Slashdot Mirror
Can the Cloud Be More Secure Than Your Own Servers? (Video)
Sarah Lahav, CEO of Sysaid, believes "the cloud" can be more secure than keeping your software and data behind your firewall and administering it yourself, especially for small and medium-sized firms. Why? Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.
We've talked to Sarah before, and probably will again. She has strong opinions based on her experience in IT, and is happy to share those opinions. So take it away, Sarah...
We've talked to Sarah before, and probably will again. She has strong opinions based on her experience in IT, and is happy to share those opinions. So take it away, Sarah...
Next question.
"...probably have lots more security experts and other IT people at their command than you do" well, i'm convinced ... here's all my data!
Can the cloud be more secure than your own servers? Yes.
Can the cloud be less secure than your own servers? Yes.
Guess what it costs me to have a connection so stable that it never goes down?
As it turns out, it is far more (measured over 5 years, the length of our ISP contracts) than proper redundancy in my equipment costs.
Airgap security is the only true way to keep system's secure from external threats.
Words like 'probably' and 'lots' sure do inspire confidence.
Amazon, Rackspace, et-al don't give a shit about your data.
They care about the data your data generates. That is backed-up, carefully guarded and controlled. Your data on the other hand, it stored on the B and C grade disks, tapes and run on any old CPU in the farm that is past it's prime.
Centralized data is great, for hackers. One target, lots of data, lots of reward. Targeting that one user, with the firewall? Not so much.
If you are managing your own server and have a 24/7 *dedicated* security team, then you probably can keep your servers as safe as Amazon and other serious cloud providers.
If you think you are safe because you are a master of setting up and updating your Linux distro of choice, you are not.
While a cloud server has more security resources, they also have more professional hackers targeting them, since a single exploit has a good chance of bagging all the cloud provider's customer data. Think attacks like the Sony breach were bad? Just wait until you can get Sony, Microsoft, Facebook and the state of Ohio all at once because they happen to be hosted by the same cloud provider.
OTOH, perhaps that might just be the best place to be when a zero day drops. A cyber criminal won't likely bother with a small business and just go straight for the 23 terabytes of customer data on the next rack over...
HA! I just wasted some of your bandwidth with a frivolous sig!
Oh wait, they do. Never mind. The (overused buzzword) Cloud is safer if you presently hire delinquent Nigerian children to protect your data and you host it on Brazilian porn servers.
That is where I get all of my information about how to operate securely: videos produced by security professionals and distributed through Flash.
Somebody flashes a badge, and they just hand your shit over, no questions asked... if they know what's good for them.
“He’s not deformed, he’s just drunk!”
In aggregate, it's probably true. Now, I'm sure *your* servers are more secure.
To make a transportation analogy, it is far safer to fly somewhere on a commercial airline than it is to fly a private plane. Heck, It's even safer to fly commercial than it is to drive. And yet I know a lot of people who are terrified of flying.
Don't get me wrong...someone is going to die in a commercial plane crash this year. And if you fly a private aircraft, your chances of dying in a crash of your own plane are exceptionally small - you'll probably never die in a plan crash if you fly yourself, tbh. But, from a statistical standpoint, you're still better off flying commercial.
Is it just my observation, or are there way too many stupid people in the world?
Where have the past 2 years major data breaches occurred: Off-Cloud.
But what about adjusting for Cloud vs Off-Cloud %-usage: Still no contest.
Science & open-source build trust from peer review. Learn systems you can trust.
Most drivers consider themselves to be above average. Why would that not extend to server operators?
Is it just my observation, or are there way too many stupid people in the world?
Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.
But those experts aren't regularly upgrading software I run on their cloud systems to fix security holes, nor monitoring my sites for exploits. So their expertise buys me little--other than the underlying infrastructure hopefully will be sound. That's all. That's not lot. The majority of security bugs/holes I've had experience seeing exploited were holes in application packages (think WordPress). Unless you mean hosting your resources on a specific application hosting provider who handles all upgrades (i.e. a hosted WordPress provider in this example, who guarantees up-to-date bug fixes on WordPress and some set of commonly used plugins).
What... a terrible... interviewer. "Talk to us" -- What kind of an interview question is that? Geez this was painful to listen to. I think this is the first /. video I've bothered to watch; is this typical?
If data is on my personal server and the US government wants to see it, they need a warrant.
If it's on a cloud server, they don't.
To a Lisp hacker, XML is S-expressions in drag.
Do they have:
-Rotating port knocking sequences?
-Logs?
-Custom firewall rules - ip blocking?
-Encryption?
-Reporting?
-Use Non-standard ports?
-hardware and software watchdogs?
-carefully controlled software?
-read only filesystems?
-Security Cameras?
Because these are a -few- of the security techniques I use.
More than likely though the are just as vulnerable to social engineering, probably even more so, than the average savvy user.
Show a badge, any badge, and some official looking paper work, and data/access is yours. All without any oversight too!
That's true, but if a hacker figures out how to crack one system in the host's server farm, they can probably crack many of the rest because the hoster probably uses the same equipment, setups, and conventions.
Whether that factor outweighs the extra expertise is hard to say.
Table-ized A.I.
Why is this taking megabytes of bandwidth to convey a message that could take kilobytes? Is there something visual about this concept that can't be communicated in writing? Stop the dumbing down of of /.
This is like saying that Budweiser has better beer than a local brewery because they have bigger vats and more distributors.
I think the trick to security is not in how many experts you have, but in how willing you are to cut corners to increase profits.
You are welcome on my lawn.
But I wouldn't be thrilled about it.
The problem with most of these providers do business in the US, or have assets there. This means that the quantity and quality of there security experts is meaningless, since they can be asked to step aside at any time, and must keep this fact secret from the customer.
Most of our NDA's force us to keep data as secure as we would keep our own private data, which makes it impossible to use these services, and notify immediately if there is a data breach. If we host data ourselves (using server software that we can inspect for backdoors), and a (local) judge orders us to give up the data, at least we know about it.
By now it's public knowledge that _all_ countries use espionage primarily for economic espionage, to give there own companies an advantage, so as a non-US company, you are the target, terrorist are just an excuse.
YOU CANNOT BE SERIOUS!!!!
She is the CEO of a cloud based company. What the fuck do you expect her to say?
The real question is not...is the cloud secure? The question is...who is more likely to be a target of hackers?
Can cloud services be made secure? Of course it can. But it doesn't necessary mean that it is. It all depends on policies and procedures which you, as an end user, have absolutely no say in. And what happens if there is a data breach? You get a year of free credit monitoring. Thanks for playing. There is no implicit guarantee, or liability, on their part.
If you are a hacker who will you target? Me - with maybe a few credit card details or Amazon with millions or credit card details. The answer is obvious.
When it comes to the cloud I am reminded of the Tony Montano (Scarface) quote: "Who do I trust? ME!".
Depends, do you have a dedicated security team?
The security grunts are paid in Alpo, and the supervisors are paid in Meow Mix. I also pay their medical.
Start with the fact that cloud services are big, ripe, juicy targets for anyone and everyone. Continue that there's probably never a time when their service isn't under some kind of attack in one way or another. Add in the fact that my server contains nothing of any real value to anyone but me. And extrapolate that to a very low likelihood that anyone would bother to take the time to attack my server. Consider also the fact that the cloud provider has to succeed 100% of the time to make my data secure while the hackers can fail almost forever and only have to succeed once.
I'm going to go with the fact that my data is more secure in my server at home than it would be in the cloud.
Of course, small businesses without a dedicated security teams are legitimate targets. But whether they store their data in the cloud or in company servers, their business internet connection is vulnerable to attack and provides a much easier road into the cloud storage than trying to directly attack the cloud servers. So realistically, the businesses accessing the cloud servers in bulk are a significant vector for attacking a cloud service. As a result, it doesn't matter where the business stores its data, it is no more or less vulnerable to attack in either location.
When it comes to large corporations, they are bigger targets but they have the budget to hire security experts just like the cloud provider has. So while they too are probably under constant attack 24/7/365, they are not necessarily any more or less vulnerable than the cloud provider.
So on balance, I'm going to go with no, the cloud does not necessarily make your data any more (or less for that matter) secure than not using it.
Of course it can be more secure.
