Security Basics mailing list archives
RE: Bruce Schneier on Google Apps. Do you trust Google?
From: "Ken Kousky" <kkousky () ip3inc com>
Date: Mon, 27 Jul 2009 16:36:33 -0400
Kurt - you hit the core issue. Liability is based on the service levels contracted. The problem with the cloud is the problem with US software licensing practices. If you sign an agreement that your provider takes real accountability, you're in good shape. If not, it's easier to hold your own resources accountable.

KWK

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Kurt Buff
Sent: Monday, July 27, 2009 3:07 PM
To: Ali, Saqib
Cc: security-basics () securityfocus com
Subject: Re: Bruce Schneier on Google Apps. Do you trust Google?

Unless and until all data in the cloud, at all times, remains securely encrypted, and provably so, I don't buy it.

Why is my standard different for the cloud provider vs. the sysadmins I oversee? Because there are criminal penalties that I can pursue against them, and I don't believe that they obtain against the cloud provider or its employees, or at least not as easily.

Kurt

On Mon, Jul 27, 2009 at 09:11, Ali, Saqib<docbook.xml () gmail com> wrote:

"Security is about who you trust," Schneier said. "Do you trust Google more than your sysadmin? Do you trust Google Docs more than Microsoft Office?"

"Trust is social," he said. "It's not technical."

Read more: http://latimesblogs.latimes.com/technology/2009/07/security-expert-on-google-apps-is-google-trustworthy.html

I trust that a Google employee, whose sole function is to maintain the system, will ensure that the system is secure, patched and up-to-date. It is simply about reputational risk.

Reputational risk (damage to an organization through loss of its reputation or standing) can arise as a consequence of operational failures. Every company understands reputational risk, particularly businesses who regard their brand as one of their most critical assets. Google is one of them. They have a reputation to maintain.

Note: I posted the following as a comment to the aforementioned latimes blogpost, so it may be a repeat for some folks.

NIST just published a working draft of the Cloud Computing Security presentation. Some of the Security Advantages mentioned in the presentation are:

1. Shifting public data to an external cloud reduces the exposure of the internal sensitive data
2. Cloud homogeneity makes security auditing/testing simpler
3. Clouds enable automated security management
4. Redundancy / Disaster Recovery
5. Data Fragmentation and Dispersal
6. Dedicated Security Team
7. Greater Investment in Security Infrastructure
8. Fault Tolerance and Reliability
9. Greater Resiliency
10. Hypervisor Protection Against Network Attacks
11. Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)
12. Simplification of Compliance Analysis
13. Data Held by Unbiased Party (cloud vendor assertion)
14. Low-Cost Disaster Recovery and Data Storage Solutions
15. On-Demand Security Controls
16. Real-Time Detection of System Tampering
17. Rapid Re-Constitution of Services
18. Advanced Honeynet Capabilities

I understand that these will depend on the actual implementation. It usually does for everything. E.g., you can create the world's most secure cipher, but the poor implementation is usually the weakest link. But in theory, if cloud services are implemented properly, I think NIST's list of advantages holds true.
Current thread:
- Bruce Schneier on Google Apps. Do you trust Google? Ali, Saqib (Jul 27)
- Re: Bruce Schneier on Google Apps. Do you trust Google? Kurt Buff (Jul 27)
- Re: Bruce Schneier on Google Apps. Do you trust Google? Ali, Saqib (Jul 28)
- Re: Bruce Schneier on Google Apps. Do you trust Google? Kurt Buff (Jul 28)
- Re: Bruce Schneier on Google Apps. Do you trust Google? Richard Golodner (Jul 28)
- Message not available
- Re: Bruce Schneier on Google Apps. Do you trust Google? Ali, Saqib (Jul 30)
- Re: Bruce Schneier on Google Apps. Do you trust Google? Ali, Saqib (Jul 28)
- Re: Bruce Schneier on Google Apps. Do you trust Google? Kurt Buff (Jul 27)
- RE: Bruce Schneier on Google Apps. Do you trust Google? Ken Kousky (Jul 28)
- Re: Bruce Schneier on Google Apps. Do you trust Google? Ali, Saqib (Jul 28)
- Re: Bruce Schneier on Google Apps. Do you trust Google? J. Oquendo (Jul 28)
- Re: Bruce Schneier on Google Apps. Do you trust Google? Ali, Saqib (Jul 28)