Cloud Security for the Masses

Thirty years ago, a little wooden hut sat in the parking lot of my local Jersey strip mall. I would drive up to the hut, pay a few bucks, and a teenager would hand over a packet of developed photos, including a nice shot taken during that era of a Bulls rookie named Michael Jordan. After glancing through these photos once or twice, I would toss them into a shoebox, along with dozens of other packets. That box still sits up in the closet somewhere – I think.

Twenty years ago, a clunky PC sat on the desk of my Jersey office. I would log into the PC, click on the HP icon, and then digitally scan my printed photos into local memory. This included a nice shot taken during that era of a Yankee rookie named Derek Jeter. The scans would be arranged into a folder on my Windows system, and before long, I had hundreds of photos stored on this PC which I looked at occasionally. I have no idea where they are today. No clue.

Ten years ago, an iPhone found its way into my Jersey pocket. Soon, I was using this device to take zillions of pictures, including one from that era of a promising young college basketball player named Stephen Curry. Like all of you, I would click on a couple of icons, and the iPhone would then shove these pictures into something called the cloud. With so many cloud-accessible photos, I began to illustrate my conversations (quite annoyingly) with photos.

Jump to the present, and the cloud introduces a couple of security considerations – but perhaps not what you would guess. First, it should be clear that moving from printed photos in a shoebox to iPhone images in the cloud greatly reduces the likelihood of a hacker intentionally destroying your precious photos. This implies that with the progression to cloud, the risk of lost data is reduced. Ransomware attacks, for example, are less dangerous when you use cloud.

But also, with this progression to cloud comes the concern that with photos sitting up in some Apple or Microsoft or Google data center (yes, the cloud is just an assortment of data centers), perhaps someone might gain unauthorized access to embarrassing or private photos. This implies that we must trust the administrators at cloud services companies to make sure this doesn’t happen. And that is not always so easy.

All this implies that cloud security involves a collage of activities that are mostly the responsibility of the service provider. They accomplish this using advanced protection techniques, including creating many little private virtual shoeboxes (ahem) that keep my photos separate from yours. Security experts call this method segmentation, and the ability to run many operating systems on one machine (called virtualization) makes it efficient.

Businesses (and Boards) have been slow to embrace the cloud and its security methods, because they involve a shift in protection control. Some businesses are more comfortable recently, as cloud providers have begun to allow inspections and audits by experts who attest that everything is being done according to best practices. This is good news for all of us, because most cloud providers are quite capable when it comes to security.

Now, if you ask where I’ll be storing my photos ten years from now, I guess my answer is that I don’t know. Perhaps some autonomous virtual robot will sense what I am thinking and snap the pictures for me – just in case I might want them. And if you ask me which sports stars in ten years will be the next Jordan, Jeter, or Curry – well, if I knew that, then I assure you I wouldn’t be spending my time trying to write 600-word tutorials on cloud security.

About the Author:

Dr. Ed Amoroso is Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.

 Ed has been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past twenty-seven years, where he has introduced nearly two thousand graduate students to the topic of information security. He is also affiliated with the Tandon School of Engineering at NYU as a Research Professor, and the Applied Physics Laboratory at Johns Hopkins University as a senior advisor. He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications.

Ed holds a BS degree in physics from Dickinson College, MS/PhD degrees in Computer Science from the Stevens Institute of Technology, and is a graduate of the Columbia Business School. He holds ten patents in the area of cyber security and media technology and he has served as a Member of the Board of Directors for M&T Bank, as well as on the NSA Advisory Board (NSAAB).

Ed’s work has been highlighted on CNN, the New York Times, and the Wall Street Journal. He has worked directly with four Presidential administrations on issues related to national security, critical infrastructure protection, and cyber policy.