Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security

Video Can the Cloud Be More Secure Than Your Own Servers? (Video) 220

Sarah Lahav, CEO of Sysaid, believes "the cloud" can be more secure than keeping your software and data behind your firewall and administering it yourself, especially for small and medium-sized firms. Why? Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.

We've talked to Sarah before, and probably will again. She has strong opinions based on her experience in IT, and is happy to share those opinions. So take it away, Sarah...

Robin Miller for Slashdot: We are talking with Sarah, and she is founder, CEO and high muckety muck for SysAid based in Israel which is where she is not shockingly. Sarah maintains that the best reason to move your company’s software and data to the cloud is that the cloud is more secure. Talk to us.

Sarah Lahav, Sysaid : What I am saying is that 90% same challenges you are having now you will have when you put yourself in the cloud. Because I am not saying more secure but I am saying it is challenging. But if you look at infrastructure and what the cloud has to offer you, I am saying that it is a better substantial way to be secure in the cloud if you trust your provider like Amazon with the money they can invest because it is their business to keep you secure. The services with information in fact they have lots of people that’s what - their job to do is to keep your data secure. I am saying you have better chances of being secure in the cloud.

Slashdot: Alright. But in the cloud – the public cloud -- isn’t it possible that many attackers could try to get at your data, while having most of your corporate data stored on a server behind your firewall, and in fact, one that is not behind your firewall because you have disconnected it from the internet, is more secure? You have taken that piece of Cat 5 cable and pulled it out and you only plug it in for updates when you are watching.

Sarah: Yes, but I don't think that's something companies in this day and age can actually do. I mean most of their services as an organization work with applications like Salesforce. that requires you to be open to the internet. If you are the military you would not have regular connections to the internet but that’s not most of the corporate world. Most of the corporate world with customer services employs Salesforce, other SaaS providers, SaaS services you are buying. You are already out there, you can actually use that exposure to the internet. The only thing I am saying is that Amazon has more resources than any organization to invest in the cloud. Firewall is a firewall so you can get firewall from Amazon. I think that most probably having security app

I think the most security risk we have are people. The knowledge of what they do, and that wouldn’t change if it is locally or in the cloud. You just have to get knowledge and use it as a skill around Amazon and other SaaS providers in order to know what to do to protect the information. I really think from the cost effective side of things, if you don’t have the infrastructure, you want to keep updating you have better chances of cost effective in the cloud in Amazon than you have locally. The security, everybody agrees is the challenge. It is where the war is. And I really think that Amazon has better chances with the money we invest to keep us updated in all times and give us tool to check it.

Slashdot: I just want to say something: You are pushing Amazon hard. I have several good friends, who are fine, excellent programmers and security guys who work for Rackspace, out of Texas.

Sarah: Also good, also good, also good if you have government and regulation, and you are familiar with the services they provide, Rackspace it is just an ocean, Amazon as long as you know, we had a brief conversation before this conversation about the internet of things, and how it is a huge security breach, which I agree, but the internet of things is a breach because the IT person doesn’t know, so more conversation we have about security with IT people, it is not about what they know, it is about what they don’t know like if you buy a teapot and put it in the organization, it has internet on it, it is very simple to protect it, the fact you don’t know it puts you to all, and that is not even in the cloud yet. So I am saying it falls on people more on technology and I really think in regards with investing and money, it is worth to put it in the cloud, in the public cloud. You have better chances of keeping it secure. It is our business. Because we will be out of business if your data is not secure. That’s what we do.

Slashdot: Okay, let me, I don’t know how to say this.

Sarah: Because you want to give me a hard time.

Slashdot: Not really. I just want to learn as much as I can to help our listeners, our viewers, learn as much as they can. So I am going to give them a link to your website of course, the company website so they could see that and go in there. But the point is well taken, and I have heard it before that if you are a small company you don’t have the need to have a full time systems administrator on staff. It is just plain cheaper to hire your company or the one in Texas, Spiceworks, or any of the many others. So you are saying quite correctly -- I think I heard it once in an ad for something else--“We live and breathe this stuff.” That you just have more people, and probably smarter people working on security than a small company can have—I agree with that. Now, isn’t it inherently safer to have everything you can behind your firewall and connect with VPNs back and forth?

