Slashdot Mirror

← Back to Stories (view on slashdot.org)

Can the Cloud Be More Secure Than Your Own Servers? (Video)

Posted by Roblimo on from the if-you-give-me-your-password-I-will-love-you-forever dept.

Sarah Lahav, CEO of Sysaid, believes "the cloud" can be more secure than keeping your software and data behind your firewall and administering it yourself, especially for small and medium-sized firms. Why? Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.

We've talked to Sarah before, and probably will again. She has strong opinions based on her experience in IT, and is happy to share those opinions. So take it away, Sarah...

17 of 220 comments (clear)

  1. well, i'm convinced by fattmatt · · Score: 3, Funny

    "...probably have lots more security experts and other IT people at their command than you do" well, i'm convinced ... here's all my data!

  2. This is stupid. by SecurityGuy · · Score: 5, Funny

    Can the cloud be more secure than your own servers? Yes.
    Can the cloud be less secure than your own servers? Yes.

  3. Re:No by OverlordQ · · Score: 3, Interesting

    Amazon's data center. Since they have more security experts and IT people there's more points of failure.

    --
    Your hair look like poop, Bob! - Wanker.
  4. But... by TiggertheMad · · Score: 3, Interesting

    While a cloud server has more security resources, they also have more professional hackers targeting them, since a single exploit has a good chance of bagging all the cloud provider's customer data. Think attacks like the Sony breach were bad? Just wait until you can get Sony, Microsoft, Facebook and the state of Ohio all at once because they happen to be hosted by the same cloud provider.

    OTOH, perhaps that might just be the best place to be when a zero day drops. A cyber criminal won't likely bother with a small business and just go straight for the 23 terabytes of customer data on the next rack over...

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  5. How can the "Cloud" be more secure? by fustakrakich · · Score: 4, Interesting

    Somebody flashes a badge, and they just hand your shit over, no questions asked... if they know what's good for them.

    --
    “He’s not deformed, he’s just drunk!”
  6. Most drivers are above average by Overzeetop · · Score: 4, Insightful

    Most drivers consider themselves to be above average. Why would that not extend to server operators?

    --
    Is it just my observation, or are there way too many stupid people in the world?
  7. Um.... maybe... sometimes.... it depends by Anonymous Coward · · Score: 5, Insightful

    Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.

    But those experts aren't regularly upgrading software I run on their cloud systems to fix security holes, nor monitoring my sites for exploits. So their expertise buys me little--other than the underlying infrastructure hopefully will be sound. That's all. That's not lot. The majority of security bugs/holes I've had experience seeing exploited were holes in application packages (think WordPress). Unless you mean hosting your resources on a specific application hosting provider who handles all upgrades (i.e. a hosted WordPress provider in this example, who guarantees up-to-date bug fixes on WordPress and some set of commonly used plugins).

  8. Re:No by halivar · · Score: 3, Insightful

    Is it? That's 3 layers of armed security, the each one under 24/7 surveillance. You have to get through each one. You would define worth rather by a risk/reward ratio, which makes that rinky-dink server closet a lot more tempting. Criminals seek low-risk opportunity targets.

  9. Cloud is less secure in one critical way by alispguru · · Score: 5, Insightful

    If data is on my personal server and the US government wants to see it, they need a warrant.

    If it's on a cloud server, they don't.

    --

    To a Lisp hacker, XML is S-expressions in drag.
  10. Why the fuck is this a video by Anonymous Coward · · Score: 3, Insightful

    Why is this taking megabytes of bandwidth to convey a message that could take kilobytes? Is there something visual about this concept that can't be communicated in writing? Stop the dumbing down of of /.

  11. wow by PopeRatzo · · Score: 4, Insightful

    This is like saying that Budweiser has better beer than a local brewery because they have bigger vats and more distributors.

    I think the trick to security is not in how many experts you have, but in how willing you are to cut corners to increase profits.

    --
    You are welcome on my lawn.
  12. In the words of John McEnroe... by erp_consultant · · Score: 4, Insightful

    YOU CANNOT BE SERIOUS!!!!

    She is the CEO of a cloud based company. What the fuck do you expect her to say?

    The real question is not...is the cloud secure? The question is...who is more likely to be a target of hackers?

    Can cloud services be made secure? Of course it can. But it doesn't necessary mean that it is. It all depends on policies and procedures which you, as an end user, have absolutely no say in. And what happens if there is a data breach? You get a year of free credit monitoring. Thanks for playing. There is no implicit guarantee, or liability, on their part.

    If you are a hacker who will you target? Me - with maybe a few credit card details or Amazon with millions or credit card details. The answer is obvious.

    When it comes to the cloud I am reminded of the Tony Montano (Scarface) quote: "Who do I trust? ME!".

