Can the Cloud Be More Secure Than Your Own Servers?

Sarah Lahav, CEO of Sysaid, believes "the cloud" can be more secure than keeping your software and data behind your firewall and administering it yourself, especially for small and medium-sized firms. Why? Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.

We've talked to Sarah before, and probably will again. She has strong opinions based on her experience in IT, and is happy to share those opinions. So take it away, Sarah...

No

Next question.

Re:No

[halivar]

Here's the next question: which room do I have a better shot at breaking into: your server closet, or Amazon's data center?

Re:No

[OverlordQ]

Amazon's data center. Since they have more security experts and IT people there's more points of failure.

Re:No

[halivar]

Is it? That's 3 layers of armed security, the each one under 24/7 surveillance. You have to get through each one. You would define worth rather by a risk/reward ratio, which makes that rinky-dink server closet a lot more tempting. Criminals seek low-risk opportunity targets.

Re:No

[johnwallace123]

Not necessarily. Think about Edward Snowden, who had to pass through all kinds of security to get access to the data that he leaked. Would it have been easier for him to go to Initech and be their lead sysadmin, leaking all of their proprietary data? Certainly, but the perceived reward to him wasn't worth the risk of doing that. However, his perceived reward in leaking the NSA documents was so great that he undertook a concerted effort to undermine the many levels of security they had in place.

Note: I'm not advocating for/against Snowden. Just using him as an example that not every person goes for the lowest hanging fruit.

Re:No

[bickerdyke]

Depends on who you want to protect your data from. NSA may be guzzling every bit from any Amazon datacenter, but they won't (well, usually) ruin your company by selling your patent application to the highest chinese bidder a few weeks before you file it. And likewise, it does not take large scale data seizing to ruin you. It only needs getting hold of YOUR data.

But of course you're right if your data is of interest to the NSA more than to regular criminals. There is never such a thing as "more secure". There is only "more secure against X"

Re:No

[RLiegh]

Yes, your criminal organization has different requirements than an honest business,

You're saying HIPAA compliance is criminal, are you? You're saying that protecting client/lawyer confidentiality is criminal, are you?

I don't think you've thought this out very far...

Re:No

[tnk1]

Breaking into your server closet is definitely worth it, if they have decided that you have data that they need. And you are no more able to resist the NSA than AWS would be. In fact, AWS probably has a better chance of fighting back against pseudo-legal actions that the NSA takes. Your company, unless it is another megacorp, would roll over almost immediately. That is, if they even needed to ask you for permission, which they probably don't.

AWS may be be less secure than we would like, but the safety of in-house security cannot be taken for granted.

I wouldn't use AWS for something I wanted to keep away from the government, but since I imagine most corporations are operating in a more or less legal fashion, the NSA is a non-factor for just about any business doing business on the Internet. And it is almost certain that they do as good or better at security than most in-house security teams because it is their business, not just a line item on the IT budget.

Re:No

[tnk1]

I don't see why you think more admins are equivalent to more failure points. You need more admins and audit staff to have a proper program to secure data. Using fewer admins is the equivalent of wishful thinking. You're hoping that your few admins are more trustworthy, but you lack the resources to enforce it because you can't separate duties. A large cloud company can enforce that precisely because they have more staff.

I've worked for companies where there were only a few admins, period. There was no separation of duties for their data center, except maybe on paper. Any of the admins had complete power to grab anything they wanted and there was no staff that could adequately audit the logging and monitoring infrastructure to prevent the admins from simply disabling the logging and security monitoring. Extrusion of data was a piece of cake. All that was needed was motive to do so. Luckily, no one really cared to do so, but that was mere luck, not a security program.

Larger cloud companies run regular compliance audits and have enough staff that separation of duties is something that really happens and can be made to work. For small and medium businesses, those cloud companies have objectively better security precisely because they can specialize their staff and realistically only grant access based on least privilege. There are checks and balances, and not all rights are in the hands of all powerful admins.

Now, if you work for a big company, your IT staff may be at a level to support a comparable security program, but that will be because you have more admins, not less.

As for "pre-compromised" open source, do you really inspect and compile all your OSS software? Extremely doubtful. Do you think that a large provider would purposely install compromised binaries or allow them to be installed by someone else?

I understand that physical access is everything, but are you actually carrying out your carefully scrutinized software checks, or are you simply pointing out that it is possible to do so. Because, while anyone can compile their own OSS code, rarely have I seen anyone actually do that unless they need to, let alone run a code audit for vulnerabilities unless you're talking about the very highest security levels. For most SMBs, your argument is bogus precisely because they never actually take advantage of their ability to do so. They don't have the time or the staff or the expertise to do so.

