Hey! Is that a Cloud?

Nice to be back here after a long absence.

Well, our absence is mainly due to further studies we have undertaken, including applying the results of those studies to our business model.

Also, I have been talking with lots of people about technologies, and we think one of the most misconceived and misunderstood terms in computing these days is CLOUD COMPUTING.

What actually is CLOUD COMPUTING? Well, it's NOT having your applications run on the Internet, and it is also not accessing your own network via VPN over the Internet. If these definitions do not hold true, then what actually is CLOUD COMPUTING?

Per Wikipedia, CLOUD COMPUTING is the delivery of computing and storage capacity as a service. By "as a service" we mean that it is paid for rather than purchased outright: running your applications, your infrastructure and your platform as though you are subscribing to them for a fixed or variable period. A CLOUD COMPUTING SERVICE is already there, up and running. All a user has to do is subscribe, be given access, and run. This concept is different from having your own servers and applications opened up on the Internet for your internal users. CLOUD COMPUTING also implies that the facility is already there and that you are sharing it with other subscribers, security issues or otherwise notwithstanding.

Most vendors are now leveraging the cloud, but most of them are actually not familiar with the cloud, which adds to the confusion. Then again, only a few vendors would be qualified to really be counted as a “valid” cloud provider. We will not be naming names here; it is up to the readers to determine who is really telling the truth in their cloud marketing.

There are many things we would want to discuss on CLOUD, but it would be better to sub-divide these topics for future readings. Watch out for them.

Cloud Computing Hacking

On-demand cloud computing is a wonderful tool for companies that need computing capacity, but don’t want to invest in fixed capital for long term. For the same reasons, cloud computing can be very useful to hackers — a lot of hacking activities involve cracking passwords, keys or other forms of brute force that are computationally expensive.

For a hacker, there are two great sources for on-demand computing: botnets made of consumer PCs and infrastructure-as-a-service (IaaS) from a service provider. Either one can deliver computing-on-demand for the purpose of brute-force computation. Botnets are unreliable, heterogeneous and will take longer to “provision.” But they cost nothing to use and can scale to enormous size; researchers have found botnets composed of hundreds of thousands of PCs. A commercial cloud-computing offering will be faster to provision, have predictable performance and can be billed to a stolen credit card.

The balance of power between security controls and attack methods shifts quite dramatically if you assume the attacker has high-performance computing available at low cost. Take passwords, for example. The length and complexity of a password determine the effort required to mount a brute-force attack. Assume an attacker has access to the “hashed” values of a password database, which can be compromised through a vulnerable Web server or authentication server. The hash, usually based on a one-way algorithm, cannot be reversed, but it can be brute-forced by trying all possible values of a password. This brute-force calculation happens far from the authentication server and is therefore not limited by a three-tries-lockout mechanism.

It would take forever to try every possible combination of an eight-character password on a single-core CPU — probably months, perhaps years, depending on the algorithm and password complexity. But the problem is highly parallelizable: the search space can be broken into as many “batches” as needed and farmed out to multiple CPUs to try in parallel. Using a botnet or an IaaS cloud, an attacker can now achieve in minutes or hours what would have taken years.

With the advent of cloud computing, as with any other technology, the bad guys have also found a new tool. When we weigh risk against reward, the cost/benefit evaluation of a security control must take into account the significantly lower cost of computing for everyone — attackers included. Passwords, wireless encryption keys, at-rest encryption and even old SSL algorithms must be reevaluated in this light. What was thought to be “infeasible” may be well within the means of “average” hackers.
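To put numbers on the cost/benefit shift described above, here is an added defender-side estimator that is not part of the original post. It measures how many guesses per second one core of the local machine gets against a fast hash versus a slow, iterated KDF, then projects the worst-case cost of exhausting an eight-character printable-ASCII space over a rented core pool; the pool size, the core-hour price and the `estimate`/`measure_rate` helper names are assumptions for illustration, and the hourly figures are meant to show how a higher work factor moves an attack from cheap to uneconomical.

```python
import hashlib
import os
import time
from dataclasses import dataclass

# Constructed sample values for the projection: assumed, not measured figures.
PRINTABLE_ASCII = 95       # characters an 8-character password may draw from
CLOUD_CORES = 1_000        # assumed size of a rented or hijacked core pool
USD_PER_CORE_HOUR = 0.05   # assumed on-demand price; adjust to your vendor

@dataclass
class BruteForceEstimate:
    candidates: int       # size of the search space
    core_seconds: float   # total CPU time to exhaust it
    wall_hours: float     # elapsed time when spread over the core pool
    cloud_cost_usd: float

def search_space(charset_size: int, length: int) -> int:
    """Number of candidate passwords of a given length over a charset."""
    return charset_size ** length

def estimate(charset_size: int, length: int, hashes_per_core_sec: float,
             cores: int = CLOUD_CORES,
             usd_per_core_hour: float = USD_PER_CORE_HOUR) -> BruteForceEstimate:
    """Worst-case exhaustive-search cost; the search parallelizes perfectly."""
    n = search_space(charset_size, length)
    core_seconds = n / hashes_per_core_sec
    return BruteForceEstimate(candidates=n, core_seconds=core_seconds,
                              wall_hours=core_seconds / cores / 3600,
                              cloud_cost_usd=core_seconds / 3600 * usd_per_core_hour)

def measure_rate(hash_one, seconds: float = 0.25) -> float:
    """Guesses per second one core of this machine gets with hash_one(pw, salt).
    Python overhead understates a native cracker, so treat the projected
    hours as an upper bound on what an attacker actually needs."""
    salt, count, start = os.urandom(16), 0, time.perf_counter()
    while time.perf_counter() - start < seconds or count == 0:
        hash_one(b"guess%d" % count, salt)   # constructed candidate password
        count += 1
    return count / (time.perf_counter() - start)

if __name__ == "__main__":
    fast = measure_rate(lambda pw, salt: hashlib.sha256(salt + pw).digest())
    slow = measure_rate(lambda pw, salt: hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000))
    for name, rate in (("sha256", fast), ("pbkdf2-100k", slow)):
        e = estimate(PRINTABLE_ASCII, 8, rate)
        print(f"{name:12s} {rate:12.0f}/s  {e.wall_hours:14.1f} h  ${e.cloud_cost_usd:,.0f}")
```

Raising the KDF iteration count multiplies the attacker's core-seconds by the same factor, which is the knob a defender controls once the hashes are assumed to be offline.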


Managing Cloud Computing Security Risks

Cloud Computing is all the rage these days. CIOs seem to be diving into cloud-based solutions with reckless abandon despite the fact that a mistake in planning or execution can have career-limiting effects. So, let’s take a moment to balance the benefits against the potential security pitfalls that lie in the clouds.

The really important question is: how safe is your business in the clouds? After all, cloud vendors all aim to put your stuff onto cloud servers, and in most cases these systems sit outside of your data center and outside of your direct control.

While this may buy you some cost reductions, it carries significant risks. Let’s consider the classic triad of information security: confidentiality, integrity and availability.

There’s no getting around that putting data onto an external server carries confidentiality risks. No matter what your cloud vendor may promise contractually or in its service-level agreement, if its security gets breached, so may yours.

How do you counter that risk? You can encrypt sensitive data, or you can keep the real sensitive stuff off the server. Encryption can be a viable path for some stuff like off-site backups. Being particularly careful about what goes on the server can help as well, so long as you maintain some level of oversight and control over the day-to-day decisions. That is, if you give your users the ability to store stuff on a cloud server, they’re liable to store all sorts of stuff there, blissfully unaware of the security risks.

As to integrity, the risks in cloud computing are relatively small, unless your cloud service provider’s security gets breached. If an attacker breaches its defenses and tampers with your business data, then integrity can become vitally important all of a sudden, depending on the nature of the data.

And then there’s availability. You’re gambling that your data will be available when you need it when you put it in the cloud, betting that the availability won’t be eroded by network outages, data center outages and other single points of failure. You can hedge your bet a bit by going with an industrial-strength cloud provider, but you’ll pay more. If availability of data is important to your business, then you can’t blithely go with the lowest bidder. You need to do appropriate due diligence and find out everything you can about your vendors’ availability, disaster recovery and business continuity plans. “Trust but verify” should be your mantra.

Much of this sounds like Information Security 101. To be sure, there’s a lot of plain old common sense that should be applied when considering cloud solutions.

At my company, we do use some cloud services and get gobs of value from them. For example, we are fans of Google Docs. It helps us keep our documents synchronized across my various computing devices. But I’m also careful about the data I put there. I keep business-sensitive information on my local hard drives, and generally encrypted.

I’ve also found great value in using cloud services as part of my disaster recovery.

But the bottom line is that it is about balancing risks and benefits.

That’s how we should view cloud services in general. It’s important to make informed decisions before diving into the latest trend. There is value to be found in cloud computing. But rely too heavily on it, or place your deepest darkest secrets on it, and you’re likely to be disappointed.

-viz-