Friday, May 7, 2010

Attention Cloud Fanatics

The Bureau of Engraving and Printing web site is back up. I am not sure when it came up but I thought I would conduct my own uninformed lessons learned.

My initial impressions: The cloud has the same problems that other platforms do.

I am not a cloud apologist, but I think that we can all agree that application security sucks as a general rule and not enough people are listening to OWASP.

So while I would love to throw "cloud" or outsourced services under the bus, this is an application vulnerability that could happen to any site. It is a "failure to assess" as opposed to a "failure to communicate".

There is a decent wrap-up of the whole thing here: http://www.federalnewsradio.com/index.php?nid=19&sid=1951253. My problem with that story is the last paragraphs, which talk about staying patched and using anti-malware software. But at least he agrees that it isn't necessarily cloud related.

The bottom line for me is that "it's the basics, stupid". Cloud, not cloud, embedded, virtualized, whatever. It all comes back to the same types of problems and there is no easy fix.

1 comment:

David said...

Hey thanks a lot for sharing such a nice and informative article.
Here are some of the risks of cloud computing by Gartner.

1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access."

2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions."

3. Data location. When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers.

By the way, for more information on security courses, check this link: http://www.eccouncil.org/certification.aspx