

Cloud computing a 'security nightmare,' - vaksel
http://www.computerworld.com/s/article/9131998/Cloud_computing_a_security_nightmare_says_Cisco_CEO

======
andreyf
What blatant FUD. If "cloud computing is a security nightmare", what do you
call the current industry alternative - carrying sensitive data on unencrypted
laptops and USB sticks?

~~~
extension
It's not clear that storing data on physical devices which _may_ be stolen is
worse than storing it with a hosted service that is _definitely_ accessible by
a third party, some or all of its employees, and anybody who slips through
their security, of which you have limited knowledge and control.

The common practice of storing data on internal servers is generally the most
secure approach, and is also what "cloud computing" is primarily trying to
replace.

~~~
anamax
Are the security problems with a "hosted service" really all that different
than the security problems with a hosting center?

Rackspace (generic) folks have physical access to the machines and installed
the OS or at least whatever you used to get the OS on the machine. How did you
verify that they didn't install a trojan or root-kit?

~~~
extension
With a co-lo, there are well defined demarcation points between customer and
provider with regards to access privileges and security responsibilities. In
the cloud, those points are vague to non-existent, depending on the category
of cloud service in question.

~~~
anamax
> With a co-lo, there are well defined demarcation points between customer and
> provider with regards to access privileges and security responsibilities.

And which of those keeps Rackspace from installing rootkits before the OS?

~~~
extension
Towards the less "cloudy" end of the service spectrum, such a practice becomes
professionally embarrassing, a breach of contract and ultimately criminal. At
the other end, you have things like Google App Engine which, as far as I can
tell, are free to do whatever they like with your data and offer no service
level or security guarantees.

If criminal law doesn't put you at ease, run your own servers, as I originally
suggested.

~~~
anamax
> ultimately criminal

In other words, the answer to my question about which of the demarcation
points provides security is "none of the above".

Contract and criminal law apply to the cloud as well. As with every other kind
of hosting, you must decide whether the contracts offered by a specific
service suit your purposes.

------
prodigal_erik
I would think trusting the owner of the hardware is the big security problem,
not switching to the secure versions of the protocols the apps use. Does Cisco
expect people to buy hardware to conserve cycles on cheap cloud hosts?

------
jimfl
Even if companies decide to entrust portions of their information to the
cloud, the single largest obstacle to integration of the cloud to the
datacenter is the problem of identity. In order to effectively integrate the
cloud, users have to have the same identity there as in the datacenter. This
is, at present, an unsolved problem, at least practically (there are examples
of federated identity systems such as Shibboleth, but there is no generally
adopted technology).

