Cloud Security: What You Need To Know To Lock It Down
Nerval's Lobster writes "IT security writer Steve Ragan writes: 'The word "cloud" is sometimes overused in IT—and lately, it's been tossed around more than a football during a tailgating party. Be that as it may, organizations still want to implement cloud-based initiatives. But securing assets once they're in the cloud is often easier said than done.' He then walks through some of the core concepts of cloud security, along with the companies operating in the space."
Insecure, and the cloud providers know it. (Score:5, Insightful)
From the article:
"When you sign a Business Associate agreement, there's a level of liability that the business associate accepts. They openly acknowledge they have to operate within the HIPAA security rule like any covered entity. Understandably, none of the current cloud providers are willing to do that."
That says it all. The major cloud providers won't accept responsibility for security in their own systems.
Re:Can't be done. (Score:2, Insightful)
There's always someone who can compromise your secret data. In a typical non-cloud in-house datacenter who is it? The 7 guys in the IT department, the 4 other guys in the network department, 5 or 6 key developers who have privileges to debug realtime production problems, a few high-level VPs and Execs. Oh and let's not forget all of the hardware vendors you're trusting not to plant hardware backdoors in the servers and network gear they ship you (it has happened before!). You're already putting a lot of faith (and/or contractual threats) into those people. Now you get to add Amazon to the list of people you have to trust. For *most* companies of a reasonable size, you're actually gaining security by handing off some of the risk to a larger and probably more-responsible organization like Amazon.
Step #1 (Score:4, Insightful)
Don't use the cloud.
Step #2
We don't need no stinking step #2.
Re:Insecure, and the cloud providers know it. (Score:4, Insightful)
Did you actually read that whitepaper? Amazon says you should encrypt the data BEFORE uploading it to S3. Doesn't that tell you everything you need to know about S3's security? And to top it all off, at the end:
Disclaimer
This white paper is not intended to constitute legal advice. You are advised to seek the advice of counsel regarding compliance with HIPAA and other laws that may be applicable to you and your business. Amazon Web Services LLC. and its affiliated entities make no representations or warranties that your use of Amazon Web Services will assure compliance with applicable laws, including but not limited to HIPAA.