One of the key principles of cloud computing is that, because the resources are accessible from anywhere on the internet, security becomes a major consideration. If you have not already studied our page on Security, you should do so now and return here later.
Personal computing
When your applications ran on your desktop or laptop computer, you were usually the only person with physical access to the computer, and thus to the resources it contains. Sure, you kept your computer inside your house or your office and did not just leave it lying around. But sometimes you carried it out to a public place like a coffee shop, a restaurant or a public room in your company's office building. In those cases you were strongly advised to protect your computer with a login password and a screensaver that locks it after some reasonable period of inactivity.
Another consideration is that most applications, especially browsers and email, require that your computer have a wifi or even cellular connection to the internet. If your computer is connected to the internet, then there is a good chance that someone could access your computer through the network. To prevent that, you usually had to install and activate a program called a firewall. Such a program restricts almost all incoming connections.
Corporate computing
If your computer was used for corporate work, then you usually had to access servers inside your corporate network. When you do so, the information you are sending or receiving travels through the internet. That opens the possibility that someone could access the data as it travels. One solution for that is secure communication.
Originally, you accessed web servers with addresses like http://myCompany.com. The http was the original internet protocol, but it was not secure. By implementing the https protocol, your computer and the service you accessed would arrange security by exchanging ssl keys. The protocol designator on the URL is visible and it should be https. But that is not usually good enough. A malicious site could trick you into connecting to it with a URL similar to, but not exactly the same as, that of the site you thought you were accessing. One clue is that the URL starts the same as the URL for your online banking service, but ends with a different top-level domain. So, you think you are accessing https://myBank.com when in fact it is https://myBank.net or .cn. When that top-level domain belongs to a foreign country, particularly one that is not friendly with your country, then you have lost your information or been hacked.
An additional security method used to prevent that sort of thing is called a network certificate. It is similar to an ssl public/private key pair, but it is a cryptographic certificate that is validated by network authorities to only be usable on the expected website. See our blog post on security lesson #2 for more on this topic.
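The lookalike-address problem described above (myBank.com versus myBank.net) can be checked mechanically before a link is followed. The following Python is an added example, not part of the original post; the allowlist, the function names and the sample addresses are assumptions, and it goes one step further than the text by also flagging a trusted domain used as the front of another site's address.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the sites this user really intends to visit.
TRUSTED_DOMAINS = {"mybank.com", "mycompany.com"}


def name_and_tld(host):
    """Split a host into (name, tld) using its last two labels.

    Simplification: multi-label suffixes such as co.uk are not handled.
    """
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return host, ""
    return labels[-2], labels[-1]


def classify_url(url):
    """Return 'trusted', 'insecure-scheme', 'lookalike:<domain>', 'unknown' or 'invalid'."""
    parts = urlsplit(url)
    host = parts.hostname  # urlsplit already lower-cases the host
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    name, tld = name_and_tld(host)
    if f"{name}.{tld}" in TRUSTED_DOMAINS:
        # Right site; https is still required so the traffic is encrypted.
        return "trusted" if parts.scheme == "https" else "insecure-scheme"
    for trusted in sorted(TRUSTED_DOMAINS):
        t_name, _ = name_and_tld(trusted)
        # Same name, different top-level domain: mybank.net vs mybank.com.
        if name == t_name:
            return "lookalike:" + trusted
        # Trusted domain used as the start of another site: mybank.com.example.net.
        if host.startswith(trusted + ".") or host.startswith("www." + trusted + "."):
            return "lookalike:" + trusted
    return "unknown"


if __name__ == "__main__":
    # Constructed sample addresses.
    for sample in ("https://myBank.com/login", "http://myCompany.com",
                   "https://myBank.net/login", "https://mybank.com.example.net/"):
        print(sample, "->", classify_url(sample))
```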
Why is this so complicated??
- The internet was built on a community of trust. Originally it was university researchers sharing academic papers. Those papers were not private. The whole point was to give that information freely. There was no motivation to steal research information. Most internet addresses in those days were something like http://www.cmu.edu
- When the internet became open to commercial sites, many of the URLs were http://www.ibm.com or https://www.BofA.com, and now electronic funds transfer or credit card accounts were abundant.
- When the general public began accessing their financial or personal information, the commercial servers demanded that people create usernames and passwords. Believe it or not, most people are not very imaginative in creating passwords. Many people used the same username and password for many of their accounts. If they tried to remember their passwords, they kept them simple. See our blog post "So, you want to be a pro do you?"
- When professionals had secure access to valuable resources, the managers of those resources demanded much more secure authentication in the form of SSL public/private keys. Some computer professionals, but certainly not most, have the technical prowess to generate and install those keys so that they are activated when their ssl login or sftp connections are triggered. There is no way that most non-professionals would want to, or have the ability to, use such keys.
- Many web servers or application servers are installed in a corporate data center along with internal applications and stored data. As new applications or data are added, the security requirements get more and more complicated. It is very difficult to keep such a data center secure, and the risks are very high. Security systems need to be run by professional engineers who are trained in security, and frequent security audits are required.
So, what is the solution?
Simply: containerized applications and dev-ops deployment.
Stay tuned for our next episode: Deployment containers.