Every month, for at least the last ten years, I have read Bruce Schneier’s CRYPTO-GRAM newsletter. If you’re a security professional of any kind, the only excuse for not doing this is that you already know everything he writes about, and it’s pretty safe to assume you don’t. With this in mind, it’s not every day that hubris gets the better of me to the point where I am ready to completely repudiate Schneier’s wisdom on a rather important and topical security issue. However, today is that day.
In a series of articles in the Economist, Schneier asks the question "Should Companies Do Most Of Their Computing in the Cloud?" Since I am a bespoke cloud computing craftsman, you may think my arguments are similar to the usual ones that the "non-cloud" partisans offer. (Bruce covers those competently in the articles.)
No. Not at all. I’m actually pretty sympathetic to the cloud’s advantages. As you’ll see, it’s probably better than a normal local setup. In this entire debate, I feel that both sides (cloud is good/cloud is bad) have largely missed the most glaring and important security issue. Interestingly, I’ve felt this way for nearly 20 years, since "cloud" was still a weather feature. With the exception of a negligible number of insane people, I’ve never found anyone who seems to have given my perspective any thought at all. That’s why I feel it might be good to clearly state my personal rule of cloud security.
If you cannot audit the software you use for privileged tasks, and you connect that system to the internet, then your system is potentially as insecure as it is possible to be.
I’m not quibbling over a detail here. Bruce Schneier is wrong. Let me demonstrate the absurdity of the current argument using Schneier’s own computing habits. Here Bruce provides a pretty bog-standard rundown of "cloud is bad" thinking.
In contrast, I personally use the cloud as little as possible. My e-mail is on my own computer — I am one of the last Eudora users — and not at a web service like Gmail or Hotmail. I don’t store my contacts or calendar in the cloud. I don’t use cloud backup. I don’t have personal accounts on social networking sites like Facebook or Twitter. (This makes me a freak, but highly productive.) And I don’t use many software and hardware products that I would otherwise really like, because they force you to keep your data in the cloud: Trello, Evernote, Fitbit.
My cloud computing avoidance closely follows his. The problem is that if you think it’s important to improve security by doing things this way, you cannot use an operating system like Microsoft Windows (or OS X). If you use a proprietary operating system, you have completely failed at the objective of not trusting the exact same companies you would need to trust in order to use the cloud. Notice I’m not advocating for one thing or the other. I’m just pointing out that the security concerns about trusting the cloud are nothing new. If you never felt the need to scrutinize your dependence on proprietary software, then congratulations! You don’t need to worry about cloud security either. It couldn’t possibly be worse.
Interestingly, Schneier knows he’s wrong. In the same CRYPTO-GRAM he quotes, without argument, Micah Lee, who points out what has always been obvious to me.
Whatever you choose, if trusting a proprietary operating system not to be malicious doesn’t fit your threat model, maybe it’s time to switch to Linux.
We can defer the question of "should we trust proprietary OS vendors not to compromise users' security in unwanted ways?" (The quick answer is no and no and no and OMGNO!!!)
If you can’t trust Azure to safely do whatever you want done with your data, you can’t trust Windows itself, for the exact same reasons. But it’s not merely an equivalent threat. Your Windows (or OS X) non-cloud local system is worse against the threat of a compromised or untrustworthy service provider. Yes, worse. The reason is the same as the answer to why criminals would much rather break into my Linux cluster to mine BTC than physically break into the supercomputer center and haul it away in a truck. Why would the perpetrator want to pay for electricity, hardware, facilities, etc.? If the NSA wanted all your data, it’s far more efficient for them to let you host it. All they would need is a key to pop into your computer at any time. Are you sure there is no back door on your computer? For me, that’s a theoretically testable hypothesis. I fear that for Schneier it’s magical thinking.
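To make "testable hypothesis" concrete in the narrowest sense, here is an added example (my illustration, not code from the post or from any distribution's tooling) of the kind of check an auditable system lets you run: compare what is actually on disk with the cryptographic manifest the package source published, in the spirit of tools such as debsums or rpm -V. The file tree, the manifest format (sha256sum-style lines) and the tampering are all constructed inside the script so it runs offline.

```python
# Added example, not from the original post: a minimal file-integrity audit
# against a published manifest. Everything here is constructed: the sample
# "installed" files, the manifest derived from them, and the tampering.
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex chars>  <relative path>'.

    Blank lines and '#' comments are skipped; anything else that does not
    fit the format raises rather than being silently ignored, because a
    manifest you cannot parse is not a manifest you can audit against."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, rel = parts
        expected[rel.strip()] = digest.lower()
    return expected


def audit(root, expected):
    """Compare every file under root with the manifest.

    Returns sorted lists: ok, modified (hash differs), missing (listed but
    absent) and unlisted (present on disk but in no manifest)."""
    found = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            found.add(os.path.relpath(full, root).replace(os.sep, "/"))
    result = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for rel, digest in expected.items():
        if rel not in found:
            result["missing"].append(rel)
        elif sha256_file(os.path.join(root, rel)) == digest:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    result["unlisted"] = sorted(found - set(expected))
    for key in ("ok", "modified", "missing"):
        result[key].sort()
    return result


def demo():
    """Build a constructed install tree, record its manifest, tamper with it
    the way an intruder with a key to the box might, and audit the result."""
    root = tempfile.mkdtemp()
    try:
        files = {
            "bin/ls": b"#!/bin/sh\necho ls\n",
            "bin/ssh": b"#!/bin/sh\necho ssh\n",
            "lib/libc.so": b"\x7fELF pretend library\n",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = "\n".join(
            f"{sha256_file(os.path.join(root, rel))}  {rel}" for rel in files
        )
        # Constructed tampering: a trojaned ssh, a removed library, an extra file.
        with open(os.path.join(root, "bin/ssh"), "ab") as f:
            f.write(b"echo pwned\n")
        os.remove(os.path.join(root, "lib/libc.so"))
        with open(os.path.join(root, "bin/.backdoor"), "wb") as f:
            f.write(b"# listed in no manifest\n")
        return audit(root, parse_manifest(manifest))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:9s} {paths}")
```

The caveat a practitioner will want: this only proves that the files on disk match what the publisher shipped. It says nothing about whether what the publisher shipped is itself trustworthy. That second question is exactly the one the post's rule is about, and answering it requires source you are allowed to read and a build you can reproduce, which is what separates an auditable system from one where the hypothesis is untestable.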