×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Cloud Security: What You Need To Know To Lock It Down

samzenpus posted about 2 years ago | from the better-safe-than-sorry dept.

Cloud 74

Nerval's Lobster writes "IT security writer Steve Ragan writes: 'The word "cloud" is sometimes overused in IT—and lately, it's been tossed around more than a football during a tailgating party. Be that as it may, organizations still want to implement cloud-based initiatives. But securing assets once they're in the cloud is often easier said than done.' He then walks through some of the core concepts of cloud security, along with the companies operating in the space."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

74 comments

Lock it down (5, Interesting)

colinrichardday (768814) | about 2 years ago | (#40595009)

the only safe cloud is a dead cloud.

Re:Lock it down (0)

Anonymous Coward | about 2 years ago | (#40595069)

That's good. Mine was, "Don't use it!"

Re:Lock it down (1)

JustOK (667959) | about 2 years ago | (#40595277)

But every cloud has a silver lining and silver is a good conductor of electricity

Re:Lock it down (1)

colinrichardday (768814) | about 2 years ago | (#40595575)

But how do you stop the silver from conducting your data to unauthorized parties?

Re:Lock it down (0)

Anonymous Coward | about 2 years ago | (#40600487)

nickel nitride passivation layer.

If I run "your" cloud I have access to your data. (0)

Anonymous Coward | about 2 years ago | (#40598733)

Period. There is no securing it, there are no workarounds to this. I own the hypervisor, I own the metal I can look at what everything that goes in there, I can do with your ass what I want. I can steal your data, I can falsify your data, I can impersonate as you, you have no control and can not defend against me.

It does not matter whether you encrypt your data IF you decrypt it on my machines. I can capture your decryption key. The only thing you could do is store encrypted data and never put the key on any of my machines. However that makes me your backup service, not "your" cloud.

There is NO SECURITY in the cloud beyond what I let you have.

WE OWN YOUR ASSES (tm).

Re:If I run "your" cloud I have access to your dat (1)

lister king of smeg (2481612) | about 2 years ago | (#40599303)

i can encrypt my database and querie it without having to decrypt it.* so yes i can.

*(http://www.forbes.com/sites/andygreenberg/2011/12/19/an-mit-magic-trick-computing-on-encrypted-databases-without-ever-decrypting-them/)

Easy (2, Interesting)

Anonymous Coward | about 2 years ago | (#40595021)

Easy solution: Don't do it. There, I saved you having to RTFA which is just spam to drive hits to Slashdot's Cloud page.

Re:Easy (0)

Anonymous Coward | about 2 years ago | (#40598823)

Mod points for you sir!

I thought the same thing as I read TFA: "Wait, this is a sales pitch, where's the article?"

You can't have it all. (2, Informative)

Anonymous Coward | about 2 years ago | (#40595049)

If you want something to be secure, you have to store it in house.
There is no guarantee that once you put it out on "the cloud" that someone else won't reach for it.

Re:You can't have it all. (1)

dgatwood (11270) | about 2 years ago | (#40595683)

Or encrypt it before you put it out on "the cloud". AES-128 ought to provide at least three or four years of protection.

Re:You can't have it all. (1)

Anonymous Coward | about 2 years ago | (#40596217)

ROT-13 encryption should be good enough for anyone. ROT-26 if you absolutely NEED the extra security...

Re:You can't have it all. (1)

hawguy (1600213) | about 2 years ago | (#40595931)

If you want something to be secure, you have to store it in house.

There is no guarantee that once you put it out on "the cloud" that someone else won't reach for it.

But don't you already encrypt your sensitive data at rest? If that's the case, is the cloud really any less secure than having it in-house? Your secret data is more likely to leave your facility through your internet connection than from someone taking a hard drive from your server.

Cloud = server (1)

Anonymous Coward | about 2 years ago | (#40595057)

In the "beginning" was the text terminal connected to a server through a cable. Fast forward half a century. Now its the mobile smartphone connected to a server cluster via radiowaves. What's the big deal?

Re:Cloud = server (1)

Kenja (541830) | about 2 years ago | (#40595119)

There is a major difference. Unlike a "real" server a cloud server is an image of a system that exists in multiple locations. Its like if you took a server, and put it on a flash drive that you could stick in your pocket and walk out the door with. There is a much higher security risk as a result, since your data does not exist only in a physical location that you can control.

Re:Cloud = server (1)

Anonymous Coward | about 2 years ago | (#40595133)

Did you really think your data couldn't walk out the door before? Nothing has changed...

Re:Cloud = server (0)

Anonymous Coward | about 2 years ago | (#40595273)

Did you really think your data couldn't walk out the door before? Nothing has changed...

Except in this case, the data is already out of the door.

its the 10/10 security problem (1)

RobertLTux (260313) | about 2 years ago | (#40595859)

If you run a server room (or rooms) then you can put a couple "retired" Marines at the door and have them SHOOT anyone not authorized to enter.

with THE CLOUD you don't know exactly which door (or even which BUILDING currently has your data.

(hint 10/10 is the Marine Corp Birthday)

Re:its the 10/10 security problem (1)

kcitren (72383) | about 2 years ago | (#40597463)

So you put the guards and the doors of your facilities. What's the problem?

Re:its the 10/10 security problem (1)

Lennie (16154) | about 2 years ago | (#40600333)

With "the cloud", you don't own the server. So you don't decide how your data is secured.

Insecure, and the cloud providers know it. (5, Insightful)

Animats (122034) | about 2 years ago | (#40595071)

From the article:

"When you sign a Business Associate agreement, there's a level of liability that the business associate accepts. They openly acknowledge they have to operate within the HIPAA security rule like any covered entity. Understandably, none of the current cloud providers are willing to do that."

That says it all. The major cloud providers won't accept responsibility for security in their own systems.

Re:Insecure, and the cloud providers know it. (0)

Anonymous Coward | about 2 years ago | (#40595113)

Amazon apparently does: http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/

Ooooo! A white paper! (0)

Anonymous Coward | about 2 years ago | (#40595219)

White paper, shite paper.

What really counts are their actions when the shit hits the fan.

Re:Insecure, and the cloud providers know it. (3, Insightful)

rgbrenner (317308) | about 2 years ago | (#40595443)

Did you actually read that whitepaper? Amazon says you should encrypt the data BEFORE uploading it to S3. Doesn't that tell you everything you need to know about S3's security? And to top it all off, at the end:

Disclaimer

This white paper is not intended to constitute legal advice. You are advised to seek the advice
of counsel regarding compliance with HIPAA and other laws that may be applicable to you
and your business. Amazon Web Services LLC. and its affiliated entities make no
representations or warranties that your use of Amazon Web Services will assure compliance
with applicable laws, including but not limited to HIPAA.

Re:Insecure, and the cloud providers know it. (1)

jkiller (1030766) | about 2 years ago | (#40595977)

What about the many, many customers that deal with HIPPA (Health Safety Information) And Patient Safety information? Also, what about security clearance? There are very few hosting services out there that offer certified compliance standards as well as employee screenings for ALL employees that will be handling (read: potentially have access both on hardware and software levels) for things that require background checks (Such as FBI background check, etc.). I deal with this on a daily basis. I've dealt with incompetent people, let's call them c-level, who just want to throw everything out of the data center into some puffy place so they don't have to worry (read: pay) for infrastructure/support on-going and up front. Also they thing this will deal with things like overheard regarding number of needed staff/salaries. Drives me up a goddamn wall. Private cloud with proper DR in place is good enough. That's the only way I'd ever plan it.

Re:Insecure, and the cloud providers know it. (1)

hawguy (1600213) | about 2 years ago | (#40596235)

Did you actually read that whitepaper? Amazon says you should encrypt the data BEFORE uploading it to S3

You should always encrypt your data before it's stored on any disk media, not just "cloud storage".

Re:Insecure, and the cloud providers know it. (0)

rgbrenner (317308) | about 2 years ago | (#40596423)

That's the thing: amazon can encrypt your data with aes256.. but they are saying you should encrypt it yourself before uploading it.

In other worse, their encryption is not good enough to comply with HIPPA

Re:Insecure, and the cloud providers know it. (0)

Anonymous Coward | about 2 years ago | (#40596975)

The strength, or lack thereof, of Amazon's encryption is irrelevant. Assuming that they use the same scheme I use (whatever that scheme is), it will always be more secure for me to encrypt my own data than to let them do it. Why? Because for Amazon to encrypt my data, I have to give them the key. How secure is that!?

Re:Insecure, and the cloud providers know it. (1)

PintoPiman (648009) | about 2 years ago | (#40634083)

Why would Amazon want to take liability for your data's security? I'm sure they do their best to avoid breaches, but it seems to me that if you want a SLA that guarantees security that you should pay them for it (beyond what you're paying for the basic service). What corporation would ever volunteer to take on extra liability?

