Dailydave mailing list archives
Re: The magic in the cloud
From: "Rafal @ IsHackingYou.com" <rafal () ishackingyou com>
Date: Thu, 22 Jan 2009 00:41:28 -0600
So... how is the hype and magic around "Cloud Computing" and "Cloud Security" any different (aside from the context, obviously) than the wave of business process outsourcing we did to the cloud (sorry, we call it off-shore'ing)?

Your key points if I understand them are outsourcing of critical company information, shared environments as related to attacks, and liability write-off to a 3rd party... if you strip away the buzz-phrase "cloud computing" you can replace it with "process off-shore'ing" or any other thing we've stupidly done over the last 5 years in the name of "cost savings" or some such stupidity...

Anyway... same pig, different lipstick if you ask me.

__
Rafal M. Los
Security & IT Risk Strategist
- Blog: http://preachsecurity.blogspot.com
- LinkedIn: http://www.linkedin.com/in/rmlos

--------------------------------------------------
From: "Dave Aitel" <dave () immunityinc com>
Sent: Wednesday, January 21, 2009 10:06 PM
To: <dailydave () lists immunityinc com>
Subject: [Dailydave] The magic in the cloud

Lately, while I get up to speed on Django and whatever Zen it is that makes Twitter a huge hit and FriendFeed something you only visit once, I've been obsessing about a comment someone made to me at a party. They said "What we want is grid computing, like with our mainframes, but we want to outsource the whole cloud."

Which is funny, because Terremark, another major Miami technology company, recently opened up its "outsource your cloud" service. Of course, lots of companies let you buy VPS's, but usually these are companies that are cannibalizing sales of shared hosting machines for PHP apps, not backend processing for real companies.

But if you can outsource, say, your trading algorithms onto someone else's CPU, then why not just outsource all your sensitive data? Why not make this someone else's problem, assuming you can get a contract or insurance to cover you financially? By the time it all bursts like the real estate bubble, some other CTO will be left holding the smoke anyways.

"Cloud computing" has a magic ring to it. It makes it someone else's problem, but somehow hides the security issues. No CTO in his right mind would ever consider shared hosting as protected by Unix Permissions. Even Solaris Containers and Zones and newfangled isolation hotness never seems to pass muster. If an attacker can buy space on the same kernel, it's not allowed. No amount of crypto magic, kerberos, key distribution, or PKI can bless it. So why on earth is it ok if the attacker can buy space on the same hypervisor? By what trick of psychology is that different?

Speaking of different, I wanted to point out that Immunity has partnered up with CanSecWest and we're offering free admission to this year's 2009 conference in March. You're probably already going, but if you wanted to go for free, which I guarantee makes it easier to find budget for, you should email admin () immunityinc com and find out how.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave