Chris Dixon

The cloud is a powder keg

This post is about computer security. Before your eyes glaze over, let me say that – without using any security jargon – I’m going to try to convince you there is a significant security issue on the horizon that will affect almost every business that stores valuable data on computers.

Willie Sutton was a bank robber who, when asked “Why do you rob banks?” replied “because that’s where the money is.”  This quote is famous enough that some people call it Sutton’s law.  On the internet, Sutton’s law means the bad guys will try to hack where the valuable data is stored.

One of the major trends in the technology world is “cloud computing” or a related concept, “Software-as-a-Service (SaaS)”. The idea is that instead of installing software within your company’s own network, it is hosted by a service provider and you access it via a web browser. SaaS applications are popular because they are much easier to use, install, maintain, and access. The most prominent examples are probably Salesforce and Google Apps. But the SaaS revolution is happening to almost every corporate application – HR, accounting, project management, bug tracking, and so on.

As a result, there is a giant migration of data going on.  We are moving from a world where everyone kept valuable data within their network to a world where all of their data is in SaaS providers’ databases.

Sutton’s 2nd law is that where there is lots of money, bad guys find a way to get to it (ok, I made up the name for this law – but it should have a name). When kings had piles of gold in their castles, people found a way across the moats and through the gates. The same is true of people robbing banks, and the same will be true of SaaS providers’ databases. It could be an inside job, someone leaving a “door” open, or just clever hacking – but you can rest assured that with a giant pile of gold sitting there, the bad guys will get it (in fact it’s already started).

We have gone from a world where everyone hid money under their mattress and protected it with an alarm system and shotgun to a world where all the money is in just a few places, run by people who have no particular expertise in providing security and who for the most part deny there is any risk. SaaS providers like Salesforce just dismiss the security risk, saying, in essence, that they have alarms and shotguns too.

It’s a powder keg waiting to explode.

Disclosure:  I invested in a stealth mode security company that addresses this problem.  Perhaps that makes me biased.  I prefer to think of it as evidence that I believe what I’m writing here.

  • http://lmframework.com/blog/about David Semeria

    How is this any different than the security concerns around a browser interface to a banking service? Lots of people seem comfortable banking online, and even pre-internet fraud was an ongoing issue in many sectors.

    • http://www.cdixon.org chris dixon

      The bank already had your money/data. Going online just created a new path to the bank. There was (IMO) never a big security risk there, as long as proper controls were put in place.

      What is happening with SaaS is that companies are taking their customer lists, payroll – their most valuable data – and trusting a 3rd party with no security expertise to hold and secure it.

      • http://lmframework.com/blog/about David Semeria

        So you're saying that the security issue is not to do with the cloud/SaaS model per se, but with the expertise and approaches employed by many cloud/SaaS operators?

        If so, I agree.

        • http://www.cdixon.org chris dixon

          Yes, but also the mere fact that all the valuable data is now being centralized makes a much juicier target for the hackers. Hacking into each business one by one was much more tedious. The first hacker to get everyone's customer lists on Salesforce will get rich/infamous.

          • http://lmframework.com/blog/about David Semeria

            Okay – what this boils down to is database segmentation. Just because all the data is in one logical (perhaps physical) place doesn't mean any one account has universal access.

            In other words: no root user on the DB. At that point, acquiring all the individual credentials (needed to do a full dump) is equivalent to hacking all the individual users' systems.

  • http://twitter.com/davidsmuts David Smuts

    Interesting post Chris- I think we rename Sutton's Law to Dixon's Law.

    I tend to agree with your security concerns but in an environment where the herd mentality prevails this viewpoint is not shared- and in some instances considered heretical. You're going to get some bite back from the geeks no doubt.

    Anyway, I'm concerned too!

    • http://www.cdixon.org chris dixon

      I'm really surprised how little this is talked about re the cloud. Partly this is because a lot of institutions that have the most valuable data haven't adopted SaaS. E.g. I guarantee you Goldman Sachs doesn't use SaaS for any important data. When SaaS vendors try to reach financial, legal, healthcare etc., security will become a much more prominent issue.

  • chrisyeh

    Chris, the issue of data concentration is real, but I don't think that the issue is a lack of security expertise on the cloud/SaaS providers. I'm pretty sure that any credible providers in the space are much more serious about security than most of their customers.

    But the Willie Sutton effect is very real. The question is, does the superior security of cloud/SaaS providers make up for that effect?

    I don't know what your portfolio company does, but if it helps cloud/SaaS companies provide better security, it's simply ameliorating the Willie Sutton effect, not eliminating it.

    • http://www.cdixon.org chris dixon

      I agree. All security products only ameliorate the problem. Security threats will simply never go away.