Re:Insecure, and the cloud providers know it. (0)

Anonymous Coward | about 2 years ago | (#40595629)

Well, isn't a cloud service like a parking garage type of service? You put your car there, but they are not responsible for the security of your car.

I guess the question is if the parking garage is trusted not to let perps (or the government) peak into your car. Or replicate the contents and hand it to someone else. Other than that, seems like a reasonable premise.

WHAT? (1)

Anonymous Coward | about 2 years ago | (#40595093)

'it's been tossed around more than a football during a tailgating party'

The hell does that even mean? I need a car analogy, STAT.

Car analogy Re:WHAT? (1)

davidwr (791652) | about 2 years ago | (#40595251)

In-house computing is like having a corporate car or fleet of cars owned or leased by your company, dedicated to its use.

Shared-cloud (vs. intranet-cloud, managed in-house) computing is as if you paid a car-rental company $X/year for the right to have any of your employees walk up to the rental counter and be issued a car at any time day or night, without any additional payment and without any lack of availability beyond what was negotiated in the master contract.

Re:WHAT? (1)

million_monkeys (2480792) | about 2 years ago | (#40595769)

'it's been tossed around more than a football during a tailgating party'

The hell does that even mean? I need a car analogy, STAT.

It's an alogy to help you in case you couldn't understand the previous line: 'The word "cloud" is sometimes overused in IT'. And quite frankly, anyone who doesn't already know the term is overused, and after upon being informed of that fact needs an analogy to help them understand it, really shouldn't be directly in charge of anything IT related.

Re:WHAT? (0)

Anonymous Coward | about 2 years ago | (#40596449)

obviously i meant analogy, not alogy.

alogy
n. 1. Unreasonableness; absurdity.
Medicine. an inability to speak, especially as the result of a brain lesion.

hmm....

Can't be done. (4, Informative)

Hatta (162192) | about 2 years ago | (#40595103)

The cloud provider effectively has physical access to your machine, which is game over for any sort of security. Even if you use full disk encryption, you're going to have to decrypt it, and that means your key will be in RAM. A motivated spy in the cloud provider would have little trouble dumping your VM's RAM and decrypting everything.

You might be able to get away with running machines locally, and using the cloud for storage, if you encrypt everything locally and only store encrypted data in the cloud. But that removes most of the benefits of using the cloud in the first place.

Re:Can't be done. (2, Insightful)

Anonymous Coward | about 2 years ago | (#40595193)

There's always someone who can compromise your secret data. In a typical non-cloud in-house datacenter who is it? The 7 guys in the IT department, the 4 other guys in the network department, 5 or 6 key developers who have privileges to debug realtime production problems, a few high-level VPs and Execs. Oh and let's not forget all of the hardware vendors you're trusting not to plant hardware backdoors in the servers and network gear they ship you (it has happened before!). You're already putting a lot of faith (and/or contractual threats) into those people. Now you get to add Amazon to the list of people you have to trust. For *most* companies of a reasonable size, you're actually gaining security by handing off some of the risk to a larger and probably more-responsible organization like Amazon.

Not all the benefits (5, Informative)

davidwr (791652) | about 2 years ago | (#40595297)

Locally-encrypted backup-to-the-cloud is a viable, marketable service. This works both on an "intranet" basis for departments that don't, or for legal reasons can't,* trust IT with access to their data but who want the physical security of their backups managed by IT as well as on the "internet" as an outsourced-backup arrangement.

* Human Resources and departments that have certain external contractual obligations may not want to allow anyone outside of their department to have access to un-encrypted data or encryption keys. In certain industries like defense or medical care, the entire business may function like this.

Re:Can't be done. (1)

sociocapitalist (2471722) | about 2 years ago | (#40596299)

The cloud provider effectively has physical access to your machine, which is game over for any sort of security. Even if you use full disk encryption, you're going to have to decrypt it, and that means your key will be in RAM. A motivated spy in the cloud provider would have little trouble dumping your VM's RAM and decrypting everything.

You might be able to get away with running machines locally, and using the cloud for storage, if you encrypt everything locally and only store encrypted data in the cloud. But that removes most of the benefits of using the cloud in the first place.

You could still 'cloud' anything not sensitive, and keep anything considered sensitive local -

Re:Can't be done. (1)

cryptizard (2629853) | about 2 years ago | (#40598075)

There are plenty of things you can do to take advantage of computational resources in the cloud while remaining secure i.e. private information retrieval, secure multiparty computation, homomorphic encryption, etc.

