We're Doomed to Insecurity In the Cloud and On Thin Clients
Working in the IT security field, you spend every waking hour striving to improve protection and lower risk. Then another computing technology emerges -- the Internet, wireless networking, mobile computing, social networking, and so on -- and you have to learn every security lesson all over, as if something new and surprising has come along.
In the past few weeks, we've seen authentication token leaks from Facebook; a rise in mobile malware; major networks running without a firewall and with unpatched major software; and an array of security appliance vulnerabilities. Secunia, which doesn't track every software product, is still publishing 250 to 350 vulnerability announcements per week. Some of the exploited technologies may be relatively new, but in terms of security, it's really more of the same.
Now some people think cloud computing and thin clients will decrease security risks and usher in an age of fewer exploits. I'm not so hopeful.
Thin clients have the potential to be less exploitable, simply because they have fewer lines of code, which should in turn mean fewer bugs, fewer security vulnerabilities, and less attack surface. However, thin clients rely on browsers to do the heavy lifting -- and browsers are the most exploitable pieces of software ever created.
Many readers might still think that Microsoft (my full-time employer) has the most vulnerable browser on the market in Internet Explorer. Surprise, surprise -- every major vendor that has tried to make a significantly less vulnerable browser has failed. Chrome, Firefox, and Safari have vulnerabilities numbering in the hundreds -- far more than Internet Explorer in the same time periods. It turns out making a truly secure browser is harder than it looks.
Further, the forthcoming thin client OSes use these same browsers to do most of the end-user work. How can we expect an entire OS platform to be more secure if the single major application it relies on has hundreds of bugs?
One good argument could be that these forthcoming client computers will have less functionality. They won't allow users to save files (or even states) locally. If the end-user can't save to their machines, it's going to be a lot tougher for malware writers and hackers to manipulate those computers, right? Probably not.
First, just as users aren't supposed to care where their data or profiles are located, malware writers won't care either. Wherever you are allowed to write data, the bad guy will follow. It's merely a change in locale: bank robbers break into banks because that's where the money is, and the same principle applies here.
Second, I'm already hearing hedges. For example, end-users are asking how they will be able to work on their data files when they aren't connected to the Internet or the vendor cloud. The thin client vendors are replying that the users can work with a locally cached copy while offline. Get that? Users can't save files to their computer, but their computer will save cached copies locally. What's the difference between that computing model and the current PC model? Not much.