Slashdot Mirror


Cloud Security: What You Need To Know To Lock It Down

Nerval's Lobster writes "IT security writer Steve Ragan writes: 'The word "cloud" is sometimes overused in IT—and lately, it's been tossed around more than a football during a tailgating party. Be that as it may, organizations still want to implement cloud-based initiatives. But securing assets once they're in the cloud is often easier said than done.' He then walks through some of the core concepts of cloud security, along with the companies operating in the space."


  1. Lock it down by colinrichardday · Score: 5, Interesting

    The only safe cloud is a dead cloud.

  2. Insecure, and the cloud providers know it. by Animats · Score: 5, Insightful

    From the article:

    "When you sign a Business Associate agreement, there's a level of liability that the business associate accepts. They openly acknowledge they have to operate within the HIPAA security rule like any covered entity. Understandably, none of the current cloud providers are willing to do that."

    That says it all. The major cloud providers won't accept responsibility for security in their own systems.

    1. Re:Insecure, and the cloud providers know it. by rgbrenner · Score: 3, Insightful

      Did you actually read that whitepaper? Amazon says you should encrypt the data BEFORE uploading it to S3. Doesn't that tell you everything you need to know about S3's security? And to top it all off, at the end:

      Disclaimer

      This white paper is not intended to constitute legal advice. You are advised to seek the advice
      of counsel regarding compliance with HIPAA and other laws that may be applicable to you
      and your business. Amazon Web Services LLC. and its affiliated entities make no
      representations or warranties that your use of Amazon Web Services will assure compliance
      with applicable laws, including but not limited to HIPAA.

  3. Can't be done. by Hatta · Score: 4, Informative

    The cloud provider effectively has physical access to your machine, which is game over for any sort of security. Even if you use full disk encryption, you're going to have to decrypt it, and that means your key will be in RAM. A motivated spy in the cloud provider would have little trouble dumping your VM's RAM and decrypting everything.

    You might be able to get away with running machines locally, and using the cloud for storage, if you encrypt everything locally and only store encrypted data in the cloud. But that removes most of the benefits of using the cloud in the first place.

    --
    Give me Classic Slashdot or give me death!

  4. Step #1 by Nadaka · Score: 3, Insightful

    Don't use the cloud.

    Step #2
    We don't need no stinking step #2.

  5. Not all the benefits by davidwr · Score: 5, Informative

    Locally-encrypted backup-to-the-cloud is a viable, marketable service. This works both on an "intranet" basis for departments that don't, or for legal reasons can't,* trust IT with access to their data but who want the physical security of their backups managed by IT as well as on the "internet" as an outsourced-backup arrangement.

    * Human Resources and departments that have certain external contractual obligations may not want to allow anyone outside of their department to have access to un-encrypted data or encryption keys. In certain industries like defense or medical care, the entire business may function like this.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
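
Added example, not part of any comment in this thread: the locally-encrypted backup arrangement discussed in the comments above, sketched in Node.js with AES-256-GCM. The blob layout, the `LBK1` tag, the function names and the sample data are assumptions made for illustration.

```javascript
// Added example (hypothetical names): seal a backup locally so the storage
// provider holds only ciphertext, and any modification is detected on restore.
const crypto = require('node:crypto');

const MAGIC = Buffer.from('LBK1'); // constructed format tag, not a real standard

// The key is derived on the client; passphrase and key never leave it.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// AAD ties the blob to its object name, so blobs cannot be swapped between names.
function aadFor(name) {
  return Buffer.concat([MAGIC, Buffer.from(name, 'utf8')]);
}

// Blob layout: MAGIC(4) | salt(16) | nonce(12) | tag(16) | ciphertext
function sealBackup(plaintext, passphrase, name) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // fresh per blob; never reuse with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  cipher.setAAD(aadFor(name));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([MAGIC, salt, nonce, cipher.getAuthTag(), ct]);
}

// Throws on a wrong passphrase, a modified blob, or a blob stored under another name.
function openBackup(blob, passphrase, name) {
  if (blob.length < 48 || !blob.subarray(0, 4).equals(MAGIC)) {
    throw new Error('not a sealed backup');
  }
  const key = deriveKey(passphrase, blob.subarray(4, 20));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(20, 32));
  decipher.setAAD(aadFor(name));
  decipher.setAuthTag(blob.subarray(32, 48));
  return Buffer.concat([decipher.update(blob.subarray(48)), decipher.final()]);
}

// Restore helper: returns null instead of throwing when verification fails.
function tryOpen(blob, passphrase, name) {
  try { return openBackup(blob, passphrase, name); } catch { return null; }
}

// Constructed sample: the Map stands in for the provider's object store.
const provider = new Map();
const record = Buffer.from('employee,salary\nalice,100\n');
provider.set('hr/2013.csv', sealBackup(record, 'constructed passphrase', 'hr/2013.csv'));
console.log(tryOpen(provider.get('hr/2013.csv'), 'constructed passphrase', 'hr/2013.csv').equals(record));
```

This detects modification and substitution of a stored blob, but not deletion or the return of an older blob saved under the same name; catching those needs a locally kept version counter or manifest.
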

  6. Relevance of responses by dave562 · Score: 3, Interesting

    (Go ahead and mod this flamebait. I just need to rant)

    When I read the replies that always come up in these cloud discussions, I often wonder how many people on this forum are real IT professionals and how many are just people with opinions that were formed in a vacuum. When I read these cloud articles, I think about them in the context of large corporations with many divisions that are consolidating IT operations. I think of application silos, and business continuity/disaster recovery. I think of internal IT provisioning resources to departments and using technology like hardware and storage virtualization to be smarter about how they allocate resources. I think about rapid provisioning of test/dev and QA environments, or rapidly spinning up new servers to meet unanticipated growth or to address seasonal growth trends.

    So many of the comments seem to be coming from people whose entire concept of IT revolves around their home music collections, or working in a very small company that handles everything in house. The idea of giving up control to a cloud provider in that context seems reasonable. But there are large uses for "cloud" technologies that far surpass the tiny use cases in the SMB market. Denouncing everything to do with "cloud" shows a really immature understanding of how the technology is being deployed in the real world.

    If you are not up to speed on how virtualization and distributed computing environments can improve IT operations, your skills are probably stagnant and you either need to sharpen your skills, or pick another field. Whining about cloud being a buzzword is not doing you any good. It is just making you look irrelevant and out of touch. Having said that, I will be the first to admit that it is an annoying buzzword. But pointing it out is lame at this point. Even a broken clock tells the right time twice a day. If you cannot see how cloud technologies are relevant to IT, you are probably in the wrong discipline.