Can the Cloud Be More Secure Than Your Own Servers? (Video)
We've talked to Sarah before, and probably will again. She has strong opinions based on her experience in IT, and is happy to share those opinions. So take it away, Sarah...
Robin Miller for Slashdot: We are talking with Sarah, and she is founder, CEO and high muckety muck for SysAid, based in Israel, which is where she is, not shockingly. Sarah maintains that the best reason to move your company's software and data to the cloud is that the cloud is more secure. Talk to us.
Sarah Lahav, SysAid: What I am saying is that 90% of the same challenges you are having now you will have when you put yourself in the cloud. Because I am not saying more secure, but I am saying it is challenging. But if you look at infrastructure and what the cloud has to offer you, I am saying that it is a substantially better way to be secure in the cloud if you trust your provider like Amazon, with the money they can invest, because it is their business to keep you secure. The services with information, in fact, they have lots of people; that's what their job is to do: keep your data secure. I am saying you have better chances of being secure in the cloud.
Slashdot: Alright. But in the cloud – the public cloud -- isn’t it possible that many attackers could try to get at your data, while having most of your corporate data stored on a server behind your firewall, and in fact, one that is not behind your firewall because you have disconnected it from the internet, is more secure? You have taken that piece of Cat 5 cable and pulled it out and you only plug it in for updates when you are watching.
Sarah: Yes, but I don't think that's something companies in this day and age can actually do. I mean most of their services as an organization work with applications like Salesforce, that require you to be open to the internet. If you are the military you would not have regular connections to the internet, but that's not most of the corporate world. Most of the corporate world with customer services employs Salesforce, other SaaS providers, SaaS services you are buying. You are already out there; you can actually use that exposure to the internet. The only thing I am saying is that Amazon has more resources than any organization to invest in the cloud. Firewall is a firewall, so you can get firewall from Amazon. I think that most probably having security app
I think the biggest security risk we have is people. The knowledge of what they do, and that wouldn't change whether it is local or in the cloud. You just have to get knowledge and use it as a skill around Amazon and other SaaS providers in order to know what to do to protect the information. I really think from the cost-effective side of things, if you don't have the infrastructure, you want to keep updating, you have better chances of cost effectiveness in the cloud in Amazon than you have locally. The security, everybody agrees, is the challenge. It is where the war is. And I really think that Amazon has better chances with the money we invest to keep us updated at all times and give us tools to check it.
Slashdot: I just want to say something: You are pushing Amazon hard. I have several good friends, who are fine, excellent programmers and security guys who work for Rackspace, out of Texas.
Sarah: Also good, also good, also good if you have government and regulation, and you are familiar with the services they provide. Rackspace, it is just an ocean; Amazon, as long as you know. We had a brief conversation before this conversation about the internet of things, and how it is a huge security breach, which I agree, but the internet of things is a breach because the IT person doesn't know. So the more conversation we have about security with IT people, it is not about what they know, it is about what they don't know. Like if you buy a teapot and put it in the organization, it has internet on it, it is very simple to protect it; the fact you don't know it puts you to all, and that is not even in the cloud yet. So I am saying it falls on people more than on technology, and I really think in regards with investing and money, it is worth it to put it in the cloud, in the public cloud. You have better chances of keeping it secure. It is our business. Because we will be out of business if your data is not secure. That's what we do.
Slashdot: Okay, let me, I don’t know how to say this.
Sarah: Because you want to give me a hard time.
Slashdot: Not really. I just want to learn as much as I can to help our listeners, our viewers, learn as much as they can. So I am going to give them a link to your website of course, the company website so they could see that and go in there. But the point is well taken, and I have heard it before that if you are a small company you don’t have the need to have a full time systems administrator on staff. It is just plain cheaper to hire your company or the one in Texas, Spiceworks, or any of the many others. So you are saying quite correctly -- I think I heard it once in an ad for something else--“We live and breathe this stuff.” That you just have more people, and probably smarter people working on security than a small company can have—I agree with that. Now, isn’t it inherently safer to have everything you can behind your firewall and connect with VPNs back and forth?
Sarah: Again, I am not just talking about the small company. A lot of the currently best services are by Salesforce, but you will say I am pushing Salesforce again; that was just an example. The services that if you want to be – the sales team that have the right tool, then you want to move forward, you have to consume services from the cloud. Salesforce with the timing, the company organization name means what kind of data they are holding for you. In which organization there are sales, there are numbers, there are orders, there are contacts; that's one of the most valuable assets they have. So if an organization would like to be competitive in this day and age, most of the services they are consuming are cloud based. The experienced organization expects to have multiple updates for the year, currently making the task of people that want to keep their services on premise impossible. We have an on-premise version and a SaaS solution, and I can tell you that the SaaS is relatively more advanced than the in-house. Because the challenges in-house are enormous, but we understand that people -- not all of them -- are ready to adopt the cloud. If you want to be a competitive organization, if you want to give your workers the tools to do their job and to keep the organization in line with the competition, SaaS is the only way to go. What exactly I was talking about is secure unless you are a health services provider, or you hold credit card numbers for people who purchase some stuff from you, or if you have got health information, or you are military, and also around there the regulations, like HIPAA compliance or government-set boundaries, and the SaaS people understand this is a business need. Not an IT need. The IT, you are giving them a headache, and they have a lot of headaches between BYOD and the internet of things, but they understand it is a business need; they would have to consume services in the cloud.
Sometimes you all will be out there and that’s what you are doing so just know about it. The problem is knowledge. What services are out there? We are talking about VPN... even to install VPN you want to have security and you have to have knowledge. I think people are more afraid to get new knowledge than to consume stuff from the cloud.
No (Score:2, Insightful)
Next question.
Re: (Score:3)
Here's the next question: which room do I have a better shot at breaking into: your server closet, or Amazon's data center?
Re:No (Score:4, Interesting)
Amazon's data center. Since they have more security experts and IT people there's more points of failure.
Re:No (Score:4, Insightful)
Is it? That's 3 layers of armed security, each one under 24/7 surveillance. You have to get through each one. You would rather define worth by a risk/reward ratio, which makes that rinky-dink server closet a lot more tempting. Criminals seek low-risk opportunity targets.
Re: (Score:2)
Not necessarily. Think about Edward Snowden, who had to pass through all kinds of security to get access to the data that he leaked. Would it have been easier for him to go to Initech and be their lead sysadmin, leaking all of their proprietary data? Certainly, but the perceived reward to him wasn't worth the risk of doing that. However, his perceived reward in leaking the NSA documents was so great that he undertook a concerted effort to undermine the many levels of security they had in place.
Note: I'm
Re: (Score:2)
Amazon's lunks aren't allowed to shoot you for trespassing.
A homeowner is.
Re: (Score:3)
Breaking into your server closet is definitely worth it, if they have decided that you have data that they need. And you are no more able to resist the NSA than AWS would be. In fact, AWS probably has a better chance of fighting back against pseudo-legal actions that the NSA takes. Your company, unless it is another megacorp, would roll over almost immediately. That is, if they even needed to ask you for permission, which they probably don't.
AWS may be less secure than we would like, but the safety o
Re: (Score:2)
Wrong question. Which one has many more failure points and more potential admins to go rogue? Inside jobs account for many more security issues than outside hacks. With my stuff in my rack I can use open source and be relatively sure that it isn't pre-compromised from the day I install it, like most hosted platforms and most big-name software. I can encrypt using the encryption of my choice BEFORE it leaves my premises or touches any corporate client software that claims to encrypt it for me but still allows the
Re:No (Score:5, Insightful)
I don't see why you think more admins are equivalent to more failure points. You need more admins and audit staff to have a proper program to secure data. Using fewer admins is the equivalent of wishful thinking. You're hoping that your few admins are more trustworthy, but you lack the resources to enforce it because you can't separate duties. A large cloud company can enforce that precisely because they have more staff.
I've worked for companies where there were only a few admins, period. There was no separation of duties for their data center, except maybe on paper. Any of the admins had complete power to grab anything they wanted and there was no staff that could adequately audit the logging and monitoring infrastructure to prevent the admins from simply disabling the logging and security monitoring. Extrusion of data was a piece of cake. All that was needed was motive to do so. Luckily, no one really cared to do so, but that was mere luck, not a security program.
Larger cloud companies run regular compliance audits and have enough staff that separation of duties is something that really happens and can be made to work. For small and medium businesses, those cloud companies have objectively better security precisely because they can specialize their staff and realistically only grant access based on least privilege. There are checks and balances, and not all rights are in the hands of all powerful admins.
Now, if you work for a big company, your IT staff may be at a level to support a comparable security program, but that will be because you have more admins, not less.
As for "pre-compromised" open source, do you really inspect and compile all your OSS software? Extremely doubtful. Do you think that a large provider would purposely install compromised binaries or allow them to be installed by someone else?
I understand that physical access is everything, but are you actually carrying out your carefully scrutinized software checks, or are you simply pointing out that it is possible to do so? Because, while anyone can compile their own OSS code, rarely have I seen anyone actually do that unless they need to, let alone run a code audit for vulnerabilities, unless you're talking about the very highest security levels. For most SMBs, your argument is bogus precisely because they never actually take advantage of their ability to do so. They don't have the time or the staff or the expertise to do so.
The worst part of all of this is that many in-house IT groups understand that they theoretically have more ability to control their own environments, but utterly fail to actually do so, because they can't get the resources nor do they have the motivation to do so. In the end, it just engenders a false sense of security.
If you take the great number of SMBs in the market and add them to AWS or Azure or whatever, even though you might be theoretically opening them up to some issues, you will be realistically improving their actual security posture by a significant amount because now there is actually a real security program in place for their assets and data where there was not one before.
Re: (Score:3)
What does it matter if Amazon has 100 or 1000 more IT personnel than you?
The more I hear about cloud, the more I realize that everyone isn't talking about the same thing and truly doesn't understand it. Are you hosting your applications in someone else's datacenter and still maintaining them yourself? Are you paying someone else to support them? Or are you using hosted applications such as Salesforce.com?
The bottleneck in most part isn't the IT resources, its the failure of management to let their resources
Re: (Score:2)
> With my stuff in my rack I can use open source
I'm sorry to say this, but "so what"? Many vulnerabilities are due to tardy or inconsistently applied software updates, architecture, shared passwords, plaintext stored passwords, and unsanitized inputs. And many business, educational, and private environments say "we trust the people we work with" and apply _no_ security steps beyond their own border. The base OS image templates are reasonably good, reasonably well integrated, and their ability to handle
Re: (Score:2)
> Here's the next question: which room do I have a better shot at breaking into: your server closet, or Amazon's data center?
Breaking into a room doesn't get you access to a machine. Since it is on the cloud, you can feel free to break into the machine anywhere with internet access. Their IT staff might be better versed in how to secure a server, but part of the problem that I have with cloud services is the cloud service provider. How do I obfuscate my server such that Amazon can't get into it? The answer probably is: you can't. In my closet, I absolutely can.
Re: (Score:2)
Amazon's data center.
- Known location.
- Many employees susceptible to bribery, trickery, and extortion.
- No one would question someone snooping around at night since it's a busy 24/7 operation.
- No one will shoot you when you break in.
- No dogs guarding the area.
- Susceptible to all manner of attacks ranging from cutting power, cutting data, tampering with cooling, etc. that would result in easier access (everyone running around trying to fix the problem, card
Re: (Score:2)
Who do you have a better chance of using social engineering against, for the purposes of gaining access to my data? Me at my home, or Amazon employee #43225 at Amazon's data center?
Of course, you mean Amazon "Independent Contractor" #43225.
Re: (Score:2)
I am guessing the home user (maybe not you specifically).
At least the Amazon employee has to sit through some security training on this stuff. Also, I am sure that the nameless Amazon drone does not have access to anything important anyway.
Re: (Score:2)
There was a vulnerability found in Xen a couple of weeks ago that allowed any PV guest running on any version of Xen released in the last 7 years, to map the whole of physical memory and tamper with the contents of any other VMs. This is, what, the fourth such exploit in Xen in the last year? Many of the others came from QEMU code, which was never intended to be used in security-critical situations. VMWare and HyperV almost certainly have similar issues, though they may not be so public about announcing
Re:No (Score:4, Interesting)
Depends on who you want to protect your data from. The NSA may be guzzling every bit from any Amazon datacenter, but they won't (well, usually) ruin your company by selling your patent application to the highest Chinese bidder a few weeks before you file it. And likewise, it does not take large-scale data seizing to ruin you. It only needs getting hold of YOUR data.
But of course you're right if your data is of interest to the NSA more than to regular criminals. There is never such a thing as "more secure". There is only "more secure against X"
Re: (Score:2)
The original point was that the NSA doesn't even HAVE to hack anything.
Re: (Score:2)
You are right, the NSA probably already has legal access to Amazon:
https://media.ccc.de/v/31c3_-_... [media.ccc.de]
https://media.ccc.de/v/27c3-42... [media.ccc.de]
Re:No (Score:5, Interesting)
> Yes, your criminal organization has different requirements than an honest business,
You're saying HIPAA compliance [hhs.gov] is criminal, are you? You're saying that protecting client/lawyer confidentiality is criminal, are you?
I don't think you've thought this out very far...
Re: (Score:2)
Actually, turn the question around: "Can your servers be less secure than the cloud?" That's pretty much got to be "yes", though it would be rather embarrassing.
Re: (Score:2)
It doesn't matter how good the network security team at Amazon is when management is actively designing around the use case of the most security compromising end users: Software Developers.
The funny thing I can't believe is that the smaller, mo
Re: (Score:2)
> As an aside.
> Amazon Web Services would cost $150,000 a MONTH for the computing power we bought about two years ago - with nowhere near that in initial investment.
> So talking "cost effectiveness" is bullshit too.
Well that is bullshit. $150k a month is about 1000 m3.2 x-large EC2 machines. That is the equivalent of about 800 XEON E-5 2670 v2 processors, 30 TB RAM, and 160 TB SSD. Double that for similar availability, and you are looking at about $4 million to buy equivalent hardware. That comes out to $110k per month amortized over three years (standard for a data center). And considering server cost is about half the cost of running a data center, not counting personnel, that comes closer to $220k per month to do i
well, i'm convinced (Score:3, Funny)
This is stupid. (Score:5, Funny)
Can the cloud be more secure than your own servers? Yes.
Can the cloud be less secure than your own servers? Yes.
Re: (Score:3)
Q:Can the cloud be more secure than your own servers?
A:Of course it can
A much more important question is:
Q:Is the cloud more secure than your own servers?
A:That all depends on how hard you are willing to work to make your servers secure.
Connection stability (Score:2, Insightful)
Guess what it costs me to have a connection so stable that it never goes down?
As it turns out, it is far more (measured over 5 years, the length of our ISP contracts) than proper redundancy in my equipment costs.
Your Data is worthless (Score:2, Insightful)
Amazon, Rackspace, et-al don't give a shit about your data.
They care about the data your data generates. That is backed up, carefully guarded and controlled. Your data, on the other hand, is stored on the B- and C-grade disks and tapes and run on any old CPU in the farm that is past its prime.
Centralized data is great, for hackers. One target, lots of data, lots of reward. Targeting that one user, with the firewall? Not so much.
Re: (Score:3)
> Amazon, Rackspace, et-al don't give a shit about your data.
> They care about the data your data generates. That is backed up, carefully guarded and controlled. Your data, on the other hand, is stored on the B- and C-grade disks and tapes and run on any old CPU in the farm that is past its prime.
> Centralized data is great, for hackers. One target, lots of data, lots of reward. Targeting that one user, with the firewall? Not so much.
I don't care what grade disks my data is on as long as they don't lose it. I have several hundred TBs of data on EBS volumes (magnetic and SSD) and haven't lost any of it in the 3+ years it's been there. I have thousands of terabytes of data on S3 volumes and haven't lost any of that either.
I have, on the other hand, lost data that was stored on local ephemeral volumes when instances stopped working and had to be restarted, but that was no surprise since there is a reason they are called "ephemeral" disks.
If AWS
But... (Score:4, Interesting)
OTOH, perhaps that might just be the best place to be when a zero day drops. A cyber criminal won't likely bother with a small business and just go straight for the 23 terabytes of customer data on the next rack over...
Re: (Score:2)
So... Sony got breached in-house. Are you saying the Cloud companies would do a *worse* job?
Also, it is a fallacy that access to the AWS "datacenter" gives you access to everything. They have numerous network segments, firewalls, loads of servers, and multiple actual physical locations. Chances are, your hacker who does get access gets access to a segment that they don't even know what that segment contains.
And there is petabytes of data. I suppose they can spend a few years trying to figure out which s
How can the "Cloud" be more secure? (Score:4, Interesting)
Somebody flashes a badge, and they just hand your shit over, no questions asked... if they know what's good for them.
Re: (Score:2)
And you better believe that Amazon/Microsoft/Google are much better at telling the government "no" than your average small business.
Re: (Score:2)
Fighting a lengthy court battle in the name of privacy of their clients is quite telling.
Re: (Score:2)
I'm inclined to give them the benefit of doubt. There's not too many companies out there that just throw shareholder earnings at lawyers because they have too much cash burning a hole in their pocket.
Statistically, it's probably true (Score:2)
In aggregate, it's probably true. Now, I'm sure *your* servers are more secure.
To make a transportation analogy, it is far safer to fly somewhere on a commercial airline than it is to fly a private plane. Heck, it's even safer to fly commercial than it is to drive. And yet I know a lot of people who are terrified of flying.
Don't get me wrong...someone is going to die in a commercial plane crash this year. And if you fly a private aircraft, your chances of dying in a crash of your own plane are exceptional
Global Trouble-Makers Vote: Yes (Score:3)
Where have the past 2 years major data breaches occurred: Off-Cloud.
But what about adjusting for Cloud vs Off-Cloud %-usage: Still no contest.
Re: (Score:2)
FTFY.
Um.... maybe... sometimes.... it depends (Score:5, Insightful)
Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.
But those experts aren't regularly upgrading software I run on their cloud systems to fix security holes, nor monitoring my sites for exploits. So their expertise buys me little, other than that the underlying infrastructure hopefully will be sound. That's all. That's not a lot. The majority of security bugs/holes I've had experience seeing exploited were holes in application packages (think WordPress). Unless you mean hosting your resources on a specific application hosting provider who handles all upgrades (i.e. a hosted WordPress provider in this example, who guarantees up-to-date bug fixes on WordPress and some set of commonly used plugins).
Re: (Score:3)
> But those experts aren't regularly upgrading software I run on their cloud systems to fix security holes, nor monitoring my sites for exploits. So their expertise buys me little, other than that the underlying infrastructure hopefully will be sound. That's all. That's not a lot.
Then buy a plan where they do! If you rent out only infrastructure and still run your stuff yourself, there's not much difference to... well... running your stuff yourself. With all pros and cons.
Re: (Score:2)
Actually they *do* upgrade your software, if you know how to do it.
They provide upgraded images for you to use for your servers all the time. You just have to rip down your old servers and replace with the new images.
Sure, if you didn't write your app so it could handle coming up on new anonymous VMs every time, this is less possible, but to be honest, they provide huge capabilities for you to keep your OS and software up to date, you just need to be able to make use of the capabilities that are there.
Yes,
Cloud is less secure in one critical way (Score:5, Insightful)
If data is on my personal server and the US government wants to see it, they need a warrant.
If it's on a cloud server, they don't [wikipedia.org].
Re: (Score:2)
But you encrypted your sensitive cloud^H^H^H^H^H data because you care about regulatory compliance and best practices, right?
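The point raised here, and earlier in the thread by the commenter who wants to encrypt with the cipher of their choice BEFORE data leaves the premises, is easy to state and easy to get subtly wrong. As an added example (not code from the page, from SysAid, or from any provider mentioned), the Go program below encrypts a record with AES-256-GCM under a key that is generated and kept locally, so the only thing that ever reaches the storage provider is the opaque blob. The object name is bound as associated data, which is an assumption of this example rather than anything the thread specifies: it means a blob the provider serves back under a different name fails the tag check instead of silently decrypting. The sample record and object names are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM wraps a 32-byte key in an AES-256-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKey generates the on-premises key. It is stored locally and never uploaded.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Seal encrypts plaintext and returns nonce || ciphertext || tag, which is the
// only thing sent to the provider. objectName is bound as associated data
// (an assumption of this example) so a blob cannot be served back under
// another object name without the tag check failing.
func Seal(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce slice.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal. It fails if the blob was modified in any byte or if
// objectName differs from the one used when sealing.
func Open(key []byte, objectName string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// Demo seals a constructed record and checks that the provider side sees no
// plaintext, that a flipped byte is rejected, and that the same blob served
// under a different object name is rejected.
func Demo() (roundtrip, tamperRejected, renameRejected, noPlaintextLeak bool, err error) {
	key, err := NewKey()
	if err != nil {
		return
	}
	const name = "orders/2015-03/acme.json" // constructed object name
	record := []byte("customer=acme;card_last4=4242;note=constructed sample")
	blob, err := Seal(key, name, record)
	if err != nil {
		return
	}
	noPlaintextLeak = !bytes.Contains(blob, []byte("acme"))

	got, err := Open(key, name, blob)
	roundtrip = err == nil && bytes.Equal(got, record)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit inside the tag
	_, e := Open(key, name, tampered)
	tamperRejected = e != nil

	_, e = Open(key, "orders/2015-03/other.json", blob)
	renameRejected = e != nil
	return
}

func main() {
	rt, tr, rr, nl, err := Demo()
	fmt.Printf("roundtrip=%v tamperRejected=%v renameRejected=%v noPlaintextLeak=%v err=%v\n",
		rt, tr, rr, nl, err)
}
```

The provider still sees object names, sizes and access patterns, and a court order served on you rather than on the provider is a different problem; what this buys is that whoever holds the storage, or compels access to it, gets ciphertext that verifies only under the key that stayed at home.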
Re: (Score:2)
Not to worry. Encryption is going to be illegal soon!
Cloud is less secure in another critical way (Score:2)
Clouds may have better defenses, but they are also bigger targets.
Re: (Score:2)
It's cute how you think that a warrant is going to stop them, or that it's not trivially easy for them to get if they want one.
Re: (Score:2)
That is all well and good for you personally, or even a one man business. However, no business I know of that has more than a few people is going to shut off their internet when someone goes on vacation. I don't think that's really a case that this person is trying to make.
Of course, in the cloud you're much, much less likely to permanently lose your data through misplacing it, or by theft, or search warrant in.
Cops want your physical data devices and PC? No copy of the data elsewhere? You're done. Cop
Why the fuck is this a video (Score:3, Insightful)
Why is this taking megabytes of bandwidth to convey a message that could take kilobytes? Is there something visual about this concept that can't be communicated in writing? Stop the dumbing down of of /.
wow (Score:5, Insightful)
This is like saying that Budweiser has better beer than a local brewery because they have bigger vats and more distributors.
I think the trick to security is not in how many experts you have, but in how willing you are to cut corners to increase profits.
Re: (Score:3)
That is something completely different. Your example aims at size, but the article aims at expertise.
But even Budweiser tastes better than my first homebrew. Not because they are big or small, but because I'm a bloody amateur (even if I have had some decent brews by now) and they have people who learned how to make beer.
Re: (Score:2)
Budweiser sucks because the goal of the company's management is to make it taste like that, but their brewmasters are actually very good brewers. (I have some friends who work at AB, so I've been able to try some of their small batches and little project brews.)
Expertise only counts for so much when the management hamstrings you and insists that you cut corners.
Re: (Score:3)
Who is more likely to cut corners on a security budget?
A company that will live and die based on its IT security reputation...
or the IT department of some random company that doesn't have IT as a source of revenue and IT security is therefore overhead.
There's always going to be some business or agency that needs to keep things in-house, but in no way is the Cloud model inferior to the laughable efforts of most IT shops today.
In the words of John McEnroe... (Score:5, Insightful)
YOU CANNOT BE SERIOUS!!!!
She is the CEO of a cloud based company. What the fuck do you expect her to say?
The real question is not...is the cloud secure? The question is...who is more likely to be a target of hackers?
Can cloud services be made secure? Of course they can. But it doesn't necessarily mean that they are. It all depends on policies and procedures which you, as an end user, have absolutely no say in. And what happens if there is a data breach? You get a year of free credit monitoring. Thanks for playing. There is no implicit guarantee, or liability, on their part.
If you are a hacker, who will you target? Me, with maybe a few credit card details, or Amazon, with millions of credit card details? The answer is obvious.
When it comes to the cloud I am reminded of the Tony Montana (Scarface) quote: "Who do I trust? ME!"
Re: (Score:2)
I will target *you* if I suspect that you have credit cards and a shitty security program. You personally may not be bad at security, but if you're working at an SMB, chances are that you have an insufficient program. It's the whole "look to the left and look to the right... two of the three of you have a bad security posture."
Sure, AWS has more credit cards, but all you need to have are *enough* credit card numbers for me to steal. Hacking AWS is real work and AWS doesn't have one file where its million
Re: (Score:2)
So what if she's a CEO of a cloud services company - it doesn't mean she's incorrect.
If you hack into Amazon's AWS you won't get a directory with "creditcards.xls" and "passwords.txt" in it, you'll be faced with a network architecture you won't understand, with hundreds of thousands of servers you won't recognize, virtualized and sequestered in ways you've never heard of.
It would help if you understood what's being discussed before leaping into a rant about your imagination.
Probably not (Score:5, Interesting)
Start with the fact that cloud services are big, ripe, juicy targets for anyone and everyone. Continue that there's probably never a time when their service isn't under some kind of attack in one way or another. Add in the fact that my server contains nothing of any real value to anyone but me. And extrapolate that to a very low likelihood that anyone would bother to take the time to attack my server. Consider also the fact that the cloud provider has to succeed 100% of the time to make my data secure while the hackers can fail almost forever and only have to succeed once.
I'm going to go with the fact that my data is more secure in my server at home than it would be in the cloud.
Of course, small businesses without a dedicated security team are legitimate targets. But whether they store their data in the cloud or in company servers, their business internet connection is vulnerable to attack and provides a much easier road into the cloud storage than trying to directly attack the cloud servers. So realistically, the businesses accessing the cloud servers in bulk are a significant vector for attacking a cloud service. As a result, it doesn't matter where the business stores its data; it is no more or less vulnerable to attack in either location.
When it comes to large corporations, they are bigger targets but they have the budget to hire security experts just like the cloud provider has. So while they too are probably under constant attack 24/7/365, they are not necessarily any more or less vulnerable than the cloud provider.
So on balance, I'm going to go with no, the cloud does not necessarily make your data any more (or less for that matter) secure than not using it.
Re: (Score:2)
An exposed server is scanned, if not "attacked" almost immediately anymore. Before moving the default port for my ssh server from 22 I had nearly a constant flow of attempts to break into my "home server". Seeing attempts to log in with usernames of administrator, oracle, mysql, dba, etc as well as common names always made me chuckle. Now I consider it a really lame attempt at breaking into my server
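What the commenter above describes, a steady stream of password guesses against the usual account names, is exactly the kind of thing a small shop should be counting rather than chuckling at, because the same log that produces the chuckle is the cheapest detection signal a one-admin server has. As an added example (not code from the page or from any product mentioned), the Go program below parses sshd lines in the standard auth.log format, tallies failed logins per source address and per attempted username, and lists sources that cross a threshold. The log lines are constructed for this example, with RFC 5737 documentation addresses; the hostname and PIDs are made up. A practitioner would feed it `journalctl -u ssh` or `/var/log/auth.log` instead of the embedded sample.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Constructed sample lines in sshd's auth.log format; not real traffic.
var sampleLog = []string{
	"Mar 10 02:14:33 home sshd[1201]: Failed password for invalid user administrator from 203.0.113.5 port 51234 ssh2",
	"Mar 10 02:14:35 home sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2",
	"Mar 10 02:14:37 home sshd[1205]: Failed password for invalid user mysql from 203.0.113.5 port 51238 ssh2",
	"Mar 10 02:14:39 home sshd[1207]: Failed password for root from 203.0.113.5 port 51240 ssh2",
	"Mar 10 02:14:41 home sshd[1209]: Failed password for invalid user dba from 198.51.100.23 port 40001 ssh2",
	"Mar 10 02:15:02 home sshd[1211]: Accepted publickey for alice from 192.0.2.10 port 55512 ssh2: ED25519 SHA256:AAAA",
	"Mar 10 02:15:10 home sshd[1213]: Failed password for alice from 192.0.2.10 port 55514 ssh2",
}

// sshd logs guesses against nonexistent accounts as "invalid user NAME";
// the optional group absorbs that so NAME is captured either way.
var failedRe = regexp.MustCompile(`sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+`)

// Attempt is one failed password login.
type Attempt struct {
	User string
	IP   string
}

// ParseFailed extracts the username and source address from a failed-password
// line; any other sshd line (accepted logins, disconnects) returns ok=false.
func ParseFailed(line string) (Attempt, bool) {
	m := failedRe.FindStringSubmatch(line)
	if m == nil {
		return Attempt{}, false
	}
	return Attempt{User: m[1], IP: m[2]}, true
}

// Summary holds failed-attempt counts per source address and per username.
type Summary struct {
	BySource map[string]int
	ByUser   map[string]int
}

// Summarize tallies every failed login in the given lines.
func Summarize(lines []string) Summary {
	s := Summary{BySource: map[string]int{}, ByUser: map[string]int{}}
	for _, l := range lines {
		if a, ok := ParseFailed(l); ok {
			s.BySource[a.IP]++
			s.ByUser[a.User]++
		}
	}
	return s
}

// NoisySources returns source addresses with at least threshold failures,
// sorted so the output is stable. These are the candidates for a block rule.
func NoisySources(s Summary, threshold int) []string {
	var out []string
	for ip, n := range s.BySource {
		if n >= threshold {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	s := Summarize(sampleLog)
	fmt.Println("failed attempts by source:", s.BySource)
	fmt.Println("attempted usernames:", s.ByUser)
	fmt.Println("sources at or above 3 failures:", NoisySources(s, 3))
}
```

Moving sshd off port 22 thins the noise from the dumbest scanners but does nothing against a guess that lands; key-only authentication, a per-source threshold like the one above feeding a firewall rule, and an eye on the username list (a real user's name appearing among the guesses is a different event from `oracle` appearing) are what actually change the outcome.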
Re: (Score:2)
> Continue that there's probably never a time when their service isn't under some kind of attack in one way or another.
But this statement goes to prove that their security is better tested than yours. You're just hoping no black hats notice you, because if they do, you're toast.
Re: (Score:2)
Re: (Score:2)
Add in the fact that my server contains nothing of any real value to anyone but me.
So what you're saying is, it doesn't matter at all if you get hacked. Why talk about security if nobody wants to look at your data?
Re: (Score:3)
Start with the fact that cloud services are big, ripe, juicy targets for anyone and everyone. Continue that there's probably never a time when their service isn't under some kind of attack in one way or another. Add in the fact that my server contains nothing of any real value to anyone but me. And extrapolate that to a very low likelihood that anyone would bother to take the time to attack my server.
That was a good argument in the past, maybe, but today the attacks are all automated (and the ones that aren't are against high value targets that don't meet your criteria anyway).
Low value or not, your server gets hammered every day simply for being on the internet.
Of course it can be more secure. (Score:2)
Of course it can be more secure.
Unplug it and bury it in cement. It works for all servers, but Amazon has deeper holes in which to bury them.
Re: (Score:2)
Umm, no. Surface area? (Score:3)
There's often a lot of focus on actual/active security, and a lot less on determining the need for that security. Think of security like a power-to-weight ratio for performance.
The goal isn't to have great security. The goal is to have no successful attacks. "no successful attacks" is approachable from two primary vectors: "successful" and "attacks". Security focuses on the successful vector, by resisting.
Certainly, when it comes to contracting a provider, or rolling my own, a big provider might be better than I am. Of course, I can hire a consultant and get the best of both, and a big bill to match.
Obfuscation is not security. But it is a reduction in the actual number of attacks -- so long as it's working, of course.
I've been with small providers, I've been with large providers, I've been with Rackspace, and I've rolled my own.
The truth is that all four scenarios have had plenty of attempted attacks. But dive a little deeper, and something way more interesting appears.
When I rolled my own, I got loads of random attacks, mostly from China. Nothing persisted for very long. Nothing was particularly focused. And nothing was complicated. Almost all were easily dodged with standard surface-area-of-attack controls, like closing unused ports and not having general server bloat.
When I was with Rackspace, I had loads of help from their excellent support teams, and on occasion, wow did I ever need it! Persistent attacks, lasting for days, targeted attacks, DDoS attacks with large systems on the other end. At one point we had over a dozen Rackspace support personnel just fighting to kill stuff fast enough to keep performance up long enough to identify and resolve the issue without needing to take the server entirely offline.
I was very happy with Rackspace, and was with them for a decade. Now I'm rolling my own again, things are just much more stable that way.
So what's your preference? Being in a military compound, protected by a thousand soldiers in the middle of a war zone; or being completely unprotected, on a mountainside, in upstate Montana?
I'm choosing big-sky country, personally.
Also, I believe that Rackspace is partnered with a very familiar government spy agency quite directly -- since they both moved campuses at the same time the other year, and I was greeted quite aggressively, as you would imagine, when I visited Rackspace for a tour, and accidentally pulled up to the unmarked neighbour. Probably appropriately so, given that it was on a September 10th.
And if it's not secure, you probably won't know (Score:2, Interesting)
Our company contracted with an external supplier to manage an application for us that we had been managing in house. We got the usual assurances about their data centre, nailed down the SLA, and did a PIA. All good. As we were working with them to get our data moved over one of our sysadmins came upon a SQL Server admin id/password, unencrypted, in one of their .ini files. It was pretty generic (the name of the application with a few numbers instead of letters). That looked suspicious to us, so we contacte
Re: (Score:2)
Won't you be a dear and tell us what provider that was?
Is there a transcript? (Score:2)
Is there a transcript? I don't have time to watch the video as I'm getting my hair cut on my barber's advice.
Re: (Score:2)
Recommend clicking on "Show transcript"
Video Stories (Score:2)
Re: (Score:2)
Read the transcript. We provide one for almost every video.
experts like those at Experian? (Score:2)
That "answer" is nonsense; having more minimally paid and competent "security" staff is no indication of the quality of the actual security.
You want security? Make the bosses go to jail if a business is breached. THEN they'll spend the time and money to provide security.
Bunk (Score:3)
Bunk. BS.
1) She has a vested interest in presenting that her systems are secure.
2) She offers a weak link in the data chain. Every time any link is added the system gets LESS secure. Adding a weak link further weakens the system.
Only non-secure data gets stored on the cloud. Remember, it's like a postcard.
I'll provide my own security.
Can the cloud make you more ignorant? Yes. (Score:2)
Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.
Oh yes, and because of this, your cloud environment is automagically more secure.
Did we suddenly become ignorant of these things called contracts? More often than not, I've found that the devil is in the details as to just how much "other IT people" actually have to give a shit about your cloud environment when it goes down for any reason.
YES Most in-house security is an afterthought (Score:2)
If you are a supreme security expert perhaps 'you' could make a more secure system. Now ask yourself, how many third rate hacks think they are a supreme security expert, or worse how many companies don't even have that.
Oh if I had a dollar... (Score:2)
for every time someone told me that their on-premise is more secure than cloud. To be very fair, the first thing you should look at is where your security risks, threats, and exploits are arising. If we look at most security failures, it's almost exclusively due to disgruntled current or former employees within the IT organization or misconfigured external-facing software that is easily broken into. While yes the Chinese, North Koreans, or NSA are probably trying to hack the AWS, Azure, SoftLayer, and Rac
The only secure server... (Score:2)
Is unplugged, encased in concrete, at the bottom of the ocean.
And even then...
There's a shocker (Score:2)
Someone who sells cloud storage advocates that it's safer than doing it yourself. The question isn't worth much until it's answered by someone with no horse in the race.
Is it still "your" data in the cloud? (Score:2)
The bigger question is, is it still your data in the cloud? If you miss a bill payment will you be able to access it? If the cloud owner doesn't pay the telecom provider or the data center will you be able to access it? What if they file for bankruptcy? Or have their servers repossessed? How ironclad is that contract? They may have oodles of security but is that really what you would base your business decision on? Just some things to think about...
The cloud (Score:2)
Staff are very willing to work for the government when asked, requested, or have always worked for the government.
An enthusiastic surveillance partner going back decades or years?
How good is the legal department when facing paperwork that's not a fax from a law enforcement official? That national security letter (NSL) with a request to add hardware on site long term?
Got some FISA Amendments Act (FAA) paperwork, ready for the FREEDOM Act?
Betteridge's law of headlines (Score:2)
Betteridge's law of headlines applies here.
Okay, while it's theoretically possible to configure a home server to be less secure than a "cloud" solution you would almost have to go out of your way to do so.
It's lovely that a spokesperson from a Cloud provider wants to reassure us that using their services is secure, but:
What assurances do you have that they're not sharing your data with their partners or anyone else with enough cash?
What co-operation will they provide when a TLA (three-letter agency) shows u
Re: (Score:2)
> Okay, while it's theoretically possible to configure a home server to be less secure than a "cloud" solution you would almost have to go out of your way to do so.
Or just think you're smarter than the folks doing real security. I can no longer count the number of "professionals" with passphrase-free SSH keys on accessible network drives, or who insist on putting passphrase-free SSH keys with root access on all their servers "so they can do backups". Couple this with people who run private tunnels to, an
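The passphrase-free keys this reply complains about are easy to find mechanically, because both private-key formats OpenSSH writes record whether the key material is encrypted. The following is an added example, not code from the thread: it inspects the header of an OpenSSH-native private key (the `openssh-key-v1` blob, whose first string field is the cipher name, `none` when no passphrase was set) and of a legacy PEM key (which carries a `Proc-Type: 4,ENCRYPTED` header when protected), and reports keys stored in the clear. The sample keys are constructed header stubs built by `make_openssh_stub`, not real key material, and `scan_paths` is a hypothetical helper for walking a list of files.

```python
"""Find private SSH keys stored without a passphrase.

Added example for illustration. Assumes OpenSSH's native key format
(magic "openssh-key-v1\\0" followed by SSH-string fields: cipher name,
KDF name, KDF options, key count, ...) and the legacy PEM format.
The sample keys below are constructed stubs, not real keys.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH string (uint32 length prefix + payload)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    """Decode one SSH string at `offset`; return (payload, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    if start + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[start:start + n], start + n


def openssh_cipher(key_text: str) -> str:
    """Return the cipher name recorded in an OpenSSH-format private key."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 2 or lines[0] != OPENSSH_BEGIN:
        raise ValueError("not an OpenSSH-format private key")
    body = base64.b64decode("".join(lines[1:-1]))
    if not body.startswith(OPENSSH_MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, _ = _read_ssh_string(body, len(OPENSSH_MAGIC))
    return cipher.decode("ascii")


def is_passphrase_protected(key_text: str) -> bool:
    """True if the private key's material is encrypted under a passphrase."""
    first = key_text.strip().splitlines()[0].strip()
    if first == OPENSSH_BEGIN:
        return openssh_cipher(key_text) != "none"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container
    if first.startswith("-----BEGIN") and first.endswith("PRIVATE KEY-----"):
        # Legacy PEM (RSA/EC/DSA): encryption is signalled by a Proc-Type header.
        return "Proc-Type: 4,ENCRYPTED" in key_text
    raise ValueError("not a recognised private key")


def scan_paths(paths) -> list:
    """Hypothetical helper: return the paths whose keys are stored unprotected."""
    unprotected = []
    for p in paths:
        with open(p, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        try:
            if not is_passphrase_protected(text):
                unprotected.append(p)
        except ValueError:
            pass  # not a private key; skip
    return unprotected


def make_openssh_stub(cipher: str, kdf: str) -> str:
    """Build a constructed OpenSSH key header (no key material) for testing."""
    body = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(body).decode("ascii")
    return f"{OPENSSH_BEGIN}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    for label, key in [("no passphrase", make_openssh_stub("none", "none")),
                       ("bcrypt/aes256-ctr", make_openssh_stub("aes256-ctr", "bcrypt"))]:
        print(f"{label}: protected={is_passphrase_protected(key)}")
```

Run `scan_paths` over the contents of the shared drives and `~/.ssh` directories in question and you get the list of keys that need regenerating; for the automated-backup case the reply mentions, the usual fix is a dedicated key restricted with a `command="..."` option in `authorized_keys` rather than an unrestricted root key.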
Cloud Insecurity (Score:2)
Cloud insecurity is similar in scope to large corporation security. The more folks have access to your hardware or your network, the less secure it becomes.
Sure it may have stellar PHYSICAL security, but your systems are merely one cash payment to an employee (that you didn't get to screen) who has a debt problem away from compromise.
At least if you own the data center and the hardware, you get to pick the employees and what level of access they will have to it.
In " The Cloud ", those choices are no long
Yes but the big targets are so juicy (Score:2)
Most drivers are above average (Score:5, Insightful)
Most drivers consider themselves to be above average. Why would that not extend to server operators?
24/7 dedicated security teams... (Score:4, Funny)
Depends, do you have a dedicated security team?
The security grunts are paid in Alpo, and the supervisors are paid in Meow Mix. I also pay their medical.
Re: (Score:2)
Re: (Score:3)
Problem being that if you do not take care of your security, you are also likely to not take care of your own security in your cloud instances.
For example, not too long ago some company got bit by leaving something wide open in how they set up their EC2 instances.
You cannot sprinkle on security as an afterthought either way, security is a factor that must be kept in mind as you do the design.
Re: (Score:2)
True. A cloud provider protects *part* of what would be considered a data center, but it does not protect your poor software configurations or shitty code from compromise. And if you open up your security groups/ACLs to everyone, you will be open to attack.
You still need competent IT security for a cloud installation. What you don't need is a data center of your own.
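The point made in these two replies (EC2 instances "left wide open", security groups or ACLs opened to everyone) is exactly the kind of tenant-side misconfiguration a provider will not catch for you, but it is trivial to check yourself. The following is an added example, not code from the thread or from any provider: it audits security-group descriptions in the dict shape that `boto3`'s `describe_security_groups` returns (that shape is an assumption of the example; the two groups below are constructed, with a weak one beside its corrected form) and reports ingress rules reachable from the whole internet on anything other than a plain web listener.

```python
"""Flag security-group ingress rules open to the whole internet.

Added example for illustration. Input dicts follow the shape of
boto3 ec2.describe_security_groups()["SecurityGroups"] entries
(assumed); the groups below are constructed, not real accounts.
"""

# Ports on which a listener open to 0.0.0.0/0 is expected (assumed policy).
ALLOWED_PUBLIC_TCP_PORTS = {80, 443}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _rule_ports(perm: dict):
    """Port range covered by an IpPermissions entry ("-1" means all protocols/ports)."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort"), perm.get("ToPort"))


def _is_world_open(perm: dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def audit_security_group(sg: dict) -> list:
    """Return findings for ingress rules that expose non-web ports to everyone."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not _is_world_open(perm):
            continue
        lo, hi = _rule_ports(perm)
        if (perm.get("IpProtocol") == "tcp" and lo == hi
                and lo in ALLOWED_PUBLIC_TCP_PORTS):
            continue  # a public web listener is the intended exposure
        findings.append({"group": sg.get("GroupId"), "protocol": perm.get("IpProtocol"),
                         "ports": (lo, hi)})
    return findings


# Constructed weak group: SSH from anywhere, plus an "allow all" IPv6 rule.
WEAK_SG = {
    "GroupId": "sg-constructed-weak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

# The corrected form: SSH only from an admin range, HTTPS public, nothing else.
HARDENED_SG = {
    "GroupId": "sg-constructed-hardened",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


if __name__ == "__main__":
    for sg in (WEAK_SG, HARDENED_SG):
        print(sg["GroupId"], audit_security_group(sg))
```

In a real account you would feed `audit_security_group` each entry from `describe_security_groups` (or the equivalent export from another provider) and treat any finding as a ticket, which is the "keep security in mind as you do the design" part of the reply made checkable.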
Re: (Score:2)
Stuxnet, anyone? How safe were those centrifuge controllers from infection? Not at all. No one infected them from the Internet.
Re: (Score:2)
I take it you have never been to a real data center if you honestly believe someone can just sort of walk into a cloud data center. You can't just walk into a secure facility with a security guard, man-trap and biometric scanners by flashing a badge. And that is just to get you into the general access area. The cages are usually individually locked too.
And yes, everything you listed is done by Cloud providers except perhaps the items that would need to be done by the tenant. And nothing stops you from
Re: (Score:2)
I've seen someone talk their way into real data centers so many times, I've lost count. In one case the guy talked his way into the building, then talked his way into the data center, and then removed a server from a rack that he didn't have a key for and took the server away.
Re: (Score:2)
> I take it you have never been to a real data center if you honestly believe someone can just sort of walk into a cloud data center.
I've done it, mostly by pretending interest in starting a contract there. "The cloud" does not necessarily mean data centers as robust, and expensive, as AWS.