Can the Cloud Be More Secure Than Your Own Servers? (Video)
Sarah Lahav, CEO of Sysaid, believes "the cloud" can be more secure than keeping your software and data behind your firewall and administering it yourself, especially for small and medium-sized firms. Why? Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.
We've talked to Sarah before, and probably will again. She has strong opinions based on her experience in IT, and is happy to share those opinions. So take it away, Sarah...
Amazon's data center. Since they have more security experts and IT people there's more points of failure.
While a cloud server has more security resources, they also have more professional hackers targeting them, since a single exploit has a good chance of bagging all the cloud provider's customer data. Think attacks like the Sony breach were bad? Just wait until you can get Sony, Microsoft, Facebook and the state of Ohio all at once because they happen to be hosted by the same cloud provider.
OTOH, perhaps that might just be the best place to be when a zero day drops. A cyber criminal won't likely bother with a small business and just go straight for the 23 terabytes of customer data on the next rack over...
Somebody flashes a badge, and they just hand your shit over, no questions asked... if they know what's good for them.
Start with the fact that cloud services are big, ripe, juicy targets for anyone and everyone. Continue that there's probably never a time when their service isn't under some kind of attack in one way or another. Add in the fact that my server contains nothing of any real value to anyone but me. And extrapolate that to a very low likelihood that anyone would bother to take the time to attack my server. Consider also the fact that the cloud provider has to succeed 100% of the time to make my data secure while the hackers can fail almost forever and only have to succeed once.
I'm going to go with the fact that my data is more secure in my server at home than it would be in the cloud.
Of course, small businesses without dedicated security teams are legitimate targets. But whether they store their data in the cloud or in company servers, their business internet connection is vulnerable to attack and provides a much easier road into the cloud storage than trying to directly attack the cloud servers. So realistically, the businesses accessing the cloud servers in bulk are a significant vector for attacking a cloud service. As a result, it doesn't matter where the business stores its data, it is no more or less vulnerable to attack in either location.
When it comes to large corporations, they are bigger targets but they have the budget to hire security experts just like the cloud provider has. So while they too are probably under constant attack 24/7/365, they are not necessarily any more or less vulnerable than the cloud provider.
So on balance, I'm going to go with no, the cloud does not necessarily make your data any more (or less for that matter) secure than not using it.
Our company contracted with an external supplier to manage an application for us that we had been managing in house. We got the usual assurances about their data centre, nailed down the SLA, and did a PIA. All good. As we were working with them to get our data moved over, one of our sysadmins came upon a SQL Server admin id/password, unencrypted, in one of their .ini files. It was pretty generic (the name of the application with a few numbers instead of letters). That looked suspicious to us, so we contacted another one of the same vendor's hosted customers and said, "I'll bet we can guess your SQL Server admin password in one try." Turned out they were using the same admin credentials for all their hosted customers' databases. Which they kept unencrypted in an .ini file.
So yeah, maybe their data centre was secure, but their application level management was amateur hour. And it was a bit of a fluke we discovered that.
Needless to say, we never did move the application into the cloud. They promised to fix the problem when we brought it to their attention, but we didn't trust them after that. And even though they arguably violated the terms of our SLA, they were such small potatoes that there was no point getting the lawyers involved.
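The two failures described in the comment above (a plaintext database password in an .ini file, and the same admin credential reused across every hosted tenant) are both cheap to detect before migration. The following is an added example, not code from the commenter or the vendor: a small audit script that parses tenant config files, flags secret-bearing keys whose values are stored in the clear, checks whether a password is just the product name with digits substituted for letters, and reports any credential pair shared by more than one tenant. The product name "HelpDeskPro", the key names, and the three tenant configs are constructed for illustration.

```python
import configparser
from collections import defaultdict

# Config keys that commonly carry secrets or logins in .ini-style files (assumed list).
SECRET_KEYS = {"password", "passwd", "pwd", "sa_password", "db_password"}
USER_KEYS = {"user", "username", "uid", "login"}

# Common letter-for-digit substitutions, used to spot "product name with numbers" passwords.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

# Constructed sample configs for three hypothetical hosted tenants of "HelpDeskPro".
# Tenants A and B share one plaintext SA password; tenant C uses a vault reference.
TENANT_CONFIGS = {
    "tenant_a/app.ini": """
[database]
server = db01.internal.example
user = sa
password = H3lpD3skPr0
""",
    "tenant_b/app.ini": """
[database]
server = db01.internal.example
user = sa
password = H3lpD3skPr0
""",
    "tenant_c/app.ini": """
[database]
server = db02.internal.example
user = tenantc_app
password = ${VAULT:db/tenant_c}
""",
}


def is_plaintext(value):
    """Treat vault/encrypted references as acceptable; anything else non-empty is a literal secret."""
    return bool(value) and not (value.startswith("${") or value.startswith("ENC("))


def deleet(text):
    """Undo simple digit/symbol-for-letter substitutions and lowercase the result."""
    return "".join(LEET.get(ch, ch) for ch in text).lower()


def _parse(ini_text):
    parser = configparser.ConfigParser(interpolation=None)  # no % interpolation surprises
    parser.read_string(ini_text)
    return parser


def find_plaintext_credentials(ini_text, app_name):
    """Return (section, key, looks_like_app_name) for every secret key stored in the clear."""
    findings = []
    for section in _parse(ini_text).sections():
        for key, value in _parse(ini_text).items(section):
            if key.lower() in SECRET_KEYS and is_plaintext(value):
                weak = deleet(value) == app_name.lower()
                findings.append((section, key, weak))
    return findings


def find_shared_credentials(configs):
    """Map each plaintext (user, password) pair to the tenant files using it; keep pairs seen more than once."""
    seen = defaultdict(list)
    for path, text in configs.items():
        parser = _parse(text)
        for section in parser.sections():
            items = dict(parser.items(section))
            user = next((items[k] for k in USER_KEYS if k in items), None)
            pwd = next((items[k] for k in SECRET_KEYS if k in items), None)
            if user is not None and pwd is not None and is_plaintext(pwd):
                seen[(user, pwd)].append(path)
    return {cred: paths for cred, paths in seen.items() if len(paths) > 1}


if __name__ == "__main__":
    for path, text in TENANT_CONFIGS.items():
        for section, key, weak in find_plaintext_credentials(text, "HelpDeskPro"):
            note = " (looks like the product name with substitutions)" if weak else ""
            print(f"{path}: plaintext secret in [{section}] {key}{note}")
    for (user, _), paths in find_shared_credentials(TENANT_CONFIGS).items():
        print(f"credential for user '{user}' is shared by {len(paths)} tenants: {', '.join(paths)}")
```

Only the presence of a literal value and the tenant paths that share it are reported; the password itself is never printed. In a real review the same two checks run over the vendor's deployment tree and the expected result is zero plaintext hits and zero shared pairs, which is the bar the commenter's vendor failed.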
Depends on who you want to protect your data from. NSA may be guzzling every bit from any Amazon datacenter, but they won't (well, usually) ruin your company by selling your patent application to the highest Chinese bidder a few weeks before you file it. And likewise, it does not take large scale data seizing to ruin you. It only needs getting hold of YOUR data.
But of course you're right if your data is of interest to the NSA more than to regular criminals. There is never such a thing as "more secure". There is only "more secure against X".
bickerdyke
Yes, your criminal organization has different requirements than an honest business.
You're saying HIPAA compliance is criminal, are you? You're saying that protecting client/lawyer confidentiality is criminal, are you?
I don't think you've thought this out very far...