
Thread: Cloud computing and its security aspect.

  1. #21
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Byte's original post: I don't think it's going to be a nightmare but rather we're going to have to change the way we think about things. In the end we still have to adhere to the same principles as before -- CIA -- to ensure corporate protection. I think CISCO is using a little FUDing here to drive some market share towards them. If we break it down..

    1. We have to ensure security of the physical datacenter. This should already exist as a standard. Even when that physical datacenter (aka infrastructure in the video provided) is spread across multiple areas, there is always a physical component that needs to be looked after.

    2. The application or virtual servers that run on the infrastructure still need protections. Either host based firewalls or networks for them to go out on. And either host based or network based virus protection (virus walls?). The scanning you mentioned, where one part of the cloud is heavily scanned while others are not is likely an indication of an outbreak (think viruses that affect humans -- recent swine flu outbreak shut down many locations and nearly stopped all border traffic for Mexico for a while and CDC + others visited -- same principle).

    3. Separation of networks. VLANs and good virtual switch design can ensure that an environment is kept sound. Firewalls, regular audits and monitoring are all things that should be done on a regular basis.

    Quote Originally Posted by nihil View Post
    The main issue is likely to be that you are putting control and security of your data and processing in the hands of a third party (that includes business continuity).
    You do that already when you purchase anything from anyone today. I buy software from MS, Apple, etc. and I'm putting control and security into their hands (aka, I'm trusting them to build good, ethical software that won't phone home). If I go to a consultant to provide security audits for a company, then I'm trusting them to do a good job and be ethical -- whether they are 2 feet in front of me or 6000 miles away.

    It is a question of trust in general. The internet, as a whole, has had this degraded over the last 15+ years or so. While not a true computing cloud (there's no control over which resources run and which don't during peak and non-peak times) it's a kind of cloud that has let trust erode from its membership.

    I can see problems with the next logical step, though, which is when the service providers try to maximise their profits by taking the actual provision offshore.

    There is also the major issue of employee selection and vetting procedures?
    The issue you're referring to, Nihil, really isn't cloud computing itself but rather who runs it and is it internal, external or both? A question of trust from the sounds of it. Running off shore in itself isn't an issue. It's how it's managed off shore and how are things verified off shore that is the issue. We're a global society now. For smaller organizations it makes no sense to run their own external cloud unless there is a reason for them to do so (e.g., legal requirements, health policy requirements, etc.). They can use existing environments or the precursor to cloud -- standard virtualization (whether host or hypervisor model).

    There is a mythos that outsourcing to India and other locales automatically means that data is compromised but keeping it in the UK, USA or other "industrialized nation" means it's secure. Bullshit. There are just as many unethical administrators here in the industrial world as there are elsewhere. If I do not vet who I outsource to, regardless of their physical location, I do a disservice to myself, my company and, in some cases, may be breaking the law by not ensuring that standards are met.

    If offshoring is a concern, then house the cloud yourself. Run your own cold/warm/hot site at your own physical location (75 miles away or whatever to account for major natural disasters). Use standard scanners (traditional AV on the servers -- physical and virtual) and standard firewalls. It will mean more work for you and less play time but at least it's not outsourced.

    Like any other form of outsourcing, vet the company. Get them to provide a security report from a reputable and responsible firm. And if possible, get your own 3rd party to do an independent audit. Visit the site they host and ask about their procedures for things like hiring, auditing of systems and people, etc.

    If you just go ahead into the cloud and don't ask questions, well.. Caveat emptor, eh?



    Quote Originally Posted by ByTeWrangler View Post
    http://www.youtube.com/watch?v=QJncFirhjPg

    Possibly the best video out there explaining Cloud Computing. I always compared it with virtualization but it’s not exactly the same. Anyway A MUST WATCH VIDEO.

    That's a pretty good basic description. The key is, of course, the ability to access resources on demand and then disable (shutdown) those resources when not in demand (it always makes me think of a modified Beowulf cluster).

    Traditional virtualization (e.g. VI3, Xen, Hyper-V) are the basic infrastructure needed to get to cloud computing. vSphere is closer to cloud than traditional virtualization. The ability to power off physical servers, VMs, etc. when resource utilization is low is one of the main features. The one thing that, IMO, is still holding us back is the fact the VM is still -- technically -- reliant on a single machine for its "four food groups" (cpu, memory, network, disk). That may go soon, too, however, with the advent of FT for VMs (which I really like as a concept and for its purpose).


    Ultimately, one of the things I've noticed is that a lot of people look at cloud and they go "oooh!! Magic!!! It's so scary!!" <insert Gabriel Iglesias voice here> It's not. It's just changing some parts of how we do computing from a strict physical compartmentalization to a virtual compartmentalization to a cloud compartmentalization. We're not at the point of the neural networks (aka Star Trek) but we're moving towards it, baby-step by baby-step.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #22
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    You might like to read this:

    http://news.xinhuanet.com/english/20...t_11717437.htm

    Yes, it is all about trust and competence..............governments, banking systems, retail systems.................



    And this:

    http://www.capecodonline.com/apps/pb.../BIZ/907160307

    And this:

    http://www.infosecurity-magazine.com...urity-failure/

    Quoth the Raven: "Nevermore"

    Last edited by nihil; July 16th, 2009 at 04:01 PM.

  3. #23
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Quote Originally Posted by nihil View Post
    You might like to read this:

    http://news.xinhuanet.com/english/20...t_11717437.htm

    Yes, it is all about trust and competence..............governments, banking systems, retail systems.................