The worst part of all of this is that many in-house IT groups understand that they theoretically have more ability to control their own environments, but utterly fail to actually do so, because they can't get the resources nor do they have the motivation to do so. In the end, it just engenders a false sense of security.

If you take the great number of SMBs in the market and add them to AWS or Azure or whatever, even though you might be theoretically opening them up to some issues, you will be realistically improving their actual security posture by a significant amount because now there is actually a real security program in place for their assets and data where there was not one before.

Re:No

[Stone316]

What does it matter if Amazon has 100 or 1000 more IT personal than you?

The more I hear about cloud, the more I realize that everyone isn't talking about the same thing and truly doesn't understand it. Are you hosting your applications in someone else's datacenter and still maintaining them yourself? Are you paying someone else to support them? Or are you using hosted applications such as Salesforce.com?

The bottleneck in most part isn't the IT resources, its the failure of management to let their resources do the job properly. So in alot of cases it doesn't matter if you maintain your own server room or in the cloud. If your management won't allow downtime for security patches, or what not, then it doesn't really matter where your applications are. Unless your used hosted applications and have no control.

Cloud has nothing to do with who can do it better, but management taking a layer of risk off their own shoulders and making someone else liable. Speaking as someone who supports applications hosted in the "cloud".

well, i'm convinced

[fattmatt]

"...probably have lots more security experts and other IT people at their command than you do" well, i'm convinced ... here's all my data!

This is stupid.

[SecurityGuy]

Can the cloud be more secure than your own servers? Yes.
Can the cloud be less secure than your own servers? Yes.

Re:This is stupid.

[Attila+Dimedici]

That is close to what I wanted to post.

Q:Can the cloud be more secure than your own servers?
A:Of course it can

A much more important question is:

Q:Is the cloud more secure than your own servers?
A:That all depends on how hard you are willing to work to make your servers secure.

Connection stability

Guess what it costs me to have a connection so stable that it never goes down?

As it turns out, it is far more (measured over 5 years, the length of our ISP contracts) than proper redundancy in my equipment costs.

Your Data is worthless

Amazon, Rackspace, et-al don't give a shit about your data.

They care about the data your data generates. That is backed-up, carefully guarded and controlled. Your data on the other hand, it stored on the B and C grade disks, tapes and run on any old CPU in the farm that is past it's prime.

Centralized data is great, for hackers. One target, lots of data, lots of reward. Targeting that one user, with the firewall? Not so much.

Re:Your Data is worthless

[hawguy]

Amazon, Rackspace, et-al don't give a shit about your data.

They care about the data your data generates. That is backed-up, carefully guarded and controlled. Your data on the other hand, it stored on the B and C grade disks, tapes and run on any old CPU in the farm that is past it's prime.

Centralized data is great, for hackers. One target, lots of data, lots of reward. Targeting that one user, with the firewall? Not so much.

I don't care what grade disks my data is on as long as they don't use it. I several hundred TB's of data on EBS volumes (magnetic and SSD) and haven't lost any of it in the 3+ years it's been there. I have thousands of terabytes of data on S3 volumes and haven't lost any of that either.

I have, on the other hand, lost data that was stored on local ephemeral volumes when instances stopped working and had to be restarted, but that was no surprise since they is a reason they are called "ephemeral" disks.

If AWS can store data on cheap disks while still providing reasonable access times and durability, well good for them and good for me.

But...

[TiggertheMad]

While a cloud server has more security resources, they also have more professional hackers targeting them, since a single exploit has a good chance of bagging all the cloud provider's customer data. Think attacks like the Sony breach were bad? Just wait until you can get Sony, Microsoft, Facebook and the state of Ohio all at once because they happen to be hosted by the same cloud provider.

OTOH, perhaps that might just be the best place to be when a zero day drops. A cyber criminal won't likely bother with a small business and just go straight for the 23 terabytes of customer data on the next rack over...

How can the "Cloud" be more secure?

[fustakrakich]

Somebody flashes a badge, and they just hand your shit over, no questions asked... if they know what's good for them.

Global Touble-Makers Vote: Yes

[snadrus]

Where have the past 2 years major data breaches occurred: Off-Cloud.
But what about adjusting for Cloud vs Off-Cloud %-usage: Still no contest.

Most drivers are above average

[Overzeetop]

Most drivers consider themselves to be above average. Why would that not extend to server operators?

Um.... maybe... sometimes.... it depends

Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.

But those experts aren't regularly upgrading software I run on their cloud systems to fix security holes, nor monitoring my sites for exploits. So their expertise buys me little--other than the underlying infrastructure hopefully will be sound. That's all. That's not lot. The majority of security bugs/holes I've had experience seeing exploited were holes in application packages (think WordPress). Unless you mean hosting your resources on a specific application hosting provider who handles all upgrades (i.e. a hosted WordPress provider in this example, who guarantees up-to-date bug fixes on WordPress and some set of commonly used plugins).

Re:Um.... maybe... sometimes.... it depends

[bickerdyke]

But those experts aren't regularly upgrading software I run on their cloud systems to fix security holes, nor monitoring my sites for exploits. So their expertise buys me little--other than the underlying infrastructure hopefully will be sound. That's all. That's not lot. .

Then by a plan where they do! If you rent out only infrastructure and still run your stuff yourself, there's not much difference to .. well.. running your stuff yourself. With all pros and cons.

Cloud is less secure in one critical way

[alispguru]

If data is on my personal server and the US government wants to see it, they need a warrant.

If it's on a cloud server, they don't.

Why the fuck is this a video

Why is this taking megabytes of bandwidth to convey a message that could take kilobytes? Is there something visual about this concept that can't be communicated in writing? Stop the dumbing down of of /.

wow

[PopeRatzo]

This is like saying that Budweiser has better beer than a local brewery because they have bigger vats and more distributors.

I think the trick to security is not in how many experts you have, but in how willing you are to cut corners to increase profits.

Re:wow

[bickerdyke]

That is something completly differnt. Your example aims on size, but the article aims on expertise.

But even budweiser tastes better than my first homebrew. Not because they are big or small, but because I'm a bloody amateur (even if I had some decent brews by now) but they have people who learned how to make beer.

Re:wow

[tnk1]

Who is more likely to cut corners on a security budget?

A company that will live and die based on it's IT security reputation....
or the IT department of some random company that doesn't have IT as a source of revenue and IT security is therefore overhead.

There's always going to be some business or agency that needs to keep things in-house, but in no way is the Cloud model inferior to the laughable efforts of most IT shops today.

In the words of John McEnroe...

[erp_consultant]

YOU CANNOT BE SERIOUS!!!!

She is the CEO of a cloud based company. What the fuck do you expect her to say?

The real question is not...is the cloud secure? The question is...who is more likely to be a target of hackers?

Can cloud services be made secure? Of course it can. But it doesn't necessary mean that it is. It all depends on policies and procedures which you, as an end user, have absolutely no say in. And what happens if there is a data breach? You get a year of free credit monitoring. Thanks for playing. There is no implicit guarantee, or liability, on their part.

If you are a hacker who will you target? Me - with maybe a few credit card details or Amazon with millions or credit card details. The answer is obvious.

When it comes to the cloud I am reminded of the Tony Montano (Scarface) quote: "Who do I trust? ME!".

24/7 dedicated security teams...

[tlambert]

Depends, do you have a dedicated security team?

The security grunts are paid in Alpo, and the supervisors are paid in Meow Mix. I also pay their medical.

Probably not

[grimmjeeper]

Start with the fact that cloud services are big, ripe, juicy targets for anyone and everyone. Continue that there's probably never a time when their service isn't under some kind of attack in one way or another. Add in the fact that my server contains nothing of any real value to anyone but me. And extrapolate that to a very low likelihood that anyone would bother to take the time to attack my server. Consider also the fact that the cloud provider has to succeed 100% of the time to make my data secure while the hackers can fail almost forever and only have to succeed once.

I'm going to go with the fact that my data is more secure in my server at home than it would be in the cloud.

Of course, small businesses without a dedicated security teams are legitimate targets. But whether they store their data in the cloud or in company servers, their business internet connection is vulnerable to attack and provides a much easier road into the cloud storage than trying to directly attack the cloud servers. So realistically, the businesses accessing the cloud servers in bulk are a significant vector for attacking a cloud service. As a result, it doesn't matter where the business stores its data, it is no more or less vulnerable to attack in either location.

When it comes to large corporations, they are bigger targets but they have the budget to hire security experts just like the cloud provider has. So while they too are probably under constant attack 24/7/365, they are not necessarily any more or less vulnerable than the cloud provider.

So on balance, I'm going to go with no, the cloud does not necessarily make your data any more (or less for that matter) secure than not using it.

Re:Probably not

[cascadingstylesheet]

Start with the fact that cloud services are big, ripe, juicy targets for anyone and everyone. Continue that there's probably never a time when their service isn't under some kind of attack in one way or another. Add in the fact that my server contains nothing of any real value to anyone but me. And extrapolate that to a very low likelihood that anyone would bother to take the time to attack my server.

That was a good argument in the past, maybe, but today the attacks are all automated (and the ones that aren't are against high value targets that don't meet your criteria anyway).

Low value or not, your server get hammered against every day simply for being on the internet.

Umm, no. Surface area?

[holophrastic]

There's often a lot of focus on actual/active security, and a lot less on determining the need for that security. Think of security like a power-to-weight ratio for performance.

The goal isn't to have great security. The goal is to have no successful attacks. "no successful attacks" is approachable from two primary vectors: "successful" and "attacks". Security focuses on the successful vector, by resisting.

Certainly, when it comes to contracting a provider, or rolling my own, a big provider might be better than I am. Of course, I can hire a consultant and get the best of both, and a big bill to match.

Obfiscation is not security. But it is a reduction in the actual number of attacks -- so long as it's working, of course.

I've been with small providers, I've been with large providers, I've been with Rackspace, and I've rolled my own.

The truth is that all four scenarios have had plenty of attempted attacks. But dive a little deeper, and something way more interesting appears.

When I rolled my own, I got loads of random attacks, mostly from China. Nothing persisted for very long. Nothing was particularly focused. And nothing was complicated. Almost all were easily dodged with standard surface-area-of-attack controls, like closing unused ports and not having general server bloat.

When I was with Rackspace, I had loads of help from their excellent support teams, and on occasion, wow did I ever need it! Persistant attacks, lasting for days, targeted attacks, ddos attacks with large systems on the other end. At one point we had over a dozen rackspace support personnel just fighting to kill stuff fast enough to keep performance up long enough to identify and resolve the issue without needing to take the server entirely offline.

I was very happy with Rackspace, and was with them for a decade. Now I'm rolling my own again, things are just much more stable that way.

So what's your preference? Being in a military compound, protected by a thousand soldiers in the middle of a war-zone; or being completely unprotected, on a mountain side, in upstate montana?

I'm choosing big-sky country, personally.

Also, I believe that Rackspace is partnered with a very familiar government spy agency quite directly -- since they both moved campuses at the same time the other year, and I was greeted quite aggressively, as you would imagine, when I visited Rackspace for a tour, and accidentally pulled up to the unmarked neighbour. Probably appropriately so, given that it was on a september 10th.

And if it's not secure, you probably won't know

Our company contracted with an external supplier to manage an application for us that we had been managing in house. We got the usual assurances about their data centre, nailed down the SLA, and did a PIA. All good. As we were working with them to get our data moved over one of our sysadmins came upon a SQL Server admin id/password, unencrypted, in one of their .ini files. It was pretty generic (the name of the application with a few numbers instead of letters). That looked suspicious to us, so we contacted another one of the same vendor's hosted customers and said,"I'll bet we can guess your SQL Server admin password in one try." Turned out they were using the same admin credentials for all their hosted customers databases. Which they kept unencrypted in an .ini file.

So yeah,maybe their data centre was secure, but their application level management was amateur hour. And it was a bit of a fluke we discovered that.

Needless to say, we never did move the application into the cloud. They promised to fix the problem when we brought it to their attention, but we didn't trust them after that. And even though they arguably violated the terms of our SLA, they were such small potatoes that there was no point getting the lawyers involved.

Re:Depends, do you have a dedicated security team?

[Junta]

Problem being that if you do not take care of your security, you are also likely to not take care of your own security in your cloud instances.

For example, not too long ago some company got bit by leaving something wide open in how they set up their EC2 instances.

You cannot sprinkle on security as an afterthought either way, security is a factor that must be kept in mind as you do the design.

Video Stories

[RendonWI]

Could you at least get some decent audio if you are going to do these? I listened to the first 10 seconds and could not stand the sound. Also you have a smart audience, we would much prefer to just read the story. We all thought the book was better.

Bunk

[pubwvj]

Bunk. BS.

1) She has a vested interest in presenting that her systems are secure.

2) She offers a weak link in the data chain. Every time any link is added the system gets LESS secure. Adding a weak link further weakens the system.

Only non-secure data gets stored on the cloud. Remember, it's like a postcard.

I'll provide my own security.