Jump to content
tanknet.org

Cloud Computing; Good, Bad, Or Ugly?


Recommended Posts

Having everything in a remote location (e.g. a data center near the arctic circle) certainly reduces the chances of disgruntled employees to gain physical access to it. Then again, you just have to trust that this data center under aurora borealis illumination actually is as secure as the cloud operator claims, that your data are really there and not elsewhere, that the data center actually exists ...

 

Somewhere I read an article that tickled me. It talked about cloud storage, and interactions with regulatory agencies. The gist was that when regulated data (such as financial transactions) were stored in cloud storage, due to capacity/latency management, regulators would have a hard time identifying the physical location of a particular database. Even if all required protections were in place, and all policies were followed to the letter, regulators were unhappy that they couldn't swoop in and seize drives at a moment's notice.

Link to post
Share on other sites

Security in the cloud is a royal bitch. Visa certification for credit card transactions requires verifiable physical security of the drives that hold the data. Putting that in the cloud somewhere means that a smart staffer for that provider could figure out where cc numbers are stored, snag those drives and make a bunch of money. Security through obscurity is a really bad security model.

 

Most of the cloud providers, as far as I understand generally don't secure the data. The thing that scares the bejesus out of me is someone diddling your data unbeknownst to you because your core content management system is out in the cloud or pulling from sources that are.

Edited by rmgill
Link to post
Share on other sites

Most of the cloud providers, as far as I understand generally don't secure the data. The thing that scares the bejesus out of me is someone diddling your data unbeknownst to you because your core content management system is out in the cloud or pulling from sources that are.

 

The quick answer is always going to be encryption of data at rest. But if you are using hosted storage, network, and compute, somebody else has 24/7 access to the cabling across which all authentication traffic flows. At some point, a black hat is going to sniff the passwords and have the ability to decrypt at leisure.

Link to post
Share on other sites

I use Amazon Cloud for my pictures, it's great to take pics and video on my phone and have it upload automatically on WiFi so that I can view it on my PC and Kindle. It also works as an offsite backup to my external HD if the condo goes poof. I try not to think about all of the early digital photos I lost due to proprietary software or missing it on swapping to a new PC.

Link to post
Share on other sites
  • 1 month later...

Private use is one thing, corporate use is quite another.

 

But not in the way you think. A relative of mine used to be the manager of trust systems development at a major national bank. I asked her recently what she thought of cloud computing and she says she wishes it had been available 30 years ago.

 

Also, if you're running multiple sites, having a single data repository in the cloud could solve a lot of problems.

 

Are there issues? Certainly. But, for most purposes, they're the same issues you have if you're dependent on a centralized corporate data center. Most application users have been dependent on a cloud for decades now,

Link to post
Share on other sites

It totally depends on the individual case. All I'm saying is that there are possible conflicts with the law, depending on in which country you operate and what kind of data you store. Then there are the obvious issues of distributed data storage. On the upside, the ease of management for the end-user and in some cases also increased reliability with reduced cost.

 

But it's not "just the upside". It is only natural that Cloud providers emphasize the upside and downplay the risks, or inflate the costs associated with NOT using the cloud. The purpose of this thread is to be somewhat of a corrective to one-sided sales pitches. ;)

Link to post
Share on other sites

It totally depends on the individual case. All I'm saying is that there are possible conflicts with the law, depending on in which country you operate and what kind of data you store. Then there are the obvious issues of distributed data storage. On the upside, the ease of management for the end-user and in some cases also increased reliability with reduced cost.

 

But it's not "just the upside". It is only natural that Cloud providers emphasize the upside and downplay the risks, or inflate the costs associated with NOT using the cloud. The purpose of this thread is to be somewhat of a corrective to one-sided sales pitches. ;)

 

The point I'm making is that the risks associated with the cloud are pretty much the same risks we've embraced ever since the widespread adoption of centralized data centers. From the point of view of the client, the data center was in what we would today call the "cloud". You were just as dependent on data center uptime and reliability, carrier reliability and security*, and the trustworthiness of every human involved in the process.

 

*For almost all users, even large corporate users, a "dedicated line" wasn't literally a sole user wire -- it was a service agreement regarding the availability and performance of telephone network services.

Link to post
Share on other sites

Yeah, the Sheriff's Office phones were blowing up about this yesterday. I am still astonished that anyone with an IQ over 20 believes that cloud computing is secure, much less for photos that should not get out to the public (although some nymphet starlets probably doth protest too much...).

Link to post
Share on other sites

Willingness to hand over mission-critical infrastructure to some service provider requires desperation...

 

Nonsense. The minute we started handing over computing to corporate data centers at remote sites, we embraced all, or nearly all, of the risks you enumerate. Even today, your own proprietary data center has employees that could screw you, a physical plant that can be compromised, reliance on links to the outside world that can be cut or hacked, management priorities that might not include you, and a whole raft of other risks that could embarrass you or even put you out of business, if not handled properly. Your arrangements with your corporate data center are in fact just a service agreement, little different in operation or risk WRT a large, reliable cloud services provider.

 

So that ship sailed 40 years ago. And there was no desperation involved in that decision -- except the desperation to find a more efficient way of deploying computing and extending its services to the widest possible customer base. Can't get something for nothing.

Link to post
Share on other sites

You quoted out of context, and maybe your definition of "mission critical" is broader than mine.

 

 

Even today, your own proprietary data center has employees that could screw you

All too true, yet you at least have a chance to filter out misfits in the employment interview, and to treat those that you do hire and to organize their jobs in a way that reduces the incentive to cause harm to your company. The bigger an organization becomes, the more difficult it is to maintain such a difference, of course. So it also depends on what type of a company / organization we're talking here.