  • kevinmsmith

    I'm of two minds on this topic. While I completely agree that SaaS apps can be a security risk and that needs to be seriously considered before moving key data to the cloud, I also feel that people have ignored security risks that are much more likely scenarios. Each day, companies have employees walking around the streets carrying laptops full of critical business information – some of which ONLY resides on that laptop. They have employees who may be purposefully or inadvertently sending confidential information to their personal Gmail accounts so they can work from home. They are using the public wi-fi connection at the local coffee shop to check their corporate email.

    So, while I really do agree that SaaS systems need to be examined and locked-down to whatever degree possible, I also think that we need to get the basic security holes plugged too.

    (disclosure: we create SaaS software, so I *may* be slightly biased here…)

  • http://shanacarp.com/essays ShanaC

    Chris, is there a way for me to email you offline about this issue? There are some major secondary effects and pluses and minuses that I don't want to talk about, mainly because I know the characters involved in person, and I don't like besmirching people.

    • http://www.cdixon.org chris dixon

      Sure. My email is on my about page.

  • shansinha79

    Chris- Agree this is an issue, but I think the point that you're highlighting is that the severity of breaches is increasing, not that security is a big problem with “web applications”.

    Online retailing has been around for a while, with credit card numbers and all kinds of PII data involved. I would say that “security of online applications” is not exactly a new problem.

    Furthermore, I think that in recent years, the delivery of “cloud” applications has substantially evolved and matured into an ecosystem of specialized providers.

    As an application provider who is hosting customer documents, we rely on other hosting providers to maintain and specialize in physical security, we rely on services like AWS to make sure that breaches into their network are protected, we rely on third party data security providers to ensure protection of data.

    So my thought is that what we are going to see is an evolution of the “security provider ecosystem” for cloud applications. I don't think the growing availability of cloud applications implies that we are about to enter a “wild wild west of security breaches”.

  • http://b.b3k.us/ Benjamin Black

    Chris, I'm afraid that horse has already bolted, no cloud required. Many companies already trust their payroll (and much other sensitive, HR data along with it) to ADP and PayChoice, among others. You can also look to the massive breach at Heartland Payment Systems reported in January of this year. Such breaches are reported regularly, and the scale beggars belief with each revelation. These people aren't using cloud infrastructure and they are, allegedly, security experts.

    As with so many other 'problems' of the 'cloud', this one does nothing but shine a light on a problem that existed before the 'cloud' was sucking out brain cells and inserting marketing slogans the world over. That's a good thing, in my opinion. Not cause for alarm, but an opportunity for reasoned debate on the issues people have long ignored and underestimated.

    -b

    A couple of links to refresh memories:

    http://www.sfgate.com/cgi-bin/article.cgi?f=/g/…
    http://voices.washingtonpost.com/securityfix/20…
    http://www.ihealthbeat.org/Articles/2007/7/25/I…

  • http://twitter.com/vsagarv Vijaya Sagar

    Quite a provocative post there :) Your concerns are obviously very relevant and valid. However …

    Time and again, hackers (black hat / white hat – colour is irrelevant) have proven that they can break into the most elaborate of the security schemes one can dream of. Am not suggesting that we shouldn't take care – just that there is always a small loophole unnoticed somewhere.

    Curious: Any statistics on how many business critical systems are actually compromised each year? Say the number of attempts+successful intrusions, no-cloud vs on-cloud? Hard data anyone?

    From a practical / financial point of view, on-demand compute, storage & geo-aware delivery draws me to the cloud. AWS has changed the landscape totally. With EC2, S3, SQS and CloudFront, medium/large scale web application development and deployment is now a reality even for us bootstrapped / seedfunded entrepreneurs.

    Disclosure: I have no investment in Amazon / any cloud company :-) I use Gmail, Google Docs, Basecamp, RepositoryHosting and few such other cloud apps.

  • http://twitter.com/ekehat Elad Kehat

    I'd like to argue that on average data security is going to get better, not worse, due to cloud services.
    In the world where everyone hid money under their mattress too few used a really good alarm system and fewer still had a shotgun ready. Some did, and their security probably tops that offered by cloud services, but on average the security level was low.
    While cloud-based services won't necessarily offer the best security possible, the fact that they're centralized means that they'll be able to dedicate more effort than most of their clients to data security. That means that for the average client the security of their data will be higher with a cloud provider.
    As a startup founder, I have no time and resources to have the R&D team invest a lot in security. This is just a fact of life. We care about it and take the necessary precautions, but there are more burning issues. I believe that storing our stuff on S3 actually elevates our general data security level because Amazon have their dedicated staff taking care of some risks that we wouldn't have had the resources to.
    Finally, as some well-publicized security breaches are going to take place sooner or later, cloud services will be pushed to invest more heavily in security and thus security level will be elevated further – way beyond what even security-minded companies have today.

