August 3, 2015 at 8:01 pm
Comments posted to this topic are about the item Cloud Security Issues
August 4, 2015 at 6:14 am
Thanks for your succinct and clear overview of the 3 part series. You led me to the Economist debate and it's results, 64% yea/36% nay, on whether we should go to Cloud services (CS). "It depends" is certainly an accurate starting point. I will review the 3 part series as well. But for now, I found myself drawn to the notion that the biggest driver for going to CS is lack of highly knowledgeable staffing locally. The problem is indeed then whether you get that by going to CS. Many vendors of 3rd party services have proven to be less than stellar when it comes to accurate and reliable knowledge, and timeliness of response has also been an issue. What is mission critical to me on a Saturday evening is not at all guaranteed to be so to the CS vendor, even if you are paying for premium level service.
I paraphrase this as the idiot I know, i.e. in house staff, (often myself), is better than the idiot I don't know (at CS). Or as world opinion has generated and preserved it, "Better the devil you know, than the devil you don't".
Anyway, nice commentary and/or executive summary of the series. Thanks.
August 4, 2015 at 6:41 am
I've heard about denial of service attacks against Amazon's AWS databases that resulted in downtime and possibly loss of data. I guess denial of service attacks will always be a problem, because it's sort of like kids tossing rocks through the plate glass window of a bank and then running away empty handed. Perhaps all you can do is mitigate it.
I've also heard of worst case scenario data breaches from public consumer SaaS related cloud databases, like LastPass and Apple iCloud. That type of thing is preventable.
However, has anyone heard of an actual data breach on a corporate SQL Azure or AWS hosted database? I'm talking about a documented case where hackers broke in and successfully siphoned usable unencrypted records.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
August 4, 2015 at 7:17 am
Is it really about cost saving and dumping risk responsibility elsewhere? Has disk or tape suddenly started to become more expensive after years of being cheap? Haven't companies always had IT security staff anyway?
August 4, 2015 at 7:18 am
The cloud has no security. Full stop.
Any temporary security built into clould solutions has vulnerable points that can be attacked, no matter what. Worse, the defenders won't know about the weak points that *should* have been strong. (i.e. 0-days) until the data's already gone. And you may not even know it was copied!
Clould violates the most basic security principle of all: attack surface (and the related # of possible attackers). After all, the clould can be attacked by *anyone*, from *anywhere* on the whole planet.
Uh...no. Supersized mega-nope. Do. Not. Want.
When even the United States Government can't keep *security clearance* applications secret, it's game over. What chance do the rest of us have with no budget and no buy-in from bosses (except lip service, natch)?
Given the number of potential "insiders" involved in large scale cloud data the ONLY data that should be in the cloud is data you WANT shared!
With the current (and even theoretically possible future) state of the art in data security, putting confidential data in the clould is criminal negligence in my opinion.
August 4, 2015 at 9:36 am
knausk (8/4/2015)
Anyway, nice commentary and/or executive summary of the series. Thanks.
You are welcome.
August 4, 2015 at 9:38 am
Eric M Russell (8/4/2015)
I've heard about denial of service attacks against Amazon's AWS databases that resulted in downtime and possibly loss of data. I guess denial of service attacks will always be a problem, because it's sort of like kids tossing rocks through the plate glass window of a bank and then running away empty handed. Perhaps all you can do is mitigate it.I've also heard of worst case scenario data breaches from public consumer SaaS related cloud databases, like LastPass and Apple iCloud. That type of thing is preventable.
However, has anyone heard of an actual data breach on a corporate SQL Azure or AWS hosted database? I'm talking about a documented case where hackers broke in and successfully siphoned usable unencrypted records.
Haven't seen the last one. Certainly some DoS attacks, but I've seen those on-prem as well.
There have been attacks against some of the more consumer based services (dropbox).
August 4, 2015 at 9:41 am
TheFault (8/4/2015)
Is it really about cost saving and dumping risk responsibility elsewhere? Has disk or tape suddenly started to become more expensive after years of being cheap? Haven't companies always had IT security staff anyway?
No and no. Some companies do, but they're limited by the expertise they have at the time. There is turnover in security staff, and it's hard to compete with Amazon/Azure/etc when trying to find the hire some of the best security folks.
