*>>OTOH, if we did use colo - and I'm pushing it for backups/DR/BC -*
*it'll be on machines that have encrypted file systems, using encrypted links, and it'll be monitored at least as well as the internal infrastructure.*

What do you believe that monitoring will do for you as it relates to this discussion?

So, you're going to encrypt *all* traffic of every type from the machines? More power to you if you manage to pull it off, but most orgs don't make that trade-off until forced.

I'm not implying that it is undesirable to provide full encryption. I'm suggesting that there are often business objectives/decisions that preclude it except in the Utopian realm of online discussion.

Are you encrypting all of your traffic today?!?
Are you using any Data Leak Prevention technologies today?
Have you forbidden all wireless access to your network today?

Just asking/saying...

*ASB*
*http://XeeMe.com/AndrewBaker*
*Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…*

On Sun, Dec 22, 2013 at 9:44 PM, Kurt Buff <[email protected]> wrote:

> On Sun, Dec 22, 2013 at 11:33 AM, Andrew S. Baker <[email protected]> wrote:
> > Kurt, half of your points also apply to 3rd party infrastructure hosting (co-location, etc),
> > and unless you're providing your own telecom services, or encrypting the data end-to-end,
> > there is always a huge reliance upon 3rd parties.
>
> Yes, my objections do apply to 3rd party infrastructure hosting. Our business doesn't colo, and we have IPSec tunnels between our offices - I'm also pushing for a second ISP. We have an internal PBX. Yes, everyone relies on 3rd parties to some degree. It's the nature of the world - after all, I can't manufacture the computers on which the business runs.
>
> OTOH, if we did use colo - and I'm pushing it for backups/DR/BC - it'll be on machines that have encrypted file systems, using encrypted links, and it'll be monitored at least as well as the internal infrastructure.
>
> > >>One can argue that public cloud providers are better at IT operational security than most internal IT staff.
> >
> > There's no argument: Most internal IT teams lack knowledge and/or resources for adequate security when compared with cloud providers. Perform enough security assessments of different types of organizations and the patterns will become very, very clear.
>
> Except when suborned or perverted by money, patriotism or blackmail:
>
> http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
>
> > If your argument is that internal is always safer than cloud, then you have to remember that many cloud systems *are* in fact internal to someone. Just remember: Amazon's cloud infrastructure is internal to Amazon.
>
> Amazon's cloud is external to its customers - Amazon's staff, procedures and infrastructure are a risk to its customers. I don't argue that internal is always safer - but it's incontrovertible that 3rd parties add risk, because the more complexity you add to any situation, the more risk there is - if for no other reason than that there's more chance for things to go wrong. Whether the 1st party is competent is a different matter, and one that's more tractable a problem than 3rd party risk, IMHO.
>
> Kurt

