Re: Bruce Schneier on Google Apps. Do you trust Google?



Hi Stephen,

1) You can always use 2-factor authentication to mitigate the risk of
compromised static passwords.

2) As for legal concerns, can you please elaborate on them. Are you
referring to the Safe Harbour Act for PII and Habeas Data in South
America? I would like to understand the specific legal issues with
storing information in the Cloud.

3) Documentation process for Chain of Custody will not change (AFAIK).
Once you get a e-discovery request or learn that a lawsuit has been
filed, you can retrieve the required data from SaaS provider, and then
proceed with the investigation.

Thanks
Saqib


On Tue, Jul 28, 2009 at 4:33 AM, Stephen
Mullins<steve.mullins.work@xxxxxxxxx> wrote:
you'll have employees with weak easily brutable passwords or
losing their accounts to "secret questions" that their 10 year old
could answer and use to "hack" their accounts.


Then you have the fact that it injects all sorts of legal concerns for
entities outside of the U.S. should the "cloud provider" be based in
the U.S., or vice versa.





A company such as Google providing web apps or email has no
obligations to you whatsoever and their user agreement spells that out
plainly.

It's not even worth pointing out the other flaws with this concept of
"enhanced security via cloud computing."  The fact is that placing
data completely outside of your control in some kind of "cloud" is
incompatible with real security.  No chain of custody, no ability to
audit the data, etc.

Steve Mullins

On Mon, Jul 27, 2009 at 12:11 PM, Ali, Saqib<docbook.xml@xxxxxxxxx> wrote:
"Security is about who you trust," Schneier said. "Do you trust Google
more than your sysadmin? Do you trust Google Docs more than Microsoft
Office?"

"Trust is social," he said. "It's not technical."

Read more:
http://latimesblogs.latimes.com/technology/2009/07/security-expert-on-google-apps-is-google-trustworthy.html

I trust that a Google Employee, whose sole function is to maintain the
system, will ensure that the system is secure, patched and up-to-date.
It is simply about Reputational risk. Reputational risk (damage to an
organization through loss of its reputation or standing), can arise as
a consequence of operational failures. Every company understands
reputational risk, particularly businesses who regard their brand as
one of their most critical assets. Google is one of them. They have a
reputation to maintain.

Note: I posted the following as a comment to the aforementioned
latimes blogpost, so it may be a repeat for some folks.

NIST just published a working draft of the Cloud Computing Security
presentation. Some of the Security Advantages mentioned in the
presentation are:

 1. Shifting public data to a external cloud reduces the exposure of
the internal sensitive data
 2. Cloud homogeneity makes security auditing/testing simpler
 3. Clouds enable automated security management
 4. Redundancy / Disaster Recovery
 5. Data Fragmentation and Dispersal
 6. Dedicated Security Team
 7. Greater Investment in Security Infrastructure
 8. Fault Tolerance and Reliability
 9. Greater Resiliency
 10. Hypervisor Protection Against Network Attacks
 11. Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)
 12. Simplification of Compliance Analysis
 13. Data Held by Unbiased Party (cloud vendor assertion)
 14. Low-Cost Disaster Recovery and Data Storage Solutions
 15. On-Demand Security Controls
 16. Real-Time Detection of System Tampering
 17. Rapid Re-Constitution of Services
 18. Advanced Honeynet Capabilities

I understand that these will depend on the actual implementation. It
usually does for everything. For e.g. you can create world's most
secure cipher, but the poor implementation is usually the weakest
link.

But in theory, if cloud services are implemented properly, I think
NIST's list of advantages hold true.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------




------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



Relevant Pages

  • RE: Bruce Schneier on Google Apps. Do you trust Google?
    ... Bruce Schneier on Google Apps. ... Unless and until all data in the cloud, at all times, remains securely ... It is simply about Reputational risk. ... NIST just published a working draft of the Cloud Computing Security ...
    (Security-Basics)
  • Re: Bruce Schneier on Google Apps. Do you trust Google?
    ... cloud computing. ... incompatible with real security. ... It is simply about Reputational risk. ... Securing Apache Web Server with thawte Digital Certificate ...
    (Security-Basics)
  • Re: Bruce Schneier on Google Apps. Do you trust Google?
    ... You'll never see any organization that truly values security using ... cloud computing. ... "enhanced security via cloud computing." ... It is simply about Reputational risk. ...
    (Security-Basics)
  • Re: Bruce Schneier on Google Apps. Do you trust Google?
    ... Unless and until all data in the cloud, at all times, remains securely ... system, will ensure that the system is secure, patched and up-to-date. ... It is simply about Reputational risk. ... NIST just published a working draft of the Cloud Computing Security ...
    (Security-Basics)
  • Re: Moving Kerberos to the Cloud?
    ... and thus the security attributes of the cloud in question. ... risk in the picture I suspect no one would move a KDC to a cloud. ...
    (comp.protocols.kerberos)