    • http://shanacarp.com/essays ShanaC

      Somehow I get the feeling from the Art of War that all you would have to do in a highly centralized system is draw the person out and then whiplash them with a lot of very indirect pinpoint attacks before hitting them with a full brunt.

      If you are saying that cloud storage is better because now we are walled- even the mightiest stone walls are at peril to water over time.

    • http://www.cdixon.org chris dixon

      Well, with SaaS you now have an additional point of attack – in addition to the SaaS datacenter you can still put a keyboard logger on the client machine to get data. I agree however that long term SaaS vendors will deal with this better. Hence my investment in a technology I think will help them.

    • http://laughingmeme.org kellan

      My mind immediately went to the money under the mattress metaphor as well. Banks have centralized the risk, and yet we still use them, for a combination of efficiency and security. In a world where everyone rolled their own security, home break-ins would skyrocket.

      And let's be clear, right now with technology startups 95% of them are in the hiding the money under the mattress stage. It is only that much of the data is less liquid/desirable than money that has kept the relative rate of break-ins so low.

      Security is something that you should never roll your own. You can get this by following best practices diligently, and ceaseless vigilance on your own hardware (I wonder if we could quantify “ceaseless” in terms of person/hour impact on a startup), or you can outsource it to the cloud.

  • FabriceCathala

    Hi Chris,

    Nice post here. I am considering myself as a Cloud Computing evangelist but one among those who prefer to face the issues and address them than hide them under the carpet (oh, and disclosure: “working for a SaaS vendor”).

    These 2 laws certainly are valid but they are not enough to assess the overall security level of both camps (on-premise vs. SaaS) and no conclusion can be taken at this stage.

    You say that security skills are on the customer side more than on the vendor. Well, while this is 'nice reading' for any IT guys out there this is not necessarily true and not for technical reasons but financial reasons!!! In SaaS, the Security is part of the core business model (I am talking here about Enterprise Type Cloud Computing, not Twitter or Facebook). In this world, an attack = bankrupt. Money to hire the best skills is no issue as [lack of] security can send the whole company bankrupt… Same with gear and staffing level. On the other hand, all IT departments have fixed budgets and I doubt many can compete with the type of effort a SaaS vendor puts into it.

    Also, as per Law #2 if/when an attack occurs on a SaaS vendor there are more chances to hear about it than when it is managed internally. So, it is a real bad habit to compare the reliability of systems from both camps from the noise heard in the press or online.

    I am not saying that on-premise is less secure as there are so many factors to take into consideration. But I think that if you balance the added risk due to the laws you mention with the added security brought by the SaaS business model it's difficult to take a conclusion at this stage…

    Cheers,

    • http://www.cdixon.org chris dixon

      I agree your average SaaS vendor has better security than their average client. I just really doubt that outweighs the Sutton rule. Salesforce has one of the juiciest data sets in existence. They better guard that like Fort Knox. Their website says they use SSL and have a firewall. Not reassuring.

  • Adrian Ionel

    Yes, most smaller SaaS (or cloud) providers don't have the security expertise, processes and infrastructure of a Fortune 500. Yet as you point out – they're now holding Fortune 500 core data. Furthermore the biggest security risks come from within. Rogue employees, weak internal control, poor training. This will likely apply to new cloud providers as well. Few young companies are set up to deal with that. I wonder though if emerging cloud companies are a big enough market for new security players.

  • http://www.nextwaveperformance.com/ Kevin

    Along the same line of thinking… I wonder about the security of so-called “mash-up” apps. Let's say you have a HR SaaS app that mashes up with a payroll SaaS app that mashes up with Salesforce, etc. Is there the potential for one of these SaaS apps to be the weak link in the chain and allow access into the others? I don't know the answer, I'm just posing the question as these types of scenarios become more prevalent.

    • http://www.cdixon.org chris dixon

      This is why the attacker always has the advantage in security – all you need is one weak link for them to exploit.

  • http://www.remindo.com/ Prateek

    Disclosure: I work for a SaaS project management tool called Remindo.com.

    Being a SaaS provider myself, I agree with the Salesforce position that you can at best get better shotguns and better alarm bells, nevertheless dismissing security concerns seems like a bad idea to me. We have tried to fortify ourselves by using AWS and VeriSign SSL, this does ensure that there won't be data loss but frankly everyone knows that no security measure can be 100% failproof. And as far as internal threats (rogue employees etc) are concerned, it's like asking bank employees why they won't steal money from your accounts. The business of the bank depends on the fact that it won't ever happen.