  13. 24/7 dedicated security teams... by tlambert · · Score: 3, Funny

    Depends, do you have a dedicated security team?

    The security grunts are paid in Alpo, and the supervisors are paid in Meow Mix. I also pay their medical.

  14. Probably not by grimmjeeper · · Score: 4, Interesting

    Start with the fact that cloud services are big, ripe, juicy targets for anyone and everyone. Continue that there's probably never a time when their service isn't under some kind of attack in one way or another. Add in the fact that my server contains nothing of any real value to anyone but me. And extrapolate that to a very low likelihood that anyone would bother to take the time to attack my server. Consider also the fact that the cloud provider has to succeed 100% of the time to make my data secure while the hackers can fail almost forever and only have to succeed once.

    I'm going to go with the fact that my data is more secure in my server at home than it would be in the cloud.

    Of course, small businesses without a dedicated security teams are legitimate targets. But whether they store their data in the cloud or in company servers, their business internet connection is vulnerable to attack and provides a much easier road into the cloud storage than trying to directly attack the cloud servers. So realistically, the businesses accessing the cloud servers in bulk are a significant vector for attacking a cloud service. As a result, it doesn't matter where the business stores its data, it is no more or less vulnerable to attack in either location.

    When it comes to large corporations, they are bigger targets but they have the budget to hire security experts just like the cloud provider has. So while they too are probably under constant attack 24/7/365, they are not necessarily any more or less vulnerable than the cloud provider.

    So on balance, I'm going to go with no, the cloud does not necessarily make your data any more (or less for that matter) secure than not using it.

  15. Re:No by bickerdyke · · Score: 3, Interesting

    Depends on who you want to protect your data from. NSA may be guzzling every bit from any Amazon datacenter, but they won't (well, usually) ruin your company by selling your patent application to the highest chinese bidder a few weeks before you file it. And likewise, it does not take large scale data seizing to ruin you. It only needs getting hold of YOUR data.

    But of course you're right if your data is of interest to the NSA more than to regular criminals. There is never such a thing as "more secure". There is only "more secure against X"

    --
    bickerdyke
  16. Re:No by RLiegh · · Score: 4, Interesting

    Yes, your criminal organization has different requirements than an honest business,

    You're saying HIPAA compliance is criminal, are you? You're saying that protecting client/lawyer confidentiality is criminal, are you?

    I don't think you've thought this out very far...

  17. Re:No by tnk1 · · Score: 4, Insightful

    I don't see why you think more admins are equivalent to more failure points. You need more admins and audit staff to have a proper program to secure data. Using fewer admins is the equivalent of wishful thinking. You're hoping that your few admins are more trustworthy, but you lack the resources to enforce it because you can't separate duties. A large cloud company can enforce that precisely because they have more staff.

    I've worked for companies where there were only a few admins, period. There was no separation of duties for their data center, except maybe on paper. Any of the admins had complete power to grab anything they wanted and there was no staff that could adequately audit the logging and monitoring infrastructure to prevent the admins from simply disabling the logging and security monitoring. Extrusion of data was a piece of cake. All that was needed was motive to do so. Luckily, no one really cared to do so, but that was mere luck, not a security program.

    Larger cloud companies run regular compliance audits and have enough staff that separation of duties is something that really happens and can be made to work. For small and medium businesses, those cloud companies have objectively better security precisely because they can specialize their staff and realistically only grant access based on least privilege. There are checks and balances, and not all rights are in the hands of all powerful admins.

    Now, if you work for a big company, your IT staff may be at a level to support a comparable security program, but that will be because you have more admins, not less.

    As for "pre-compromised" open source, do you really inspect and compile all your OSS software? Extremely doubtful. Do you think that a large provider would purposely install compromised binaries or allow them to be installed by someone else?

    I understand that physical access is everything, but are you actually carrying out your carefully scrutinized software checks, or are you simply pointing out that it is possible to do so. Because, while anyone can compile their own OSS code, rarely have I seen anyone actually do that unless they need to, let alone run a code audit for vulnerabilities unless you're talking about the very highest security levels. For most SMBs, your argument is bogus precisely because they never actually take advantage of their ability to do so. They don't have the time or the staff or the expertise to do so.

    The worst part of all of this is that many in-house IT groups understand that they theoretically have more ability to control their own environments, but utterly fail to actually do so, because they can't get the resources nor do they have the motivation to do so. In the end, it just engenders a false sense of security.

    If you take the great number of SMBs in the market and add them to AWS or Azure or whatever, even though you might be theoretically opening them up to some issues, you will be realistically improving their actual security posture by a significant amount because now there is actually a real security program in place for their assets and data where there was not one before.