services are used. It’s not that the cloud service wasn’t secure enough, the problem was that the business processes (the “gazouta” pipes) didn’t align with the cloud service provider processes (the “gazinda pipes”) and the data went spilling out onto the yard, making quite a stink.
I pointed this out in a Gartner Research Note back in March: “HBGary’s Gmail Hack Shows Process Is Vital in Managing Cloud Risk” HB Gary Federal’s CEO at the time had made statements about infiltrating hacking groups, and one of those groups targeted them and compromised HB Gary’s web site, which HB Gary shut down. Realizing this compromise also put their Google Mail accounts at risk, HB Gary attempted to turn off their Google service, but the process Google used for that made sense for a web search company, not so much sense for actual companies. It took so long to shut down the email service, that thousands of HB Gary Federal emails were exposed.
The “pipes” didn’t line up right – the data was flying out of the “PPaaS” service, but the shutoff valve wasn’t working. Google Mail wasn’t vulnerable or hacked, but part of their incident response process couldn’t connect to their customer’s processes. HB Gary was trying to turn the shut-off valve, but nothing was happening – and all that “data” out in their yard made quite a mess.
Now, part of the reason is that Google Apps is still primarily driven by consumer mail demands, not enterprises. Connecting a business HQ building to a “pipe” designed to carry out a family of four’s “data” would like not have a happy ending, either. There is, and will always be, a huge difference in both how much security consumers want and how much businesses need – and those consumer-grade pipes really, really need to be inspected by businesses attempting to use those consumer-oriented services.
Category: Uncategorized Tags: