Slashdot Mirror


Can the Cloud Be More Secure Than Your Own Servers? (Video)

Sarah Lahav, CEO of Sysaid, believes "the cloud" can be more secure than keeping your software and data behind your firewall and administering it yourself, especially for small and medium-sized firms. Why? Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.

We've talked to Sarah before, and probably will again. She has strong opinions based on her experience in IT, and is happy to share those opinions. So take it away, Sarah...

11 of 220 comments

  1. No by Anonymous Coward · · Score: 2, Insightful

    Next question.

    1. Re:No by halivar · · Score: 3, Insightful

      Is it? That's 3 layers of armed security, each one under 24/7 surveillance. You have to get through each one. You would define worth rather by a risk/reward ratio, which makes that rinky-dink server closet a lot more tempting. Criminals seek low-risk opportunity targets.

    2. Re:No by tnk1 · · Score: 4, Insightful

      I don't see why you think more admins are equivalent to more failure points. You need more admins and audit staff to have a proper program to secure data. Using fewer admins is the equivalent of wishful thinking. You're hoping that your few admins are more trustworthy, but you lack the resources to enforce it because you can't separate duties. A large cloud company can enforce that precisely because they have more staff.

      I've worked for companies where there were only a few admins, period. There was no separation of duties for their data center, except maybe on paper. Any of the admins had complete power to grab anything they wanted and there was no staff that could adequately audit the logging and monitoring infrastructure to prevent the admins from simply disabling the logging and security monitoring. Extrusion of data was a piece of cake. All that was needed was motive to do so. Luckily, no one really cared to do so, but that was mere luck, not a security program.

      Larger cloud companies run regular compliance audits and have enough staff that separation of duties is something that really happens and can be made to work. For small and medium businesses, those cloud companies have objectively better security precisely because they can specialize their staff and realistically only grant access based on least privilege. There are checks and balances, and not all rights are in the hands of all powerful admins.

      Now, if you work for a big company, your IT staff may be at a level to support a comparable security program, but that will be because you have more admins, not less.

      As for "pre-compromised" open source, do you really inspect and compile all your OSS software? Extremely doubtful. Do you think that a large provider would purposely install compromised binaries or allow them to be installed by someone else?

      I understand that physical access is everything, but are you actually carrying out your carefully scrutinized software checks, or are you simply pointing out that it is possible to do so? Because, while anyone can compile their own OSS code, rarely have I seen anyone actually do that unless they need to, let alone run a code audit for vulnerabilities unless you're talking about the very highest security levels. For most SMBs, your argument is bogus precisely because they never actually take advantage of their ability to do so. They don't have the time or the staff or the expertise to do so.

      The worst part of all of this is that many in-house IT groups understand that they theoretically have more ability to control their own environments, but utterly fail to actually do so, because they can't get the resources nor do they have the motivation to do so. In the end, it just engenders a false sense of security.

      If you take the great number of SMBs in the market and add them to AWS or Azure or whatever, even though you might be theoretically opening them up to some issues, you will be realistically improving their actual security posture by a significant amount because now there is actually a real security program in place for their assets and data where there was not one before.

  2. Connection stability by Anonymous Coward · · Score: 2, Insightful

    Guess what it costs me to have a connection so stable that it never goes down?

    As it turns out, it is far more (measured over 5 years, the length of our ISP contracts) than proper redundancy in my equipment costs.

  3. Your Data is worthless by Anonymous Coward · · Score: 2, Insightful

    Amazon, Rackspace, et al. don't give a shit about your data.

    They care about the data your data generates. That is backed up, carefully guarded and controlled. Your data, on the other hand, is stored on the B and C grade disks and tapes and run on any old CPU in the farm that is past its prime.

    Centralized data is great, for hackers. One target, lots of data, lots of reward. Targeting that one user, with the firewall? Not so much.

  4. Most drivers are above average by Overzeetop · · Score: 4, Insightful

    Most drivers consider themselves to be above average. Why would that not extend to server operators?

    --
    Is it just my observation, or are there way too many stupid people in the world?

  5. Um.... maybe... sometimes.... it depends by Anonymous Coward · · Score: 5, Insightful

    Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.

    But those experts aren't regularly upgrading software I run on their cloud systems to fix security holes, nor monitoring my sites for exploits. So their expertise buys me little--other than the underlying infrastructure hopefully will be sound. That's all. That's not a lot. The majority of security bugs/holes I've had experience seeing exploited were holes in application packages (think WordPress). Unless you mean hosting your resources on a specific application hosting provider who handles all upgrades (i.e. a hosted WordPress provider in this example, who guarantees up-to-date bug fixes on WordPress and some set of commonly used plugins).

  6. Cloud is less secure in one critical way by alispguru · · Score: 5, Insightful

    If data is on my personal server and the US government wants to see it, they need a warrant.

    If it's on a cloud server, they don't.

    --
    To a Lisp hacker, XML is S-expressions in drag.

  7. Why the fuck is this a video by Anonymous Coward · · Score: 3, Insightful

    Why is this taking megabytes of bandwidth to convey a message that could take kilobytes? Is there something visual about this concept that can't be communicated in writing? Stop the dumbing down of /.

  8. wow by PopeRatzo · · Score: 4, Insightful

    This is like saying that Budweiser has better beer than a local brewery because they have bigger vats and more distributors.

    I think the trick to security is not in how many experts you have, but in how willing you are to cut corners to increase profits.

    --
    You are welcome on my lawn.

  9. In the words of John McEnroe... by erp_consultant · · Score: 4, Insightful

    YOU CANNOT BE SERIOUS!!!!

    She is the CEO of a cloud based company. What the fuck do you expect her to say?

    The real question is not...is the cloud secure? The question is...who is more likely to be a target of hackers?

    Can cloud services be made secure? Of course they can. But it doesn't necessarily mean that they are. It all depends on policies and procedures which you, as an end user, have absolutely no say in. And what happens if there is a data breach? You get a year of free credit monitoring. Thanks for playing. There is no implicit guarantee, or liability, on their part.

    If you are a hacker, who will you target? Me - with maybe a few credit card details - or Amazon with millions of credit card details? The answer is obvious.

    When it comes to the cloud I am reminded of the Tony Montana (Scarface) quote: "Who do I trust? ME!".