Security is hard

Home/Blog/Article 03

Security is hard

Looking back on the high profile security failures of 2014 (Sony, Target, Home Depot), enterprise IT organizations have some significant challenges ahead of them in 2015. Barb Darrow tell us in a recent gigaom article :

"Security is hard, and as we've heard over and over, it requires a mix of technologies from different providers, constant vigilance and good end-user practices to safeguard a company's crown jewels."

Everything Barb, says is true when you're using the web. Let's take a look at the technologies that lay behind this statement and how these technologies and assumptions about these technologies can significantly impact the workload of CIOs, Chief Information Security Officers (CISOs) and Chief Security Officers (CSOs). And their budgets.

Web Security is hard

Barb interviewed the director of security for a Fortune 100 health provider, and he said his organization will be deploying Dropbox to their company, combined with a third-party encryption product. Dropbox is built on web technologies: the http protocol, for moving stuff around, MySQL for storing data, and Amazon S3/EC2 for storage and serving of files. There are lots of other pieces of open source technology that Dropbox makes use of in their stack, but it all uses the same basic web protocols.

As I pointed out in Open Data Economy, the web is built on top of a Hierarchical File System, and all http servers take advantage of an interesting property inherent in all file systems used on Mac, Linux and Windows computers: once a file leaves on computer (via the copy the web server makes and shares on the wire), the owner of the copy is the recipient. All previous access controls maintained by the host server are lost. Once the file is on the wire, all data security is lost. And any application that uses web technologies is 100% vulnerable to this property. The only way around it is to make heroic efforts to try to regain control of the file after it has left the server. First stop is cryptography, or the math underlying encryption technology.

Encryption is cool (but really, really hard)

So why is the Fortune 100 director of security is using a third-party encryption product? Why not use the one offered by Dropbox? Because Dropbox doesn't offer one. Dropbox uses https to transfer your files, so the file is transmitted over a secure line. Unless there is a man in the middle between the user and dropbox, and they get the file. And Dropbox doesn't guarantee that your files are safe, if the user is so foolish to share a link with somebody that isn't to be trusted, or if the link is passed along to somebody else, or if the servers that store the files at Amazon are compromised. Basically, Dropbox file storage is a security director's worst nightmare.

So that's why he's going to train his people on how to use a third-party encryption package. He'll teach them how to carefully encrypt files before placing them in Dropbox, and how they can only be sent to authorized users that have exchanged their public keys, and how to share public keys, and how if they get frustrated doing their own explicit encryption they shouldn't just push the encrypted file up to Dropbox even if it's really, really simple and easy to do and nobody will notice.

The probability of human error here is pretty much a sure thing. And while encryption may be cool, it's really, really hard, and a total pain, and people won't use it because it's so difficult to use. Requiring users to be trained in just basic cryptography and asking them to always use a specific work-flow that asks them to do a lot of extra work is the opposite of what users are used to. They want their devices and their software to just work. This is what we call a heroic effort to workaround a basic property of the web: the 3rd party encryption suite is a heroic effort, and asking your users to be heroes is even more heroic.

Authentication is hard too

One more question: who is receiving the file on the other end? How do we know that our good users are who they say they are? Does this Fortune 100 health company also need a secure user management system that verifies recipients for files that are transferred via Dropbox? He probably shouldn't trust Dropbox, because their user authentication system is not very transparent, and it's probably managed by MySQL (see above), and those databases are notoriously easy to hack into. So how do I authenticate my users and detect man-in-the-middle attacks and Sybil attacks and lazy users? All good questions for those CIO's, CSIO's and CSO's.

We can summarize some of these issues by concluding that using public cloud services built on web technologies results in:

  • Unlimited Copying of files
  • Loss of control over access to files
  • 3rd party encryption tools are heroic (and error-prone) efforts
  • Unreliable user authentication services are also vulnerable
  • Multiple points of attack, requiring significant security audit resources

What our Director of Security needs is a system that doesn't use web technologies at all. A software suite that handles data transport, user authentication and access authorization securely and automatically, without any extra work for end users. That's CloudMoDe 2.0.