On Wed, 2010-09-15 at 17:20 -0400, Mike Rathburn wrote:
> What's the security risk difference between having this software on
> the aforementioned server in a virtual machine sitting in a rack
> downtown versus having this software on a virtual machine hosted by
> Amazon?

There are lots of differences; here are some off hand.

Control over the data and host machines. You can't pull the plug from something in the cloud. If someone takes over one of your cloud instances, who are you gonna call? Not the Ghostbusters :) Seriously though, how will you access or work with an exploited cloud instance? How will you handle a security breach?

Then there are backups; you have no idea how many backups or copies of your data might exist in the cloud, or their shelf life. Which is something to consider; it seems S3 will have at least 3 copies of your data. They are providing data protection from loss, not protection as in security.
http://aws.amazon.com/s3/#protecting

Then they go beyond backing up with Versioning. What's stopping someone else from obtaining a copy of your instances or data? Keep in mind that could happen as a result of a software bug or something innocent vs. malicious. Monitoring app unable to reach an instance, thinks it's down, starts another. Likely not too practical, but who knows, this stuff is all still evolving and rather new. Unless you know it can't happen, well :)

Either way, they are not guaranteeing security in section 7.2
http://aws.amazon.com/agreement/#7

They limit their liability in section 11.8, Limitations of Liability
http://aws.amazon.com/agreement/#11

Finally, Indemnification
http://aws.amazon.com/agreement/#12

If the crap hits the fan, it's all you!

> I had a COTS firewall. They have a professional-grade, beefy
> enterprise firewall (that I would never be able to afford or maintain)
> for which I have quite a bit of control over who gets in where and
> when.

Which they also have control over, and likely more features than you :)

> Then there's the Winderz software firewall. This isn't 1999 anymore
> - it's quite okay now. The final kicker ... even the VM itself is
> running on RHEL!

Keep in mind packets pass through the host machine, which could change, along with the instance in the cloud. Packets are likely duplicated, and/or could be visible at the host level.

> Couple that with QB accounting (no pun intended) for about 85% of the
> small business market share, of which 90% of all business conducted in
> America is 'small business'. We all must be snorting pixie dust
> apparently.

Never said not to run QuickBooks, and it's not the only solution out there. Several past clients of mine ran Peachtree.
http://www.peachtree.com/

Then there are still others. I use a mix of my own home brewed software and db, with GnuCash :)

But really it's not the software in use. It's where the data resides, outside of your hands and control. I bet you are legally liable to be in control of the data. Regardless of software or OS, I would not put sensitive data I am legally responsible for in third party hands without some sort of guarantee or assurance of data security with the third party.

> Note that this is likely just a temporary arrangement also, as the
> technology evolves and the price comes down, Intuit will be hosting
> the application (SaaS) without the need for a VM host.

Doesn't that already exist? QuickBooks Online? Seems rather SaaS to me ;)

> Security boils down to common sense. Lock your doors when you're out.
> Keep the ports closed when not in use, and monitor when they are.
>
> That's my .11 cents per hour.

Yeah, and common sense (at least to me :) ) right now says: if it's sensitive data, or you are liable in any way, shape or form, or at minimum customers might not like their data being outside of your control, then unless you're hosting, say, the LUG wiki, mailing list, a site like Zillow with no personal data, or a public site like Twitter, clouds really are not an option at this time. Too many unknowns. If you don't know, how are you going to protect yourself against the unknown?

-- 
William L. Thomson Jr.
Obsidian-Studios, Inc.
http://www.obsidian-studios.com

