Slashdot Mirror
Security In the Ether
theodp writes "Technology Review's David Talbot says IT's next grand challenge will be to secure the cloud — and prove we can trust it. 'The focus of IT innovation has shifted from hardware to software applications,' says Harvard economist Dale Jorgenson. 'Many of these applications are going on at a blistering pace, and cloud computing is going to be a great facilitative technology for a lot of these people.' But there's one little catch. 'None of this can happen unless cloud services are kept secure,' notes Talbot. 'And they are not.' Fully ensuring the security of cloud computing, says Talbot, will inevitably fall to emerging encryption technologies."
Part of the problem is that with Cloud Computing you have a much broader set of "enemies" to secure your data from. It's naturally in the interests of cloud/SaaS providers, who are selling an increasingly commodity product, to look for ways to cut their costs. They have price pressure from consumers and competitors so like any business you can bet they're looking for the cheapest providers they can for the services they require. Unfortunately that cost-cutting and corner-cutting will lead to new and different security challenges.
:-) Uh huh.
For example: all but the largest will be outsourcing their data centers. And when they outsource that storage will they find the same sort of pricing structures, perhaps on a different scale, that everybody else does - it is attractive, from a price perspective, to off-shore that data to places where it's just cheaper to run. One of the strengths of the Internet is how it shrinks the planet in that regard. But there has recently been a big debate about whether or not the 4th Amendment in the U.S. protects hosted e-mail from search and seizure by the U.S. government. What does the 4th Amendment in Malaysia protect against?
What if your biggest competitor in your particular industry is a Chinese company and your Cloud provider decides to store your data on a server located in China. Do you suppose the Chinese gov't might be able to access (or monitor) your data and provide any of it to their company?
Even if your data stays on a domestic server and your business is entirely legitimate - most Cloud providers are multi-tenant (that's the economy of scale that helps them keep prices down). What if one of the other tenants on that server is doing something naughty and the government decides to seize the server to go after them. Will your data be safe and protected? They're the government, right? OF COURSE your data will be handled properly.
Another big topic is document retention. You want to keep documents as long as you need to and then expire those documents. Will your SaaS/Cloud provider respect your document retention policies? Or are you going to discover, hopefully not after being served with a discovery request, that they actually have copies of your expired documents in cache or on backups somewhere that they never destroyed?
There are a LOT of new security issues that come up when you essentially put your data at arm's length with no real idea of where it's physically stored or who has access to those servers. I'll close with a quote:
"If (CIO) Randy Mott told me 'Put the general ledger up in the Cloud' I'd say 'Go back to work, we're not doing that."
-Mark Hurd, CEO of Hewlett Packard-
-B-
Would you trust other companies to manage your electronic secrets?
I would never, no matter what promise.
Besides, we all know the track-records of the companies offering this and they are real bad at least in my opinion.
We already trust the cloud a bit. We use the internet to move stuff around. Do we trust intermediate nodes not to eavesdrop or
steal our data? No... we use SSL. Do we trust the intermediate nodes to deliver our packets on time? No... we wait for ACKs and use timeouts.
Seems to be this is just like cloud storage. Use it but don't just it all. Encrypt everything. Periodically pull the data back to make sure its OK, etc.
While they may sound different, the Cloud Computing security problem seems to be almost identical to any other Digital Rights Management problem. Both are concerned with only exposing what the information owner wants exposed to the underlying hardware/provider/user/etc.
It's just a question of whose "Cloud" you are trying to secure information on, and who the "user" of said information is supposed to be.
Microsoft today implemented its 100% Data Confidentiality package for T-Mobile Sidekick, comprehensively protecting users’ contacts, email and messages from any possible attacker.
“Our data security is impenetrable,” said Steve Ballmer, “and will reassure everyone of the data integrity of our Windows Azure Screen Of Death cloud computing and Windows Mobile initiatives.”
Microsoft plans to leverage the new confidentiality mechanism to finally purge the horror of Vista from the face of the earth, in the same manner as firing all the contractors who knew how to build Windows 2000 and having to reconstruct Windows XP from bits of NT 4.