Re:Can't be done. (1)

shikan_taza (782021) | about 2 years ago | (#40600589)

There are plenty of things you can do to take advantage of computational resources in the cloud while remaining secure i.e. private information retrieval, secure multiparty computation, homomorphic encryption, etc.

I think fully homomorphic encryption is still in the PoC stage and is too resource-intensive to be practical.

Re:Can't be done. (1)

cryptizard (2629853) | about 2 years ago | (#40608555)

Nobody said fully homomorphic. You can do a lot with just multiplication or just addition. There was a paper by Microsoft Research about a year ago with a list of real world applications for partially homomorphic encryption. One of the big ones is statistical analysis (sum, mean, regression all require only additions). There are also almost-fully homomorphic ciphers that can do an unbounded number of additions and a small number of multiplications efficiently.

Tailgating party? (0)

Anonymous Coward | about 2 years ago | (#40595107)

I thought people ate bad food and drank bad drinks at these so-called tailgating parties. Do they really also throw a ball around?

Re:Tailgating party? (1)

million_monkeys (2480792) | about 2 years ago | (#40595855)

I thought people ate bad food and drank bad drinks at these so-called tailgating parties. Do they really also throw a ball around?

No. They'd like to, but they are too drunk from drinking bud light and too fat from eating chili dogs to be capable of that sort of strenous physical exercise.

Re:Tailgating party? (0)

Anonymous Coward | about 2 years ago | (#40597447)

That sir is a lie, drinking water will not get you drunk. Now the fat part from that food is true.

Whose cloud is it anyway? (2)

davidwr (791652) | about 2 years ago | (#40595189)

Is it my intranet-cloud managed by my IT department?

Is it a dedicated cloud that my company out-sources, but which is not used by anyone else? If the servers in this dedicated cloud are virtual, are the real servers also dedicated to just my company? To the extend that there is un-encrypted communication between virtual or real servers, is the physical network the traffic travels on dedicated only to me, as it might be if all the equipment was on the same rack?

If the servers are outside of my physical control, is all persistent storage encrypted? If not, do I care if it leaks?

If the network traffic is not encrypted, what assurance do I have that nobody who isn't on my company's payroll can snoop it, or that if they do I can live with the consequences?

That's just for security from leaks.

There's a whole other set of issues related to downtime and other issues that are different with "cloud" data storage vs. in-house data storage.

Step #1 (3, Insightful)

Nadaka (224565) | about 2 years ago | (#40595217)

Don't use the cloud.

Step #2
We don't need no stinking step #2.

Re:Step #1 (0)

Anonymous Coward | about 2 years ago | (#40596199)

Step #0 - fail to understand difference between Subject and Comment.

Looking good! (0)

Anonymous Coward | about 2 years ago | (#40595755)

Cloud Security: What You Need To Know To Lock It Down

You spray it with a silver lining.

Ultimate responsibility (1)

starfishsystems (834319) | about 2 years ago | (#40595761)

"The most important thing to remember when you’re storing or processing sensitive data in the cloud is that you are still fully responsible for the security of the data, and you are fully accountable if that data is lost or stolen,” Shaul concluded. “Even if your cloud provider offers some security services or indemnifies you for losses resulting from a breach, if your data is stolen, it’s still your problem.”

This is a resounding vote for private cloud. At the very least, if you're thinking of deploying an application to a public cloud provider, better make sure that you have the cloud implementation fully operational in your own data center. Then, if you like how it works, you can incrementally migrate pieces of it to the public cloud. There may be a core component that has to remain in house for security reasons, and that's fine, that's simply being realistic.

Secure Clouds Are Easy To Build (0)

Anonymous Coward | about 2 years ago | (#40595987)

All that's needed to make a cloud acceptably secure is to manage the cloud infrastructure in-house. As long as the employees with access to the data are your own and the software and data are on servers that belong to you, you're good. In fact, all you really have to do is start calling your current IT department "the cloud" to get whatever ignorant asshat keeps bothering you about "moving to the cloud" off your back.

Re:Secure Clouds Are Easy To Build (1)

Lennie (16154) | about 2 years ago | (#40600369)

You do know this article is talking about "public cloud" services ? What you describe is called "private cloud".

Duh (0)

Anonymous Coward | about 2 years ago | (#40596569)

I don't understand the need to state the obvious. Are so many people jumping on the "cloud" just to say it in marketing material that they don't even have common sense? Anyone this stupid deserves to have their data stolen.

