
Black Hat: Legal issues come free with cloud computing

30 July 2009

The complications and concerns around cloud computing should not be underestimated, argued Alex Stamos, co-founder and partner of iSEC Partners, at the Black Hat conference in Las Vegas, 30 July 2009.

The complications and concerns around cloud computing should not be underestimated, argued Alex Stamos, co-founder and partner of iSEC Partners, at the Black Hat conference in Las Vegas, 30 July 2009.

In a session titled ‘Cloud computing models and vulnerabilities: Raining on the trendy new parade’, Stamos explored the challenge of securing and auditing systems once the corporate data-centre is abstracted. Although cloud computing promises cost savings for many organisations, there are many complications that need to be considered, said iSEC’s Stamos.

Firstly, Stamos declared the term ‘cloud computing’ useless. “It’s now just a marketing term,” he said. “Despite widespread belief, it doesn’t mean virtualisation, or remote backup, neither is it most of the stuff that people actually believe it to be”.

So, what does it mean? “Lots of general purpose hosts; central management; distributed data storage; the ability to move applications from system to system; low-touch provisioning system; and soft failover”, Stamos listed. In short, “If you aren’t re-writing your software, it’s not cloud computing”.

Looking specifically at SaaS (software as a service), Stamos declared that “everything is outsourced; everything is someone else’s responsibility – except your data”.

Through SaaS, organisations lose controls, said Stamos. He listed the following as examples:

  • Physical and logical network barriers
  • Endpoint restrictions and management
  • Non-password authentication
  • Fine grained credential quality controls
  • Password re-set process

“Most SaaS vendors do not provide the level of audit logs needed”, said Stamos. “You could take back authentication, but that defeats some of the benefits of the cloud”.

No promises

Stamos presented the issue of liability concerns with EULAs (end user license agreements) from those offering cloud services. “These companies have well-trained legal departments. The agreements you sign to use the services promise you absolutely nothing. If there is a breach, or data loss, don’t expect any support or help from them”.

This, Stamos argued, is unfair. “While you can’t expect them to accept financial responsibility, a certain level of help should be available”.

Most EULAs specifically disallow malicious traffic, “but this is just a standard for information security – and is often required in order to be compliant”.

In addition to this lack of support on the liability front, using cloud services also reduces your legal protection against searches by law enforcement. “In the current state of law, you have less protection using cloud services than if you were using your own machines to contain the data – this means that you have no protection against search of data by law enforcement.

“If your data is at Google, you have no constitutional protection over that data”. As a result, said Stamos, once your data is in the cloud, you lose the following things:

  • Protection of a warrant
  • Guarantee of notice
  • Ability to fight seizures beforehand

“Storing your data yourself on your own computer is the most legally secure way to handle your private information”, iSEC’s Stamos confirmed.

In conclusion, said Stamos, “moving to SaaS takes away the traditional IT controls that organisations traditionally have. Incident response on the cloud becomes more difficult and legal issues can become a stumbling block – so be sure to get a good IP lawyer”.

“The bottom line”, finished Stamos, “is that the state of research into basic technologies does not provide for confident security analysis”.