Microsoft Sharepoint users looked forward to a similar denouement as the only safe way to scour their hopelessly incompetent organisations from the world in a manner that would not infect successor organisations.
Microsoft is putting together an outsourcing proposal to the UK government for data protection.
http://rocknerd.co.uk
The cloud is not safe. Period. You might secure parts of your data. You can keep other internet users from illegally accessing your data. But as we just discussed, anyone with (virtual) fysical access to a server can break his way in. You may make it harder by installing full disk encryption software, but you can't even be sure that the bootloader of your virtual server isn't messed with. If you build a bookstore that costs amazon millions of turnover a year, hosting it at ec2 might not be the smartest idea...
.sig: No such file or directory
For crissakes, people who say something needs to be secure before it can be trusted really get on my nerves. Anyone who's waded out of the shallow end of the pool on security (of any kind) knows one of the fundamentals of security is that it isn't perfect. No matter how good you make your mouse-trap, there will someday be a better mouse. The more realistic analysis is to ask yourself what the acceptable risk is. Or, put another way, you should strive to ensure that the security is more difficult to break than the value of whatever it is that is being protected.
#fuckbeta #iamslashdot #dicemustdie
Would you truth other companies to manage your physical secrets? Well, lots of people do. They're called banks.
I may be wrong here but I'm still convinced my super secret stuff will be safer in a safety deposit box (where I have the only copy of one the two keys needed to open it), which is located behind a massive steel door, encased in layers upon layers of concrete in the cellar of a bank than those secrets will be if I store them on "the cloud". It takes a court order (which isn't easy to get in most places since the banks tend to fight them tooth and nail) or a gang of seasoned bank robbers with a lot of time on their hands and some very heavy equipment to lift my secrets from that vault. On "the cloud" the only thing standing between my secrets and Russian mafia hackers is a badly paid marginally competent sysadmin in an IT sweatshop in India.
Only to idiots, are orders laws.
-- Henning von Tresckow
The problem is you can't trust anyone with your data. For the systems to do something (other than store) your data it must be unencrypted. If it's unencrypted, it's not safe from prying eyes. (Internal sysadmins and external eavesdroppers who have compromised systems in the cloud.) End of story.
Remember there's two kinds of trust, "I'm giving you they keys to the kingdom and I believe you won't do anything bad while I'm not looking," and "I've locked everything and I trust the locks will hold against malicious attackers." You will never get trust #1 from anyone, especially not a corporation. And I don't trust locks will hold ; )
It's not a buzzword, it's a filterword. A buzzword is a word that describes a broad range of technologies and is useful for setting the scene, although a real technical discussion requires more focussed terminology. A filterword is a word used let you know that the person talking is an idiot and that you can safely disregard everything else that they say. Other examples include 'beowulf cluster,' and 'first post.'
I am TheRaven on Soylent News
Full homeomorphic encryption is, contrary to IBMs press team, still far from useable. In fact, there is no method in sight that could do the job.
What you Linux lovers really want is full homoerotic encryption. So you can hide your gay porn.
Shouldn't it have been the FIRST great challenge once things were up and running?
The future of technology depends greatly on the future of technology. Hooray for buzzwords
right...
Its more than a fad; its a rehash of thin-client computing.
My karma is not a Chameleon.
"Emerging encryption technologies" such as Gentry's doubly-homomorphic encryption (which is what the link points to) tend to have a major disadvantage: they tend to be horribly inefficient. We're talking 6 orders of magnitude minimum, probably more like 12 orders. Unless there's a major breakthrough, this is not going to help.
Cryptographic engineering solutions, like DRM, might help. But then again, they might not: they require lots of engineering effort from the cloud providers, which they have little incentive to perform; and even then, DRM technologies don't have the greatest security record.
Operating system security measures will probably be very useful to protect against attacks, not from the hosting provider, but from other clients. These measures are tricky and unlikely to provide "perfect" security, but can definitely make attacks much more difficult.
I predict that after conventional defenses are applied, the solution will be either be less paranoid, or don't move to the cloud.
And yes, I am a cryptographer.
I hereby place the above post in the public domain.
And thin-client computing is a rehash of greens screens connected to a mainframe.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
All that you need to do is encrypt the data portion with a key that's generated from two one-time pads of 256-bit random keys, and then wipe out all traces of the pads.
They the data will be secure, even from you. :-)
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
I understand that many people here are critical towards cloud computing. But the majority of people who use computers are not like the people on /. .
Most people do not know how to make their machines secure. Most people do not know how to encrypt their hard drives. Most people do not know how to protect against viruses or trojans. Most people even do not have backups.
I agree that for us geeks, the kind of security measures that we apply to our machines make our data safer than they would be in the cloud. However, I doubt that this is true for the majority of people who use computers.
I believe that cloud computing is more secure for most people. Of course it is right to improve the technology, make it better and even more secure. But it is wrong to assume that data is secure just because it is stored locally.
I just bought a terabyte drive for $79. Why would I want to store data in the cloud, when I can put it on a drive and have access to it immediately, and at a vastly higher bandwidth than any "cloud"? Why would I want some company to hold my files when I can hold them locally and at incredibly cheap rates and super high bandwidth? Why would I use software in the cloud, when it is dependent on an internet connection, when my internet connection is completely dependent on whether or not my next door neighbour pays his phone bills? And when will my mom let me out of the basement?
Shoes for Industry. Shoes for the Dead.
Amazon EC2 runs Ubuntu ... as does the Ubuntu on-site KVM-based "internal cloud." The sales point is being able to bounce your stuff from your own internal cluster to EC2 when you need a quick burst of capacity.
So it's as secure as Linux on the Internet ... or that the attacker has access to the hardware of.
OpenBSD anyone?
http://rocknerd.co.uk
It's not so much a rehash as an extraordinarily bad reimplementation of the client-server model. Look at the horror stories like AJAX you have to use to do it. The whole is papered together and the only thing that makes it even remotely usable is that the speed of computers and networks are such that it makes your average "Cloud" app feel like a slow version of a Windows 3.1 program running on a 386DX-33.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Since when have niggers been allowed to own property? Tell the truth; you stole that computer from a white person.
I make spelling errors despite my good intentions.
But my basic attitude is, that if you don't care about what you're saying enough to spell it, then don't write it. There are plenty of insightful people, who will write readable text.
Every problem has a solution that is simple, easy and wrong. Selling our Liberty for a little Security is a much too de
Cloud is a bit like "Smurf". It means whatever the speaker or listener wants it to mean.
Cloud computing is all vapour anyway.
The current system of "meta-moderation" is absolutely worthless. Deciding whether a post is good or not has no effect on whoever moderated it. Until they go back to a system where the moderations themselves are meta-modded, I, for one, refuse to participate. Maybe that's why I never get mod points any more, but if that's their attitude it's OK by me. Moderation is a responsibility that I took seriously, and I always meta-modded honestly. If that's not the type of moderator they want, it just means less work for me.
Good, inexpensive web hosting
Man... nobody remembers Al Bundy’s 10 commandments anymore?? :((
Please hand in your NO-MA'AM member cards right now.
Oh, and we get an Apple slashvertisement *every single freaking day* for a long time now. Nobody cares. Stop it.
And if you objected to point 1... please hand in your geek card, and prepare for a ass-kicking shitstorm. ^^
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Improvments to Craig's original work are already starting to come out. Smart and Vercauteren use integer arithmetic to obtain a more efficient scheme (though still not widly practical yet). Dijk, Gentry, Halevi and Vaikuntanathan show an even simpler (though not more efficient) scheme using integer arithmetics. In fact it's probably a good first paper to read for cryptographers interested in the area.
In light of these developments hardly a year since craig first released his results i see reason to hope for more improvments also towards efficiency (and basing the security on different and more common assumptions).
never the less for cloud computing applications where resource usage is carefully counted out and billed its hard to imagen such encryption technology being for a long time to come. neiche markets and applications could be another matter. for example something like a freenets/cloud where you can securely (privatly and correctly) farm out computation to be accessed from any client device with your key (for a comparable hit to performance). still, like freenet today the extent of the performance hit will most likely force it to remain generally unused for quite a while still.