Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Cloud Security IT

Cloud Security: What You Need To Know To Lock It Down 74

Nerval's Lobster writes "IT security writer Steve Ragan writes: 'The word "cloud" is sometimes overused in IT—and lately, it's been tossed around more than a football during a tailgating party. Be that as it may, organizations still want to implement cloud-based initiatives. But securing assets once they're in the cloud is often easier said than done.' He then walks through some of the core concepts of cloud security, along with the companies operating in the space."
This discussion has been archived. No new comments can be posted.

Cloud Security: What You Need To Know To Lock It Down

Comments Filter:
  • Lock it down (Score:5, Interesting)

    by colinrichardday ( 768814 ) <colin.day.6@hotmail.com> on Monday July 09, 2012 @02:07PM (#40595009)

    the only safe cloud is a dead cloud.

  • Easy (Score:2, Interesting)

    by Anonymous Coward

    Easy solution: Don't do it. There, I saved you having to RTFA which is just spam to drive hits to Slashdot's Cloud page.

  • by Anonymous Coward
    If you want something to be secure, you have to store it in house.
    There is no guarantee that once you put it out on "the cloud" that someone else won't reach for it.
    • by dgatwood ( 11270 )

      Or encrypt it before you put it out on "the cloud". AES-128 ought to provide at least three or four years of protection.

      • by Anonymous Coward

        ROT-13 encryption should be good enough for anyone. ROT-26 if you absolutely NEED the extra security...

    • by hawguy ( 1600213 )

      If you want something to be secure, you have to store it in house.

      There is no guarantee that once you put it out on "the cloud" that someone else won't reach for it.

      But don't you already encrypt your sensitive data at rest? If that's the case, is the cloud really any less secure than having it in-house? Your secret data is more likely to leave your facility through your internet connection than from someone taking a hard drive from your server.

  • by Anonymous Coward

    In the "beginning" was the text terminal connected to a server through a cable. Fast forward half a century. Now its the mobile smartphone connected to a server cluster via radiowaves. What's the big deal?

    • by Kenja ( 541830 )
      There is a major difference. Unlike a "real" server a cloud server is an image of a system that exists in multiple locations. Its like if you took a server, and put it on a flash drive that you could stick in your pocket and walk out the door with. There is a much higher security risk as a result, since your data does not exist only in a physical location that you can control.
    • How many people could access that server?

  • by Animats ( 122034 ) on Monday July 09, 2012 @02:13PM (#40595071) Homepage

    From the article:

    "When you sign a Business Associate agreement, there's a level of liability that the business associate accepts. They openly acknowledge they have to operate within the HIPAA security rule like any covered entity. Understandably, none of the current cloud providers are willing to do that."

    That says it all. The major cloud providers won't accept responsibility for security in their own systems.

  • by Anonymous Coward

    'it's been tossed around more than a football during a tailgating party'

    The hell does that even mean? I need a car analogy, STAT.

    • In-house computing is like having a corporate car or fleet of cars owned or leased by your company, dedicated to its use.

      Shared-cloud (vs. intranet-cloud, managed in-house) computing is as if you paid a car-rental company $X/year for the right to have any of your employees walk up to the rental counter and be issued a car at any time day or night, without any additional payment and without any lack of availability beyond what was negotiated in the master contract.

    • It's been tossed around more than a Fiesta in a Ken Block video.

    • 'it's been tossed around more than a football during a tailgating party'

      The hell does that even mean? I need a car analogy, STAT.

      It's an alogy to help you in case you couldn't understand the previous line: 'The word "cloud" is sometimes overused in IT'. And quite frankly, anyone who doesn't already know the term is overused, and after upon being informed of that fact needs an analogy to help them understand it, really shouldn't be directly in charge of anything IT related.

  • Can't be done. (Score:5, Informative)

    by Hatta ( 162192 ) on Monday July 09, 2012 @02:17PM (#40595103) Journal

    The cloud provider effectively has physical access to your machine, which is game over for any sort of security. Even if you use full disk encryption, you're going to have to decrypt it, and that means your key will be in RAM. A motivated spy in the cloud provider would have little trouble dumping your VM's RAM and decrypting everything.

    You might be able to get away with running machines locally, and using the cloud for storage, if you encrypt everything locally and only store encrypted data in the cloud. But that removes most of the benefits of using the cloud in the first place.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      There's always someone who can compromise your secret data. In a typical non-cloud in-house datacenter who is it? The 7 guys in the IT department, the 4 other guys in the network department, 5 or 6 key developers who have privileges to debug realtime production problems, a few high-level VPs and Execs. Oh and let's not forget all of the hardware vendors you're trusting not to plant hardware backdoors in the servers and network gear they ship you (it has happened before!). You're already putting a lot of

    • Not all the benefits (Score:5, Informative)

      by davidwr ( 791652 ) on Monday July 09, 2012 @02:33PM (#40595297) Homepage Journal

      Locally-encrypted backup-to-the-cloud is a viable, marketable service. This works both on an "intranet" basis for departments that don't, or for legal reasons can't,* trust IT with access to their data but who want the physical security of their backups managed by IT as well as on the "internet" as an outsourced-backup arrangement.