Sarah: Again, I am not just talking about the small company, a lot of the currently best services is by Salesforce but you will say I am pushing again Salesforce, but that was just an example. The services that if you want to be – the sales team that have the right tool, then you want to move forward, you have to consume services from the cloud. Salesforce with the timing, the company organization name means what kind of data they are holding for you. In which organization there are sales, there are numbers, there are orders, there are contacts, that’s one of the most valuable assets they have; so if an organization would be like to be competitive in this day and age, most of the services they are consuming are cloud based. The experienced organization expects to have multiple updates for the year currently making the task of people that want to keep their services on premise impossible. We have an on-premise version and SaaS solution and I can tell you that the SaaS is relatively more advanced than the in-house. Because the challenges are the in-house are enormous but we understand that people -- not all of them – are ready to adopt the cloud. If you want to be a competitive organization, if you want to give your workers the tools to do their job and to keep the organization in line with the competition, SaaS is the only way to go. What exactly I was talking about is secure unless you are a health, services provider or you hold credit card numbers for people who purchase some stuff for you, or if you have got health information, or you are military, and also around there the regulations, like HIPAA compliance or government set boundaries, and the SaaS people understand this is a business need. Not an IT need. The IT, you are giving them a headache, and they have a lot of headaches between BYOD and the internet of things, but they understand it is a business need, they would have to consume services in the cloud. Sometimes you all will be out there and that’s what you are doing so just know about it. The problem is knowledge. What services are out there? We are talking about VPN... even to install VPN you want to have security and you have to have knowledge. I think people are more afraid to get new knowledge than to consume stuff from the cloud.

This discussion has been archived. No new comments can be posted.

Can the Cloud Be More Secure Than Your Own Servers? (Video)

Comments Filter:
  • No (Score:2, Insightful)

    by Anonymous Coward

    Next question.

    • by halivar ( 535827 )

      Here's the next question: which room do I have a better shot at breaking into: your server closet, or Amazon's data center?

      • Re:No (Score:4, Interesting)

        by OverlordQ ( 264228 ) on Wednesday November 04, 2015 @03:48PM (#50865595) Journal

        Amazon's data center. Since they have more security experts and IT people there's more points of failure.

      • Wrong question. Which one has many more failure points and more potential admins to go rogue. Inside jobs account many more security issues than outside hacks. With my stuff in my rack I can use open source and be relatively sure that it isn't pre-compromised from the day I install it like most hosted platforms and most big name software. I can encrypt using the encryption of my choice BEFORE it leaves my premises or touches any corporate client software that claims to encrypt it for me but still allows the

        • Re:No (Score:5, Insightful)

          by tnk1 ( 899206 ) on Wednesday November 04, 2015 @06:18PM (#50866819)

          I don't see why you think more admins are equivalent to more failure points. You need more admins and audit staff to have a proper program to secure data. Using fewer admins is the equivalent of wishful thinking. You're hoping that your few admins are more trustworthy, but you lack the resources to enforce it because you can't separate duties. A large cloud company can enforce that precisely because they have more staff.

          I've worked for companies where there were only a few admins, period. There was no separation of duties for their data center, except maybe on paper. Any of the admins had complete power to grab anything they wanted and there was no staff that could adequately audit the logging and monitoring infrastructure to prevent the admins from simply disabling the logging and security monitoring. Extrusion of data was a piece of cake. All that was needed was motive to do so. Luckily, no one really cared to do so, but that was mere luck, not a security program.

          Larger cloud companies run regular compliance audits and have enough staff that separation of duties is something that really happens and can be made to work. For small and medium businesses, those cloud companies have objectively better security precisely because they can specialize their staff and realistically only grant access based on least privilege. There are checks and balances, and not all rights are in the hands of all powerful admins.

          Now, if you work for a big company, your IT staff may be at a level to support a comparable security program, but that will be because you have more admins, not less.

          As for "pre-compromised" open source, do you really inspect and compile all your OSS software? Extremely doubtful. Do you think that a large provider would purposely install compromised binaries or allow them to be installed by someone else?

