SANS ISC: AOC Cloud - SANS Internet Storm Center

AOC Cloud

In matters of food and wine, the Europeans have this concept of "AOC", from the originally French "Appellation d'origine contrôlée". It means that, say, Bordeaux wine actually comes from Bordeaux, and is not re-bottled Malbec from Patagonia. The point I'm trying to make, albeit poorly, is that it is sometimes important to know where things are coming from, which implies traceability to the source.

In matters of IT, we are currently losing this AOC. Only three years ago, we likely knew exactly, down to the server room cabinet and shelf, where our mail server was located. These days, with "cloud" services proliferating rapidly, we might know who *sold* us the service, but we only have a vague idea of its real origin or location.

The question recently came to light again when Codespaces (http://www.codespaces.com/) went down after a hacking attack back in June. As they say on their web page: "In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted". I wonder how many (if any) of Codespaces' customers had actually done the due diligence, while signing up, to determine that all of Codespaces' services were hosted at Amazon AWS, *including* the backups. That's AOC! You might know from whom you buy your SVN or Git hosting, but - unless you negotiate hard, forbid any sub-subcontracting, and ruthlessly enforce your right to audit - you might never learn where your SVN/Git hoster actually hosts the service. And not even with your right to audit will you ever find out where *that* hoster draws their services from, because you don't have a contract relationship with the hoster (only with the SVN service on top). If the hoster, at their discretion, decides that they can operate more cheaply by re-selling virtual machines from Patagonia instead of running their own ... that's what's going to happen.

If you like this concept, I have a stellar 1961 Bordeaux that I'm willing to part with for a good price. Please don't worry about the penguins and the Spanish language on the label :).

In all seriousness though - it is overdue that "cloud" providers offer a bit less cloud, and a bit more sunlight. It might hurt their bottom line a little, but this kind of "AOC" end-to-end transparency, with traceability to the source, is vital for the customer to assess and mitigate the resulting risk.

If you have any stories on how you determine the "AOC" of your penguin wine (or not), please share below.

Daniel

ISC Handler
http://xkcd.com/908/
xkcd.com is a web comic
Anonymous
AOC becomes Due Diligence (aka Due-Dil) in IT, no?
Mr.Prontissimo

A couple of weeks ago, our church web site had mysteriously vanished...and we weren't notified. When I complained to our web designer who also sets up the accounts, all of the files had gone bye-bye...with no backup on the server end---due to a system crash. Thankfully, she had a fairly recent backup that we were able to recover from. However, I spent part of my holiday weekend working on updating everything and changing the design back to our current look.

Look: I know going "virtual" and "cloud" can increase efficiency and productivity. But it does NOT improve reliability. And, as this excellent post notes, it can be outsourced without your knowledge...and I prefer to know what hardware I have on my servers. "RAID 10" means nothing if the entire cabinet gets fried. Or the hard drive stack, and that DOES happen.

There are efficiencies that can be gained through the cloud and outsourcing, but I prefer doing it in-house.
I know what's there, and I know what happens. Does it cost more? Sure. Is it more cumbersome to deal with backups, data policies, etc? Yep. But when things go south, I am not calling India at 3 AM wondering what the status of my pages are...
Gilbert

Quoting Gilbert: A couple of weeks ago, our church web site had mysteriously vanished...[...]
But when things go south, I am not calling India at 3 AM wondering what the status of my pages are...

Just because it's cloud doesn't mean it's reliable. As we all know, "cloud" is a loose term. Unless it says HA, it's just a VPS sold as a "cloud" product and runs on local storage.
Anonymous
I completely agree that the "AOC" concept is probably one of the biggest challenges for both users and providers of cloud services. By using cloud services, users/companies give up a lot of control over their data and systems. However, that loss of control shouldn't be blind, and as another poster posted, there should be some due diligence involved. Actually, there should be a LOT of DD involved. This not only includes "where" a cloud provider hosts their cloud, but also what security policies they follow (or at least, what policies they say they follow), physical and technical configurations, etc.

Bottom line, if you use the cloud blindly, you are likely to get hurt.
da1212

The organization is responsible for the data that the organization holds, stores, and/or uses on their systems.
Due diligence and due care extend to auditing everything about the cloud services that are to be used... in extreme detail. In essence, the cloud services should be able to pass the audit as effectively as if the organization owned the systems, right down to the hardware.

When using online backup solutions, it is important to make sure that the system admin accounts cannot affect the backup libraries and the backup library management is a completely separate function, with accounts that cannot be affected by the system admin accounts.
AlSitte
