Full Disclosure mailing list archives
Re: Cloud Questions
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 9 Nov 2013 16:22:11 -0500
On Sat, Nov 9, 2013 at 9:51 AM, <silence_is_best () hushmail com> wrote:
On 11/09/2013 at 7:32 AM, "David Miller" <dmiller () metheus org> wrote: I’ve been lurking here for some months now and have seen plenty of vulnerabilities go by for applications, and the occasional OS level exploit. I don’t think I’ve seen a single post about cloud security. Is ‘the cloud’, AWS in particular, believed to be secure? Is it simply not targeted? Or would it be covered by some other list? Inquiring minds are, uh, inquiring. TIA, — David There is no such thing as "cloud security" (to me at least). Companies may transfer/store encrypted, but if the NSA/law enforcement ask for it, they give it up. That's not secure to me..that's more...."data held hostage (iCloud anyone?)".
I think you are right in that "good" bad guys (law enforcement) "bad" bad guys (cyber-criminals) attack the node. In this case, the node is the cloud provider. But it also depends on what the data is. I have no faith in CloudHSM, HighCloud or other low level machinery. That's the unattended key storage problem, and its a problem without a solution. Plus, the data becomes available as soon as the VM is powered on. Objects in storage (Amazon S3 or OpenStack Swift) can be encrypted using standard crypto methods with minimal risk. The encryption function will act like a PRP, and the cipher text will be indistinguishable from random. Minimal risk would include leaking the origin (LE probably has that through the account) and leaking file size (unless specific measures are taken). If the owner of the document wants anonymity, they should probably use a Tor hidden service. Other higher level services, like SaaS and DaaS, probably won't fair so well. Those tokenization schemes used for database field encryption by CipherCloud do not live up to expectations. It probably wanders near false/misleading and fraud, and the FTC should investigate some of their claims (unless CipherCloud have a homomorphic encryption system that no one knows about). As a matter of fact, when an informal security analysis was performed and posted to StackExchange, CipherCloud issued a DRM takedown! https://www.google.com/search?q=ciphercloud+drm+takedown. Jeff _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Cloud Questions David Miller (Nov 09)
- Re: Cloud Questions Jeffrey Walton (Nov 09)
- Re: Cloud Questions Yvan Janssens (Nov 09)
- Re: Cloud Questions Jeffrey Walton (Nov 09)
- Re: Cloud Questions silence_is_best (Nov 09)
- Re: Cloud Questions Jeffrey Walton (Nov 09)