          I understand that physical access is everything, but are you actually carrying out your carefully scrutinized software checks, or are you simply pointing out that it is possible to do so. Because, while anyone can compile their own OSS code, rarely have I seen anyone actually do that unless they need to, let alone run a code audit for vulnerabilities unless you're talking about the very highest security levels. For most SMBs, your argument is bogus precisely because they never actually take advantage of their ability to do so. They don't have the time or the staff or the expertise to do so.

          The worst part of all of this is that many in-house IT groups understand that they theoretically have more ability to control their own environments, but utterly fail to actually do so, because they can't get the resources nor do they have the motivation to do so. In the end, it just engenders a false sense of security.

          If you take the great number of SMBs in the market and add them to AWS or Azure or whatever, even though you might be theoretically opening them up to some issues, you will be realistically improving their actual security posture by a significant amount because now there is actually a real security program in place for their assets and data where there was not one before.

          • What does it matter if Amazon has 100 or 1000 more IT personal than you?

            The more I hear about cloud, the more I realize that everyone isn't talking about the same thing and truly doesn't understand it. Are you hosting your applications in someone else's datacenter and still maintaining them yourself? Are you paying someone else to support them? Or are you using hosted applications such as Salesforce.com?

            The bottleneck in most part isn't the IT resources, its the failure of management to let their resources

        • > With my stuff in my rack I can use open source

          I'm sorry to say this, but "so what"? Many vulnerabilities are due to tardy or inconsistently applied software updates, architecture, shared passwords, plaintext stored passwords, and unsanitized inputs. And many business, educational, and private environments say "we trust the people we work with" and apply _no_ security steps beyond their own border. The base OS images templates are reasonably good, reasonably well integrated, and their ability to handle

      • It's not just physical security. If your servers are connected to the Internet, and no security expert is reviewing your configuration, it's extremely likely that a cloud provider is more secure. Of course in-house servers with no Internet connection are the most secure, but most businesses seem to be Internet-connected these days, and too few focus on security.
      • Here's the next question: which room do I have a better shot at breaking into: your server closet, or Amazon's data center?

        Breaking into a room doesn't get you access to a machine. Since it is on the cloud, you can feel free to break into the machine anywhere with internet access. Their IT staff might be better versed in how to secure a server, but part of the problem that I have with cloud services is the could service provider. How do I obfuscate my server such that Amazon can't get into it. The answer probably is: you can't. In my closet, I absolutely can.

      • Amazon's data center.
        - Known location.
        - Many employees susceptible to bribery, trickery, and extortion.
        - No one would question someone snooping around at night since it's a busy 24/7 operation.
        - No one will shoot you when you break in.
        - No dogs guarding the area.
        - Susceptible to all manner of attacks ranging from cutting power, cutting data, tampering with cooling, etc. that would result in easier access (everyone running around trying to fix the problem, card

      • by ichthus ( 72442 )
        Who do you have a better chance of using social engineering against, for the purposes of gaining access to my data? Me at my home, or Amazon employee #43225 at Amazon's data center?
        • Who do you have a better chance of using social engineering against, for the purposes of gaining access to my data? Me at my home, or Amazon employee #43225 at Amazon's data center?

          Of course, you mean Amazon "Independent Contractor" #43225.

        • I am guessing the home user (maybe not you specifically).

          At least the Amazon employee has to sit through some security training on this stuff. Also, I am sure that the nameless Amazon drone does not have access to anything important anyway.

          • Having worked in that sort of places, there's a mandatory 1 hour training once a year. The contents of which are promptly forgotten about 1 hour after the mandatory test happening at the end of the training.
      • There was a vulnerability found in Xen a couple of weeks ago that allowed any PV guest running on any version of Xen released in the last 7 years, to map the whole of physical memory and tamper with the contents of any other VMs. This is, what, the fourth such exploit in Xen in the last year? Many of the others came from QEMU code, which was never intended to be used in security-critical situations. VMWare and HyperV almost certainly have similar issues, though they may not be so public about announcing

    • by suutar ( 1860506 )

      actually, turn the question around: "Can your servers be less secure than the cloud?" That's pretty much got to be "yes", though it would be rather embarassing.

    • You're too late. Her message isn't for the technology elite and knowledgeable implementers. It's meant for the technologically moderately literate and illiterate CIOs and CTOs who have enough ethics still to question outsourcing to South-East Asia and Cloud hosting.

      It doesn't matter how good the network security team at Amazon is when management is actively designing around the use case of the most security compromising end users: Software Developers.

      The funny thing I can't believe is that the smaller, mo
  • by fattmatt ( 1042156 ) on Wednesday November 04, 2015 @03:45PM (#50865567)
    "...probably have lots more security experts and other IT people at their command than you do" well, i'm convinced ... here's all my data!
  • by SecurityGuy ( 217807 ) on Wednesday November 04, 2015 @03:46PM (#50865577)

    Can the cloud be more secure than your own servers? Yes.
    Can the cloud be less secure than your own servers? Yes.

    • by creimer ( 824291 )
      Quantum security - just what we needed.
    • That is close to what I wanted to post.

      Q:Can the cloud be more secure than your own servers?
      A:Of course it can

      A much more important question is:

      Q:Is the cloud more secure than your own servers?
      A:That all depends on how hard you are willing to work to make your servers secure.
  • by Anonymous Coward

    Guess what it costs me to have a connection so stable that it never goes down?

    As it turns out, it is far more (measured over 5 years, the length of our ISP contracts) than proper redundancy in my equipment costs.

  • by Anonymous Coward

    Amazon, Rackspace, et-al don't give a shit about your data.

    They care about the data your data generates. That is backed-up, carefully guarded and controlled. Your data on the other hand, it stored on the B and C grade disks, tapes and run on any old CPU in the farm that is past it's prime.

    Centralized data is great, for hackers. One target, lots of data, lots of reward. Targeting that one user, with the firewall? Not so much.

    • by hawguy ( 1600213 )

      Amazon, Rackspace, et-al don't give a shit about your data.

      They care about the data your data generates. That is backed-up, carefully guarded and controlled. Your data on the other hand, it stored on the B and C grade disks, tapes and run on any old CPU in the farm that is past it's prime.

      Centralized data is great, for hackers. One target, lots of data, lots of reward. Targeting that one user, with the firewall? Not so much.

      I don't care what grade disks my data is on as long as they don't use it. I several hundred TB's of data on EBS volumes (magnetic and SSD) and haven't lost any of it in the 3+ years it's been there. I have thousands of terabytes of data on S3 volumes and haven't lost any of that either.

      I have, on the other hand, lost data that was stored on local ephemeral volumes when instances stopped working and had to be restarted, but that was no surprise since they is a reason they are called "ephemeral" disks.

      If AWS

  • But... (Score:4, Interesting)

    by TiggertheMad ( 556308 ) on Wednesday November 04, 2015 @03:52PM (#50865619) Homepage Journal
    While a cloud server has more security resources, they also have more professional hackers targeting them, since a single exploit has a good chance of bagging all the cloud provider's customer data. Think attacks like the Sony breach were bad? Just wait until you can get Sony, Microsoft, Facebook and the state of Ohio all at once because they happen to be hosted by the same cloud provider.

    OTOH, perhaps that might just be the best place to be when a zero day drops. A cyber criminal won't likely bother with a small business and just go straight for the 23 terabytes of customer data on the next rack over...
    • by tnk1 ( 899206 )

      So... Sony got breached in-house. Are you saying the Cloud companies would do a *worse* job?

      Also, it is a fallacy that access to the AWS "datacenter" gives you access to everything. They have numerous network segments, firewalls, loads of servers, and multiple actual physical locations. Chances are, your hacker who does get access gets access to a segment that they don't even know what that segment contains.

      And there is petabytes of data. I suppose they can spend a few years trying to figure out which s

  • by fustakrakich ( 1673220 ) on Wednesday November 04, 2015 @03:53PM (#50865633) Journal

    Somebody flashes a badge, and they just hand your shit over, no questions asked... if they know what's good for them.

    • And you better believe that Amazon/Microsoft/Google are much better at telling the government "no" than your average small business.

  • In aggregate, it's probably true. Now, I'm sure *your* servers are more secure.

