Announcement

Collapse
No announcement yet.

Security and Cloud Computing

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Security and Cloud Computing

    I recently presented a paper on economics of cloud computing to the ACM, and was asked to prepare a talk on security in cloud computing. I know internet security fairly well, and I know cloud computing principles fairly well, but I thought there would be people on this forum who would know a lot more and have some good resources. If you don't mind sharing that is.

    So have at it! What's your favorite story, article or thought on security and cloud computing? And before you say it - yes I have read Jason' blog post.

    S

  • #2
    Re: Security and Cloud Computing

    Originally posted by hydruh View Post
    I recently presented a paper on economics of cloud computing to the ACM, and was asked to prepare a talk on security in cloud computing. I know internet security fairly well, and I know cloud computing principles fairly well, but I thought there would be people on this forum who would know a lot more and have some good resources. If you don't mind sharing that is.

    So have at it! What's your favorite story, article or thought on security and cloud computing? And before you say it - yes I have read Jason' blog post.

    S
    You don't seem to be clear on your expectations. What do you want. Critical analysis? Happy fun things? I would be interested to read your paper if you provide a link.

    Regards,

    valkyrie
    _______________________________________________
    sapere aude

    Comment


    • #3
      Re: Security and Cloud Computing

      I think what sets security in cloud computing apart from traditional infosec is that systems in the cloud typically demonstrate an extreme degree of automation.

      For example, one of the most common configurations I know uses a tool like chef to automatically build out the environment within an instance to your specifications, going from a declarative profile. The instance is effectively a dumb agent that configures itself to do whatever you want it to.

      Tools like nanite let you run agents on each of the nodes that connect to a pub/sub message queue and blindly do whatever you tell them to. There's a decent sized section on nanite security if you follow the link and scroll down. But the point still stands if someone compromises your command/control processes they effectively have a big botnet of dumb agents they can do whatever they want with.

      With greater levels of automation it becomes easier to replicate something beneficial N times over, but at the same time if someone malicious takes over they get all that automation work for free, plus all the instances/IPs to do whatever they want.
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
      [ redacted ]

      Comment


      • #4
        Re: Security and Cloud Computing

        Originally posted by valkyrie View Post
        You don't seem to be clear on your expectations. What do you want. Critical analysis? Happy fun things? I would be interested to read your paper if you provide a link.
        Critical analysis. I don't think the picture that is painted is particularly pretty, but I want to work from the hypothesis that it is secure and disprove it if I can. I know that the first thing that a CIO is gonna say is "put my data on a machine that isn't under my control, forget it!" and he would be correct in that assessment.

        I'll post links to the economics paper as soon as I find someone to publish it - or I'll just blog it if I can't.

        And thanks, bascule. That'll take me a bit to sift through.

        S

        Comment


        • #5
          Re: Security and Cloud Computing

          Originally posted by hydruh View Post
          Critical analysis. I don't think the picture that is painted is particularly pretty, but I want to work from the hypothesis that it is secure and disprove it if I can. I know that the first thing that a CIO is gonna say is "put my data on a machine that isn't under my control, forget it!" and he would be correct in that assessment.

          I'll post links to the economics paper as soon as I find someone to publish it - or I'll just blog it if I can't.

          And thanks, bascule. That'll take me a bit to sift through.S
          Argggh. While I appreciate you working from a hypothesis that all is secure, let's be reasonable. All is NOT secure. So how does that hork your assumptions?

          Regards,

          Valkyrie
          ______________________________________________
          sapere aude

          Comment


          • #6
            Re: Security and Cloud Computing

            Originally posted by valkyrie View Post
            All is NOT secure.

            THAT is an assumption.

            I want proof. Or at least evidence.

            S

            Comment


            • #7
              Re: Security and Cloud Computing

              Originally posted by hydruh View Post
              THAT is an assumption.

              I want proof. Or at least evidence.

              S
              Meet me at defcon and I will present evidence. :-) However, you must sign a non-disclosure statement.

              Regards,

              valkyrie
              _______________________________________
              sapere aude

              Comment


              • #8
                Re: Security and Cloud Computing

                Originally posted by valkyrie View Post
                However, you must sign a non-disclosure statement.
                Now what the hell good is that? I am writing an ARTICLE dammit!

                I mean, sure, I'll meet you, but SHEESH!

                S

                Comment


                • #9
                  Re: Security and Cloud Computing

                  Originally posted by hydruh View Post
                  Now what the hell good is that? I am writing an ARTICLE dammit!

                  I mean, sure, I'll meet you, but SHEESH!

