ombegov / cloud.cio.gov

Federal Cloud Computing Strategy Website
Other
13 stars 6 forks source link

Cloud Security #4

Open carlsonloggie opened 6 years ago

carlsonloggie commented 6 years ago

There is no evidence that moving to the cloud improves security. The distributed architecture offers a multitude of attack vectors. Cloud Deployments create multiple endpoints, each of which needs to be protected. Data-in-transit moves across untrusted networks, creating yet another attack vector. The cloud computing APIs are yet another attack vector. The contractors, vendors, and other third parties associated with the cloud are a huge insider threat; while the cloud vendor's personnel are often thoroughly vetted, other third parties may not be. Also, securing the cloud is vastly different than securing an on-site data center. The skills are different, requiring additional training and expertise. The security workforce might also need to be larger to match the increased threat. These threats need to be acknowledged and dealt with up front, otherwise we might as well hand the information over to our foreign competitors and enemies. CLOUD_COMPUTING_SECURITY_CHALLENGES_AND.pdf SECURITY_THREATS_ON_CLOUD_COMPUTING_VULN.pdf Security_Issues_in_Cloud_Computing_a_Rev.pdf https://www.cyberisk.biz/cloud-security-how-cloud-services-affect-the-attack-surface/

carlsonloggie commented 6 years ago

Does silence equals consent? Is no one willing to engage in a lively debate? Or is this just a pro forma exercise for a decision that has already been made?

carlsonloggie commented 3 months ago

The recent CloudStrike outage just demonstrated my point. And yet the people at the top, the least qualified, are pushing for what ends up, in many cases, to be the more expensive solution. I'm not saying that moving to the cloud is a bad thing; however, it isn't necessarily cheaper or more secure. The worst thing you can do is a lift and shift, yet that is the option most often used. Once everything is in the cloud, rarely are things rewritten for optimization or security. It's the same software running on someone else's computer. Madness.