    To make a transportation analogy, it is far safer to fly somewhere on a commercial airline than it is to fly a private plane. Heck, It's even safer to fly commercial than it is to drive. And yet I know a lot of people who are terrified of flying.

    Don't get me wrong...someone is going to die in a commercial plane crash this year. And if you fly a private aircraft, your chances of dying in a crash of your own plane are exceptional

  • by snadrus ( 930168 ) on Wednesday November 04, 2015 @04:00PM (#50865685) Homepage Journal

    Where have the past 2 years major data breaches occurred: Off-Cloud.
    But what about adjusting for Cloud vs Off-Cloud %-usage: Still no contest.

  • by Anonymous Coward on Wednesday November 04, 2015 @04:01PM (#50865695)

    Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.

    But those experts aren't regularly upgrading software I run on their cloud systems to fix security holes, nor monitoring my sites for exploits. So their expertise buys me little--other than the underlying infrastructure hopefully will be sound. That's all. That's not lot. The majority of security bugs/holes I've had experience seeing exploited were holes in application packages (think WordPress). Unless you mean hosting your resources on a specific application hosting provider who handles all upgrades (i.e. a hosted WordPress provider in this example, who guarantees up-to-date bug fixes on WordPress and some set of commonly used plugins).

    • But those experts aren't regularly upgrading software I run on their cloud systems to fix security holes, nor monitoring my sites for exploits. So their expertise buys me little--other than the underlying infrastructure hopefully will be sound. That's all. That's not lot. .

      Then by a plan where they do! If you rent out only infrastructure and still run your stuff yourself, there's not much difference to .. well.. running your stuff yourself. With all pros and cons.

    • by tnk1 ( 899206 )

      Actually they *do* upgrade your software, if you know how to do it.

      They provide upgraded images for you to use for your servers all the time. You just have to rip down your old servers and replace with the new images.

      Sure, if you didn't write your app so it could handle coming up on new anonymous VMs every time, this is less possible, but to be honest, they provide huge capabilities for you to keep your OS and software up to date, you just need to be able to make use of the capabilities that are there.

      Yes,

  • by alispguru ( 72689 ) <{moc.tsg} {ta} {enab}> on Wednesday November 04, 2015 @04:02PM (#50865705) Journal

    If data is on my personal server and the US government wants to see it, they need a warrant.

    If it's on a cloud server, they don't [wikipedia.org].

    • by halivar ( 535827 )

      But you encrypted your sensitive cloud^H^H^H^H^H data because you care about regulatory compliance and best practices, right?

    • Clouds may have better defenses, but they are also bigger targets.

    • by cdrudge ( 68377 )

      It's cute how you think that a warrant is going to stop them, or that it's not trivially easy for them to get if they want one.

  • by Anonymous Coward on Wednesday November 04, 2015 @04:08PM (#50865745)

    Why is this taking megabytes of bandwidth to convey a message that could take kilobytes? Is there something visual about this concept that can't be communicated in writing? Stop the dumbing down of of /.

  • wow (Score:5, Insightful)

    by PopeRatzo ( 965947 ) on Wednesday November 04, 2015 @04:09PM (#50865753) Journal

    This is like saying that Budweiser has better beer than a local brewery because they have bigger vats and more distributors.

    I think the trick to security is not in how many experts you have, but in how willing you are to cut corners to increase profits.

    • That is something completly differnt. Your example aims on size, but the article aims on expertise.

      But even budweiser tastes better than my first homebrew. Not because they are big or small, but because I'm a bloody amateur (even if I had some decent brews by now) but they have people who learned how to make beer.

      • by chihowa ( 366380 )

        Budweiser sucks because the goal of the company's management is to make it taste like that, but their brewmasters are actually very good brewers. (I have some friends who work at AB, so I've been able to try some of their small batches and little project brews.)

        Expertise only counts for so much when the management hamstrings you and insists that you cut corners.

    • by tnk1 ( 899206 )

      Who is more likely to cut corners on a security budget?

      A company that will live and die based on it's IT security reputation....
      or the IT department of some random company that doesn't have IT as a source of revenue and IT security is therefore overhead.

