Security and Cloud Computing


  • Security and Cloud Computing

    I recently presented a paper on economics of cloud computing to the ACM, and was asked to prepare a talk on security in cloud computing. I know internet security fairly well, and I know cloud computing principles fairly well, but I thought there would be people on this forum who would know a lot more and have some good resources. If you don't mind sharing that is.

    So have at it! What's your favorite story, article or thought on security and cloud computing? And before you say it - yes I have read Jason's blog post.

    S

  • #2
    Re: Security and Cloud Computing

    Originally posted by hydruh
    I recently presented a paper on economics of cloud computing to the ACM, and was asked to prepare a talk on security in cloud computing. I know internet security fairly well, and I know cloud computing principles fairly well, but I thought there would be people on this forum who would know a lot more and have some good resources. If you don't mind sharing that is.

    So have at it! What's your favorite story, article or thought on security and cloud computing? And before you say it - yes I have read Jason's blog post.

    S
    You don't seem to be clear on your expectations. What do you want? Critical analysis? Happy fun things? I would be interested to read your paper if you provide a link.

    Regards,

    valkyrie
    _______________________________________________
    sapere aude



    • #3
      Re: Security and Cloud Computing

      I think what sets security in cloud computing apart from traditional infosec is that systems in the cloud typically demonstrate an extreme degree of automation.

      For example, one of the most common configurations I know uses a tool like Chef to automatically build out the environment within an instance to your specifications, going from a declarative profile. The instance is effectively a dumb agent that configures itself to do whatever you want it to.

      Tools like nanite let you run agents on each of the nodes that connect to a pub/sub message queue and blindly do whatever you tell them to. There's a decent-sized section on nanite security if you follow the link and scroll down. But the point still stands: if someone compromises your command/control processes they effectively have a big botnet of dumb agents they can do whatever they want with.

      With greater levels of automation it becomes easier to replicate something beneficial N times over, but at the same time if someone malicious takes over they get all that automation work for free, plus all the instances/IPs to do whatever they want.
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
      [ redacted ]
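
An added example, not part of the thread and not code from Chef or nanite: one way an agent can stop "blindly" acting on queue messages is to authenticate each command, reject stale or replayed ones, and accept only the actions its role needs. The envelope fields, action names and key below are hypothetical, and the sample messages are constructed.

```python
import hashlib
import hmac
import json

# Hypothetical envelope and names (not from the thread, Chef or nanite).
ALLOWED_ACTIONS = {"restart_service", "rotate_logs"}
MAX_SKEW = 60  # seconds a command stays acceptable


def sign(key, body):
    """HMAC-SHA256 over a canonical (sorted-key) JSON encoding of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


class CommandVerifier:
    """Agent-side gate run before any queued command is acted on."""

    def __init__(self, key):
        self._key = key
        self._seen = {}  # nonce -> command timestamp, pruned once stale

    def check(self, envelope, now):
        body, mac = envelope.get("body"), envelope.get("mac")
        if not isinstance(body, dict) or not isinstance(mac, str):
            return "malformed"
        if not hmac.compare_digest(sign(self._key, body).encode(), mac.encode()):
            return "bad-mac"  # not issued by a holder of this agent's key
        ts, nonce = body.get("ts"), body.get("nonce")
        if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW:
            return "stale"
        self._seen = {n: t for n, t in self._seen.items() if now - t <= MAX_SKEW}
        if not isinstance(nonce, str) or nonce in self._seen:
            return "replay"
        self._seen[nonce] = ts
        if body.get("action") not in ALLOWED_ACTIONS:
            return "action-not-allowed"  # authentic, but outside this agent's role
        return "ok"


def demo():
    key = b"constructed-demo-key"  # constructed sample key
    agent = CommandVerifier(key)
    good = {"action": "restart_service", "args": {"name": "web"}, "nonce": "n-1", "ts": 1000}
    env = {"body": good, "mac": sign(key, good)}
    forged = {"body": dict(good, action="rotate_logs", nonce="n-2"), "mac": env["mac"]}
    shell = {"action": "run_shell", "args": {}, "nonce": "n-3", "ts": 1000}
    unlisted = {"body": shell, "mac": sign(key, shell)}
    return [agent.check(m, now=1010) for m in (env, env, forged, unlisted)]
```

The MAC only proves a message came from a holder of the key, so the allowlist is what bounds the damage if the command/control side itself is taken over.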



      • #4
        Re: Security and Cloud Computing

        Originally posted by valkyrie
        You don't seem to be clear on your expectations. What do you want. Critical analysis? Happy fun things? I would be interested to read your paper if you provide a link.
        Critical analysis. I don't think the picture that is painted is particularly pretty, but I want to work from the hypothesis that it is secure and disprove it if I can. I know that the first thing that a CIO is gonna say is "put my data on a machine that isn't under my control, forget it!" and he would be correct in that assessment.

        I'll post links to the economics paper as soon as I find someone to publish it - or I'll just blog it if I can't.

        And thanks, bascule. That'll take me a bit to sift through.

        S



        • #5
          Re: Security and Cloud Computing

          Originally posted by hydruh
          Critical analysis. I don't think the picture that is painted is particularly pretty, but I want to work from the hypothesis that it is secure and disprove it if I can. I know that the first thing that a CIO is gonna say is "put my data on a machine that isn't under my control, forget it!" and he would be correct in that assessment.

          I'll post links to the economics paper as soon as I find someone to publish it - or I'll just blog it if I can't.

          And thanks, bascule. That'll take me a bit to sift through.

          S
          Argggh. While I appreciate you working from a hypothesis that all is secure, let's be reasonable. All is NOT secure. So how does that hork your assumptions?

          Regards,

          Valkyrie
          ______________________________________________
          sapere aude



          • #6
            Re: Security and Cloud Computing

            Originally posted by valkyrie
            All is NOT secure.

            THAT is an assumption.

            I want proof. Or at least evidence.

            S



            • #7
              Re: Security and Cloud Computing

              Originally posted by hydruh
              THAT is an assumption.

              I want proof. Or at least evidence.

              S
              Meet me at defcon and I will present evidence. :-) However, you must sign a non-disclosure statement.

              Regards,

              valkyrie
              _______________________________________
              sapere aude



              • #8
                Re: Security and Cloud Computing

                Originally posted by valkyrie
                However, you must sign a non-disclosure statement.
                Now what the hell good is that? I am writing an ARTICLE dammit!

                I mean, sure, I'll meet you, but SHEESH!

                S



                • #9
                  Re: Security and Cloud Computing

                  Originally posted by hydruh
                  Now what the hell good is that? I am writing an ARTICLE dammit!

                  I mean, sure, I'll meet you, but SHEESH!

                  S
                  Whining will not help you. :-D

                  Regards,

                  valkyrie
                  ______________________________________
                  sapere aude



                  • #10
                    Re: Security and Cloud Computing

                    Originally posted by hydruh
                    I recently presented a paper on economics of cloud computing to the ACM, and was asked to prepare a talk on security in cloud computing.
                    S
                    Originally posted by hydruh
                    Now what the hell good is that? I am writing an ARTICLE dammit!

                    I mean, sure, I'll meet you, but SHEESH!

                    S
                    So is it a paper, a talk or an Article that you're doing?

                    You mentioned all three, so could you clarify?
                    And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.



                    • #11
                      Re: Security and Cloud Computing

                      Originally posted by hydruh
                      I recently presented a paper on economics of cloud computing to the ACM, and was asked to prepare a talk on security in cloud computing.
                      Originally posted by hydruh
                      I'll post links to the economics paper as soon as I find someone to publish it - or I'll just blog it if I can't.
                      I'm confused... if you presented it at an ACM conference, shouldn't there be a link to it online? I know all the work my friends have presented usually is searchable on the ACM portal, as long as the conference is an ACM conference. If the paper is accepted for presentation, that usually implies it will be published online. A quick search brings back several papers on cloud computing and economics that have been presented recently. I'd suggest looking there or bugging the guy who ran the conference.
                      afterburn



                      • #12
                        Re: Security and Cloud Computing

                        Originally posted by afterburn188
                        I'm confused... if you presented it at an ACM conference, shouldn't there be a link to it online? I know all the work my friends have presented usually is searchable on the ACM portal, as long as the conference is an ACM conference. If the paper is accepted for presentation, that usually implies it will be published online. A quick search brings back several papers on cloud computing and economics that have been presented recently. I'd suggest looking there or bugging the guy who ran the conference.
                        Fair enough question.

                        I was asked to speak at a local joint IEEE/ACM symposium. Here is the link:

                        http://www.ieeecolumbus.org/node/87

                        I decided to write a semi-formal paper and present it, and then look for a publisher. I am sure David would post the paper if I asked him to. However, I wanted to try and get it published instead.

                        In the meantime, one of the publishers I approached suggested a paper on security, in the cloud, because it is a hot topic. I can and will do my own research, but I thought it would make a good topic here, as I am sure we will hear about it at DefCon this year too.

                        If I was wrong, I am sorry. I will of course credit anyone who points me in an interesting direction.

                        S



                        • #13
                          Re: Security and Cloud Computing

                          Originally posted by hydruh
                          THAT is an assumption.

                          I want proof. Or at least evidence.

                          S
                          Hydruh, first I'm no expert on cloud computing. Any time I hear that word I just think you want me to put my data/domain/control and my customers' data/domain/control where....? It just seems like an internet thin client to me, only sexier because it's in the Cloud. While this may work for earth people end users it surely is very questionable when it comes to business practices.

                          That said... I believe Valkyrie is trying to offer you the demonstrative, and empirical data you are looking for. This being a "new twist" in technology I'm sure she wants to meet the person she is going to hand over clearly confidential information to rather than just irresponsibly disclosing here in a public forum. A public forum which is visited by all people, the good guys and the bad.

                          Otherwise I suggest getting a grant, building a cloud infrastructure, and try and break it or use it to try and break stuff. If working with computers has taught me any virtues at all, patience is no doubt at the top of the list. Though I still need a lot of work on proofreading.

                          xor
                          Last edited by xor; May 24, 2009, 11:08.
                          Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



                          • #14
                            Re: Security and Cloud Computing

                            Originally posted by xor
                            That said... I believe Valkyrie is trying to offer you the demonstrative, and empirical data you are looking for. This being a "new twist" in technology I'm sure she wants to meet the person she is going to hand over clearly confidential information to rather than just irresponsibly disclosing here in a public forum. A public forum which is visited by all people, the good guys and the bad.
                            Understood!

                            Valkyrie, I apologize, I perhaps am not taking this as seriously as I should.

                            Admittedly, I was thinking more about the conceptual twists that make Cloud computing inherently insecure (like structural divisions, elevation of authority problems, and eighteen year old kids with root privilege), not specific 0-day exploits. If you look at what I write, I am not that kind of author (though perhaps I should be.)

                            I'll be at 17, and we'll all chat, perhaps.

                            S



                            • #15
                              Re: Security and Cloud Computing

                              I was thinking more about the conceptual twists that make Cloud computing inherently insecure (like structural divisions, elevation of authority problems, and eighteen year old kids with root privilege)
                              Those are big concerns of any system, not just cloud computing.
                              A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
