
Security In the Ether 93

Posted by Soulskill
from the less-likely-than-ether-in-the-security dept.
theodp writes "Technology Review's David Talbot says IT's next grand challenge will be to secure the cloud — and prove we can trust it. 'The focus of IT innovation has shifted from hardware to software applications,' says Harvard economist Dale Jorgenson. 'Many of these applications are going on at a blistering pace, and cloud computing is going to be a great facilitative technology for a lot of these people.' But there's one little catch. 'None of this can happen unless cloud services are kept secure,' notes Talbot. 'And they are not.' Fully ensuring the security of cloud computing, says Talbot, will inevitably fall to emerging encryption technologies."
  • Remember kids (Score:0, Insightful)

    by Anonymous Coward on Sunday December 27 2009, @01:19PM (#30563964)

    "Cloud" computing is a buzzword, nothing more. It has no real meaning, therefore all talk about it is worthless drivel.

    Proceed with the drivel.

  • by bschorr (1316501) on Sunday December 27 2009, @01:26PM (#30564006) Homepage
    Part of the problem is that with Cloud Computing you have a much broader set of "enemies" to secure your data from. It's naturally in the interests of cloud/SaaS providers, who are selling an increasingly commodity product, to look for ways to cut their costs. They have price pressure from consumers and competitors so like any business you can bet they're looking for the cheapest providers they can for the services they require. Unfortunately that cost-cutting and corner-cutting will lead to new and different security challenges.

    For example: all but the largest will be outsourcing their data centers. And when they outsource that storage will they find the same sort of pricing structures, perhaps on a different scale, that everybody else does - it is attractive, from a price perspective, to off-shore that data to places where it's just cheaper to run. One of the strengths of the Internet is how it shrinks the planet in that regard. But there has recently been a big debate about whether or not the 4th Amendment in the U.S. protects hosted e-mail from search and seizure by the U.S. government. What does the 4th Amendment in Malaysia protect against?

    What if your biggest competitor in your particular industry is a Chinese company and your Cloud provider decides to store your data on a server located in China. Do you suppose the Chinese gov't might be able to access (or monitor) your data and provide any of it to their company?

    Even if your data stays on a domestic server and your business is entirely legitimate - most Cloud providers are multi-tenant (that's the economy of scale that helps them keep prices down). What if one of the other tenants on that server is doing something naughty and the government decides to seize the server to go after them. Will your data be safe and protected? They're the government, right? OF COURSE your data will be handled properly. :-) Uh huh.

    Another big topic is document retention. You want to keep documents as long as you need to and then expire those documents. Will your SaaS/Cloud provider respect your document retention policies? Or are you going to discover, hopefully not after being served with a discovery request, that they actually have copies of your expired documents in cache or on backups somewhere that they never destroyed?

    There are a LOT of new security issues that come up when you essentially put your data at arm's length with no real idea of where it's physically stored or who has access to those servers. I'll close with a quote:

    "If (CIO) Randy Mott told me 'Put the general ledger up in the Cloud' I'd say 'Go back to work, we're not doing that.'"
                -Mark Hurd, CEO of Hewlett Packard-
  • Security aside... (Score:4, Insightful)

    by Yaa 101 (664725) on Sunday December 27 2009, @01:27PM (#30564016) Journal

    Would you trust other companies to manage your electronic secrets?

    I would never, no matter what promise.

    Besides, we all know the track-records of the companies offering this and they are real bad at least in my opinion.

  • by hey (83763) on Sunday December 27 2009, @01:35PM (#30564058) Journal

    We already trust the cloud a bit. We use the internet to move stuff around. Do we trust intermediate nodes not to eavesdrop or steal our data? No... we use SSL. Do we trust the intermediate nodes to deliver our packets on time? No... we wait for ACKs and use timeouts.
    Seems to me this is just like cloud storage. Use it but don't just trust it all. Encrypt everything. Periodically pull the data back to make sure it's OK, etc.
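    The "periodically pull the data back to make sure it's OK" step, as an added example in Go written for this page (it is not code from hey or any other poster): before upload the client records a keyed HMAC-SHA256 per object in a manifest that never leaves the client; on each pull-back it recomputes the tags and reports what was modified, what went missing, and what appeared that was never uploaded. A plain SHA-256 checksum would not do, since a provider who can alter the data can recompute an unkeyed hash. Binding the object name into the tag also catches two intact objects being swapped, which a per-object hash alone would miss. The key, object names and contents are constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Manifest maps an object name to the HMAC-SHA256 of that object, keyed with a secret
// that stays on the client. Without the key the provider cannot re-tag altered content.
type Manifest map[string][]byte

// tag binds the name into the MAC so two validly tagged objects cannot be swapped.
func tag(key []byte, name string, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(name))
	m.Write([]byte{0}) // separator between name and content; names contain no NUL
	m.Write(data)
	return m.Sum(nil)
}

// Build records a tag for every object before it is uploaded.
func Build(key []byte, objects map[string][]byte) Manifest {
	mf := make(Manifest, len(objects))
	for name, data := range objects {
		mf[name] = tag(key, name, data)
	}
	return mf
}

// Report is the outcome of one periodic pull-back.
type Report struct{ OK, Modified, Missing, Unexpected []string }

// Verify recomputes every tag over the pulled-back copies and compares in constant time.
func Verify(key []byte, mf Manifest, pulled map[string][]byte) Report {
	var r Report
	for name, want := range mf {
		data, ok := pulled[name]
		switch {
		case !ok:
			r.Missing = append(r.Missing, name)
		case hmac.Equal(tag(key, name, data), want):
			r.OK = append(r.OK, name)
		default:
			r.Modified = append(r.Modified, name)
		}
	}
	for name := range pulled {
		if _, ok := mf[name]; !ok {
			r.Unexpected = append(r.Unexpected, name)
		}
	}
	for _, s := range [][]string{r.OK, r.Modified, r.Missing, r.Unexpected} {
		sort.Strings(s) // map iteration order is random; make the report deterministic
	}
	return r
}

func main() {
	key := []byte("constructed demo key, never uploaded") // real use: random, stored locally
	uploaded := map[string][]byte{ // constructed sample objects
		"ledger-2009.csv": []byte("acct,debit,credit\n1000,50,0\n"),
		"payroll.db":      []byte("constructed payroll blob"),
		"contracts.pdf":   []byte("constructed pdf bytes"),
	}
	mf := Build(key, uploaded)
	// What comes back a month later: ledger altered, contracts gone, a stray file added.
	pulled := map[string][]byte{
		"ledger-2009.csv": []byte("acct,debit,credit\n1000,5000,0\n"),
		"payroll.db":      uploaded["payroll.db"],
		"notes.txt":       []byte("not ours"),
	}
	fmt.Printf("%+v\n", Verify(key, mf, pulled))
}
```

    Running it prints a report with payroll.db under OK, ledger-2009.csv under Modified, contracts.pdf under Missing and notes.txt under Unexpected. The manifest itself has to be protected as carefully as the key: if it lives with the provider, it needs its own MAC or signature, or a tampered object can be accompanied by a matching tampered manifest.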

  • by Anonymous Coward on Sunday December 27 2009, @01:48PM (#30564120)

    Would you trust other companies to manage your physical secrets? Well, lots of people do. They're called banks.

  • Banks.... (Score:4, Insightful)

    by Savage-Rabbit (308260) on Sunday December 27 2009, @02:07PM (#30564258)

    Would you trust other companies to manage your physical secrets? Well, lots of people do. They're called banks.

    I may be wrong here but I'm still convinced my super secret stuff will be safer in a safety deposit box (where I have the only copy of one of the two keys needed to open it), which is located behind a massive steel door, encased in layers upon layers of concrete in the cellar of a bank than those secrets will be if I store them on "the cloud". It takes a court order (which isn't easy to get in most places since the banks tend to fight them tooth and nail) or a gang of seasoned bank robbers with a lot of time on their hands and some very heavy equipment to lift my secrets from that vault. On "the cloud" the only thing standing between my secrets and Russian mafia hackers is a badly paid marginally competent sysadmin in an IT sweatshop in India.

  • by mlts (1038732) * on Sunday December 27 2009, @03:22PM (#30564686)

    Cloud computing violates the first rule of security: Don't let the data be accessible in any shape or form to those not authorized. It goes with one of the fundamental rules of the Internet which is often ignored: don't put anything on a Net accessible computer that you would be afraid of it ending up linked off of 4chan.

    Cloud computing has some seductive properties for PHBs: It is just a network jump away through an API, requires no dedicated equipment on the client site, and the big named company salespeople who play in the same foursome at the golf course sell the stuff.

    However, if one drops the smoke and mirrors, there isn't much difference between cloud storage and FTP-ing files onto a remote site.

    So, what does one do? Before someone states "encrypt it!" one has to know that there are two parts to encrypting:

    First is choosing the algorithms (AES-256, and if worried about an AES crack, chain AES and Serpent or Twofish [1]) and how they are implemented (ECB bad, XTS good). You also add to this how one can tell if the key is valid, and one of the most secure ways is to have the key use a salt, decrypt part of the ciphertext, and check it against a known value. TrueCrypt does this when validating if a filesystem is OK to mount.

    The second part is not as obvious, but it means as much to secured data as the cipher: Key management is where you feel the burn. The simplest key management is having some random passphrase the maximum length allowed stored in a file on a USB flash drive and printed out for safekeeping. However, this runs you into the same issues as using WPA2-PSK: if the key is divulged in one area, the whole security of the system is now compromised.

    Which means that you have to have a system of subkeys where the keys will decrypt the master key, similar to how PGP stores multiple passphrases and public key information to open a PGPDisk. You can give everyone a different passphrase to remember, or you can give them some type of smart card that unlocks the information. If a passphrase is divulged, it will suck, but given time, it can be removed from the authorized list.

    Don't forget not just using one volume key for the data, one needs to use a different one every so often, so a compromised subkey which allows someone to slurp up the main decryption key won't compromise everything.

    In reality, after a company goes through their iterations of a key management system, going from passphrases to RSA keys (because passphrases are hard to remember), then going from a list of keys to a full blown PKI with multiple recovery mechanisms, companies usually end up going to a smart card system. Of course, this is expensive and requires an elaborate support structure, but it is the best way of dealing with key management we have. And of course smart cards have driver hell in most cases.

    So, with all the complexity that one needs to have in place for an encryption layer before stuff ends up stored offsite, it gets to a point where why should one even bother? Instead, for a number of SMBs with a non-trivial amount of employees, they should just buy tape libraries and a backup program that has encryption. Some drives (like some of HP's) have encryption functionality in hardware. Then after the tapes are backed up, they are either stored in the data center (with restricted access), a tape safe, or an Iron Mountain tub.

    What is the advantage of going back to tape even though cloud computing is seductive and seems like all problems of storage are just an Internet connection away? You know who has physical possession of the data at all times. It is a lot easier to deny someone access to physical media by rekeying locks, yanking their HID card access, or striking their name from the authorized user rolls at the offsite system than it is to deny access to stuff where you don't know even where it is stored.

    With physical media, you have two pieces of security. The physical media itself, and the encryption on it. With cloud storage, ALL your se
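    The key hierarchy mlts describes, as an added example in Go written for this page (it is not code from mlts, TrueCrypt or PGP): a random master data key (DEK) seals the data with AES-256-GCM, and each authorized user gets a slot holding that DEK wrapped under a key stretched from their passphrase with PBKDF2-HMAC-SHA256. The GCM authentication tag on the slot plays the role of the "decrypt a known value and check it" test mlts attributes to TrueCrypt: a wrong passphrase fails to open rather than yielding a garbage key. Striking a user from the list removes their slot, but a DEK they already extracted still opens the current ciphertext, so the example also rotates: decrypt, re-seal under a fresh DEK, re-enroll the surviving users. GCM is used instead of XTS because this is a blob, not a sector-addressed disk, and PBKDF2 is written out by hand so only the standard library is needed. The user names, passphrases, sample data and iteration count are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const kdfIters = 20000 // kept low so the example runs quickly; real deployments use far more

// pbkdf2Sha256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) producing one 32-byte block.
func pbkdf2Sha256(passphrase, salt []byte, iters int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): index of the first (and only) output block
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// gcm builds AES-256-GCM; every key here is 32 bytes, so the constructors cannot fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Slot is one user's copy of the master data key (DEK), sealed under a key derived from
// that user's passphrase. The GCM tag is the key check: a wrong passphrase fails to open.
type Slot struct{ Salt, Nonce, WrappedDEK []byte }

func wrapDEK(dek []byte, passphrase string) Slot {
	salt := randBytes(16)
	aead := gcm(pbkdf2Sha256([]byte(passphrase), salt, kdfIters))
	nonce := randBytes(aead.NonceSize())
	return Slot{salt, nonce, aead.Seal(nil, nonce, dek, nil)}
}

// Volume is what goes offsite: one slot per authorized user plus the data sealed under the DEK.
type Volume struct {
	Slots             map[string]Slot
	Nonce, Ciphertext []byte
}

// NewVolume seals data under a fresh DEK and wraps that DEK once per user. Key rotation is
// this same operation run again on the decrypted data with only the surviving users.
func NewVolume(data []byte, users map[string]string) *Volume {
	dek := randBytes(32)
	aead := gcm(dek)
	v := &Volume{Slots: map[string]Slot{}, Nonce: randBytes(aead.NonceSize())}
	v.Ciphertext = aead.Seal(nil, v.Nonce, data, nil)
	for user, pass := range users {
		v.Slots[user] = wrapDEK(dek, pass)
	}
	return v
}

// UnlockDEK recovers the DEK through one user's slot; a wrong passphrase fails the GCM check.
func (v *Volume) UnlockDEK(user, passphrase string) ([]byte, error) {
	s, ok := v.Slots[user]
	if !ok {
		return nil, fmt.Errorf("no slot for %s", user)
	}
	return gcm(pbkdf2Sha256([]byte(passphrase), s.Salt, kdfIters)).Open(nil, s.Nonce, s.WrappedDEK, nil)
}

// Open decrypts the data with a raw DEK, as a legitimate holder or a thief would.
func (v *Volume) Open(dek []byte) ([]byte, error) {
	return gcm(dek).Open(nil, v.Nonce, v.Ciphertext, nil)
}

// Revoke strikes a user from the list. A DEK already pulled through that slot still opens
// the current ciphertext, which is why revocation has to be followed by rotation.
func (v *Volume) Revoke(user string) { delete(v.Slots, user) }

func main() {
	v := NewVolume([]byte("general ledger (constructed sample)"), map[string]string{"alice": "correct horse", "bob": "battery staple"})
	stolen, _ := v.UnlockDEK("bob", "battery staple") // bob's passphrase leaks the DEK
	v.Revoke("bob")
	_, err := v.Open(stolen)
	fmt.Println("leaked DEK opens the volume after revoke:", err == nil) // true
	dek, _ := v.UnlockDEK("alice", "correct horse")
	data, _ := v.Open(dek)
	v = NewVolume(data, map[string]string{"alice": "correct horse"}) // rotate: fresh DEK, alice re-enrolled
	_, err = v.Open(stolen)
	fmt.Println("leaked DEK opens the volume after rotate:", err == nil) // false
}
```

    Rotation here is just NewVolume called again on the decrypted data; in a real deployment the users other than the one doing the rotation would re-enroll with their own passphrases rather than having them handed to the rotator, and the iteration count would be tuned to the slowest acceptable unlock time, since the provider holds the wrapped slots and can grind on them offline.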

  • by Anonymous Coward on Sunday December 27 2009, @03:43PM (#30564812)

    I trust several companies to manage my physical secrets:

    Iron Mountain manages tapes and offsite stuff.
    My bank manages the pathetically small amount I have in checking, as well as allows me to store crucial files in a safe deposit box.
    U-haul manages a storage unit I have.

    However there is a difference between physical secrets and electronic ones: If someone tries to mess with the stuff I have in storage, it will be evident. Either via a broken seal, a cracked off padlock, a broken label, or some other means. There is no way that you can be assured that someone didn't make a copy of your data on the storage backend.

    Of course, there are ways to forge seals and make undetectable tampering attempts, but doing so takes a *lot* more work than a simple cp -r.

  • Re:Why Bother? (Score:0, Insightful)

    by Anonymous Coward on Sunday December 27 2009, @04:13PM (#30565076)

    Because with your DIY storage you have no redundancy, no failover, no information security from a disaster recovery point of view. 2 hard drives won't even cut it, unless they're safely stored in different geological locations to protect against natural disaster (and once they're split up geographically, how will you keep them in sync?).

    In an honest apples-to-apples comparison, the costs of actually doing it yourself are much higher than the cost of a single drive. You couldn't do what they do as cheaply as they do it.

  • by mlts (1038732) * on Sunday December 27 2009, @04:48PM (#30565396)

    SSL is different. The encryption key that is used is used just for the communication, then is tossed. In general, one will not have an SSL negotiated key for last week's bank transaction on their computer.

    Because the SSL key management is about keys that are tossed, there isn't much of an issue with the nodes in between.

    Cloud computing is about long term, persistent storage. The session key that gets chucked in SSL has to be kept permanently somewhere when it comes to storage, and key management is a major headache. Have too little redundancy, you can lose access forever to data. Have too much redundancy, and keys can wind up in the hands of blackhats and people who you really don't want to have access.

  • Re:Never safe. (Score:3, Insightful)

    by sowth (748135) * on Monday December 28 2009, @10:51AM (#30571016) Journal

    I don't get why it isn't obvious, but if you can't trust your hosting provider, you can't trust the server you run at their site. Period. If you can't trust them with the root password, then you shouldn't be hosting with them. They have physical access. Any 20 minute downtime (which you may never notice) could be them pulling the hard drive and cloning it, then putting it back.

    Even if you encrypt the hard drive, most likely they could stage a MITM attack one way or another to get the key. They can go to the point of emulating the machine on a hypervisor and access the RAM directly. They have total physical and network control of the machine, so nothing can stop them. It is like saying you don't trust your bank, but your safety deposit box is secure because they gave you a key.

    If you don't use a host you can trust, don't be surprised if they root your server or copy your private data. Just as if you can't trust your bank, don't be surprised if they funnel all your money into their personal accounts (such as charging absurdly high interest / fees and upper management giving themselves absurd multi-million dollar salaries and bonuses). Do research and try to find a company you can trust. If what you have is too valuable to be trusted with someone else, don't let them handle it.

    BTW, from the posts in that story, from what I understood, they wanted his root password because they moved his image to another computer [slashdot.org] because the old one was flaky and they needed to install drivers on the new one to get it to boot, and the asshole was too cheap to pay their $35/day fee for virtual kvm access so he could do it himself [slashdot.org].
