
‘Where Does Cloud Storage Really Reside? And Is It Secure?’ - dnetesn
https://www.nytimes.com/2017/01/23/insider/where-does-cloud-storage-really-reside-and-is-it-secure.html?rref=collection%2Fsectioncollection%2Ftechnology&action=click&contentCollection=technology&region=stream&module=stream_unit&version=latest&contentPlacement=1&pgtype=sectionfront&_r=0
======
Steeeve
This feels like a puff piece.

> In the case of the big public clouds, the protection is the work of some of
> the world’s best computer scientists, hired out of places like the National
> Security Agency and Stanford University to think hard about security, data
> encryption and the latest online fraud.

> And they’re pretty good at keeping things safe online.

Cloud providers have employees that make mistakes and bad assumptions just
like everybody else. They leverage technology that wasn't created in-house
that wasn't originally built for such a large scale use case. They build their
own technology that is flawed at the very least because there is no perfect
software.

You should never assume that a cloud provider is better at managing anything
better than you could do in house. You should verify and understand that the
more popular a product is the more desirable a target it is.

Whether you are doing things in house, in the cloud, or some sort of hybrid,
plan for security failures and never assume that your environments or your
datasets are secure.

~~~
epistasis
> You should never assume that a cloud provider is better at managing anything
> better than you could do in house.

This is a piece for a general audience, explaining what a cloud is.

What percentage of its audience do you think could secure things as well as
any of the major clouds? 1%? 0.1%? 0.00001%?

If you were to take the class of IT professionals, those with jobs working in
IT, I would say less than 0.5% would be able to put something in place in
their house that even matches what's going on in the large clouds whose design
and policies have been vetted by multiple people.

Whatever a person is doing in their own house is going to be quite difficult
to match to the same level of security. Not least of which because people's
houses are not secure. Breaking in and adding a keylogger or such in order to
break disk encryption is much easier there.

~~~
Steeeve
> If you were to take the class of IT professionals, those with jobs working
> in IT, I would say less than 0.5% would be able to put something in place in
> their house that even matches what's going on in the large clouds whose
> design and policies have been vetted by multiple people.

What do you base that on?

I googled "what does amazon do to make their cloud secure" and got Amazon's
cloud security page.

[https://aws.amazon.com/security/](https://aws.amazon.com/security/)

It says:

1\. They lock the doors at their data center.

2\. They meet some unknown compliance requirements.

3\. You can save money and scale with them.

4\. You can buy some services to make you securer.

5\. You can report vulnerabilities to them.

6\. They use firewalls.

Click on through to their page about Pen Testing and all it says is if you
want to do Pen Testing, you have to get permission first.

So how can I make the assumption that they are better than the people who
manage security in-house?

I would bet that on more than one occasion, an employee or a customer has
spoken up and said "things should REALLY be done differently." And I would bet
that will happen again and again because the reality is that security is an
ever-changing landscape.

I personally know they do some pretty impressive things where security is
concerned, but I don't know the totality of their security solution. I doubt
many Amazon employees know what they do from the top down.

Would you have guessed that Yahoo would play cavalier with all of their users'
passwords? Or LinkedIn? Didn't they have security design and policies vetted
by multiple people?

I'm just using Amazon as an example because they were the cloud provider I
thought of first.

Then I remembered Azure leaving all of their RHEL instances vulnerable by
design:

[http://www.theregister.co.uk/2016/11/28/microsoft_update_ser...](http://www.theregister.co.uk/2016/11/28/microsoft_update_servers_left_all_azure_rhel_instances_hackable/)

Would 99.5% of IT professionals really have set up RHEL environments that
could be owned by a remote hacker on 1st startup? I don't know. That's a
pretty bold claim.

I'm going to stand by my original comment. It's not meant to steer people away
from the cloud. Just from making false assumptions.

~~~
nicky0
You're missing the point of the article. It's for the average Joe Public
personal computer user who probably has no idea how to secure their own
computer. The article isn't aimed at businesses.

------
lojack
> For the people running the computers, it doesn’t really matter where the
> data or the programs are at any one moment: The stuff is running inside a
> “cloud” of computing capability.

For the purposes of security, this makes a huge difference. It's also one of
the biggest flaws with the author's argument. With a service like Dropbox,
Google Drive, or Office 365, your files are likely stored both locally and on
their servers. This undoubtedly makes your files less secure... now potential
attackers have two attack vectors when they would previously only have one.

~~~
stuckagain
You don't need to sync Drive to your own storage. I don't. Do Dropbox and
Office require that?

~~~
beachstartup
those documents exist in some form, either partial or whole, in your local
system memory, video memory, and probably a filesystem cache of some sort.
they also traverse your network subsystem and other IO buffers/subsystems.

a root level compromise on your system can see any of this stuff in plaintext
as it gets shifted around.

~~~
AnimalMuppet
> a root level compromise on your system can see any of this stuff in
> plaintext as it gets shifted around.

Sure, but that was true without cloud storage, too. Worse: Without cloud
storage, a root level compromise lets the attacker destroy _your only copy_.

