Data, Data everywhere and not a drop to drink, why cloud hosters will change security forever

by Scott Andersen, CGI
Monday, January 30, 2012

In teaching someone to read we often turn to Dr. Seuss and his colorful presentations of concepts and ideas. Often, however, the ideas are presented as nonsensical or even bizarre adaptations of what is real in the world around us. We are amazed at the rhymes (one fish[1], two fish, red fish, blue fish) that he produced.

Buried in some of his works, however, are messages: not simple messages for children to consume and discard, but rather complex ones. "The Lorax" and the "Butter Battle Book" both have embedded meaning that is complex and complicated. As adults we find there are many more works of literature that have embedded or buried meanings as well, such as "Moby Dick" or the play "Waiting for Godot."

In these works the meaning is buried in the flow of conversation and in the minds of the characters that comprise the story. Computing has a similar concept, one that to date hasn't come out of the dark room it's been in for a long time. The concept is security for information by obscurity of information.

It is like a Dr. Seuss rhyme built to hide the information being sought. It happens without planning or knowledge in many cases, but it happens. It's offered as an unknown service by most "Cloud Hosting" organizations.

You see, if I know your company name I can find your network fairly quickly. I don't have to work very hard to figure out where your information is. I simply find your firewall and then over time work my way into your network.

In a hosting scenario there are two new layers of complexity that offer interesting, albeit not stronger, security scenarios. If there are 100 servers running 100 different companies, how do you find the specific server and disk that the specific company you are seeking is actually running their solution on? In fact it's not impossible, simply a little harder than looking up a domain name and hitting the nearest Domain Name Server (DNS) with a "Who owns this query?"

The information is obscured by the fact that there are hundreds of solutions hosted by the hoster, each running in its own little world. Security is provided by the fact that there are hundreds of solutions running on thousands of disks and you cannot easily search them.

On the other hand, the hosters will also have trained staff to provide baseline security that, over time, will become better than anything any one company could produce. The hoster's staff will have a chance to see many more advanced persistent threats (APTs) over time and be ready to solve them effectively. This will further reduce the overall attack surface.

Of course, like all leaps forward, if you stop moving it's little more than a broad jump. It is nice to have some distance, but security is like a shark: it has to keep moving.


[1] Theodore Geisel, a.k.a. "Dr. Seuss"
