The Relentless Cloud

  • Ever since the Snowden revelations, I have not been well disposed towards the Cloud.

    However, now that I am thinking about getting a new computer at home, I am considering a Cloud-account instead.

    I want to experiment with In-Memory DBs v2 with SQL server 2016 and the more RAM I have at my disposal the better.

  • Anyone who is not a US citizen, or not a US company, should be aware that data owned by non-US citizens but held on servers under US jurisdiction is not secure — by law.

    Because US law requires US companies (e.g. cloud server owners) to hand over any data requested for any reason by law enforcement or similar, provided that the data is owned by someone who is not a US citizen or company.

    On the other hand, data owned by US citizens and held on servers under US jurisdiction is fully protected and requires a subpoena or similar legal force for any of it to be made available to law enforcement etc.

    As a UK citizen, I always advise anyone considering using cloud storage to first ask themselves whether they're happy about US police, FBI, etc. all being able basically to look at all of their data at any time, for any reason?

    Personally I will never ever use anything like 'the cloud' until and unless that law is changed. Not because I have anything to hide, but because of that utterly outrageous US law.

  • cad.delworth (7/20/2016)


    Anyone who is not a US citizen, or not a US company, should be aware that data owned by non-US citizens but held on servers under US jurisdiction is not secure — by law.

    Because US law requires US companies (e.g. cloud server owners) to hand over any data requested for any reason by law enforcement or similar, provided that the data is owned by someone who is not a US citizen or company.

    On the other hand, data owned by US citizens and held on servers under US jurisdiction is fully protected and requires a subpoena or similar legal force for any of it to be made available to law enforcement etc.

    As a UK citizen, I always advise anyone considering using cloud storage to first ask themselves whether they're happy about US police, FBI, etc. all being able basically to look at all of their data at any time, for any reason?

    Personally I will never ever use anything like 'the cloud' until and unless that law is changed. Not because I have anything to hide, but because of that utterly outrageous US law.

    Data security comes via many other forms also. We're trusting our data to companies where we have no visibility or influence on their staff recruitment/security screening policies, assuming they are up to date with patches and latest security standards, assuming they have comprehensive recurring penetration testing and vulnerability scanning with immediate fixes. These companies will smile and nod during service reviews... the actual truth as we all know can be very different.

  • cad.delworth (7/20/2016)


    Anyone who is not a US citizen, or not a US company, should be aware that data owned by non-US citizens but held on servers under US jurisdiction is not secure — by law.

    Because US law requires US companies (e.g. cloud server owners) to hand over any data requested for any reason by law enforcement or similar, provided that the data is owned by someone who is not a US citizen or company.

    On the other hand, data owned by US citizens and held on servers under US jurisdiction is fully protected and requires a subpoena or similar legal force for any of it to be made available to law enforcement etc.

    As a UK citizen, I always advise anyone considering using cloud storage to first ask themselves whether they're happy about US police, FBI, etc. all being able basically to look at all of their data at any time, for any reason?

    Personally I will never ever use anything like 'the cloud' until and unless that law is changed. Not because I have anything to hide, but because of that utterly outrageous US law.

    We have a one-sided extradition treaty between the UK and US where the US can demand that a UK citizen be extradited to the US. However, in the case of Gary McKinnon the extradition was blocked.

    When the treaty was signed considerable concerns were raised that US law was stacked in favour of the prosecution.

    Precisely how the US can enforce such a law is a bit of a curiosity. If I as a non-US citizen store an encrypted file in a US data storage facility then apart from deleting my file and making a lot of noise what exactly can the US do?

    There is the axiom that hard cases make for bad laws. On one hand we value civil liberties, freedom of speech and expression etc but on the other hand we don't want those privileges abused.

    Good luck with decrypting a 2048-bit encrypted file. If you can decrypt it you deserve to read it. I hope you like Douglas Adams.

  • Cloud security is an oxymoron.

    Those who say cloud security problems will be solved are actually saying "The Cloud can't be trusted yet".

    I would go further. One critical concept in any threat environment, physical or virtual, is vulnerability. Vulnerability is a function of how easily a target's defenses can be dealt with (hardening), how many areas may be attacked (attack surface), how easily the target can be reached, how many attacks can be mounted, and how much risk there is to the attacker.

    Any cloud target hardening has to deal with a nearly infinite attack surface, by complete lack of cover to attackers, by nearly infinite attackers who can (each) launch a vast number of attacks--in anonymity.

    Given that, how in the world can a cloud database be defended? How can anyone say with a straight face "this database is secure enough to trust with your life, your financial security, your reputation, and your company's existence (from being sued into bankruptcy over a breach)."

    Barring some mythical perfect security development, trusting the cloud is almost criminally negligent. Even "low risk" applications are certain to attract attacks sooner or later. Which might give an attacker enough to attack a more important target.

    Cloud isn't inevitable. Cloud is headed for a Waterloo event. I just hope it doesn't involve nuclear launch codes...

    [EDIT: Spelling]

  • cad.delworth (7/20/2016)

    As a UK citizen, I always advise anyone considering using cloud storage to first ask themselves whether they're happy about US police, FBI, etc. all being able basically to look at all of their data at any time, for any reason?

    I believe a recent ruling declared that data in the EU is exempt from this?

    http://www.wsj.com/articles/microsoft-wins-appeals-ruling-on-data-searches-1468511551

    The WSJ site is popup-tastic, by the way, so maybe try the Guardian instead: https://www.theguardian.com/technology/2016/jul/14/microsoft-emails-court-ruling-us-government

  • roger.plowman (7/20/2016)


    Cloud security is an oxymoron.

    Those who say cloud security problems will be solved are actually saying "The Cloud can't be trusted yet".

    I would go further. One critical concept in any threat environment, physical or virtual, is vulnerability. Vulnerability is a function of how easily a target's defenses can be dealt with (hardening), how many areas may be attacked (attack surface), how easily the target can be reached, how many attacks can be mounted, and how much risk there is to the attacker.

    Any cloud target hardening has to deal with a nearly infinite attack surface, by complete lack of cover to attackers, by nearly infinite attackers who can (each) launch a vast number of attacks--in anonymity.

    Given that, how in the world can a cloud database be defended? How can anyone say with a straight face "this database is secure enough to trust with your life, your financial security, your reputation, and your company's existence (from being sued into bankruptcy over a breach)."

    Barring some mythical perfect security development, trusting the cloud is almost criminally negligent. Even "low risk" applications are certain to attract attacks sooner or later. Which might give an attacker enough to attack a more important target.

    Cloud isn't inevitable. Cloud is headed for a Waterloo event. I just hope it doesn't involve nuclear launch codes...

    [EDIT: Spelling]

    The same could be said for any database on a network, including inside your company, if you have a connection to outside networks. I think you're a bit over-exaggerating the concerns of a cloud database compared to other databases.

    Is the database that powers Pokémon Go not suited to the cloud? How about the vacation tracking for your company? The parts database for a retail company?

    Your bank may already be using a cloud database.

  • Beatrix Kiddo (7/20/2016)


    cad.delworth (7/20/2016)

    As a UK citizen, I always advise anyone considering using cloud storage to first ask themselves whether they're happy about US police, FBI, etc. all being able basically to look at all of their data at any time, for any reason?

    I believe a recent ruling declared that data in the EU is exempt from this?

    http://www.wsj.com/articles/microsoft-wins-appeals-ruling-on-data-searches-1468511551

    The WSJ site is popup-tastic, by the way, so maybe try the Guardian instead: https://www.theguardian.com/technology/2016/jul/14/microsoft-emails-court-ruling-us-government

    There's also a whole legal process that has to be followed in the US, but let's face it - any government has lots of lawyers.

  • When it comes to protecting your data from big brother, encryption and a good lawyer will buy you some time to ponder your next legal move. Meanwhile, however, you will still be sitting in jail.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Steve Jones - SSC Editor (7/20/2016)


    roger.plowman (7/20/2016)


    Cloud security is an oxymoron.

    Those who say cloud security problems will be solved are actually saying "The Cloud can't be trusted yet".

    I would go further. One critical concept in any threat environment, physical or virtual, is vulnerability. Vulnerability is a function of how easily a target's defenses can be dealt with (hardening), how many areas may be attacked (attack surface), how easily the target can be reached, how many attacks can be mounted, and how much risk there is to the attacker.

    Any cloud target hardening has to deal with a nearly infinite attack surface, by complete lack of cover to attackers, by nearly infinite attackers who can (each) launch a vast number of attacks--in anonymity.

    Given that, how in the world can a cloud database be defended? How can anyone say with a straight face "this database is secure enough to trust with your life, your financial security, your reputation, and your company's existence (from being sued into bankruptcy over a breach)."

    Barring some mythical perfect security development, trusting the cloud is almost criminally negligent. Even "low risk" applications are certain to attract attacks sooner or later. Which might give an attacker enough to attack a more important target.

    Cloud isn't inevitable. Cloud is headed for a Waterloo event. I just hope it doesn't involve nuclear launch codes...

    [EDIT: Spelling]

    The same could be said for any database on a network, including inside your company, if you have a connection to outside networks. I think you're a bit over-exaggerating the concerns of a cloud database compared to other databases.

    Is the database that powers Pokémon Go not suited to the cloud? How about the vacation tracking for your company? The parts database for a retail company?

    Your bank may already be using a cloud database.

    Yes, Yes, no, and *HELL* no.

    Internal networks have a FAR smaller attack surface. We have two internet entry points, for example. One automatically blocks the user's IP address after 5 failed login attempts in a 30-day rolling window. The other is an email server with severely limited access to the rest of our network.

    Yes, we're extremely paranoid. For us a security failure might end up with someone shot, or *dead*. So...yeah.

    The litany of cloud security failures is as abysmal as it is enormous. Just a few highlights: Sony, Microsoft, Google, the *IRS* for God's sake!, eBay, JP Morgan Chase (speaking of banks), Ashley Madison (one you REALLY don't want exposed :)), MySpace, Anthem (ins), Carefirst (BC/BS insurance!), Securus Technologies (prison phone provider), Home Depot, AOL, Adobe, Steam (gaming co), Target. And lots of different government databases.

    The list goes on and on...

    You're saying I should trust this thunderstorm-level leaky cloud with data that could get someone killed? Um, no.

    Inside my network the attacker has to come through a single opening that's firewalled and IPS guarded. That seriously reduces attack surface. A public facing database (or even interface) is mega-softer, bigger, and juicier than any internal database.

    When it comes to the cloud's lack of security I'm not exaggerating anything. Remember, defenders have to be perfect every single time. Attackers only have to be lucky ONCE.

    By the way, here's a pretty damning read:

    http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

  • Agree there are things to worry about. But plenty of those companies were hacked without being in the cloud. The cloud in and of itself isn't necessarily less secure for companies.

  • It seems to me that most database breaches are the result of hackers exploiting web-based applications with public-facing surface area. For example, unencrypted wifi on point-of-sale terminals, SQL injection on eCommerce websites, etc. For intranet applications, either entirely on premises or a cloud hybrid, there are fewer vectors for attack coming from outsiders.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • I just have to point out the obvious.

    You really can't use what you read on major news outlets as the baseline. Most of those companies are high-profile companies that will always be in the news, much like high-profile celebs. You rarely are going to read about the majority of the breaches that are not Target, Wal-Mart, McDonalds, and so forth. Most that happen are actually not vocal about it with the news media because they do not want the world to know. It's bad for business.

  • xsevensinzx (7/21/2016)


    I just have to point out the obvious.

    You really can't use what you read on major news outlets as the baseline. Most of those companies are high-profile companies that will always be in the news, much like high-profile celebs. You rarely are going to read about the majority of the breaches that are not Target, Wal-Mart, McDonalds, and so forth. Most that happen are actually not vocal about it with the news media because they do not want the world to know. It's bad for business.

    When I was working in the telecoms arena there were a number of cases where large organisations' phone systems were hacked. An example was students dialling in and then back out again, i.e. making an international call for the price of a local one. This was all kept quiet as there was then the potential of using TCP/IP to access other areas. When on one occasion it was found to be an inside job, the person was just asked to resign rather than risk any sort of publicity. In my previous place the cloud services were provided on our own hardware located in a secure data centre, with our firewalls behind their firewalls.
