Dailydave mailing list archives

Re: The magic in the cloud


From: "Rafal @ IsHackingYou.com" <rafal () ishackingyou com>
Date: Thu, 22 Jan 2009 00:41:28 -0600

So... how is the hype and magic around "Cloud Computing" and "Cloud 
Security" any different (aside from the context, obviously) than the wave of 
business process outsourcing we did to the cloud (sorry, we call it 
off-shore'ing)?  Your key points if I understand them are outsourcing of 
critical company information, shared environments as related to attacks, and 
liability write-off to a 3rd party... if you strip away the buzz-phrase 
"cloud computing" you can replace it with "process off-shore'ing" or any 
other thing we've stupidly done over the last 5 years in the name of "cost 
savings" or some such stupidity...

Anyway... same pig, different lipstick if you ask me.

__
Rafal M. Los
Security & IT Risk Strategist

 - Blog:         http://preachsecurity.blogspot.com
 - LinkedIn:  http://www.linkedin.com/in/rmlos

--------------------------------------------------
From: "Dave Aitel" <dave () immunityinc com>
Sent: Wednesday, January 21, 2009 10:06 PM
To: <dailydave () lists immunityinc com>
Subject: [Dailydave] The magic in the cloud

Lately, while I get up to speed on Django and whatever Zen it is that
makes Twitter a huge hit and FriendFeed something you only visit once,
I've been obsessing about a comment someone made to me at a party.
They said "What we want is grid computing, like with our mainframes,
but we want to outsource the whole cloud."

Which is funny, because Terremark, another major Miami technology
company, recently opened up its "outsource your cloud" service. Of
course, lots of companies let you buy VPS's, but usually these are
companies that are cannibalizing sales of shared hosting machines for
PHP apps, not backend processing for real companies.

But if you can outsource, say, your trading algorithms onto someone
else's CPU, then why not just outsource all your sensitive data? Why
not make this someone else's problem, assuming you can get a contract
or insurance to cover you financially? By the time it all bursts like
the real estate bubble, some other CTO will be left holding the smoke
anyways.

"Cloud computing" has a magic ring to it. It makes it someone else's
problem, but somehow hides the security issues. No CTO in his right
mind would ever consider shared hosting as protected by Unix
Permissions. Even Solaris Containers and Zones and newfangled
isolation hotness never seems to pass muster. If an attacker can buy
space on the same kernel, it's not allowed. No amount of crypto magic,
Kerberos, key distribution, or PKI can bless it.

So why on earth is it ok if the attacker can buy space on the same
hypervisor? By what trick of psychology is that different?

Speaking of different, I wanted to point out that Immunity has
partnered up with CanSecWest and we're offering free admission to this
year's 2009 conference in March. You're probably already going, but if
you wanted to go for free, which I guarantee makes it easier to find
budget for, you should email admin () immunityinc com and find out how.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave 