How important is your data? What would happen if it got into the wrong hands? Do you think you could recover quickly if it all vanished?

Now ask yourself, how secure is your cloud? Does your HR department know you have outsource the number crunching for payroll to a few hourly temps (cloud systems) and that their payroll isn’t being done by the black boxes they walk by every day on their way to lunch?

These are just some of the questions I have been pondering this past weekend. I ended my weekend of rss reading on this article Cloud Providers Are Better At Securing Your Data Than You Are…, and it made me realize I needed to write this post.

There is no aspect of your business, large or small which can’t be outsourced, rented, leased, or temped. Everything from the security guard sleeping at the desk to the cafeteria worker slopping food onto a plate. Now with cloud computing, even your number crunching can be exported.

But how safe is this exporting of cloud computing? With the recent increase of pirates in the Indian ocean taking over oil tankers, how long until smarter pirates take down the connections to a major data center. Imagine this, 4 or 5 people get together and each have an accidental crash, all within a few minutes in 1 downtown area, for example: 9725 Datapoint Dr., San Antonio, TX 78229 United States. It would be possible to cut the power and telecommunications to a single data center, with just a few minor fender benders.

Now take it further, what if that happened at a 1/2 dozen data centers? Pretty soon you end up with the results of the great NYC blackout, the demand on the backup systems is so great they go down too. Pretty soon a major corporation is knocked offline, because they outsourced there computer to a single cloud. For a few hundred dollars in speeding ticket fines, it might be possible for these individuals to do millions in damages in the matter of seconds. These data centers may have microwave uplinks and backup generators, but with some minor sabotage it is very possible that they happen to be offline due to a few cups of sugar in a gas tank or some missing parts in a microwave transceiver.

Now with all that said, I also spent some time this weekend trying out Amazons S3 Web Service. I have used it before, but never found a client that was easy enough to use until now. I’m running Cyberduck for file transfers on my macbook pro, and have been very happy with it overall. I was creating a new connection where I noticed the option to create a Amazon S3 connection. So I did, and have uploaded about 28 MB of data. Just the documents in my document folder for now. The transfer speed was acceptable and the price is very good. I’m going to be doing a lot more before I head home for the holidays. In case anything happens in transit or while home I will have 100% backup of all files so I could reload the laptop and reload the whole system in a matter of hours.

Now the question, Was I worried about the files I have uploaded, no. There is no personal data, beyond some photoshop images and php files, all which are on my websites if anyone really wanted to download them. When I do the complete backup, I will be using some method of encryption. I don’t expect someone to spend the time downloading a few gig encrypted folder and waste the cpu cycles trying to decrypt it, but it is a good piece of mind in case something happens where they do gain access to the bucket.

Perhaps the weakest point to the whole S3 system is Amazon’s own password scheme. It allows for very weak passwords and I’m sure with some good social engineering could probably get them to reset it to a new e-mail address claiming the old address was changed due to a corporate e-mail policy change. Take any company, buy the domain mail-corportationname.com, and probably get any phone support person to believe you are infact working for that corporation. If needed do some fake letter head, get a fax number in the same town / phone exchange, and pretty soon you could be the head of the smallest branch office of that corporation. It must happen pretty often, Amazon even has a page for people’s who’s email has changed since the last order.

So, how secure is your cloud? Using the same techniques used to compromised domain names and have them transfered, it would be possible to recover Amazon passwords and login and download complete S3 collections, Start and Stop clouds, and manage any other Amazon web service.

So to answer the question, the answer is… it ain’t. So deal with it.

You can argue stuff about keys, restricted ips, encryption, secure methods. But if someone can login to the management portal because of a compromised password it ain’t secure. Once they are in the management console, they can start and stop servers, cancel services, reset restrictions and possibly even lock you out of your own account.

Discovered on: DABCC

No related posts