Can Security Be A Single Point Of Failure

RSS

The cloud is supposed to offer users a number of features including accessibility from almost anywhere. It, in theory, offers more storage and compute power than might normally be available if you have the electronic cash to pay for it. It is typically touted as being secure and there are any number of methodologies employed to make that true. Unfortunately there can be problems.

Microsoft’s issues with its Azure cloud services is just one example and this particular outage is different than what happened earlier with a portion of Amazon’s cloud services. In the latter case, it was a hardware issue. In Azure’s case, it was an expired SSL security certificate.

For those that don’t know, most web security is based on sets of keys and certificates that are used to encrypt and authenticate data. This prevents unwanted access and control of devices. The public key digital certificate system employs a hierarchical approach with root certificate authorities guaranteeing certificates they sign. If you trust the root then you should, in theory, trust certificates signed by the root or possibly anywhere down the chain. I won’t get into those details but essentially you can wind up with a certificate that lets your users know that communication with you will be secure.

The certificates also have an expiration date. There is also supposed to be a revocation list from a root that includes certificates that should expire prior to this date. Unfortunately, access to this list is not always possible and its update is typically something the root needs to handle. The expiration dates allow the system to work most of the time because someone must renew a certificate (actually they must a acquire a new certificate) before it expires.

What happened with Azure was its certificate expired before a new one was put in place with a later expiration date. Administrators could not access their applications. It was an administrative issue but it highlights a single point of failure within the system because the rest of Azure was based on it.

I’ve taken a few liberties on the explanation of the technology but in general it is an issue that everyone must be concerned with because these same techniques are employed with embedded and consumer applications. The same problem that Azure had can arise in other environments. This can have implications on features such as updates and even regular operation of a device Something that works today may not work tomorrow and determining why might be a challenge especially if the method of secure communication is the problem area.

Newsletter Signup

Please or Register to post comments.

What's alt.embedded?

Blogs focusing on embedded, software and systems

Contributors

William Wong

Bill Wong covers Digital, Embedded, Systems and Software topics at Electronic Design. He writes a number of columns, including Lab Bench and alt.embedded, plus Bill's Workbench hands-on column....
Commentaries and Blogs
Guest Blogs
Nov 11, 2014
blog

How to Outsource Your Project to Failure 3

This article will address failure to carefully vet a potential manufacturing or “turnkey” partner and/or failure to transfer sufficient information and requirements to such a partner, a very common problem I have seen again and again with my clients over the years, and have been the shoulder cried upon by several relatives and clients in the past....More
Nov 11, 2014
blog

Transition from the Academe to the Industry Unraveled 1

There have been many arguments here and there about how short-comings of universities and colleges yield engineers with skill sets that do not cater to the demands of the industry. There have been many arguments here and there about an imminent shortage of engineers lacking knowledge in the sciences. There have been many arguments here and there about how the experience and know-how of engineers in the industry may vanish due to the fact that they can’t be passed on because the academic curriculum deviates from it....More
Nov 11, 2014
blog

Small Beginnings 5

About 10 years ago I received a phone call from an acquaintance. He had found a new opportunity selling some sort of investments and he wanted to share it with me in case I was interested. Ken had done fairly well for many years as a contract software developer primarily in the financial services sector. His specialty was writing RPG code. (RPG is often referred to as a write only language.) But he was seeing the handwriting on the wall as the industry moved on to other methods, and saw himself becoming a fossil....More

Sponsored Introduction Continue on to (or wait seconds) ×