The "cloud" has its uses but not for big business (0)

Anonymous Coward | about 2 years ago | (#40596683)

For some guys like me the cloud has its uses. It lets my little company setup an automated backup of our critical server data to a 2nd provider (encrypt then forward). For a large company though the operations should be an in-house "cloud" for data backup. Anything requiring real security needs to be stored on raw hardware. I'd be less concerned about compliance with regulation if a small company is taking care of something than a large company. A small company with limited data might end up compromised although the damage will be minimal. That's why you get insurance. However a large company has no excuses. That scaling that is done means you should have the money to do things in house with background checks of employees.. etc. If you control 1/10 of the countries customers or more you should be complaint with regulations. If it's less I'd be not so terribly concerned. It's when you end up with monopolies (as we almost always seem to) is when I'd be concerned.

Huh? (0)

Anonymous Coward | about 2 years ago | (#40596737)

Why would you be throwing a 'foot'ball around with your hands instead of your feet, and why would you do that at a tailgating party?

And what exactly is a tailgating party?

What *is* this nonsense you are spouting?

Desktops ? (0)

Anonymous Coward | about 2 years ago | (#40597005)

Maybe before securing the cloud, we should secure millions of vulnerable desktops ...

Cloud beholden to the FBI (0)

Anonymous Coward | about 2 years ago | (#40597353)

The cloud is subject to arbitrary USA enforcement procedures; usually involving punishment before any proper judicial process.

Guantanamo, MegaUpload, ... all the same ... punishment without a trial. And you only need to watch programs like "Cops" to see it in action.

Yet, the US constitution says "... all people ..". It doesn't say "... only US citizens ...". But I am still trying to find the part that says "... guilty until proven innocent ...".

Relevance of responses (3, Interesting)

dave562 (969951) | about 2 years ago | (#40599529)

(Go ahead and mod this flamebait. I just need to rant)

When I read the replies that always come up in these cloud discussions, I often wonder how many people on this forum are real IT professionals and how many are just people with opinions that were formed in a vacuum. When I read these cloud articles, I think about them in the context of large corporations with many divisions that are consolidating IT operations. I think of application silos, and business continuity/disaster recovery. I think of internal IT provisioning resources to departments and using technology like hardware and storage virtualization to be smarter about how they allocate resources. I think about rapid provisioning of test/dev and QA environments, or rapidly spinning up new servers to meet unanticipated growth or to address seasonal growth trends.

So many of the comments seem to be coming from people whose entire concept of IT revolves around their home music collections, or working in a very small company that handles everything in house. The idea of giving up control to a cloud provider in that context seems reasonable. But there are large uses for "cloud" technologies that far surpass the tiny use cases in the SMB market. Denouncing everything to do with "cloud" shows a really immature understanding of how the technology is being deployed in the real world.

If you are not up to speed on how virtualization and distributed computing environments can improve IT operations, your skills are probably stagnant and you either need to sharpen your skills, or pick another field. Whining about cloud being a buzzword is not doing you any good. It just making you look irrelevant and out of touch. Having said that, I will be the first to admit that it is an annoying buzzword. But pointing it out is lame at this point. Even a broken clock tells the right time twice a day. If you cannot see how cloud technologies are relevant to IT, you are probably in the wrong discipline.

OwnCloud (0)

Anonymous Coward | about 2 years ago | (#40600899)

The only cloud service I use is OwnCloud, hosted on my own Linux server out of my own basement. I'm quite happy with it and the client side sync utility. It's a pretty nice product... leaving a LOT to be desired from other services like Dropbox. Though, Google Docs still takes the cake for online real time collaborative editing from multiple people at once.

Clouds Legality = Service Vapor (0)

Anonymous Coward | about 2 years ago | (#40601365)

I had a conversation with my dad on Clouds and in the end came up with only one really good reason for a cloud, public data that isn’t sensitive to the point of business failure. Everything else is going to be an issue with how much you spend on your cloud or how much risk you are willing to live with.

Just don't plan to stand on your cloud, you might fall through.

Security Audit on EC2 (0)

Anonymous Coward | about 2 years ago | (#40603625)

We had a security consulting firm look at EC2 for use in a HIPAA compliant application. For the most part there were no showstopping issues. One of the difficulties with the EC2 would have been that their built in firewall does not allow you to log incoming traffic for threats, it only lets you block them. We would have had to implement and maintain our own software firewall on every host just for logging.

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...