Question for the day: What can the turn-of-the century cattle industry teach us about cloud security? Quite a lot, I believe – especially by the ways in which driving cattle and keeping data secure are so very different.
Back in the 1880s driving cattle across the US was big business. Millions of head of cattle were moved vast distances by rugged individuals powered by nothing more than a love for wide open spaces and a plentiful supply of beans. At least according to Hollywood.
Losing cattle on the way was something that the cow hands worked hard to avoid; it seriously cut into profits for both the cattle owners and the people doing the driving. But life on the trail was tough, and any number of things could cause cattle to go missing – stampedes, heel flies, drought, flooding, rustling, and just plain getting lost. However, with the exception of extreme bad luck, losses tended to average around 1.5% to 2% per drive.
Which is why cattle driving and data security are, well, so different.
(OK and yes, usually there aren't all that many cows in your typical data center…and less people wear cowboy hats. Generally.)
You see, when driving cows across the Midwest you can expect to lose a small number gradually over a period of time. The losses can spike unpredictably, but on the whole there's a gradual attrition that can be, and was, planned for. Data just doesn't behave that way. Data doesn't leak slowly like water from a rusty bucket. Generally one of two things will happen – either everything is fine or, well, everything is lost. Sony has been learning this the hard way of late. Breach after breach has hit the press , and the losses in data continue to mount. The financial losses come later, of course.
The really successful data thieves (and here I'm using the term 'successful' in a fairly specific way), people like Albert Gonzalez for example, become very good at identifying where they can position themselves to quietly steal as much data as possible. To continue the cowboy theme, Gonzalez didn’t want to take just a few head of cattle, he wanted the whole herd. And not just one herd; once he had the process perfected, he repeated it, time and time again.
And that's the second way that cattle rustling is different from data theft: When you steal a cow, someone notices. When you steal a credit card record, well, it can be a while before anyone knows. So you can keep doing it. In fact, the only thing that really slows you down is the pesky business of having to figure out how to breach the organization in the first place, set up shop, and start siphoning information.
Which brings us, surprise, surprise, to cloud.
Cloud computing services are like the central stockyards in towns like Abilene and Dodge City, processing hundreds of thousands of head of cattle. Now, imagine if I could steal all those cows, and no one would notice until I was long gone...
And there is the big risk. Because if I'm going to start stealing cows (or data) I'm going to steal if from the places where there is the highest concentration available most quickly.
Of course, information isn't just wandering around cloud infrastructures in great unmanaged herds, and there is plenty of security in place (and every reason to believe that it will keep getting better). But again, let me be clear: no security is perfect, and when a breach occurs at one of the big providers, it has the potential to impact a lot of people's data.
In the old days, cowboys would deliver their herds to the railhead, take their money, and ride off into the sunset (usually after defeating the bad guy and winning the girl). These days, you better make sure your gunslingers stay right with the data, all the time. Because sooner or later, someone's going to figure out a way in, and when they do, your data could be swept up with everyone else's. Cloud providers are going to make very big targets for data thieves, so layering your own protection is essential to staying secure.
Organizations must, and increasingly do, understand that the providers can only do so much to keep information secure. In the end, responsibility will still rest with the data owner. Data-centric security, controlled and monitored by the customer, will replace wishful thinking and finger pointing as a way to keep information safe.
Building your own controls into the day-to-day management of information will limit your exposure when the inevitable breach occurs, and that's the best way to keep them doggies rollin'.
As Rowdy Yates would say...