    And this:

    http://www.capecodonline.com/apps/pb.../BIZ/907160307

    And this:

    http://www.infosecurity-magazine.com...urity-failure/

    Quoth the Raven: "Nevermore"

    In each one of those it was due to the user having a simple password (I mean, come on.. PASSWORD?!). Regardless of whether it's cloud or not, once I have a way in, I can get in. The cloud is to allow application/application servers to run anywhere on hardware. How I secure that underneath and on top is still standard security. Good passwords, different passwords for different applications/environments, only open what needs to be open, limit access internal (I've been mentioning internal vs external cloud for a reason).

    For some they may never feel comfortable with the cloud because.. well, it's "magic".

    I don't think it's necessarily evil nor do I think it's insecure. I think one needs to look at a grander scheme of things than a single location. And that perhaps is the biggest challenge.

  4. #24
    Wouldn't it be less secure than having the same data being hosted in your facility ?


    Btw, MsM you've given me enough material for half of my paper.. maybe more .. Would it be okay if I use it.. I'll send a copy before releasing and upon your confirmation I'll release it..?

    *THANKS A LOT THOUGH*


    PS: How was your exam ?
    Last edited by ByTeWrangler; July 18th, 2009 at 08:15 PM.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  5. #25
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    For some they may never feel comfortable with the cloud because.. well, it's "magic".
    Not really, I think for "magic" you should read "bullshit".

    As I pointed out earlier, the whole concept dates back to the early 1970's (I am not old enough to go back further than that)

    The marketing hype surrounding "the cloud" is quite likely to kill the whole thing...............people will think that it is supposed to be magic.........that they don't understand it, and therefore will not want to know.

    It may sound prosaic but I would go for the commonsense line:

    "This has been around for years as a concept.....you are familiar with third party vendors, contractors, packages, outsourcing, thin clients and the rest. New technology has provided a new opportunity for improved service at substantially reduced costs..............blah, blah................"

    In a way, it is very similar to the age old business decision of "make or buy?"

    EDIT:

    Hi ByTe~,

    This may be of interest if you take regulatory compliance and other legal aspects to be part of "security"

    http://news.cnet.com/8301-19413_3-10286028-240.html

    Basically, current legislation and case precedents are based on current IT models. This could have serious legal implications if your IT is distributed and in the hands of third parties.

    I distinctly recall that incident a while back when the FBI raided a co-location facility and seized everything.......................



    Here is a recent article that might be of interest. Apparently Los Angeles are looking at using Google Apps:

    http://www.dailynews.com/news/ci_12864208
    Last edited by nihil; July 19th, 2009 at 01:02 PM.

  6. #26
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Quote Originally Posted by ByTeWrangler View Post
    Wouldn't it be less secure than having the same data being hosted in your facility ?


    Btw, MsM you've given me enough material for half of my paper.. maybe more .. Would it be okay if I use it.. I'll send a copy before releasing and upon your confirmation I'll release it..?

    *THANKS A LOT THOUGH*


    PS: How was your exam ?
    LOL. It is something IT is going to have to discuss. I would bet, based on discussions here, that you'll find a "religious split": 50% will say it's secure while the other 50% will say otherwise. LOL

    As for the exam, still waiting. It's a beta exam so they take a look at the results and any really bad questions are yanked. It was pretty tough for what is to be an intro exam, far more than previous VCP exams. Eh. Wait and see.

  7. #27
    I honestly find cloud computing good for current state where everyone is not in the best of conditions to buy new hardware and host data but want freedom to have really powerful (or lot of powerful) server grade hardware under them. It will help people set up business with low capital expenditure, to this extent I am sure cloud computing is beneficial.

    However, since you're turning to someone for service a lot of "problems" will arise. I have, at least in India, seen that SLAs are hardly met and the condition is so bad that people don't even bother to take legal action when SLAs are not met. I wonder if a company from India will start giving cloud services, then it’s time to unplug the machine and go to sleep!

    Anyway the idea is good but like most new (Nihil would kill me for calling it new) ideas there are still sides we don't know about.

    I think it's better to wait before completing this discussion.


    Anyway, MsM and Nihil thank you VERY MUCH FOR YOUR INPUTS.
    Last edited by ByTeWrangler; July 19th, 2009 at 03:51 PM.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  8. #28
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Well,

    Looking at it from my personal viewpoint:

    Wouldn't it be less secure than having the same data being hosted in your facility ?
    I can think of quite a few instances where it would probably be far more secure. Basically small operations where they don't have the resources or expertise.

    Whilst remote computing operations make very tempting targets, they are of sufficient scale to implement a very high level of security.

    Strange as it may seem, I know of quite a few sites that run their payroll through a third party provider, so they are prepared to embrace the concept.

    I don't like the term "cloud computing" and the hip, chic, mysterious connotations that it has. To put it bluntly, a lot of the people I deal with eyes would glaze over when you started talking about "clouds"

    Tell them it is an up-to-date, internet based implementation of well established business processes, and they are happy! I am not against the concept.

    As for the remote aspect, there are obviously potential geopolitical and legal issues, but I really don't see those as insurmountable in the longer term. If the rules say that this must be hosted in the US or in the EU then so be it. That doesn't detract from the concept, it just dictates some aspects of the implementation.

    Also there is the question of reliability of your connection, but I would say that over here that is probably as good as, if not better than, quite a few local networks and WANs. Just make sure you take it into account with your business continuity plan?

    Nihil would kill me for calling it new
    Not really. The concept is well tried, only this particular implementation is new.

    I wonder if a company from India will start giving cloud services, then it’s time to unplug the machine and go to sleep!
    Not if the price is right!

  9. #29
    * BUMP * to the thread.. There is a nice paper out on "Information Leakage in Cloud Computing".. Some more food for thought..

    http://cseweb.ucsd.edu/~hovav/dist/cloudsec.pdf

    I haven't read it completely yet but I'm going to do that now.. I'll update once I'm done..

    Have a great week ..
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  10. #30
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Thanks Byte, Got it down and will give it a read through.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein
