A few days ago, in a Facebook.com group about Italian startups, a smart guy said he had a breakthrough product he was going to develop: a cloud-based solution to store people's sensitive health-related information.
As a wise appsec guy, I asked him how he was going to protect customers' data.
Something we have: a physical device
Lombardia, the Italian region around Milan, Bergamo, Brescia and so on, uses a smartcard and a centralized datacenter to let all doctors and hospitals in its territory share the health history of a given person.
The smartcard is bound to one physical person and is also the code assigned to that person for fiscal matters. That is to say, every person has a different code and therefore a different smartcard.
People can request a personal PIN to unlock the data contained in the smartcard and also to access the information about their medical history held in the centralized datacenter.
For now we will consider it a strong and secure system; evaluating it is out of scope today. We just want to note that Lombardia already has that guy's idea in production, except for the cloud part.
Something we don’t have: the cloud
Cloud… when I see this word in slideware I feel like I have just taken a strong kick in the stomach. Cloud is, by definition, a place somewhere on the Internet that we can treat as a huge mass storage system.
It does not matter which operating system, which database is running, or how many machines are running a particular service. It's the cloud, baby.
gmail.com stores your email in the cloud. This means that your messages are physically stored somewhere in Google's Mountain View datacenter, but also in India, Pakistan, Italy, France, Alaska… yes, we could go on. gmail.com security relies on the security of the web application people use as a frontend.
There is of course physical security, and data would be encrypted, but we cannot be sure that every single machine in the google.com cloud has the same patch level, the same software and database releases, the same hardware configuration, and the same perimeter security (firewalls, web application firewalls, biometric access to the server farm, password policy).
Email is sensitive information, but health data is even more so. All the laws about privacy and data jurisdiction that make the idea illegal in most countries are out of scope for now. We focus the discussion on the cloud and its security level.
An appsec guy would ask
I wrote my doubts in a polite and constructive way. I don't want to kill other people's ideas, but I can't figure out why the hell a person would be fine publishing his sensitive health-related data on the Internet.
I asked which kind of security features this startup would proactively implement in order to secure that data. I asked which kind of vulnerability management policies they would adopt, which vulnerability assessment tools they would use, which secure coding guidelines, how often they would perform code reviews, and similar questions.
I raised the doubt that "in the cloud" was being used there as a buzzword just to describe something that is supposed to be cool. Another guy, who I suspect owns a company providing cloud-based services, told me that "vulnerability management" is a buzzword too, and that security would be the core business of the company providing cloud services for that startup.
No technical details. No further comments. The thread is dead from my point of view.
The key point is that "cloud" is a word spent during pre-sales, but you must take real care about how strong your security policy is when you put data in the cloud.
Vulnerability management is a process put in place to take care of vulnerabilities and the risk level associated with them. I think it's a real concern.
And you? What do you think about it? Is vulnerability management a buzzword?
Photo courtesy of Wikipedia.