      There's always going to be some business or agency that needs to keep things in-house, but in no way is the Cloud model inferior to the laughable efforts of most IT shops today.

  • by erp_consultant ( 2614861 ) on Wednesday November 04, 2015 @04:13PM (#50865785)

    YOU CANNOT BE SERIOUS!!!!

    She is the CEO of a cloud based company. What the fuck do you expect her to say?

    The real question is not...is the cloud secure? The question is...who is more likely to be a target of hackers?

    Can cloud services be made secure? Of course it can. But it doesn't necessary mean that it is. It all depends on policies and procedures which you, as an end user, have absolutely no say in. And what happens if there is a data breach? You get a year of free credit monitoring. Thanks for playing. There is no implicit guarantee, or liability, on their part.

    If you are a hacker who will you target? Me - with maybe a few credit card details or Amazon with millions or credit card details. The answer is obvious.

    When it comes to the cloud I am reminded of the Tony Montano (Scarface) quote: "Who do I trust? ME!".

    • by tnk1 ( 899206 )

      I will target *you* if I suspect that you have credit cards and a shitty security program. You personally may not be bad at security, but if you're working at an SMB, chances are that you have an insufficient program. It's the whole "look to the left and look to the right... two of the three of you have a bad security posture."

      Sure, AWS has more credit cards, but all you need to have are *enough* credit card numbers for me to steal. Hacking AWS is real work and AWS doesn't have one file where its million

    • by dave420 ( 699308 )

      So what if she's a CEO of a cloud services company - it doesn't mean she's incorrect.

      If you hack into Amazon's AWS you won't get a directory with "creditcards.xls" and "passwords.txt" in it, you'll be faced with a network architecture you won't understand, with hundreds of thousands of servers you won't recognize, virtualized and sequestered in ways you've never heard of.

      It would help if you understood what's being discussed before leaping into a rant about your imagination.

  • Probably not (Score:5, Interesting)

    by grimmjeeper ( 2301232 ) on Wednesday November 04, 2015 @04:13PM (#50865793) Homepage

    Start with the fact that cloud services are big, ripe, juicy targets for anyone and everyone. Continue that there's probably never a time when their service isn't under some kind of attack in one way or another. Add in the fact that my server contains nothing of any real value to anyone but me. And extrapolate that to a very low likelihood that anyone would bother to take the time to attack my server. Consider also the fact that the cloud provider has to succeed 100% of the time to make my data secure while the hackers can fail almost forever and only have to succeed once.

    I'm going to go with the fact that my data is more secure in my server at home than it would be in the cloud.

    Of course, small businesses without a dedicated security teams are legitimate targets. But whether they store their data in the cloud or in company servers, their business internet connection is vulnerable to attack and provides a much easier road into the cloud storage than trying to directly attack the cloud servers. So realistically, the businesses accessing the cloud servers in bulk are a significant vector for attacking a cloud service. As a result, it doesn't matter where the business stores its data, it is no more or less vulnerable to attack in either location.

    When it comes to large corporations, they are bigger targets but they have the budget to hire security experts just like the cloud provider has. So while they too are probably under constant attack 24/7/365, they are not necessarily any more or less vulnerable than the cloud provider.

    So on balance, I'm going to go with no, the cloud does not necessarily make your data any more (or less for that matter) secure than not using it.

    • by cdrudge ( 68377 )

      And extrapolate that to a very low likelihood that anyone would bother to take the time to attack my server.

      An exposed server is scanned, if not "attacked" almost immediately anymore. Before moving the default port for my ssh server from 22 I had nearly a constant flow of attempts to break into my "home server". Seeing attempts to log in with usernames of administrator, oracle, mysql, dba, etc as well as common names always made me chuckle. Now I consider it a really lame attempt at breaking into my server

      • I don't have my server directly accessible to the outside ports. In fact, nothing from my router redirects into any of my home computers because I don't remotely connect from the outside world. I personally have no interest in enabling that functionality. Though that doesn't stop a Trojan Horse from opening up a port but that has to be initiated from the inside once I've downloaded it. And given the combination of ad blockers and script blockers I run, that's unlikely.
        • Your router can be compromised from the Internet side and your internal network exposed. An internal attack is not needed.
    • by halivar ( 535827 )

      Continue that there's probably never a time when their service isn't under some kind of attack in one way or another.

      But this statement goes to prove that their security is better tested than yours. You're just hoping no black hats notice you, because if they do, you're toast.

      • They can have copies of all the pictures and videos from the Jeep trips I've gone on and they're welcome to my pron collection. That's about all I really keep on my server.
    • by Fwipp ( 1473271 )

      Add in the fact that my server contains nothing of any real value to anyone but me.

      So what you're saying is, it doesn't matter at all if you get hacked. Why talk about security if nobody wants to look at your data?

    • Start with the fact that cloud services are big, ripe, juicy targets for anyone and everyone. Continue that there's probably never a time when their service isn't under some kind of attack in one way or another. Add in the fact that my server contains nothing of any real value to anyone but me. And extrapolate that to a very low likelihood that anyone would bother to take the time to attack my server.

      That was a good argument in the past, maybe, but today the attacks are all automated (and the ones that aren't are against high value targets that don't meet your criteria anyway).

      Low value or not, your server get hammered against every day simply for being on the internet.

  • Of course it can be more secure.

    Unplug it and bury it in cement. It works for all servers, but Amazon has deeper holes in which to bury them.

  • by holophrastic ( 221104 ) on Wednesday November 04, 2015 @04:17PM (#50865827)

    There's often a lot of focus on actual/active security, and a lot less on determining the need for that security. Think of security like a power-to-weight ratio for performance.

    The goal isn't to have great security. The goal is to have no successful attacks. "no successful attacks" is approachable from two primary vectors: "successful" and "attacks". Security focuses on the successful vector, by resisting.

    Certainly, when it comes to contracting a provider, or rolling my own, a big provider might be better than I am. Of course, I can hire a consultant and get the best of both, and a big bill to match.

    Obfiscation is not security. But it is a reduction in the actual number of attacks -- so long as it's working, of course.

    I've been with small providers, I've been with large providers, I've been with Rackspace, and I've rolled my own.

    The truth is that all four scenarios have had plenty of attempted attacks. But dive a little deeper, and something way more interesting appears.

    When I rolled my own, I got loads of random attacks, mostly from China. Nothing persisted for very long. Nothing was particularly focused. And nothing was complicated. Almost all were easily dodged with standard surface-area-of-attack controls, like closing unused ports and not having general server bloat.

    When I was with Rackspace, I had loads of help from their excellent support teams, and on occasion, wow did I ever need it! Persistant attacks, lasting for days, targeted attacks, ddos attacks with large systems on the other end. At one point we had over a dozen rackspace support personnel just fighting to kill stuff fast enough to keep performance up long enough to identify and resolve the issue without needing to take the server entirely offline.

    I was very happy with Rackspace, and was with them for a decade. Now I'm rolling my own again, things are just much more stable that way.

    So what's your preference? Being in a military compound, protected by a thousand soldiers in the middle of a war-zone; or being completely unprotected, on a mountain side, in upstate montana?

    I'm choosing big-sky country, personally.

    Also, I believe that Rackspace is partnered with a very familiar government spy agency quite directly -- since they both moved campuses at the same time the other year, and I was greeted quite aggressively, as you would imagine, when I visited Rackspace for a tour, and accidentally pulled up to the unmarked neighbour. Probably appropriately so, given that it was on a september 10th.

  • by Anonymous Coward

    Our company contracted with an external supplier to manage an application for us that we had been managing in house. We got the usual assurances about their data centre, nailed down the SLA, and did a PIA. All good. As we were working with them to get our data moved over one of our sysadmins came upon a SQL Server admin id/password, unencrypted, in one of their .ini files. It was pretty generic (the name of the application with a few numbers instead of letters). That looked suspicious to us, so we contacte

  • Is there a transcript? I don't have time to watch the video as I'm getting my hair cut on my barber's advice.

  • Could you at least get some decent audio if you are going to do these? I listened to the first 10 seconds and could not stand the sound. Also you have a smart audience, we would much prefer to just read the story. We all thought the book was better.
  • That "answer" is nonsense; having more minimally paid and competent "security" staff is no indication of the quality of the actual security.

    You want security? Make the bosses go to jail if a business is breached. THEN they'll spend the time and money to provide security.

  • by pubwvj ( 1045960 ) on Wednesday November 04, 2015 @04:55PM (#50866139)

    Bunk. BS.

    1) She has a vested interest in presenting that her systems are secure.

    2) She offers a weak link in the data chain. Every time any link is added the system gets LESS secure. Adding a weak link further weakens the system.

    Only non-secure data gets stored on the cloud. Remember, it's like a postcard.

    I'll provide my own security.

  • Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.

    Oh yes, and because of this, your cloud environment is automagically more secure.

    Did we suddenly become ignorant of these things called contracts? More often than not, I've found that the devil is in the details as to just how much "other IT people" actually have to give a shit about your cloud environment when it goes down for any reason.

  • Where Amazon and Microsoft at least know and cover the basics, and make a serious effort most companies haven't the resources, people, or expertise to keep their servers even remotely secure.

    If you are a supreme security expert perhaps 'you' could make a more secure system. Now ask yourself, how many third rate hacks think they are a supreme security expert, or worse how many companies don't even have that.
  • for every time some one told me that their on-premise is more secure than cloud. To be very fair, the first thing you should look at it is where your security risks, threats, and exploits are arising. If we look at most security failures its almost exclusively due to disgruntled current or former employees within the IT organization or misconfigured external-facing software that is easily broken into. While yes the Chinese, North Koreans, or NSA are probably trying to hack the AWS, Azure, SoftLayer, and Rac

  • Is unplugged, encased in concrete, at the bottom of the ocean.

    And even then...

  • Someone who sells cloud storage advocates that it's safer than doing it yourself. The question isn't worth much until it's answered by someone with no horse in the race.

  • The bigger question is, is it still your data in the cloud? If you miss a bill payment will you be able to access it? If the cloud owner doesn't pay the telecom provider or the data center will you be able to access it? What if they file for bankruptcy? Or have their servers repossessed? How ironclad is that contract? They may have oodles of security but is that really what you would base your business decision on? Just some things to think about...

  • Is based in a nation and its laws and legal amendments:
    Staff are very willing work for the government when asked, requested or have always worked for the government.
    An enthusiastic surveillance partner going back decades or years?
    How good is the legal department when facing paper work thats not a fax from a law enforcement official? That national security letter (NSL) with a request to add hardware on site long term?
    Got some FISA Amendments Act (FAA) paperwork, ready for the FREEDOM Act?
  • Betteridge's law of headlines applies here.

    Okay, while it's theoretically possible to configure a home server to be less secure than a "cloud" solution you would almost have to go out of your way to do so.

    It's lovely that a spokesperson from a Cloud provider wants to reassure us that using their services is secure, but:

    What assurances do you have that they're not sharing your data with their partners or anyone else with enough cash?
    What co-operation will they provide when a TLA (three-letter agency) shows u

    • > Okay, while it's theoretically possible to configure a home server to be less secure than a "cloud" solution you would almost have to go out of your way to do so.

      Or just think you're smarter than the folks doing real security. I can no longer count the number of "professionals" with passphrase free SSH keys on accessable network drives, or who insist on putting passphrase free SSH keys with root access on all their servers "so they can do backups". Couple this with people who run private tunnels to, an

  • Cloud insecurity is similar in scope to large corporation security. The more folks have access to your hardware or your network, the less secure it becomes.

    Sure it may have stellar PHYSICAL security, but your systems are merely one cash payment to an employee ( that you didn't get to screen ) who has a debt problem away from compromise.

    At least if you own the data center and the hardware, you get to pick the employees and what level of access they will have to it.

    In " The Cloud ", those choices are no long

  • The big targets are so very juicy. I can't see a team of world class hackers attacking my usedshoes.com site with $80 in annual sales. With a major cloud provider I can see national governments sponsoring hacks so robust that they may very well get agents hired on as staff within the provider themselves. Then once you are in the rewards are so very massive.

"Being against torture ought to be sort of a bipartisan thing." -- Karl Lehenbauer

Working...