Survey after survey finds that IT professionals’ number one concern about cloud services is security. Some may say that concerns are overblown and that IT managers are more worried by loss of control than by real security risks. In some cases, the argument goes, security may even be better with a cloud deployment. That may be …
Is it just me....
[QUOTE] “If you encrypt everything haphazardly with loads of different keys, you are making a nightmare for yourself in five years time when you want to open encrypted files with keys you no longer own.” [/QUOTE]
...or would this ONLY happen in a cloud-based system where you will most likely be given a "subscription"-based fee for the keys you "own".
If you privately/locally make and store your keys, they are yours, and would remain so. And, you could have at-will access to them, if needed in the future.
Perhaps I'm not understanding the entire implication of what is being stated here....
Happens all the time in orgs today
The implication of my comment was related to the fact that making, storing, retiring, etc. multiple keys for multiple users, for multiple applications is hard (especially in a medium-sized and upward company). I think I may have actually said "have access to" rather than "own" at the time of interview...
That help clarify?
I think you've understood perfectly.
You're quoting a "techie-turned marketing man at Symantec" with a market share/publicity target to meet, and FUD to spread.
"There is unencrypted business intelligence here. I can sell it, err sorry, I mean SMELL it"
Disagree with Mr Jones @Symantec
ISPs like BT/Phorm, TalkTalk/Huawei, and Vodafone Bluecoat are systematically compromising the confidentiality/security/integrity of their networks, and selling commercial intelligence to third parties.
A communications channel without essential characteristics like confidentiality/security/integrity isn't a trustworthy communication channel.
Thus passing any unencrypted commercially valuable data over an untrustworthy network infrastructure is madness.
Secure infrastructure is key, only then can you be sure your information is secure.
If you then choose to use cloud services offered by BT/Google with commercially sensitive information, there's no hope for you. You've gifted your business to your competitors.
Therein lies the inherent weakness of cloud computing. Untrustworthy communication networks. Untrustworthy hosting providers.
Talking at different layers
Totally agree that at a network layer unencrypted communication almost NEVER makes sense. However, I was more commenting on an information object level on top of that. Example: The only reason I would care about someone knowing I was emailing a mate about playing squash on Thursday night is if they then used that information to know I was out and therefore break into my house. However, if I'm communicating regarding my personal information to do with login details to my bank then sure I want them encrypted at all times, in transit or at rest.
What is it you recommend, exactly? Clever heuristics which determine on the fly what communications need to be encrypted? Relying on users following company protocol so that you can determine which communications need to be encrypted based on that protocol?
I suspect most sysadmins would rather choke than rely on either of those ;)
Not Just The Pros
"Survey after survey finds that IT professionals’ number one concern about cloud services is security."
I'm quite unprofessional and I worry about it too.
"Encryption technologies track where it is going" What??? How does that work?
The actual elephant in the room is if you encrypt at the data layer how do you then perform any processing on the resulting cyphertext? If you had a working homomorphic encryption algorithm you might be able to but not with a "normal" heteromorphic one.
Data loss, not Encryption, for tracking
It doesn't! I'd switched gears and was talking to Lucy about Data Loss Protection technologies doing things like Vector Machine Learning on content moving about organisations to determine where it was flowing to apply "appropriate" encryption "just in time". Have a read of this to learn more: http://bit.ly/ksxDwy
Cost Benefit Analysis
First, I agree with AC#3 who pointed out that a Symantec marketing person might be a less than reliable source of information or insight on this issue.
Second, I think it's just as unreasonable to assume that encryption is too expensive as it is to assume that it's free. People should weigh both the costs *and* the benefits of using more vs. less secure storage, and measure those against realistic requirements. Most people and businesses should "default to secure" with respect not only to encryption but also to authentication, allowable locations and mandated retention/destruction of data, etc. because the cost/likelihood of compromise is just too high. If data has to traverse someone else's network or sit on someone else's storage, and performance goals etc. can be met with encryption, then encryption should probably be used even if the system would be "more efficient" without it.
Third, I'm hardly a disinterested party myself here. I'm the project leader for CloudFS (http://cloudfs.org/cloudfs-overview/) which addresses exactly these kinds of issues - not only at-rest and in-flight encryption which are both optional, but also other aspects of multi-tenant isolation and management for "unstructured" (file system) data. Of course, I'm not alone. The "senior partner" when it comes to storage security/privacy has to be Tahoe-LAFS (http://tahoe-lafs.org/trac/tahoe-lafs) which provides extremely strong guarantees in those areas at the cost of modest sacrifices in performance and functionality. Other entries in this area range from corporate-appliance players such as Nasuni and Cleversafe down to personal-software players such as SpiderOak and AeroFS. Enabling different tradeoffs between security, performance and usability is an active area of research and commercial competition, and we should all be wary of "this is the one answer" FUD.
Disclaimer: I'm an "associate" at Red Hat, but not speaking for Red Hat, yadda yadda.
...we can eliminate the slow Internet access speeds to the Cloud and get it working like an internal Gigabit network, the only other thing I need is the Cloud as a bubble. Everything in that bubble and access to it should be mine and under my control. If I want to encrypt the contents of that bubble, parcel it up into discrete pieces or restrict access to protect my data then so be it. The provider should only care about giving me the space and / or resources I need. What I do with it is none of their concern.
It is like renting a house from a landlord; same principle. If I come home from work and find a stranger laying on my couch reading one of my books cuz the landlord let them in, I would not like that one bit.
Providers having access to my info unimpeded is the Achilles Heel of the Cloud setup. I can barely keep ahead of my company's needs for security without having to continually validate and assess my providers' IT staff and security.
A dangerous approach
“Encryption is a component, not the be-all-and-end-all. It must be used appropriately. It is a waste of time and resources to encrypt a social email exchange, for example. Securing information, not infrastructure, is key,”
If you only encrypt "what's important," you leave two VERY glaring weaknesses in your security strategy. First off, you attract attention to the data you consider to be most worth protecting. Secondly, and far more importantly, you run the risk of failing to catch all of the important data which you must safeguard.
You are correct that encrypting haphazardly opens you up to a potential mess of lost keys and irrecoverable data. However, careful key management plus the full and careful intent to encrypt ALL data is far more likely to protect you from unauthorized theft of critical information than attempting to pick and choose what is "sensitive" or not.
Nobody knows anything.
And they're all idiots.
Honestly, this distributed storage/computing thing has been bashing around for decades and several fundamental problems were never solved:
* Yes, security, and all the complexity thereof
* A wonderful MAGICAL network, Lisa! That never fails and is always available!
* How do you do generic coding? Clusters can't, they need specialized daemons written to be purpose specific? Java? Pffft. Yeah right. Python? Ok, viable, but how do you sandbox it without a million programming caveats? What is your distribution model in this 'cloud'? Are all services cluster....oh! sorry!....'cloud' aware? No? What do you do about that?
Let's all just put our suits on, turn up and give a 1 hour presentation of utter, utter bunkum to some morons from rich families in more suits, say 'cloud' a lot (and maybe 'paradigm' and 'leverage' a few times), collect our $2000 fee and head home to the spa and ho's. Who's with me!
Why focus on Encryption?
I'm apparently an Information Security Professional. And concerned about Cloud; not because of the technology or technical impacts - just like PKI - it all seems to be fine. I'm more concerned about the non technical aspects: risk, accountability, reliability, legal and privacy implications (just what killed off "Big PKI").
I have one of my auto-rants around this topic at http://www.pingudownunder.com/2011/05/04/simon-harveys-answer-to-what-are-common-concerns-about-adopting-cloud-computing/ and am more than happy to stand corrected.
A recent CIO.com article quoted this as the crucial point: "This is what shared responsibility implies—both parties have to step up to the security aspects in their control, and failing to do so means the application is not going to be secure. Even if the CSP does everything correctly for portions of the cloud application within its control, if the application owner fails to implement its security responsibility correctly, the application is going to be insecure."
My issue is that given the immense hype, marketing and over-simplistic sales pitch by Cloud/IT Vendors, they ignore their own responsibilities. And the market they are selling to - CEOs - incorrectly assume that security is no longer their issue. At least with traditional IT Outsourcing, the Rs & Rs was clear - contractually - about who is responsible for what. I have yet to see this in the Cloud world.
Looking at the Amazon Web Services downtime over Easter, the default compensation from AWS to customers was 10 days hosting credit. I wonder if this fully compensates the business loss incurred by their customers - and how many of them had DR/IT BCP plans in place.
Don't get me wrong ... similar to other "innovations" like SOA, BPO, BPM, Outsourcing, NearSourcing, Offshoring, NearShoring, and so on; I do like the promise of "Cloud" and can see many benefits; I just don't like its execution by the IT Industry.
And I strongly believe that you cannot assume, or believe the marketing hype, that Security becomes a non-issue. Ultimate responsibility for security and risk management remains that of the Customer - and they need to select the appropriate CSP which provides them with the most appropriate level of controls to their needs (insurance, contractual limitations/compensation, technical and policy monitoring/evaluation, etc).
Case in point: El Reg's reporting of the Virgin Blue downtime seems to indicate that they have good contractual obligations on Navitaire - i.e. the airline is due to be fully compensated for actual losses, including compensation given to VB's customers, plus additional charges on their IT Service Provider. I can't see anything approaching near this in the "Retail Cloud" space (e.g. Amazon, Google, Rackspace) ...