As to dumping responsibility. You're still responsible for your data. If you work at GM and you choose to move data to azure or AWS, you're still on the hook if there are issues. You, as the person that made the decision could get fired, and you, as the company can be sued.
This is about changing your economy, certainly. There are implications in cost as well as CapEx v OpEx, but it's also about meeting new demand in a flexible manner. It's the same extension of saying I need to buy a truck for my business v renting one from someone or using a service. We do this all the time in business and in our personal lives. We outsource services when we think it makes sense.
August 4, 2015 at 9:43 am
roger.plowman (8/4/2015)
The cloud has no security. Full stop.Any temporary security built into cloud solutions has vulnerable points that can be attacked, no matter what. Worse, the defenders won't know about the weak points that *should* have been strong. (i.e. 0-days) until the data's already gone. And you may not even know it was copied!
Cloud violates the most basic security principle of all: attack surface (and the related # of possible attackers). After all, the cloud can be attacked by *anyone*, from *anywhere* on the whole planet.
Uh...no. Supersized mega-nope. Do. Not. Want.
When even the United States Government can't keep *security clearance* applications secret, it's game over. What chance do the rest of us have with no budget and no buy-in from bosses (except lip service, natch)?
Given the number of potential "insiders" involved in large scale cloud data the ONLY data that should be in the cloud is data you WANT shared!
With the current (and even theoretically possible future) state of the art in data security, putting confidential data in the cloud is criminal negligence in my opinion.
Disagree, but you raise good points. There are definitely things to worry about, and you've listed some of them.
August 4, 2015 at 9:58 am
Am I right in thinking that to connect to a typical SQL Azure instance, you would need both a proper SSL certificate and an accountname / password ?
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
August 4, 2015 at 7:40 pm
There are a lot of issues here. Most seem unclear in their presentation.
An interesting study, now that AWS and Azure are making headway, would be to learn how many in house people were displaced at the companies that went to the Cloud.
Marty Boos, formerly of Fingerhut, Digital River, and any number of Silicon valley businesses now, was one of the first people to spin up a Cloud service. That happened at Digital River. As I recall Toshiba lost their website and call center one morning, circa 1999, and called DR. Marty and his team had both up and running by that afternoon on some of his servers and calls were going through a local call place. take note, problem occurs in morning, resolution/remediation by afternoon....
The result was pretty well received. Not perfect. But it demonstrated the idea that complex tech can be spun up rapidly by people who really know their shit. It was not even their main intent, just a fringe benefit of their base skills.
In current cloud services or vendor managed services, you would be hard pressed to get a smart person on the phone before tomorrow and resolution of all but the most mundane things is a ways away if ever to be seen.
Now it is a business model. Talent is recruited, not always retained, and the product has some vulnerabilities. Let the buyer beware they say.
It becomes a self fulfilling prophecy of sorts. Tech is sent to the cloud. Tech talent locally withers. More tech goes to the cloud. The Data Lords of Amazon and Azure Rule the Universe. Larry Ellison dresses as a jester and serves as a footstool for Jeff Bezos....amen. ( though perhaps I digress)
August 4, 2015 at 9:36 pm
Eric M Russell (8/4/2015)
Am I right in thinking that to connect to a typical SQL Azure instance, you would need both a proper SSL certificate and an accountname / password ?
Just account passwrod, but there are firewall restrictions.
August 4, 2015 at 9:48 pm
Is security a concern? Always. People question it where ever you go, but it's heighten the moment its out of your hands and into the hands of a third-party.
From my end, cloud computing is becoming a very attractable solution simply because SQL Server does not scale horizontally to meet the needs of large volume computations. The question of investing in your own solutions is raised, but that's a huge undertaken when cloud solutions are so easy to jump into tomorrow. The, "yes, no, well, maybe" happens a lot.
March 7, 2016 at 9:29 am
roger.plowman (8/4/2015)
...Clould violates the most basic security principle of all: attack surface (and the related # of possible attackers). After all, the clould can be attacked by *anyone*, from *anywhere* on the whole planet...
This was a totally valid argument until remote access to certain systems became the norm. Especially when the demand for BYOD came into play i.e. no corporate controlled hardware only policy.
We can argue whether it is a justifiable position but the question is irrelevant to some degree as this is what some corporations allow so it is some peoples' reality.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
Viewing 14 posts - 1 through 13 (of 13 total)
You must be logged in to reply to this topic. Login to reply