Kurt, half of your points also apply to 3rd party infrastructure hosting
(co-location, etc), and unless you're providing your own telecom services,
or encrypting the data end-to-end, there is always a huge reliance upon 3rd
parties.

There are very few self-contained networks in existence upon this planet.


> One can argue that public cloud providers are better at IT
> operational security than most internal IT staff.

There's no argument: Most internal IT teams lack knowledge and/or resources
for adequate security when compared with cloud providers.  Perform enough
security assessments of different types of organizations and the patterns
will become very, very clear.


If your argument is that internal is always safer than cloud, then you have
to remember that many cloud systems *are* in fact internal to someone. Just
remember:  Amazon's cloud infrastructure is internal to Amazon.



ASB http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…




On Sun, Dec 22, 2013 at 12:11 AM, Kurt Buff <[email protected]> wrote:

> But, it's not a countervailing point, IMHO.
>
> First, I note that it's likely that the Target breach was at least
> assisted by an insider if not fully executed by same, according to at
> least one report. But...
>
> Public clouds do increase risk - because
>      o- You're increasing the number of parties who have access to the
> information, and
>      o- You're giving up physical custody of the data to a third
> party, and depending on the care of that third party, without any
> countervailing technical measures - at least for now. Cloud crypto
> isn't real yet, and won't be for some time.
>
> Compounding the risk is that, to "the cloud", your operation is just
> another customer, and the already tenuous bonds of employer/employee
> are further attenuated.
>
> If the data were in the cloud, the further risk would be in the
> employees and practices of the cloud provider, in addition to any
> insider risk.
>
> In addition, the cloud really does make things much more complex -
> multi-tenant cloud computing is inherently more complex than
> self-hosting, and there have been security failures, including a
> report (anecdotal to be sure, but by a witness I consider reliable) of
> one cloud provider doing a demo to a prospective customer, during
> which the demonstrator brought up another company's data. That kinda
> killed the sale, right there.
>
> One can argue that public cloud providers are better at IT operational
> security than most internal IT staff. Maybe true, maybe not - and I
> lean toward the latter, especially given recent revelations by
> Snowden...
>
> Kurt
>
> On Sat, Dec 21, 2013 at 8:31 PM, Ken Schaefer <[email protected]> wrote:
> > Every time a "cloud service" gets hacked the list has a few posters who
> post something about it.
> >
> > Thought I'd make the countervailing point :)
> >
> > Cheers
> > Ken
> >
> > -----Original Message-----
> > From: [email protected] [mailto:
> [email protected]] On Behalf Of Webster
> > Sent: Saturday, 21 December 2013 1:51 AM
> > To: [email protected]
> > Subject: [NTSysADM] RE: 40 Million CC breach at Target....
> >
> > I took Ken's response as sarcasm saying people think in-house equipment
> is "safer" or "more secure" than cloud because "everyone" knows the cloud
> is not secure.
> >
> >
> > Webster
> >
> > ________________________________________
> > From: [email protected] <[email protected]>
> on behalf of Ziots, Edward <[email protected]>
> > Sent: Friday, December 20, 2013 8:46 AM
> > To: [email protected]
> > Subject: [NTSysADM] RE: 40 Million CC breach at Target....
> >
> > This doesn't have anything to do with the "cloud"; it has to do with
> hacked machines that control the POS terminals. I can tell you from
> experience these machines are usually not very well kept and usually run
> embedded XP/Windows 7, without the right patches, and the software that takes
> transactions isn't the best built or most secure either.
> >
> > And please don't tell me that the "up to date" AV is going to save
> you from getting hacked, which is required by PCI DSS. (Lol)
> >
> > Z
> >
> > Edward E. Ziots, CISSP, CISA, Security +, Network + Security Engineer
> Lifespan Organization [email protected]
> > Work:401-255-2497
> >
> >
> > This electronic message and any attachments may be privileged and
> confidential and protected from disclosure. If you are reading this
> message, but are not the intended recipient, nor an employee or agent
> responsible for delivering this message to the intended recipient, you are
> hereby notified that you are strictly prohibited from copying, printing,
> forwarding or otherwise disseminating this communication. If you have
> received this communication in error, please immediately notify the sender
> by replying to the message. Then, delete the message from your computer.
> Thank you.
> >
> >
> >
> >
> > -----Original Message-----
> > From: [email protected] [mailto:
> [email protected]] On Behalf Of Ken Schaefer
> > Sent: Thursday, December 19, 2013 5:45 PM
> > To: [email protected]
> > Subject: [NTSysADM] RE: 40 Million CC breach at Target....
> >
> > Oh, the bloody insecure cloud, if only they'd keep this data in their
> own data centres, on their own servers.
> >
> > Oh wait...
> >
> > Cheers
> > Ken
> >
> > -----Original Message-----
> > From: [email protected] [mailto:
> [email protected]] On Behalf Of Ziots, Edward
> > Sent: Friday, 20 December 2013 12:09 AM
> > To: [email protected]
> > Subject: [NTSysADM] 40 Million CC breach at Target....
> >
> >
> http://www.nbcnews.com/business/40-million-credit-debit-card-accounts-may-be-hit-data-2D11775203
> >
> > Z
> >