Cloud Security: What You Need To Know To Lock It Down
Nerval's Lobster writes "IT security writer Steve Ragan writes: 'The word "cloud" is sometimes overused in IT—and lately, it's been tossed around more than a football during a tailgating party. Be that as it may, organizations still want to implement cloud-based initiatives. But securing assets once they're in the cloud is often easier said than done.' He then walks through some of the core concepts of cloud security, along with the companies operating in the space."
the only safe cloud is a dead cloud.
Easy solution: Don't do it. There, I saved you having to RTFA which is just spam to drive hits to Slashdot's Cloud page.
If you want something to be secure, you have to store it in house.
There is no guarantee that once you put it out on "the cloud" that someone else won't reach for it.
In the "beginning" was the text terminal connected to a server through a cable. Fast forward half a century. Now it's the mobile smartphone connected to a server cluster via radio waves. What's the big deal?
From the article:
"When you sign a Business Associate agreement, there's a level of liability that the business associate accepts. They openly acknowledge they have to operate within the HIPAA security rule like any covered entity. Understandably, none of the current cloud providers are willing to do that."
That says it all. The major cloud providers won't accept responsibility for security in their own systems.
'it's been tossed around more than a football during a tailgating party'
The hell does that even mean? I need a car analogy, STAT.
The cloud provider effectively has physical access to your machine, which is game over for any sort of security. Even if you use full disk encryption, you're going to have to decrypt it, and that means your key will be in RAM. A motivated spy in the cloud provider would have little trouble dumping your VM's RAM and decrypting everything.
You might be able to get away with running machines locally, and using the cloud for storage, if you encrypt everything locally and only store encrypted data in the cloud. But that removes most of the benefits of using the cloud in the first place.
Give me Classic Slashdot or give me death!
I thought people ate bad food and drank bad drinks at these so-called tailgating parties. Do they really also throw a ball around?
Is it my intranet-cloud managed by my IT department?
Is it a dedicated cloud that my company out-sources, but which is not used by anyone else? If the servers in this dedicated cloud are virtual, are the real servers also dedicated to just my company? To the extent that there is un-encrypted communication between virtual or real servers, is the physical network the traffic travels on dedicated only to me, as it might be if all the equipment was on the same rack?
If the servers are outside of my physical control, is all persistent storage encrypted? If not, do I care if it leaks?
If the network traffic is not encrypted, what assurance do I have that nobody who isn't on my company's payroll can snoop it, or that if they do I can live with the consequences?
That's just for security from leaks.
There's a whole other set of issues related to downtime and other issues that are different with "cloud" data storage vs. in-house data storage.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Don't use the cloud.
Step #2
We don't need no stinking step #2.
White paper, shite paper.
What really counts are their actions when the shit hits the fan.
In-house computing is like having a corporate car or fleet of cars owned or leased by your company, dedicated to its use.
Shared-cloud (vs. intranet-cloud, managed in-house) computing is as if you paid a car-rental company $X/year for the right to have any of your employees walk up to the rental counter and be issued a car at any time day or night, without any additional payment and without any lack of availability beyond what was negotiated in the master contract.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Locally-encrypted backup-to-the-cloud is a viable, marketable service. This works both on an "intranet" basis for departments that don't, or for legal reasons can't,* trust IT with access to their data but who want the physical security of their backups managed by IT as well as on the "internet" as an outsourced-backup arrangement.
* Human Resources and departments that have certain external contractual obligations may not want to allow anyone outside of their department to have access to un-encrypted data or encryption keys. In certain industries like defense or medical care, the entire business may function like this.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I outsource my tech-news aggregation services to a trusted outside vendor and I suspect you do too.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Cloud Security: What You Need To Know To Lock It Down
You spray it with a silver lining.
"The most important thing to remember when you’re storing or processing sensitive data in the cloud is that you are still fully responsible for the security of the data, and you are fully accountable if that data is lost or stolen,” Shaul concluded. “Even if your cloud provider offers some security services or indemnifies you for losses resulting from a breach, if your data is stolen, it’s still your problem.”
This is a resounding vote for private cloud. At the very least, if you're thinking of deploying an application to a public cloud provider, better make sure that you have the cloud implementation fully operational in your own data center. Then, if you like how it works, you can incrementally migrate pieces of it to the public cloud. There may be a core component that has to remain in house for security reasons, and that's fine, that's simply being realistic.
Parity: What to do when the weekend comes.
If you run a server room (or rooms) then you can put a couple "retired" Marines at the door and have them SHOOT anyone not authorized to enter.
With THE CLOUD you don't know exactly which door (or even which BUILDING) currently has your data.
(hint: 10/10 is the Marine Corps Birthday)
Any person using FTFY or editing my postings agrees to a US$50.00 charge
"The word “cloud” is sometimes overused in IT" = Understatement Of The Year
Unequivocally the realest of the realz...
