
SANS ISC: Cloud thoughts - SANS Internet Storm Center SANS ISC InfoSec Forums

Cloud thoughts

The cloud means a number of different things to different people.  For some it is the new frontier, the way forward. For others it is outsourcing by a different name and even less control over what happens in the cloud.  In true security fashion and one of my favourite answers, it depends. The reality however is that it is inevitable, in some aspects of your work you will come into contact with the cloud, or you will be asked to secure it. 

So let's have a look at a few of the challenges in cloud world, and if your weekend or Monday is as drab, wet and cold as mine, add your comments to the list. We'll try and keep it to pros and cons.

Pro Cloud: 

  • Free up resources from performing menial tasks
  • Access to resources at a price you can afford
    • Getting affordable offsite storage or backup facilities is often cheaper in the cloud than doing it yourself, especially for smaller businesses.
    • Quality content filtering solutions
    • IDS/IPS services
    • etc.
  • Fewer limitations
    • e.g. online backups. If you need more space, you purchase it and it is there.

Con Cloud: 

  • You do not necessarily know where your data is.
    • Many cloud providers have in their contracts that they can move your services about. So if it is important that your services are delivered locally, then some cloud providers may not be what you are after.
  • How do you get your data back when the provider refuses access or goes bust?
    • Companies go bust. If your core data resides with that company, how do you get it back?
  • Who has access to your information?
    • The cloud is a shared environment. There will always be at least two parties that have access to your information: you and the provider.
    • Attackers
    • Legal entities. Depending on the jurisdiction you are in, different legal entities may have access to your data.

So that has us started. If sending through comments please state clearly at the start whether your comment is Pro or Con.

Happy thinking

Mark H



392 Posts
ISC Handler
Jun 13th 2011
CON... for certain.
1. There is -no- agreed upon security standard.
2. Cloud providers are -not- responsible. They say so.
3. Pay for that?
4. Even Dilbert and Scott Adams know:
"... You say "Cloud Computing" to an executive and their eyes glaze and they sign whatever PO you put in front of them. They have no idea what it is, but they have been told that they want it."

160 Posts
IDS/IPS services? Really? We priced several providers as a DR site for a public web site, one that is effectively brochure-ware only. Putting a firewall in front of the VM was at least $300 per month and they "managed" it and we had no access to any logs. Yes, a firewall is optional!

The "cloud" is the 21st century version of "The emperor has no clothes."
* you don't have to have floor space, cooling, electricity, or personnel for a big old SAN

* you are still responsible for securing your data only now they are on a foreign / hostile system and you have no control over how they are moved, shared, or stored

93 Posts
There are some great pros of using cloud technology, however I would go through the following steps:

1. I would identify what cloud services I would want to use. I would probably only stay at the data storage service only.

2. For the data storage part I would completely risk assess all of my data and then only put data I am comfortable with if anything happened, taking local copies periodically.

For instance, I wouldn't put anything on there that would breach legal responsibilities if it became lost, stolen or leaked.

I would also make sure the contract was pretty good to ensure a standard of service.
11 Posts
1) The cost of no security for your data could be astronomical in size. The legal implications (HIPAA, SOX, etc.) also play into security of the data.

2) Leaving the door open for everyone to look at the data just because it is "cheaper" up front is analogous to letting strangers wander through your house just because you're too cheap to provide a lock on a door.

3) How exactly CAN you control who puts what data where? i.e. you have an internal network for 'secure' data but some nitwit drops the latest batch of personnel files 'in the cloud'.

4) Once data is leaked to the cloud there is no absolute way to secure it again.
Big "E"

9 Posts
If your internet connectivity is down, your access to the data/application/functionality is down (unless there is some offline capability built in). Some apps can tolerate this, but some cannot.
Cloud works by making many servers act as one, putting some close to the edge of networks you use. How do you know when one path becomes error prone causing your online presence to look like a broken piece of garbage? I know.. never happens... ha!

How do you do damage control if you don't even know this happens? Do you think you get a call every time someone has a problem or better yet do you think your cloud provider will tell you? No!!, and your customers just leave! Bad for business unless you have complete control, which you never can in the cloud.