Unplug it and bury it in cement. It works for all servers, but Amazon has deeper holes in which to bury them.
There's often a lot of focus on actual/active security, and a lot less on determining the need for that security. Think of security like a power-to-weight ratio for performance.
The goal isn't to have great security. The goal is to have no successful attacks. "no successful attacks" is approachable from two primary vectors: "successful" and "attacks". Security focuses on the successful vector, by resisting.
Certainly, when it comes to contracting a provider, or rolling my own, a big provider might be better than I am. Of course, I can hire a consultant and get the best of both, and a big bill to match.
Obfiscation is not security. But it is a reduction in the actual number of attacks -- so long as it's working, of course.
I've been with small providers, I've been with large providers, I've been with Rackspace, and I've rolled my own.
The truth is that all four scenarios have had plenty of attempted attacks. But dive a little deeper, and something way more interesting appears.
When I rolled my own, I got loads of random attacks, mostly from China. Nothing persisted for very long. Nothing was particularly focused. And nothing was complicated. Almost all were easily dodged with standard surface-area-of-attack controls, like closing unused ports and not having general server bloat.
When I was with Rackspace, I had loads of help from their excellent support teams, and on occasion, wow did I ever need it! Persistant attacks, lasting for days, targeted attacks, ddos attacks with large systems on the other end. At one point we had over a dozen rackspace support personnel just fighting to kill stuff fast enough to keep performance up long enough to identify and resolve the issue without needing to take the server entirely offline.
I was very happy with Rackspace, and was with them for a decade. Now I'm rolling my own again, things are just much more stable that way.
So what's your preference? Being in a military compound, protected by a thousand soldiers in the middle of a war-zone; or being completely unprotected, on a mountain side, in upstate montana?
I'm choosing big-sky country, personally.
Also, I believe that Rackspace is partnered with a very familiar government spy agency quite directly -- since they both moved campuses at the same time the other year, and I was greeted quite aggressively, as you would imagine, when I visited Rackspace for a tour, and accidentally pulled up to the unmarked neighbour. Probably appropriately so, given that it was on a september 10th.
Haven't you already insourced your operations to the lowest bidder?
"probably"
*sigh*
"If any question why we died, Tell them because our fathers lied."
Our company contracted with an external supplier to manage an application for us that we had been managing in house. We got the usual assurances about their data centre, nailed down the SLA, and did a PIA. All good. As we were working with them to get our data moved over one of our sysadmins came upon a SQL Server admin id/password, unencrypted, in one of their .ini files. It was pretty generic (the name of the application with a few numbers instead of letters). That looked suspicious to us, so we contacted another one of the same vendor's hosted customers and said,"I'll bet we can guess your SQL Server admin password in one try." Turned out they were using the same admin credentials for all their hosted customers databases. Which they kept unencrypted in an .ini file.
So yeah,maybe their data centre was secure, but their application level management was amateur hour. And it was a bit of a fluke we discovered that.
Needless to say, we never did move the application into the cloud. They promised to fix the problem when we brought it to their attention, but we didn't trust them after that. And even though they arguably violated the terms of our SLA, they were such small potatoes that there was no point getting the lawyers involved.
since when number make it for skill in IT security ?
It is also easy to secure a base image, try to secure the customer code. this is where it fail you're code does not become secure if you run it at amazon....
Her entire view is accurately reflected in the summary: cloud providers "probably have lots more security experts and other IT people at their command than you do." Of course, if you talk to a "security expert," they will tell you many things about what you can do that you can't do when you move to a commercial cloud. Things such as monitor all traffic going into and out of your servers, and perform forensics on systems you believe might be compromised. It is much easier for cloud providers to stay quiet about small intrusions (that is, intrusions that are small to them, but not necessarily to you), and they have a financial incentive to do exactly that.
There are many good reasons to occasionally put services and data in clouds, but that doesn't make stupid claims like this valid.
BEGIN SARCASM
The preceding is the opinion of our sponsor, Amazon.com. Slashdot makes no claims as to the veracity of the content contained therein.
END SARCASM
Clouds may have better defenses, but they are also bigger targets.
enough said.
Please elaborate.
If you don't trust your cloud provider then, no matter how many expert they have your data is not secure
Is there a transcript? I don't have time to watch the video as I'm getting my hair cut on my barber's advice.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Why are we talking to Sarah The CEO again and again? Let her buy advertising.
Could you at least get some decent audio if you are going to do these? I listened to the first 10 seconds and could not stand the sound. Also you have a smart audience, we would much prefer to just read the story. We all thought the book was better.
It doesn't matter how good your security is if your endpoint is not protected.
Wow, you have a server farm with a staff of PHD's. Good for you.
The guy who bought some space on your cloud service runs windows xp and likes to look at doggy porn.
He is still going to get hacked and there is nothing your cloud security can do about it.
That "answer" is nonsense; having more minimally paid and competent "security" staff is no indication of the quality of the actual security.
You want security? Make the bosses go to jail if a business is breached. THEN they'll spend the time and money to provide security.
If you make physical backups and transport of-site I would still go local. If not maybe your better off in the cloud. Still you are a much bigger target in the cloud than on your own little box.
Do the cloud providers make any kind of offline backups?
Bunk. BS.
1) She has a vested interest in presenting that her systems are secure.
2) She offers a weak link in the data chain. Every time any link is added the system gets LESS secure. Adding a weak link further weakens the system.
Only non-secure data gets stored on the cloud. Remember, it's like a postcard.
I'll provide my own security.
Joe-Bob, You sell Gee-wiz-bang-product. Do you think everyone in the world should buy it?
Answer: Of course they should.
Duh.
Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.
Oh yes, and because of this, your cloud environment is automagically more secure.
Did we suddenly become ignorant of these things called contracts? More often than not, I've found that the devil is in the details as to just how much "other IT people" actually have to give a shit about your cloud environment when it goes down for any reason.
The IT and security experts just protect the cloud infrastructure, but cannot do anything if your "cloud" app (be it a web app or a vm instance) gets hacked and all your data stolen....
"Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do."
That has to be one of the stupidest statements ever. Bimbo does not even cover it. Hey blondie, how many security experts did the NSA have when Edward Snowden walked out the door with a flash drive full files.
"Were more secure because we employ more security experts." Tell that the China...
Her second sentence in the video 00:48 she says:
I'm not saying more secure.
Roblimo you just suck. You;re WAY past your expiration date.
Do you really trust the competition, (specifically Amazon ), to keep your data secure?
If you're in business, you're selling something and Amazon is competing--remember they "Sell Everything from A to Z".
Where Amazon and Microsoft at least know and cover the basics, and make a serious effort most companies haven't the resources, people, or expertise to keep their servers even remotely secure.
If you are a supreme security expert perhaps 'you' could make a more secure system. Now ask yourself, how many third rate hacks think they are a supreme security expert, or worse how many companies don't even have that.
(If at first you don't succeed, do it different next time!)
Sure, they likely have more security people on the payroll but they have a ton of data mining jackasses on the payroll also.
for every time some one told me that their on-premise is more secure than cloud. To be very fair, the first thing you should look at it is where your security risks, threats, and exploits are arising. If we look at most security failures its almost exclusively due to disgruntled current or former employees within the IT organization or misconfigured external-facing software that is easily broken into. While yes the Chinese, North Koreans, or NSA are probably trying to hack the AWS, Azure, SoftLayer, and Rackspace clouds where is the likelihood of failure, a disgruntled employee walking out with data or one of the above attacking a large cloud provider.
This really akin to the argument of local gun control versus a terrorist threat. The terrorist threat is absolutely a scarier and much large potential loss, but more likely then not if you have a gun in your house - you are much more likely to be killed with it.
So it comes down to the following: would you rather be checking for a very large threat that impacts not just your organization, but many others and the solvency of an Amazon, IBM, Microsoft or Rackspace or would you rather be doing it all yourself in a very small environment that is much less a target likely much easier to penetrate especially by internal employees. BTW, last time I checked you get a bill when you try to move data out of S3 so you have trail whereas someone can stick a USB drive directly on your server and walk out.
Is unplugged, encased in concrete, at the bottom of the ocean.
And even then...
It is pitch black. You are likely to be eaten by a grue.
"We've talked to Sarah before, and probably will again...So take it away, Sarah..."