 

 

 

a physical plant that can be compromised, reliance on links to the outside world that can be cut or hacked, management priorities that might not include you

I'm not debating any of this, yet the major difference is that you have full control over this when you do it yourself, and that you have to simply trust a cloud service provider's claims of adequacy. A cloud center is more robust when it comes to distributed attacks, especially of the denial type, and more flexible if you have a highly dynamic demand for computing power and/or storage space. Like I wrote, using it totally depends on the individual circumstances.

But there's one solution where you can review and amend security at any time, and there's another where verification is a lot more difficult (if not impossible), and changes in security are limited to what the service provider or one of his competitors (claims that he) offers.

Link to post
Share on other sites

You quoted out of context, and maybe your definition of "mission critical" is broader than mine.

 

Not that far out of context. And what I consider mission critical is the same thing most people do -- provision of persistent data storage in a data-centric application environment.

 

All too true, yet you at least have a chance to filter out misfits in the employment interview, and to treat those that you do hire and to organize their jobs in a way that reduces the incentive to cause harm to your company. The bigger an organization becomes, the more difficult it is to maintain such a difference, of course. So it also depends on what type of a company / organization we're talking here.

 

What's with this "you", "you", "you" business? I though I was making it pretty obvious that I was commenting from the position of the corporate client that is totally dependent on a remote company data center. That customer type -- a very common one -- has none of the control you're claiming, yet takes all of the same risks that any user of cloud services is likely to take.

 

I'm not debating any of this, yet the major difference is that you have full control over this when you do it yourself, and that you have to simply trust a cloud service provider's claims of adequacy. A cloud center is more robust when it comes to distributed attacks, especially of the denial type, and more flexible if you have a highly dynamic demand for computing power and/or storage space. Like I wrote, using it totally depends on the individual circumstances.

But there's one solution where you can review and amend security at any time, and there's another where verification is a lot more difficult (if not impossible), and changes in security are limited to what the service provider or one of his competitors (claims that he) offers.

 

See, you're totally focused on security. Security is just one aspect of the data storage and management problem. And most of the time it's not even the biggest one. Most of the time your problems are reliability, availability, and redundancy. If you're dependent on a small company data center or just a local server room, you may have reliability and availability, but your redundancy sucks. Even if you have totally mirrored mission-critical systems, if your physical plant is taken out -- and it could be, by something as small as the fire sprinklers going on by accident -- then you're out of business. Cloud data storage services look real good when those are your risks. The same goes for a corporate customer that can develop its own apps, but has to scratch and claw to get into a server farm in a data center three states over.

Link to post
Share on other sites
  • 3 months later...

The schools are all using Google accounts for the kids to do homework, and then upload it to the cloud. I wonder if I am going to have to get a Chromebook to have the kids do their homework on? This apparently elimnates the "dog ate my homework" issues.....

Link to post
Share on other sites

The schools are all using Google accounts for the kids to do homework, and then upload it to the cloud. I wonder if I am going to have to get a Chromebook to have the kids do their homework on? This apparently elimnates the "dog ate my homework" issues.....

 

Are they uploading into Google Docs, or into an LMS? A lot of schools are using LMSes (Learning Management Systems) like Blackboard, which has a built-in fileserver capability. IME it tends to be flaky and required quite a bit of maintenance, but schools really like it.

Link to post
Share on other sites

I am not sure what they are using, but I might end up getting one of those Chromebooks if it becomes necessary. I hate the every present march of things that require I spend more and more money on items with little real purpose. IMHO Chromebooks are a bad joke at best.

Link to post
Share on other sites

A Chacha20 cipher is available for some SSL implementations, but it's not used much yet. The security community is split on the viability of Chacha20 as well, but mostly because it is relatively new and hasn't yet had thousands of eggheads and blackhats spend significant brain-hours searching for vulnerabilities.

 

An AES-Chacha20-Counter or AES-Threefish-Counter cipher would be the best of both worlds.

Just an update: A chacha20-poly1305 cipher has been adopted into mainstream OpenSSH, and is in the most recent release. It is considered suitable for production use, and I'd encourage people to use it. You'll need to update your ssh and sshd config files to put chacha20-poly1305@openssh.com at the beginning of their "Ciphers" setting (so that if both sides of a connection supports it, it will be preferred over other ciphers).

 

http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html

Link to post
Share on other sites

 

The schools are all using Google accounts for the kids to do homework, and then upload it to the cloud. I wonder if I am going to have to get a Chromebook to have the kids do their homework on? This apparently elimnates the "dog ate my homework" issues.....

 

Are they uploading into Google Docs, or into an LMS? A lot of schools are using LMSes (Learning Management Systems) like Blackboard, which has a built-in fileserver capability. IME it tends to be flaky and required quite a bit of maintenance, but schools really like it.

 

Google provides Docs for schools as an LMS posing as Google Docs. Such capability is beyond my school board, who pays a company a huge amount of money for a lesson planning system, then uses open-source Moodle because "they can't afford another license"

 

Then again, my school board thinks they're clever by buying Dells with HDMI ports for video for computer labs (then stand around flummoxed why they can't connect the projectors in the labs to a workstation) and giving us the old computers in our class... that were bought back in 2007.

 

In the mean time, the rural school board next door renewed their property tax for technology in schools that allows the school board to swap out about 10k computers every 2 years and is now pushing a program to give every student an Android tablet.

Link to post
Share on other sites
  • 1 year later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...