Earlier this year, an employee who had been terminated from his job at a car dealership disabled more than 100 cars using a cloud-based application. The app evidently worked in conjunction with a device that dealers attached to the car to disable it or make it start honking as an incentive to get dead-beat car loan holders to pay up.
The people who bought cars from that dealership felt violated, humiliated, and angry. Allegedly, the horns were only supposed to honk between 9:00 AM and 5:00 PM, instead of the middle of the night as some owners claimed. Other owners said that they had to have their “disabled” cars towed in the morning, which also made them late for work.
Sure, these folks accepted a device like this on a car purchase because financial difficulties would have prevented them from securing a loan otherwise. But we can expect to see more cases where the most vulnerable members of society find themselves exploited the worst by emerging cloud technologies.
This particular case is a little unusual, because the person who exploited the system was an employee of the car dealership, not the cloud provider who offered the service. However, I still think this is a liability that is – at the very least – made worse by cloud-based apps.
An internally-hosted application could be designed to be unavailable over the public network. As a matter of fact, the challenge with internally-based apps that makes the cloud so attractive is making those internal apps available to remote employees who have a legitimate need to access them.
If the only way to get into the aforementioned system was to be at the dealership on a trusted machine, authenticated on the dealership's LAN, this story would not have made national news, because the former, disgruntled employee wouldn’t have been able to carry out his plans. It also means that this application is accessible through the public network to any hacker who might want to try his or her hand at some mischief.
I’ve already expressed my concern about cloud start-ups with great ideas and horrible execution (ma.gnolia's data loss of user online bookmarks, which led them to close their operations last year). I predicted that this kind of failure was not necessarily limited to small start-ups with good ideas and poorly implemented technology.
T-Mobile, Microsoft, and the Sidekick also found themselves in the middle of a high-profile controversy when there was serious data loss for Sidekick users. This was just another example of the risks that companies and individuals take when they adopt a cloud-based solution and trust another company to treat their data with the same care as in-house IT staff. And while these weren’t huge disasters that made everyone pause and consider the cloud a little more carefully, unfortunate examples like that will come.
In the discussion following my post about hybrid computing, we brought up some of the security concerns that wise companies are considering when contemplating a move to cloud-based providers like Google. Most of these are either unique to cloud-based providers or made potentially more severe by using cloud-based solutions.
The risk of rogue employees planting back doors into a network or systems and then activating them after leaving the organization is always a risk, but I would argue that by maintaining control of your own data, systems, and networks, you have better assurance that all due diligence is being taken to avoid that kind of situation.
My shop has a security response policy for when anyone from the IT department with privileged access departs, either voluntarily or involuntarily. An immediate flurry of secure password changes for all admin and domain admin accounts takes place, departed accounts are disabled, and all security policies are reviewed. This isn't a guarantee that a skilled employee who has been plotting won’t find some way to bypass our security measures, but it is a measure of control.
Each person on my team is also held personally accountable, and because of the size of my organization, any employee who leaves is fully aware that his or her actions are easily traced. The nature of having a close knit team is that the departing employee often leaves behind friends and colleagues, professional networks, and possibly poker buddies.
In a large cloud-based corporation, there are hundreds and perhaps thousands of faceless IT engineers, some of whom are under appreciated, bitter, and disenchanted. They have no personal ties or obligations. In their eyes, I’m just a faceless customer of a company they believe has wronged them.
There are lots of inherent benefits of having your IT staff part of your local team of employees, and I think this is a lesson that’s going to be hard learned over the next few years by companies looking to increase profits and decrease IT headaches by seeking outsourced and off-shored cloud-based solutions.
The way I see it, I've been predicting these situations for a couple of years now, and much of the tech industry has been gleefully riding into the sunset, proclaiming the cloud-based future of PC computing. This doesn't mean that I'm right, but it does mean that I'm thinking about it, which is more than a lot of the industry is doing.
While most people are hoping for the dust to settle with a clear and obvious path to follow for the future, each mishap or incident makes the future look that much more obscured. There are a lot of compelling reasons to consider cloud-based solutions, and like everyone in the IT industry, I'm looking at where the cloud fits into my IT road map for the future. I think it would be irresponsible for any IT manager not to.
The cloud will affect the way we all do business, the models we implement, and the economic impact those solutions have on our IT shops and our companies. At the same time, the cloud pushes us forward into a future where the checks and balances and best security practices of the past are simply ineffectual, and the only real alternative is, "jump in, hope for safety in numbers, and know that while some of the herd might get taken down, it will unlikely be you."
The success of the cloud depends on us adopting certain attitudes. After all, security is mostly an illusion – locks that keep the honest people honest. The fact is that even among the most talented IT shops in the world, a single human error lets the bad guys in. The bad guys, on the other hand, just sit back, and try and try again, confident that eventually they'll find an unlocked door or a lock that isn't any good. Anyone who works in security must acknowledge that fact.
I'm also well aware that the bad guys are far smarter than I am. I've known brilliant guys in the security industry, but I don't think any of them have broken 1024 bit RSA encryption by strangling the CPU of voltage. My fear is that the keyholes you find in the cloud could be large enough to fit a Mac truck.
So, what do you think? Am I being overly paranoid and too conservative in my opinion about adopting cloud strategies? I really want more feedback and dialog about this, because I’m strongly considering advocating several cloud solutions in my day job. Do we just all jump in and trust these large faceless corporations with purposefully limited SLAs and tons of plausible deniability to be good shepherds of our electronic data? Please share your feedback in the discussion thread.See also
Donovan Colbert has over 16 years of experience in the IT Industry. He's worked in help-desk, enterprise software support, systems administration and engineering, IT management, and is a regular contributor for TechRepublic. Currently, his professional role is as a Linux support engineer for a fast-growing Linux/FOSS consultancy group. You can follow him @dcolbert on Twitter or his personal blog, located at http://donovancolbert.blogspot.com.