      * Human Resources and departments that have certain external contractual obligations may not want to allow anyone outside of their department to have access to un-encrypted data or encryption keys. In certain industries like defense or medical care, the entire business may function like this.

    • Too bad you couldn't have made first post, that's all that needs to be said on the subject.

    • The cloud provider effectively has physical access to your machine, which is game over for any sort of security. Even if you use full disk encryption, you're going to have to decrypt it, and that means your key will be in RAM. A motivated spy in the cloud provider would have little trouble dumping your VM's RAM and decrypting everything.

      You might be able to get away with running machines locally, and using the cloud for storage, if you encrypt everything locally and only store encrypted data in the cloud. But that removes most of the benefits of using the cloud in the first place.

      You could still 'cloud' anything not sensitive, and keep anything considered sensitive local -

    • There are plenty of things you can do to take advantage of computational resources in the cloud while remaining secure i.e. private information retrieval, secure multiparty computation, homomorphic encryption, etc.
      • There are plenty of things you can do to take advantage of computational resources in the cloud while remaining secure i.e. private information retrieval, secure multiparty computation, homomorphic encryption, etc.

        I think fully homomorphic encryption is still in the PoC stage and is too resource-intensive to be practical.

        • Nobody said fully homomorphic. You can do a lot with just multiplication or just addition. There was a paper by Microsoft Research about a year ago with a list of real world applications for partially homomorphic encryption. One of the big ones is statistical analysis (sum, mean, regression all require only additions). There are also almost-fully homomorphic ciphers that can do an unbounded number of additions and a small number of multiplications efficiently.
  • Is it my intranet-cloud managed by my IT department?

    Is it a dedicated cloud that my company out-sources, but which is not used by anyone else? If the servers in this dedicated cloud are virtual, are the real servers also dedicated to just my company? To the extend that there is un-encrypted communication between virtual or real servers, is the physical network the traffic travels on dedicated only to me, as it might be if all the equipment was on the same rack?

    If the servers are outside of my physical con

  • Step #1 (Score:4, Insightful)

    by Nadaka ( 224565 ) on Monday July 09, 2012 @02:25PM (#40595217)

    Don't use the cloud.

    Step #2
    We don't need no stinking step #2.

  • "The most important thing to remember when you’re storing or processing sensitive data in the cloud is that you are still fully responsible for the security of the data, and you are fully accountable if that data is lost or stolen,” Shaul concluded. “Even if your cloud provider offers some security services or indemnifies you for losses resulting from a breach, if your data is stolen, it’s still your problem.”

    This is a resounding vote for private cloud. At the very least, i
  • "The word “cloud” is sometimes overused in IT" = Understatement Of The Year
  • by dave562 ( 969951 ) on Tuesday July 10, 2012 @12:18AM (#40599529) Journal

    (Go ahead and mod this flamebait. I just need to rant)

    When I read the replies that always come up in these cloud discussions, I often wonder how many people on this forum are real IT professionals and how many are just people with opinions that were formed in a vacuum. When I read these cloud articles, I think about them in the context of large corporations with many divisions that are consolidating IT operations. I think of application silos, and business continuity/disaster recovery. I think of internal IT provisioning resources to departments and using technology like hardware and storage virtualization to be smarter about how they allocate resources. I think about rapid provisioning of test/dev and QA environments, or rapidly spinning up new servers to meet unanticipated growth or to address seasonal growth trends.

    So many of the comments seem to be coming from people whose entire concept of IT revolves around their home music collections, or working in a very small company that handles everything in house. The idea of giving up control to a cloud provider in that context seems reasonable. But there are large uses for "cloud" technologies that far surpass the tiny use cases in the SMB market. Denouncing everything to do with "cloud" shows a really immature understanding of how the technology is being deployed in the real world.

    If you are not up to speed on how virtualization and distributed computing environments can improve IT operations, your skills are probably stagnant and you either need to sharpen your skills, or pick another field. Whining about cloud being a buzzword is not doing you any good. It just making you look irrelevant and out of touch. Having said that, I will be the first to admit that it is an annoying buzzword. But pointing it out is lame at this point. Even a broken clock tells the right time twice a day. If you cannot see how cloud technologies are relevant to IT, you are probably in the wrong discipline.

Genius is ten percent inspiration and fifty percent capital gains.

Working...