Storm Clouds

So, who's up on this Data Cloud idea?

The concept isn't exactly inelegant. Basically, the idea is to help out both small and large businesses by creating centralized data centers to handle all your computing needs. Kind of a one-size-fits-all approach. And in this case, one size really could fit all.

The advantages? Well, there are a few.

Consider the following:

Small Businesses

These are actually served best by the cloud ideal. Through this approach, they avoid having to hire their own IT staff or engage costly consultants.

Regarding staff... Small businesses usually don't have enough to do to put an IT person to work full time. And the technical expertise a potential part-time/dual-focus employee may have will usually be so poor it becomes bad for business. This is why so many small organizations employ the "resident office hack" model—a person who does his or her normal job, but then dabbles in technology on the side. But these types of support staff know too little to be effective and just enough to be dangerous.

Regarding consultants... Low-level independent consultants are also often bad for business (though not always), mostly because there's no way to predetermine how qualified they are. They'll tell you they can do the job, but their methods are frequently undisciplined, and oftentimes there's no documentation or proper communication about what they did. So if the consultant leaves, the next one is left with no idea what's been done. For a small business owner, that can result in a huge debacle.

In both cases, support people at this lowest level usually represent the weakest in IT. Bottom line: because those who service small businesses usually lack quality skills, smaller entities are left with few options because they simply can't afford to hire IT technicians who do.

Medium-sized Businesses

These usually have their own IT staff—they usually have enough work to keep them busy. The problem here is more with specialization. A "jack of all trades" is perhaps great when dealing with drill bits at the construction site, but when working with data bits and bytes, assuming that role can represent more of a liability than an asset. There's simply too much for any one person to know.

But these firms, too, can find great solutions through "cloud computing." Because their staff are inherently limited in their specialties, they can potentially gain from having centers of computing—so-called data centers—already built for them. In this scenario, all they have to do is decide what they want to deploy and then let others worry about the infrastructure and software to get it there. And that can allow their IT people to focus much more on the things that matter most to their particular business.

Large Firms

These have the least to gain from large cloud service providers. They usually have top-notch IT personnel on salary, along with specialists in every area they deem critical to their business. In these cases, they already have their own data centers—usually two or more—in case something fails.

So instead, for these enterprises it's more likely they will create their own private cloud to serve their needs. Even though they don't pay a service provider to build the infrastructure, the idea is still much the same: centralize the computing resources, then provide a margin of safety through duplicate systems of both hardware and software.

Ah, but now we come to the main drawback—a huge liability to my way of thinking.

Have you heard all the chatter lately about massive outages or widespread hacking? People have had their passwords and login data stolen from many, many sites. They've lost credit card information. In some cases, identities, complete with Social Security numbers, have been stolen. And that's not to mention the recent NSA spying fiasco.

The reality is, these cloud sites that advertise 99.999% uptime don't seem to be delivering quite what they promise. Just within the last couple of weeks, Amazon's cloud services went down and took with it such popular web sites as Instagram, among others, because Instagram just happened to be floating in their cloud. Imagine their chagrin!

Wait... Wasn't there supposed to be fault tolerance? Wasn't the cloud supposed to prevent these kinds of problems?

Well, it doesn't. And indeed, it can make things potentially much worse.

But here's what I don't get: why doesn't anyone else seem to be able to see the writing on the wall? Am I the only prophetic voice out there?

Consider this. Hackers need targets. And ideal targets are large, bureaucratic entities. Why? Because a substantial part of hacking is finding a way in. And you do that usually by ruse—through a con of some sort. This is known as social engineering, and it represents a central tool in hacking a company's data systems.

Now, if you have a small business where everyone knows everyone else (after all, there are only six people in the company), the probability that someone calls up and says they're "with the Help Desk and need to reset everybody's password, could you please give me yours so I can make the change?" is reduced substantially. But that's not the case with huge enterprises.

So if thousands of small companies are all serviced in a data cloud, and a hacker gets access somehow to the data center, what do you think is bound to happen? But if the small company has their own small "data center" built on one or two machines on-site, with a solid small-biz firewall and even a DMZ where their web server resides (a demilitarized zone, or DMZ, is the part of a private network allowed for access by the public at large), can't we assume that hacking them won't be nearly as easy?

Next, how about data privacy? There are many businesses that hold on to private information—financial data, health data, etc. And maybe small businesses start placing this information in the cloud at data centers across the country (or world?). Do you know who can then see that data? Well, systems administrators certainly can. Also, data center employees hacking from the inside can—internal attacks actually represent the most common threat to data by far (does the name "Snowden" ring any bells?). And finally, any external hacker who might gain access to the system clearly has the potential.

And just think of it. Not one of those individuals likely would have been able to gain access if the data had been safely stored in the basement of your building.

There's a concept known as "attack surface." The larger the surface, the greater the possibility of finding some weakness or hole that can be exploited. Well, it seems to me that data centers represent literally colossal attack surfaces. Their physical location can easily be known. They will have a LOT of connections going in and out of their facility—physical and/or virtual data connections, not to mention personnel. Each of these increases the attack surface.

On the other hand, the attack surface of individual, remote sites spread across the country would be minuscule in comparison.

Now I'm not dismissing the cloud out of hand. As I said before, there's a need for it. But the way it's being pushed right now is, in my opinion, not the answer.

Implementations where it does make sense include data backups. For example, encrypting backup data on remote servers in a cloud could be pretty valuable to a firm. Then if there's some catastrophic calamity (fire, plane crash, earthquake, etc.), the backed-up data remains secure and easily accessible.

Cloud-based email could also make sense, especially if it doesn't include proprietary/confidential/private communication. But for firms other than small businesses, there are still persuasive reasons for keeping email in-house.

Is this starting to make sense? De-centralized, not centralized, is the way to minimize your exposure.

Heaven forbid we have a terrorist attack on multiple cloud-forming data centers at once. In this case, a big chunk of the Internet would go down, but not all. And if your data is around the corner at a small but quality service provider, or in the wiring closet at your business, you'll still be up and running.

In short, my point is this: Don't buy into the cloud hype just yet. While it definitely has its advantages, if you swallow the hype hook, line, and sinker today, it might be that tomorrow you'll wonder how those cute, floating cotton balls ended up turning dark and menacing enough to ruin your sunny day.

(See "Ominous Clouds Portend Future Storms" at the Attica Salt blog—atticasalt.wordpress.com.)

 