Overfamiliarity kills professionalism.
Someone who sells cloud storage advocates that it's safer than doing it yourself. The question isn't worth much until it's answered by someone with no horse in the race.
BeauHD. Worst editor since kdawson.
To suggest that the larger number of staff at a cloud data company proves the operation is more secure is completely illogical because the more staff there are the greater the probability that one of them is corruptible or likely to turn on their masters, just ask the CIA.
The bigger question is, is it still your data in the cloud? If you miss a bill payment will you be able to access it? If the cloud owner doesn't pay the telecom provider or the data center will you be able to access it? What if they file for bankruptcy? Or have their servers repossessed? How ironclad is that contract? They may have oodles of security but is that really what you would base your business decision on? Just some things to think about...
*narf!*
She's not talking to YOU. She's talking to Your Boss who think's he's hip with IT because he reads Slashdot. Or Your Boss' Boss. Or Your Boss' Golfing Buddy. She's a CEO, so she's aiming to get her name higher with other CEO's who thinks it is his/her job to raise the latest Bullshit Bingo Buzzwords to those who will be in the know.
Is based in a nation and its laws and legal amendments:
Staff are very willing work for the government when asked, requested or have always worked for the government.
An enthusiastic surveillance partner going back decades or years?
How good is the legal department when facing paper work thats not a fax from a law enforcement official? That national security letter (NSL) with a request to add hardware on site long term?
Got some FISA Amendments Act (FAA) paperwork, ready for the FREEDOM Act?
Domestic spying is now "Benign Information Gathering"
Betteridge's law of headlines applies here.
Okay, while it's theoretically possible to configure a home server to be less secure than a "cloud" solution you would almost have to go out of your way to do so.
It's lovely that a spokesperson from a Cloud provider wants to reassure us that using their services is secure, but:
What assurances do you have that they're not sharing your data with their partners or anyone else with enough cash?
What co-operation will they provide when a TLA (three-letter agency) shows up at their door, and will they tell you?
Is their replication/backup strategy as robust as they say it is?
What happens to your data when their company goes belly up?
How many security breaches have they had in the past 24 months? Would they tell you?
What scope is there for expansion should your needs grow?
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Cloud insecurity is similar in scope to large corporation security. The more folks have access to your hardware or your network, the less secure it becomes.
Sure it may have stellar PHYSICAL security, but your systems are merely one cash payment to an employee ( that you didn't get to screen ) who has a debt problem away from compromise.
At least if you own the data center and the hardware, you get to pick the employees and what level of access they will have to it.
In " The Cloud ", those choices are no longer made by you or even your company. You just have to hope your Cloud Provider is up to the task.
That said, I think I would keep my hardware and data under my direct control.
The multi-tenant nature of the public cloud is fundamentally less secure than an on-premises single-tenant environemtn. Why? One example is a class of security exploits which allow a guest Virtual Machine to gain control of its hosting hypervisor operating system. Since anyone can setup a VM on the public cloud, which may run on the same physical machines as your company's VMs, this exposes you to an attack vector that simply does not exist on-premises. Here is one such example:
https://securityintelligence.c...
No amount of bug fixes, hand waving, and certifications can make this problem disappear; it is fundamental to the design choices of cloud hosting companies.
Most drivers consider themselves to be above average. Why would that not extend to server operators?
It's worse than that. Servers are much, much, much more complex than cars. If you have the secret formula for coca-cola, sure, keep it in house and put a billion dollars into securing it, although it really shouldn't be on any internet connected machines at all. But 99% of other stuff, who gives a crap?
See the number of massive public breaches we've had in the last few years? The guys at those companies thought their systems were okay, too.
1. Place an infected document in a .zip file and put it on the cloud (wan) and download it back down to your corp network (lan) and run it, same outcome.
2. Build a XSS or JS Framework Hack impacted website and put it in the cloud, still has the same risk hack problem.
Somethings need more security, somethings don't. Don't put your trust in something when the something has no control over the trust.
Law #101 of security in a insecure world.
Yes, you do need a data center of your own. Trusting the people who run cloud providers or their security is utter foolishness.
Too squeaky, didn't listen..
