
Thread: Cloud computing and its security aspect.

  1. #1

    Cloud computing and its security aspect.

    I have had a keen interest in Virtualization for quite some time now. With cloud computing coming up, virtualization is taken to the next level. My work experience with Virtualization has been rather less (my overall work experience has been 2 years, all of it in core security architecture development and implementation; virtualization is like a few weeks now, mostly at home, and a server coming up next week).
    I’ve been intrigued with how virtualization, if used in the right way, can solve so many security problems (although most would say they give rise to many security concerns too, and that’s true in its own way).
    I didn’t want to Google this and go over 100’s of pages (not 1000’s yet) of how cloud computing is going to be a security nightmare (I think I read this on Cisco’s web page), but I want to know it from you (members here) on what they think about how cloud computing will impact security architecture as it stands now, or cloud computing and its security aspect as a general topic. You may also put your general questions / comments / opinions about cloud computing.


    I will be using material in this thread towards a paper I’m writing on cloud computing. The paper will focus on “security” aspect of cloud computing.

    Thank you ALL in advance.

    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Most of the security threats we've seen have been to the guest OS rather than the virtualization (at least at the bare metal level compared to the hosted level, which has more ties between the OS and the Hypervisor). It'll be interesting to see what new threats are developed for this environment as time goes on.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    True MS.. (For some reason I knew you'd be the first to reply..)

    Anyway, with virtualization come certain risks that people seem to oversee. I completely agree with the statement that in virtualization risk lies in host OS, but with the way virtual servers are put up, security appliances need to be re-designed or you're opening up holes in your network. I am not getting a very good example to explain this but I hope you get it (sorry though)..

    I'm really excited about my paper (I hope to get it out soon) but right now.. It’s time to head home.. (Rain in Mumbai is a killer .. )
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Well, some things do have to change but the principles are still the same. I know our product is EAL 4+ certified out of the box and the NSA/NIST Guide is out for ESX 3 (http://www.nsa.gov/ia/_files/support/I733-009R-2008.pdf). A lot of the consideration is how networking is configured (separate and isolated are preferred, particularly keeping the service console or other management port separate from network storage -- if any -- and the VMs/Cloud's environment). I'd be curious to read the paper after you've completed it.

  5. #5
    Lol.. MS between you and me.. (Actually since I’m saying it here it’s public) anyway I wanted to write a paper detailing "something" that I’ve found interesting for a long time.. Trust me, my first choice was how to secure Winxp or something

    But then I moved to VM's and now this.. I promise by the time I’m done I’ll have something good to read upon.. Anyway there WILL be some delay.. I'm trying to give GCIH and PMI ..

    Anyway it’s nice to know that AO isn't completely dead ..
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  6. #6
    Hey, I just went over Trend's documents and presentation (sales oriented) describing how they are using cloud computing for their anti-malware / enterprise grade products..

    I really don't like the way they have done this! I mean it's stupid and actually decreases security level provided.. It does decrease the time frame for new malware to be detected but provides much less security too..

    Can we discuss this? (PM / IM maybe, please )
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  7. #7
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Byte, well, we have moved over to cloud computing for over two years now and everything is going good so far.

    Could you explain the security aspect? Because as a "Management Hosted Service" with our product such as Managed Office Protection, it makes it relatively easier for the customer as no infrastructure needs to be installed at the premises besides the resident, which is light due to "scanning" from the cloud.

    I'm also very interested in this topic, don't make it a private discussion
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Ahhhhhh! "Cloud Computing"..............."The Cloud".............it's so trendy, so hip, so "Now!" isn't it?

    If I might paraphrase the film "Apocalypse Now"............"I do love the smell of marketing bull$h1t in the morning".

    It is so pathetic it almost reminds me of "Sick Sigma"...........but that's another story.............

    The trouble with this fantastic "new" development in the IT sector is that I was auditing Corporations that used it, and their providers, over 35 years ago!!!

    Basically, all it is is the provision of computing facilities as a service by a remote third party.

    I recall one client in Richmond-upon-Thames (England) whose computing services were provided by NASA, in Houston, Texas.

    OK the technology has advanced, but the fundamental concept and the security concerns are still pretty much the same.

    Primarily, if you don't do it in-house you don't have absolute control. However, given current legislation (certainly over here) you have almost certainly retained liability for regulatory compliance.

    It is a different environment these days as there is now a very real external threat to computer systems. Back then most of your threats were internal (and people still robbed banks and post offices for a living)

    The motivation was also financial back then, only it was more a case of cannot afford, or cost justify ownership, whereas it is now more one of cutting the costs of existing service provision.

    It will be interesting to see how it fares in Europe, where there is relatively strong employment protection legislation..............particularly given the Global recession? After all, if you move functionality to a third party you are outsourcing.

  9. #9
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Interesting, so basically the threat is that you are outsourcing your Apps versus having them in house.

    For example with traditional AV product you would have a console on your "server" and then download the updates and distribute where now you will log into a secure website and that will be your console?

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Quote: "Interesting, so basically the threat is that you are outsourcing your Apps versus having them in house."

    The main issue is likely to be that you are putting control and security of your data and processing in the hands of a third party (that includes business continuity).

    Technically I don't see much difference from the current practice of having corporate data centres in remote locations. To some extent we have already gone in that direction with third parties providing data centre/server farm facilities............this just extends the devolution of control.

    I can see problems with the next logical step, though, which is when the service providers try to maximise their profits by taking the actual provision offshore.

    There is also the major issue of employee selection and vetting procedures?
