Barakkus
Posted - 2011.06.23 21:58:00 -
[1]
So, storing financial information, i.e. bank account numbers, ACH routing information etc., on a database server sitting in a public cloud like Rackspace...good or bad for not getting **** stolen?
Why?
Imo, for what I do, very, very bad because it's painting a giant target on your data, with very little you can do to keep it safe since the host doesn't give a ****. Had one server that hosted a website up at Rackspace, got hacked; no financial or company-critical data was up there other than a website that was being relied upon by clients to perform a specific function...but nonetheless hacked...now I have some marketing person trying to convince my boss(es) to move our data to a cloud, which in my opinion is the easiest way to put yourself out of business when hosting the type of financial data we do, and not having $$$$ to throw at a data loss problem on a whim.
So? Thoughts?
[SERVICE] Corp Standings For POS anchoring
Cpt Placeholder
Posted - 2011.06.23 22:38:00 -
[2]
No, unless you have performance problems and no hope of fixing them.
Citizen20100211442
Minmatar Carebear Evolution
Posted - 2011.06.23 22:58:00 -
[3]
Face it, this is the future.
One day there will be laws punishing you for keeping information on your own.
"They" want control and to know everything about you.
Barakkus
Posted - 2011.06.23 23:13:00 -
[4]
lol yeah.
I'm just concerned with some other compromised "resident" on the cloud getting information off a VM it shouldn't, which from my understanding is possible...I just don't trust someone else's security for the most part...
[SERVICE] Corp Standings For POS anchoring
Nariya Kentaya
Global Mining Operation OmniTech Initiative
Posted - 2011.06.23 23:17:00 -
[5]
Originally by: Citizen20100211442 Face it, this is the future.
One day there will be laws punishing you for keeping information on your own.
"They" want control and to know everything about you.
Of course they know everything; dumbasses keep posting their social security number on Facebook, and using the wall on a friend's page as a request for them to please go lock their front door. Facebook attracts a lot of stupid people, who post stupid comments, that make them look stupid in addition to giving up their house.
Liva Daril
Caldari
Posted - 2011.06.24 05:22:00 -
[6]
Shades of NetPC.
Will die just as noiselessly as the "disk-less" PC wonder.
Unless they manage to make it mandatory, like somebody else I know is trying. wink, wink, nudge, slam
Originally by: XIRUSPHERE
Tautut
The Union Of The Snake
Posted - 2011.06.24 07:07:00 -
[7]
Edited by: Tautut on 24/06/2011 07:07:41
Originally by: Barakkus So, storing financial information, i.e. bank account numbers, ACH routing information etc., on a database server sitting in a public cloud like Rackspace...good or bad for not getting **** stolen?
Why?
Imo, for what I do, very, very bad because it's painting a giant target on your data, with very little you can do to keep it safe since the host doesn't give a ****. Had one server that hosted a website up at Rackspace, got hacked; no financial or company-critical data was up there other than a website that was being relied upon by clients to perform a specific function...but nonetheless hacked...now I have some marketing person trying to convince my boss(es) to move our data to a cloud, which in my opinion is the easiest way to put yourself out of business when hosting the type of financial data we do, and not having $$$$ to throw at a data loss problem on a whim.
So? Thoughts?
Let's get this straight... what service are Rackspace offering you that you think is leading your systems towards being exposed? It's got nothing to do with where it's hosted (because hosting in a DC is not new) - so it must be something to do with their 'As A Service' offering. That's what Cloud does - it has nothing to do with location (you can have public and private Clouds) - it offers you something as a consumable service (storage / network / compute / virtualisation etc.). Typically, this helps companies buy a service more focussed on OpEx rather than having to worry about CapEx.
So, considering that - are you saying that a Rackspace service gave you a toolset to provision a website with inadequate security features or out of date software containing security holes? Or did they give you a blank VM and let you upload your own toolset where you were responsible for maintaining security?
Cloud doesn't have to be a black hole where you don't know which country your data is sitting in. If you're really worried about maintaining control then speak to a good Cloud service provider and look for someone providing infrastructure as a service (IaaS). You'll get all the cloud benefits of OpEx over CapEx (i.e. not having to fork out every three years for new hardware - but just consume it per blade / GB and Gb per month) and full control of the operating systems and applications running on them - including any firewalling etc.
EDIT: Crap spelling
The Union of the Snake [SNAKE]
Cpt Placeholder
Posted - 2011.06.24 08:44:00 -
[8]
Originally by: Tautut what service are Rackspace offering you that you think is leading your systems towards being exposed?
Virtualization.
Originally by: Tautut It's got nothing to do with where it's hosted
Laws have a lot to do with where it's hosted.
Originally by: Tautut You'll get [..] full control of the operating systems and applications running on them - including any firewalling etc.
You and your cloud hoster and anybody who can break out of the sandbox.
Clouds are a good idea. Giving other people sensitive information has never been a good idea.
Tautut
The Union Of The Snake
Posted - 2011.06.24 11:11:00 -
[9]
Edited by: Tautut on 24/06/2011 11:11:16
Originally by: Cpt Placeholder
Originally by: Tautut what service are Rackspace offering you that you think is leading your systems towards being exposed?
Virtualization.
Originally by: Tautut It's got nothing to do with where it's hosted
Laws have a lot to do with where it's hosted.
The point I'm making is that Cloud doesn't automatically equal hosted services in a foreign location - hence private cloud. You're talking about governance which is a separate issue - but yes, very important. A good service provider should be able to tell you where your systems run and your data is located down to the blade and the array.
Originally by: Cpt Placeholder
Originally by: Tautut You'll get [..] full control of the operating systems and applications running on them - including any firewalling etc.
You and your cloud hoster and anybody who can break out of the sandbox.
Clouds are a good idea. Giving other people sensitive information has never been a good idea.
Cloud security is only as good as the design work that's gone before the service. I wouldn't buy any cloud service for business (especially hosting sensitive customer data) unless I was convinced that it was a proper SMT (secure multi-tenanted) service. It's not difficult these days to isolate customers using VLANs / VRFs and the right storage technology.
The term Cloud is thrown about like it's a single entity - it's not. You'll need to check the pedigree of your service provider and ask pointed questions rather than Google 'cloud service' and hand over your credit card.
Edit: I still can't spell
The Union of the Snake [SNAKE]
AlleyKat
Gallente The Unwanted.
Posted - 2011.06.24 11:31:00 -
[10]
Your financial information is already on a cloud?
Scorpyn
Caldari Infinitus Odium
Posted - 2011.06.24 12:51:00 -
[11]
Your marketing person is an idiot. If your boss(es) listen to him, then they are also idiots.
Not only because the data can get stolen. What happens if you lose connection to the cloud? What happens if the cloud loses all data?
What happens when your customers find out that you don't care about what happens to their data?
If you want the data in a cloud, then make your own cloud. And by cloud I mean redundancy, which you hopefully already have.
Do NOT move it to a public cloud.
Taedrin
Gallente Zero Percent Tax Haven
Posted - 2011.06.24 15:07:00 -
[12]
Originally by: Tautut Edited by: Tautut on 24/06/2011 11:11:16
Originally by: Cpt Placeholder
Originally by: Tautut what service are Rackspace offering you that you think is leading your systems towards being exposed?
Virtualization.
Originally by: Tautut It's got nothing to do with where it's hosted
Laws have a lot to do with where it's hosted.
The point I'm making is that Cloud doesn't automatically equal hosted services in a foreign location - hence private cloud. You're talking about governance which is a separate issue - but yes, very important. A good service provider should be able to tell you where your systems run and your data is located down to the blade and the array.
Originally by: Cpt Placeholder
Originally by: Tautut You'll get [..] full control of the operating systems and applications running on them - including any firewalling etc.
You and your cloud hoster and anybody who can break out of the sandbox.
Clouds are a good idea. Giving other people sensitive information has never been a good idea.
Cloud security is only as good as the design work that's gone before the service. I wouldn't buy any cloud service for business (especially hosting sensitive customer data) unless I was convinced that it was a proper SMT (secure multi-tenanted) service. It's not difficult these days to isolate customers using VLANs / VRFs and the right storage technology.
The term Cloud is thrown about like it's a single entity - it's not. You'll need to check the pedigree of your service provider and ask pointed questions rather than Google 'cloud service' and hand over your credit card.
Edit: I still can't spell
None of this changes the fact that you are trusting a third party with potentially sensitive information. If you host on "The Cloud", unless you own "The Cloud", you can't completely control the security of the environment. Yes, they can use virtualization to improve security, but all it takes is !one! security breach to make your life a living hell.
Don't get me wrong, "The Cloud" is a wonderful thing. But it is better to play things on the safe side when it comes to information which you can't afford to have stolen.
----------
Originally by: Dr Fighter "how do you know when you've had a repro accident"
There's modules missing and morphite in your mineral pile.
Barakkus
Posted - 2011.06.24 18:22:00 -
[13]
Originally by: Tautut
Let's get this straight .... what service are Rackspace offering you that you think is leading your systems towards being exposed?
This was all due to my boss and the admins not knowing exactly what the service was. They basically got an unsecured Linux image and just configured it to do what they wanted it to...they were both under the impression some form of security like a packet-filtering firewall was going to be provided...well it wasn't, and someone took control of it via the SSH server running on it. I don't know all the specifics, but **** happens. We've had problems with Rackspace in the past with other stuff though, like contracting them to do backups of what we hosted there, then when we needed one, there were no backups because they forgot to set it up...I just don't like them :P
I'm more worried about another resident vm at the service provider gaining access to vms that it shouldn't or data somewhere that it technically shouldn't be accessing for the most part since it's all shared hardware.
This is mostly what I'm concerned about: http://findarticles.com/p/articles/mi_hb242/is_201104/ai_n57242244/
Most cloud service providers will swear up and down that your data is going to be perfectly safe just to get a sale, honestly. Had some snake oil salesmen from some provider trying to sell me on their cloud services at a Symantec security and virtualization conference a couple of months ago. I just had a bad feeling about how quick they were to tell me it was no problem but couldn't provide me specifics on how it would stay safe other than "the data is encrypted on disk".
I am actually considering moving all the workstations to a private cloud here, but that's going to be quite spendy, and will probably have to be put off for a while.
And on the other mentioned topic of "what happens if you lose internet connectivity"...that was my other problem with it. Currently we have Comcast fiber + a microwave DS3 doing BGP, but you never know what could happen...a couple of months ago our old DS3 primary provider decided to pull our IP block without warning, leaving us black to the world for around 12-14 hours. We had our backup provider get us a new block assigned; it was a nightmare...I think I'd rather not have 50 or 60 employees not doing anything because nothing works...
[SERVICE] Corp Standings For POS anchoring
Lutz Major
Posted - 2011.06.24 18:54:00 -
[14]
We had the same discussion at our company with our bosses (who really know nothing about IT, but like to hear buzzwords from 'consultants').
Truth be told, you can't beat a serious cloud provider on technical terms and cloud computing is the future. Like it or not.
BUT: currently there aren't any considerable laws for outsourcing uber-secret company data. No provider can guarantee 24/7 access to your data. Therefore (at least in Austria) insurance companies increase their rates substantially, making it uninteresting to move a company's hardware into a cloud.
Another reason for us was also laws: in Austria you must be able to know where your financial data is located (and therefore prove it is safe and secure). With cloud computing, you can't tell for sure whether your data is stored in Ireland, the US or Mogadishu.
Tautut
The Union Of The Snake
Posted - 2011.06.24 22:47:00 -
[15]
Originally by: Lutz Major
With cloud computing, you can't tell for sure whether your data is stored in Ireland, the US or Mogadishu.
Hehe - you can on my bleedin' service. Not all Cloud Service providers are the same.
The Union of the Snake [SNAKE]
Scorpyn
Caldari Infinitus Odium
Posted - 2011.06.25 01:37:00 -
[16]
Originally by: Lutz Major Truth be told, you can't beat a serious cloud provider on technical terms and cloud computing is the future. Like it or not.
Sure. But that doesn't mean that a public offsite cloud is a good idea.
Tbh, I don't like the term cloud. What do you need? Virtualization? Redundancy? Off-site backup? Storage available over internet? Website mirrors? Everything is called a cloud nowadays.
Blacksquirrel
Posted - 2011.06.25 02:22:00 -
[17]
Edited by: Blacksquirrel on 25/06/2011 02:26:29
Depends on where your company wants to go. IT should help facilitate business, not distract it. To some degree moving IT resources away makes a ton of sense. If your infrastructure sucks or you lack the manpower to support needed IT or your manpower lacks the knowledge and skill, then someone else taking care of it is OK.
Furthermore, see what kind of contracting they are offering and what liabilities everyone has. You get what you pay for really, and you need to double check what they have in place to safeguard data, from security breaches to backup and recovery. You get what you pay for, and you get what you don't read in contracts. Is it simple storage hosting? Or full-on taking care of everything minus data entry?
Next, one should look at the cost savings of moving IT over and someone else taking care of it vs. your company upgrading or hiring on more people. Business people understand one thing: numbers...how much, and how much risk. As an IT manager you should be there to show them a cost-benefit analysis for the various routes to take. E.g. upgrade hardware, hire on a consultant to shore up security and poor code, or move existing IT over to a 3rd party.
If it is better to move over, DOUBLE CHECK THEIR Infrastructure AND WHAT THEY ARE LIABLE FOR!
Also, if your data is sensitive it should be encrypted even for administrators... That way if a cloud company has a shady employee they may have access to it, but won't be able to do much with it.
Barakkus
Posted - 2011.06.25 05:41:00 -
[18]
Originally by: Blacksquirrel
Also, if your data is sensitive it should be encrypted even for administrators... That way if a cloud company has a shady employee they may have access to it, but won't be able to do much with it.
There are ways to circumvent encryption if you have access to the host encrypting it though; at some point the data is going to not be encrypted during whatever processing, say like printing checks (which we do)...not sure if it's worth the risk...having a million dollar check in your hands from time to time makes you a little skittish about anyone getting a hold of that kind of information.
[SERVICE] Corp Standings For POS anchoring
Blacksquirrel
Posted - 2011.06.25 16:00:00 -
[19]
Originally by: Barakkus
Originally by: Blacksquirrel
Also, if your data is sensitive it should be encrypted even for administrators... That way if a cloud company has a shady employee they may have access to it, but won't be able to do much with it.
There are ways to circumvent encryption if you have access to the host encrypting it though; at some point the data is going to not be encrypted during whatever processing, say like printing checks (which we do)...not sure if it's worth the risk...having a million dollar check in your hands from time to time makes you a little skittish about anyone getting a hold of that kind of information.
Someone with enough will and time can always circumvent something... That's not really a good argument, because I can make the same argument about the security measures at your current workplace. Really, if you're that worried about it you need to prove how security is better at your place than whoever you're looking to hire. I don't see how you guys printing checks gives a data center access to that.
Even if they have the means (which they might or might not, depending on what service you have), to get through say AES 256 or say TDE in the case of a DB would take a **** ton of computing power and a long, long time. At which point you should have known something was compromised. So really the people with access keys would be your prime suspects. However, as stated before, this could happen with you guys or at the center.
Really, you've got to show them how it's a better business decision. Do you have offsite backup/recovery? Multiple firewalls? VPNs? Secure NAS, or DAS? Backup power supplies? Network monitoring/logging services that send txt warnings if the logs indicate failure or breach? On top of that, what on-site contracts do you have for your hardware? If you really are dealing with millions of dollars you should evaluate that as a minimum.
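Blacksquirrel's suggestion of encrypting sensitive data so that even the provider's administrators cannot read it, and Barakkus's caveat that it has to be decrypted somewhere during processing, as an added example that is not code from anyone in this thread: application-layer AES-256-GCM field encryption where the key is generated and held on-site and the hosted database only ever stores ciphertext, so plaintext exists only in the on-premises process that calls Open (e.g. when a check is printed). The function names, the customer name and the account/routing values are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewKey makes a fresh AES-256 key. It is meant to be generated and held
// on-premises (HSM/KMS); only ciphertext is ever written to the hosted DB.
func NewKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

// NewAEAD wraps the key in AES-GCM, the authenticated mode used below.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one sensitive column value (account or routing number).
// The customer name is bound in as associated data, so a blob copied onto
// another customer's row fails to decrypt instead of re-routing a payment.
// Stored layout: nonce || ciphertext || GCM tag, one opaque column.
func Seal(gcm cipher.AEAD, customer, secret string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(secret), []byte(customer)), nil
}

// Open decrypts a column value; a bit flip, truncation or row swap is an
// error, never silently wrong digits.
func Open(gcm cipher.AEAD, customer string, blob []byte) (string, error) {
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return "", errors.New("blob too short")
	}
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], []byte(customer))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

A database administrator at the provider sees only the Blob column; the key never leaves the site that runs Seal and Open.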