                  S
                  Whining will not help you. :-D

                  Regards,

                  valkyrie
                  ______________________________________
                  sapere aude

                  Comment


                  • #10
                    Re: Security and Cloud Computing

                    Originally posted by hydruh View Post
                    I recently presented a paper on economics of cloud computing to the ACM, and was asked to prepare a talk on security in cloud computing.
                    S
                    Originally posted by hydruh View Post
                    Now what the hell good is that? I am writing an ARTICLE dammit!

                    I mean, sure, I'll meet you, but SHEESH!

                    S
                    So is it a paper, a talk or an Article that you're doing?

                    You mentioned all three, so could you clarify?
                    And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.

                    Comment


                    • #11
                      Re: Security and Cloud Computing

                      Originally posted by hydruh View Post
                      I recently presented a paper on economics of cloud computing to the ACM, and was asked to prepare a talk on security in cloud computing.
                      Originally posted by hydruh View Post
                      I'll post links to the economics paper as soon as I find someone to publish it - or I'll just blog it if I can't.
                      I'm confused...if you presented it at an ACM conference, shouldn't there be a link to it online? I know all the work my friends have presented usually is searchable on the ACM portal, as long as the conference is an ACM conference. If the paper is accepted for presentation, that usually implies it will be published online. A quick search brings back several papers on cloud computing an economics that have been presented recently. I'd suggest looking there or bugging the guy who ran the conference
                      afterburn

                      Comment


                      • #12
                        Re: Security and Cloud Computing

                        Originally posted by afterburn188 View Post
                        I'm confused...if you presented it at an ACM conference, shouldn't there be a link to it online? I know all the work my friends have presented usually is searchable on the ACM portal, as long as the conference is an ACM conference. If the paper is accepted for presentation, that usually implies it will be published online. A quick search brings back several papers on cloud computing an economics that have been presented recently. I'd suggest looking there or bugging the guy who ran the conference
                        Fair enough question.

                        I was asked to speak at a local joint IEEE/ACM symposium. Here is the link:

                        http://www.ieeecolumbus.org/node/87

                        I decided to write a semi-formal paper and present it, and then look for a publisher. I am sure David would post the paper if I asked him to. However, I wanted to try and get it published instead.

                        In the meantime, one of the publishers I approached suggested a paper on security, in the cloud, because it is a hot topic. I can and will do my own research, but I thought it would make a good topic here, as I am sure we will hear about it at DefCon this year too.

                        If I was wrong, I am sorry. I will of course credit anyone who points me in an interesting direction.

                        S

                        Comment


                        • #13
                          Re: Security and Cloud Computing

                          Originally posted by hydruh View Post
                          THAT is an assumption.

                          I want proof. Or at least evidence.

                          S
                          Hydruh, first I'm no expert on cloud computing. Any time I hear that word I just think you want me to put my data/domain/control and my customers data/domain/control where....? It just seems like an internet thin client to me, only sexier because it's in the Cloud. While this may work for earth people end users it surely is very questionable when it comes to business practices.

                          That said... I believe Valkyrie is trying to offer you the demonstrative, and empirical data you are looking for. This being a "new twist" in technology I'm sure she want's to meet the person she is going to hand over clearly confidential information to rather that just irresponsibly disclosing here in a public forum. A public forum which is visited by all people, the good guys and the bad.

                          Otherwise I suggest getting a grant, building a cloud infrastructural, and try and break it or use it to try and break stuff. If working with computers have taught me any virtues at all, patience is no doubt at the top of the list. Though I still need a lot of work on proof reading .

                          xor
                          Last edited by xor; May 24, 2009, 12:08.
                          Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

                          Comment


                          • #14
                            Re: Security and Cloud Computing

                            Originally posted by xor View Post
                            That said... I believe Valkyrie is trying to offer you the demonstrative, and empirical data you are looking for. This being a "new twist" in technology I'm sure she want's to meet the person she is going to hand over clearly confidential information to rather that just irresponsibly disclosing here in a public forum. A public forum which is visited by all people, the good guys and the bad.
                            Understood!

                            Valkyrie, I apologize, I perhaps am not taking this as seriously as I should.

                            Admittedly, I was thinking more about the conceptual twists that make Cloud computing inherently insecure (like structural divisions, elevation of authority problems, and eighteen year old kids with root privilege), not specific 0-day exploits. If you look at what I write, I am not that kind of author (though perhaps I should be.)

                            I'll be at 17, and we'll all chat, perhaps.

                            S

                            Comment


                            • #15
                              Re: Security and Cloud Computing

                              I was thinking more about the conceptual twists that make Cloud computing inherently insecure (like structural divisions, elevation of authority problems, and eighteen year old kids with root privilege)
                              Those are big concerns of any system, not just cloud computing.
                              A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                              Comment

                              Working...
                              X