All that's needed to make a cloud acceptably secure is to manage the cloud infrastructure in-house. As long as the employees with access to the data are your own and the software and data are on servers that belong to you, you're good. In fact, all you really have to do is start calling your current IT department "the cloud" to get whatever ignorant asshat keeps bothering you about "moving to the cloud" off your back.
I don't understand the need to state the obvious. Are so many people jumping on the "cloud" just to say it in marketing material that they don't even have common sense? Anyone this stupid deserves to have their data stolen.
For some guys like me the cloud has its uses. It lets my little company set up an automated backup of our critical server data to a 2nd provider (encrypt then forward). For a large company though the operations should be an in-house "cloud" for data backup. Anything requiring real security needs to be stored on raw hardware. I'd be less concerned about compliance with regulation if a small company is taking care of something than a large company. A small company with limited data might end up compromised although the damage will be minimal. That's why you get insurance. However a large company has no excuses. The scaling that is done means you should have the money to do things in house with background checks of employees, etc. If you control 1/10 of the country's customers or more you should be compliant with regulations. If it's less I'd be not so terribly concerned. It's when you end up with monopolies (as we almost always seem to) that I'd be concerned.
Why would you be throwing a 'foot'ball around with your hands instead of your feet, and why would you do that at a tailgating party?
And what exactly is a tailgating party?
What *is* this nonsense you are spouting?
Maybe before securing the cloud, we should secure millions of vulnerable desktops ...
The cloud is subject to arbitrary USA enforcement procedures; usually involving punishment before any proper judicial process.
Guantanamo, MegaUpload, ... all the same ... punishment without a trial. And you only need to watch programs like "Cops" to see it in action.
Yet, the US constitution says "... all people ..". It doesn't say "... only US citizens ...". But I am still trying to find the part that says "... guilty until proven innocent ...".
Period. There is no securing it, there are no workarounds to this. I own the hypervisor, I own the metal, I can look at everything that goes in there, I can do with your ass what I want. I can steal your data, I can falsify your data, I can impersonate you; you have no control and cannot defend against me.
It does not matter whether you encrypt your data IF you decrypt it on my machines. I can capture your decryption key. The only thing you could do is store encrypted data and never put the key on any of my machines. However that makes me your backup service, not "your" cloud.
There is NO SECURITY in the cloud beyond what I let you have.
WE OWN YOUR ASSES (tm).
I can encrypt my database and query it without having to decrypt it.* So yes I can.
*(http://www.forbes.com/sites/andygreenberg/2011/12/19/an-mit-magic-trick-computing-on-encrypted-databases-without-ever-decrypting-them/)
---Saying GNOME 3 is better than Windows 8 is not so much a compliment as it is damning with light praise.
(Go ahead and mod this flamebait. I just need to rant)
When I read the replies that always come up in these cloud discussions, I often wonder how many people on this forum are real IT professionals and how many are just people with opinions that were formed in a vacuum. When I read these cloud articles, I think about them in the context of large corporations with many divisions that are consolidating IT operations. I think of application silos, and business continuity/disaster recovery. I think of internal IT provisioning resources to departments and using technology like hardware and storage virtualization to be smarter about how they allocate resources. I think about rapid provisioning of test/dev and QA environments, or rapidly spinning up new servers to meet unanticipated growth or to address seasonal growth trends.
So many of the comments seem to be coming from people whose entire concept of IT revolves around their home music collections, or working in a very small company that handles everything in house. The idea of giving up control to a cloud provider in that context seems reasonable. But there are large uses for "cloud" technologies that far surpass the tiny use cases in the SMB market. Denouncing everything to do with "cloud" shows a really immature understanding of how the technology is being deployed in the real world.
If you are not up to speed on how virtualization and distributed computing environments can improve IT operations, your skills are probably stagnant and you either need to sharpen your skills, or pick another field. Whining about cloud being a buzzword is not doing you any good. It's just making you look irrelevant and out of touch. Having said that, I will be the first to admit that it is an annoying buzzword. But pointing it out is lame at this point. Even a broken clock tells the right time twice a day. If you cannot see how cloud technologies are relevant to IT, you are probably in the wrong discipline.
The only cloud service I use is OwnCloud, hosted on my own Linux server out of my own basement. I'm quite happy with it and the client side sync utility. It's a pretty nice product... leaving a LOT to be desired from other services like Dropbox. Though, Google Docs still takes the cake for online real time collaborative editing from multiple people at once.
I had a conversation with my dad on Clouds and in the end came up with only one really good reason for a cloud, public data that isn’t sensitive to the point of business failure. Everything else is going to be an issue with how much you spend on your cloud or how much risk you are willing to live with.
Just don't plan to stand on your cloud, you might fall through.
We had a security consulting firm look at EC2 for use in a HIPAA-compliant application. For the most part there were no showstopping issues. One of the difficulties with EC2 would have been that their built-in firewall does not allow you to log incoming traffic for threats, it only lets you block them. We would have had to implement and maintain our own software firewall on every host just for logging.