The big targets are so very juicy. I can't see a team of world class hackers attacking my usedshoes.com site with $80 in annual sales. With a major cloud provider I can see national governments sponsoring hacks so robust that they may very well get agents hired on as staff within the provider themselves. Then once you are in the rewards are so very massive.
Yes, you do need a data center of your own. Trusting the people who run cloud providers or their security is utter foolishness.
If you have the very significant resources to manage and protect your own data centers at similar level (in this scenario you definitely not have only one data center location), then yes that is an option. Most people - and especially medium scale Linux admins who think they are very good -- seriously underestimate what resources and investments they need to have locally to match or exceed this level.
First, let's get the one thing out of the way. Anybody who makes money from "the cloud" (i.e. the 1960's client-server+leased time/storage model re-branded for gullible millennials) is going to promote the idea that it's better than the alternative. Nothing new there. Now for the fail:
With the "cloud":
1. Your data is vulnerable when you ship it via the internet from your own (possibly improperly-secured) systems, through your ISP's (possibly insecure) systems and all the intermediate (possibly insecure) systems.
2. Your data sits on some unknown number of (possibly insecure) servers you do not control or own or even have access to. You have no idea how often your data is replicated, moved between servers etc potentially being lost/corrupted/stolen/copied and no idea where all the copies generated physically are stored and who has access to them.
3. Your data is vulnerable when you ship it via the internet through all the intermediate (possibly insecure) systems and through your ISP's (possibly insecure) systems back to your own (possibly improperly-secured) systems.
Without the "cloud":
Your data is under your control secure within your hardware at your site and only as vulnerable as you decide to make it.
What SHOULD be obvious, but apparently is not to many people:
1. If you do not have physical control of your data, it may not be your data anymore.
2. "The Cloud" is a marketing breakthrough that was created to help the new giant computer monopolies (Microsoft/Apple/Google...) make more money to make Wall St happy about "earnings projections" and "growth forecasts". When you have near monopoly in your traditional marketspace, you have no room to grow by expanding your customer base, so the new task is to squeeze more money out of your existing customers. This is what all these companies are doing (it's why Adobe has gone this route too). They are going to the very business models they became rich by destroying. They knocked the old big companies off their thrones by selling the idea that you buy software and hardware ONCE and then own and control it back in the 70's and early 80's when the dinosaurs were living large on the leased systems and monthly maintenance fees model. Now that the old rebels are on the thrones, they have discovered that they like the dinosaur model and have duped an entire generation into thinking it's good for them, by calling it a fluffy white cloud - only it's FAR WORSE than the old model because now it's far more vulnerable since it sits atop an insecure internet AND they are data-mining. They have become the very evil corporate titans they once fought to tear down, but with an even more evil spying soul.
As soon as your data is put into a "cloud" then it's already been compromised as it's now in the possession of a third party.
Even if it's heavily encrypted then it's just a matter of somebody wanting to spend the money/time to break it.
"The cloud" is a totally stupid idea for anything but public domain or lightly copyrighted data (e.g. Wikipedia, Archive.org etc. etc.)
Anyone putting their actual business or personal data into "the cloud" is a total idiot.
With all the NSA, CIA, FBI, DOD, and other TLAs snooping EVERYTHING on the internet the actual movement of the data MUST be included in the security analysis. Unless one uses some rather extreme and hardened encryption the data will available for the TLAs to peruse. So it comes down to using 2K or 4K encryption keys and keeping those key private, only using known secure methods of transmittal, mail or courier to disburse them. The Constitution and Bill of Rights protections seem to have been thrown away even though the "oath of office" clearly says "support and defend the constitution of the US" it seems that it has been ignored. Like someone said "it's only a piece of paper" When will someone bring charges on these high and mighty Gov. officers, take them to court and take back our Constitutional rights?
Ah, I see, you're merely trolling. Well, alright. Have fun with that.
This is funny we have this video, then we have this http://yro.slashdot.org/story/15/11/04/2059230/nine-out-of-ten-of-the-internets-top-websites-are-leaking-your-data
only a few hours apart.
2/10 would bang
Harsh Dude. She's easily a 5/10.
P.S. How desperate are you that you're willing to take 2/10? 5/10 is my minimum requirement.