However, this does not refute the argument that, with the cloud, the attacker
can get at your data two places, instead of just one, thereby increasing the
attack surface. (In fact, the attacker can get at it three places: in
transit.)

~~~
stuckagain
I doubt this increase in the attack surface is meaningful. If someone gains
control of my device they can in all likelihood initiate a transfer of my
files from cloud storage. They can also gain control of the cloud service. But
the probability of the latter is too small to consider. When A >> B, A+B =~ A

~~~
beachstartup
if you believe in unbreakable encryption, sure. but i don't. now it's
traversing an unknown number of systems, every time you view or edit.

~~~
AnimalMuppet
You don't have to believe in _unbreakable_ encryption, just like you don't
have to believe in _unhackable_ cloud hosts. You just have to believe in _hard
enough to break_ and _hard enough to hack_. Then you're back to stuckagain's
point, slightly revised: When A >> B and A >> C, A+B+C =~ A.

(Ah, that is, you have to believe that the encryption _used in all legs of
transit_ is hard enough to break.)

------
njharman
Thinking that "secure" is a boolean is a fundamental misunderstanding of
security.

~~~
turc1656
Yes, I'm reminded of this fairly well-known quote within the security world -
"security is a process, not a product".

I do not trust anyone to house any data of mine that I consider too important
or sensitive to put at risk - unless there is end to end encryption so that no
one except me can access it at any time. That's about the only exception. If I
am not sending the data over already encrypted, forget it. I try to do as much
in house as possible.

Also, let's not forget the risk of unintended affiliations - there have been
several times when law enforcement has seized drives/servers that were shared
and the non-offending users that were simply sharing the resource ended up
having their sites unintentionally taken offline. That may not really apply to
cloud storage, but it definitely applies to shared hosting services, which are
abundant and widely used. Could totally screw over a small business.

~~~
AnimalMuppet
It depends on your threat model. Data security has three components:
confidentiality (nobody else can read it), integrity (nobody else can change
it), and availability (I can get at it when I need it).

If you're mostly worried about confidentiality, cloud storage may have too
much risk for you. If you're primarily worried about integrity or
availability, though, cloud storage (plus a local copy) is a big improvement.

~~~
turc1656
Good point. Yes, for me confidentiality is the primary concern. I run my own
data duplication tasks to close the integrity gap. And availability is largely
a non-issue for what I'm doing.

That's why I choose many times to not use cloud services but they may serve
the purposes of others, especially if they are not as technically savvy.

------
ezekg
> None of the most catastrophic hacks have been on the big public clouds.

Wasn't Apple's iCloud hacked last year? Or was that the work of social
engineering?

~~~
scrollaway
Social engineering, IIRC.

Edit: [http://www.businessinsider.com/how-hackers-get-into-your-app...](http://www.businessinsider.com/how-hackers-get-into-your-apple-icloud-account-2014-9)

------
dastbe
Nice layman explanation of cloud storage. I think it would've been worthwhile
to add something about how difficult security is, and how cloud storage makes
it easier to keep your data secure (at a cost).

------
mnm1
"Most of those attacks hit traditional servers, though. None of the most
catastrophic hacks have been on the big public clouds."

Absolute fucking bullshit. Yahoo. LinkedIn. iCloud.

It's called fucking 'iCloud' for fuck's sake. This is not a puff piece. It's
simply wrong. No, it's so fucking wrong, it's fake news.

~~~
xyzzy123
You could qualify that with "at the level of infrastructure" and it would be
very close to true.

Yahoo wasn't public cloud. Their infra has long been a sieve. LinkedIn was an
application issue.

iCloud is the strongest case of these three, but they had weak user-facing
authentication for a consumer service (most users were unaffected).

------
X86BSD
Cloud computing is another attempt in a long line to consolidate network
resources. It was attempted, and failed, with X terminals, network computers,
java stations, etc.

Those that want to throw their hands up and give up on managing their network,
data, and security by pushing it out to someone else to manage it thinking
"it's cheaper and I can fire most of my IT staff" well that is their choice.

I wouldn't surrender my security to Google or Amazon at any cost, let alone
the plundering of your data as they mine the hell out of it for whatever they
can get.

I've never been a fan of this thinking and I never will be. I am a dinosaur.

~~~
dexterdog
So what do you do for internet access? You do realize that whoever is giving
it to you can plunder your data as they mine the hell out of it for whatever
they can get, right?

~~~
X86BSD
Really? All my ZFS pools sitting encrypted and on a private network not
attached to the internet in general in my home/office? They can mine that? Wow
I am impressed!

~~~
dexterdog
And you can run encrypted filesystems on a cloud provider such that they can
have no knowledge of your data. It will also be a little safer and more
reliable than running it on your network.

~~~
X86BSD
The data is only encrypted at rest. In flight it's in the clear and there is
ample time and opportunity for them to mine it.

------
xkxx
There is no "cloud", there are "servers you don't control".

~~~
ucaetano
And there's no "internet", there are "cables you don't control".

~~~
catwell
It's slightly different, because as long as what goes through them is
encrypted you don't really care about the pipes. Well, you should still care
about the metadata, but it's not exactly the same issue.

With Cloud computing, operators frequently have access to all your data.
Sometimes it is part of their business model to use it (e.g. gmail). As long
as you are aware of that, no problem. They typically won't use your data for
things more harmful than targeted advertising (although you should check that
ToS do not give them _ownership_ of your data...), except if you're, say, a
paedophile, in which case they might tell authorities
([http://www.telegraph.co.uk/technology/news/11012008/Paedophi...](http://www.telegraph.co.uk/technology/news/11012008/Paedophile-snared-as-Google-scans-Gmail-for-images-of-child-abuse.html)).

In other words, your data is typically well protected as long as the cloud
provider and entities which could require access to its data (e.g. law
enforcement agencies from its home country or the countries where its servers
are) are not part of your threat model.

