News

Serious Price Tag Overshadows Cloud Computing

Cloud computing promises cost savings, increased flexibility and improved remote access to resources, but these advantages come at a cost, a researcher warned at the Black Hat Briefings security conference.

Data and application owners can lose control over their resources, the perimeter protecting them, and the access controls that allow their use, said Alex Stamos of iSEC Partners. Owners also can lose important legal protection by turning data over to a third-party host, he added.

Cloud computing is one of the big new things in computing. But the technology, the rules governing it and even the language describing it are not mature, Stamos said.

"The term 'cloud computing' is useless at this point," he said. It does not mean virtualization or remote backup. "Most stuff called cloud computing isn't. It is more of a marketing term now."

He defined cloud computing as distributed, general-purpose hosts holding applications and distributed data storage, with software tying it together to enable it all to move smoothly and reliably from one system to another.

Stamos predicted a cloud bubble burst as users discover that it does not necessarily provide all of the ease of use and returns being promised.

Although perimeter security is now recognized as inadequate IT protection by itself, its loss is a threat, Stamos said. "Making something a little harder" for hackers "has value."

Focusing on Software as a Service (SaaS), one element of cloud computing, he said most providers do not have the audit logs needed to recover from a serious breach. Access controls can be reclaimed to a degree by using a single sign-on scheme that returns control of policies and enforcement to the user, but this also eliminates some of the advantages of cloud computing.

One area often not considered in cloud computing is the possible exposure to legal liability. Most agreements with service providers relieve the host of any liability, but they also prohibit malicious traffic, which can prevent a data owner from conducting penetration testing of the systems holding the data.

Under current federal policy, there also is little protection to the data owner from law enforcement or regulatory search and seizure. Data can be seized without warrant and without notice to the owner if it is hosted by a third party, Stamos said.

"You have massively less protection if you are cloud computing than if you own your own machines," he said.

About the Author

William Jackson is the senior writer for Government Computer News (GCN.com).

comments powered by Disqus

Featured

  • AI for GitHub Collaboration? Maybe Not So Much

    No doubt GitHub Copilot has been a boon for developers, but AI might not be the best tool for collaboration, according to developers weighing in on a recent social media post from the GitHub team.

  • Visual Studio 2022 Getting VS Code 'Command Palette' Equivalent

    As any Visual Studio Code user knows, the editor's command palette is a powerful tool for getting things done quickly, without having to navigate through menus and dialogs. Now, we learn how an equivalent is coming for Microsoft's flagship Visual Studio IDE, invoked by the same familiar Ctrl+Shift+P keyboard shortcut.

  • .NET 9 Preview 3: 'I've Been Waiting 9 Years for This API!'

    Microsoft's third preview of .NET 9 sees a lot of minor tweaks and fixes with no earth-shaking new functionality, but little things can be important to individual developers.

  • Data Anomaly Detection Using a Neural Autoencoder with C#

    Dr. James McCaffrey of Microsoft Research tackles the process of examining a set of source data to find data items that are different in some way from the majority of the source items.

  • What's New for Python, Java in Visual Studio Code

    Microsoft announced March 2024 updates to its Python and Java extensions for Visual Studio Code, the open source-based, cross-platform code editor that has repeatedly been named the No. 1 tool in major development surveys.

Most   Popular

Subscribe on YouTube