How many times have you downloaded something from the net only to find it crawls, then you cancel the request and try again... and it works? Bet you are going to the cloud!

Cloud is cheap, but not a solution if you need something that is solid with full control. You still have to build your own upload network to make it work in any event.

Remember the days of peering arrangements? They still work but they cost more. Reason.. they are still better.. and you can see what is happening if you know how.

As the new cloud ages you will have more and more problems, not less. And no one will be accountable except you in your customer's eyes.

Al of Your Data Center

80 Posts
Oh, one more big con... for the receiver of cloud transmitted data..

Just one more way to load up nasty code to something, which now can be pushed globally in seconds!

Let's say is known to be viral. Do you know if is?
Al of Your Data Center

80 Posts
"How many times have you downloaded something from the net only to find it crawls, then you cancel the request and try again... and it works? Bet you are going to the cloud!"

That's actually a very good point. I remember reading about people who had extremely slow iTunes downloads while others were fast. People that had switched to Google's DNS servers were very slow because the iTunes servers tried to be geographically aware as a way of balancing load but everyone using Google's DNS servers seemed to come from the same location.
Backup has never been trivial. When you move your data "up" in the cloud - how do you:
1) Know that your backup is on a physically different media than the original?
2) Test the integrity of the backup?
3) Perform a disaster recovery (e.g. to another cloud provider) ?

2 Posts
Cloud Computing Rights & Responsibilities
(See the video - 3:45)

160 Posts
Hey Mark, Hope life is treating you well. :)

Couple of Type=0 thoughts:
I agree cloud is inevitable. Reading through the comments, I'm strongly reminded of the late 80's when we transitioned from mainframes to PC's. The business case was strong but it required a rethink on risk mitigation. Some of the folks I worked with took a strong stance against the transition, were perceived as inhibitors to innovation, and were slowly transitioned out of the industry. The folks who survived were the ones who figured out how to resolve the problems. Does everything work the same in Gen3 as it did in Gen2? Of course not. Part of what makes this transition cool is the chance to get on the front line to work out the bumps.

Out of your pro's you mention IDS/IPS. One of the changes with cloud is it shifts risk mitigation from network based to host based. Sure I could plug into the hypervisor and implement network controls, but what if that workload then needs to move to public space? Do I really want to maintain multiple risk mitigation controls based on location? Good example, think of end user workstations. Does it make sense to use different tools and controls on laptops versus desktops? Typically we just apply the same risk mitigation techniques across the board. Going forward, expect to see workloads secured the same way.

With regards to knowing where your data is, that depends on the provider. For example with AWS I can say I want my data to stay on the east coast of the US and it will get locked to that specific data center. It may transition to different pieces of hardware, but the geo-location remains constant.

With regards to "who has access to your data?", "it depends" ;-p If you are talking public SaaS, you are absolutely correct in that it is up to the provider to have good segregation of duties and change controls. Although IMHO this is no better or worse than provider access to your hosted Web site or database that we've been dealing with for years (think Salesforce, ADP, etc.).

If you are talking IaaS, a decent provider will have exactly zero access to your data. Again, to use AWS as an example, they do not perform any key archiving. So if you forget your Admin/root password, you are completely hosed as they cannot get you back in (no matter how much you are paying them each month). The exception would be a provider that leverages introspection, but I don't think I would want to host my data on a provider that has increased the attack surface of hypervisor (Verizon business is the only one I'm aware of doing this).

So I agree cloud is different. As security professionals, our goal should be to innovate how to apply risk mitigation, rather than simply being perceived as "the folks who always say no".

3 Posts
I am one of the last to say no, but cloud computing is mostly hyped cheap distributed hosting. Those who value their data will still do it themselves.

There is no "I can make it secure" here! It is not since you do not manage it.

Of course if you have a music or video distribution network in the cloud it does make sense, but for the vast majority of us it is not worth the headaches related to it.

Again, not a hater.. just a person who sees through the "clouds".

Al of Your Data Center

80 Posts
