Re: Cloud Questions

[Yvan Janssens <ik () yvanj me>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

I will split my answer in two parts, as they represent both views I
regularly experience. They aren't all related to security.

The first problem is TCO. Cloud services are easy to set up (both as a
vendor and as a user), and have little to no "hard" start-up costs.
(costs that initially are billed as startup costs, before the service
payments start). This results in decisions which aren't really thinked
throughly about in a lot of cases, resulting in poor setups both by
the vendor and by the end-user/customer. Being able to ship fast also
means that you can make mistakes fast - several providers have been
caught in the past while I was using them on blatant mistakes.

Another problem is that you trust a service to a third party provider,
which has full access to the data. I know, there are ways to prevent
this/make this difficult, but in the end it will not be feasible on
the long term to employ such techniques. Targeted attacks will always
succeed, but are easier on cloud services to my opinion. Support
services are useful sources for social engineering (check some of the
last cases of DNS hijacking), since they are used to handle requests
for all customers, and not only internal employees.

The other problem is that you share a physical computer with someone
you don't know and cannot trust. Information leakage techniques have
been discovered [1] and it wouldn't be the first time that someone
finds a clever way to break out of the VM. [2]

It is also more feasible to DoS your application if the physical
hardware is shared with others if they aren't trustworthy. Most
providers monitor extensive resource usage, but try a cheap one, put a
VM on full RAM capacity, disk I/O requests and CPU usage and see how
long it takes to get a notice to ask you to inspect the machine.

There is also a huge thing to tell about stuff which used to be
conspiracy theories about surveillance, but this is out of scope for
this response to avoid indulging trolling. To my opinion cloud
services are good for a temporarily burst of CPU resources, not to
store data, and not to be used permanently nor as a SPOF. I sometimes
use cloud services to launch a build of a large source tree, and then
dispose the machine, but I would never put ownCloud on it to store PGP
private keys without a password or my credit card numbers and bank PINs.

~/y



[1]
http://www.cs.cornell.edu/courses/cs6460/2011sp/papers/cloudsec-ccs09.pdf
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0923

On 08/11/13 15:08, David Miller wrote:
> I’ve been lurking here for some months now and have seen plenty of
> vulnerabilities go by for applications, and the occasional OS level
> exploit.
>
> I don’t think I’ve seen a single post about cloud security.
>
> Is ‘the cloud’, AWS in particular, believed to be secure?  Is it
> simply not targeted?  Or would it be covered by some other list?
> Inquiring minds are, uh, inquiring.
>
>
> TIA,
>
> — David _______________________________________________ 
> Full-Disclosure - We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: GPGTools - https://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCgAGBQJSfku5AAoJEElyT3Tqk/Mc21sIAK2gyHpoWd/ggCSNiPgQ+9jW
ACjqaJ7NEgGAmxYj+2yphWRHK507As2VjL5CwbyvX26XHE/PkmF2cY+6Np30ar6O
FTv3BR+F5kmR/0JNvJWGogr1H1SJb9pcL03biQr8X8pNsLstKbPQ8s2IzMtHWkOF
y9HVdeMriaAaCz3wWSS4K4TV+2ePgAm0tAsACHfXqt9OnoY8oplUUpjv52qfv/ZC
dplZCtC8yv3M1eehDmjhJgYtcc7oQJnhy2TwWpOtMmDNCAlJ+xUqAP8Sb9FboPDI
Dx+PmiF5ed9hopPWi8gpGoIFadwpy/4NDK0ztFB12uG36vYbS+5vIgQTR5KjzJE=
=P4pu
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/