
Justin, posted in cloud, security culture
First post for 2013. The plan is to hopefully be a bit more active after a slow 2012!
I came across this interesting article that has the details of an interview with Bruce Schneier.
While I pretty much agree with Bruce and especially like Bruce's last comment: "Is my data more secure with you than it is with me?", I think the problems begin with the follow-up to that question - which is "prove it".
Now 'proving security' is fraught with danger (and is most likely an impossible task), but while you may have a good understanding of what you do - or don't do - from a security perspective, it's the lack of details that cloud providers will supply on their security practices (other than to say "we use military-grade encryption" or "we follow industry best practices") that always concerns me.
"Trust us" seems to be the mantra from a number of cloud or SaaS providers and trust them we have, sometimes with less than stellar results.
Before signing over the keys to the kingdom to cloud providers, I think it's important to get a good understanding of exactly how they protect your data, what will happen if they do suffer a breach (at what point do they notify you? When they suspect something happened, or 2 weeks later when they've confirmed the breach?) and what you can do to protect your data (such as encrypt everything and keep the keys to yourself).
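What "encrypt everything and keep the keys to yourself" looks like in practice, as an added example that is not from the original post or any provider's SDK: each object gets its own random data key, the data key is wrapped under a master key that never leaves your side, and only the wrapped key plus ciphertext is uploaded. The object name is bound as associated data so the provider (or anyone who breaches it) cannot swap blobs between objects without the decryption failing. The type and function names, and the sample payload, are assumptions made up for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Blob is what actually leaves your network: ciphertext, nonces, and the
// per-object data key wrapped under the master key (illustrative layout).
type Blob struct {
	WrappedDataKey []byte // data key encrypted under the master key (AES-GCM)
	KeyNonce       []byte
	Nonce          []byte
	Ciphertext     []byte // AES-GCM output with the 16-byte tag appended
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce, binding aad
// (here the object name) so a blob cannot be silently moved to another slot.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt produces the blob to upload. masterKey is 32 bytes and stays on-prem.
func Encrypt(masterKey []byte, objectName string, plaintext []byte) (Blob, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Blob{}, err
	}
	nonce, ct, err := seal(dataKey, plaintext, []byte(objectName))
	if err != nil {
		return Blob{}, err
	}
	keyNonce, wrapped, err := seal(masterKey, dataKey, []byte(objectName))
	if err != nil {
		return Blob{}, err
	}
	return Blob{WrappedDataKey: wrapped, KeyNonce: keyNonce, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key and opens the object. A flipped bit, a wrong
// master key, or a blob filed under the wrong name all fail closed.
func Decrypt(masterKey []byte, objectName string, b Blob) ([]byte, error) {
	dataKey, err := open(masterKey, b.KeyNonce, b.WrappedDataKey, []byte(objectName))
	if err != nil {
		return nil, errors.New("data key unwrap failed: wrong master key or tampered blob")
	}
	return open(dataKey, b.Nonce, b.Ciphertext, []byte(objectName))
}

func main() {
	master := make([]byte, 32)
	io.ReadFull(rand.Reader, master)
	// Constructed sample payload; the provider only ever sees blob.
	blob, _ := Encrypt(master, "hr/payroll-2013.csv", []byte("constructed sample: salaries..."))
	fmt.Println("provider sees:", hex.EncodeToString(blob.Ciphertext)[:32], "...")
	pt, err := Decrypt(master, "hr/payroll-2013.csv", blob)
	fmt.Println(string(pt), err)
}
```

The master key is the one thing you must protect yourself (an HSM or at least a host the provider has no access to); losing it loses the data, which is exactly the property "keep the keys to yourself" buys you.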

Justin, posted in cloud, privacy, security
The cloud has arrived down under! Well at any rate it has registered on the radar (weather radar?) of our Government officials.
Last month the Defence Signals Directorate (DSD) issued a paper on Cloud Computing considerations that aims to "assist agencies to perform a risk assessment to determine the viability of using cloud computing services."
This came hot on the heels of the Federal Privacy Minister voicing his concerns about the compatibility of cloud services with the National Privacy Principles, and has been followed up by the Victorian Privacy Commissioner releasing a Cloud Computing information sheet to give "a brief overview of how the Information Privacy Act 2000 (Vic) applies to cloud computing technologies".
Personally, I'm happy to see privacy concerns are getting some serious consideration. I'm certainly not anti-cloud, in many ways it is very cool, but I don't want to see businesses running headlong into a potentially disastrous (security & privacy-wise) situation without giving the consequences due consideration. Firm Cloud standards and Government guidelines (and industry guidelines, e.g. ASIC) will go a long way to helping any move to the Cloud be successful in the long run (again from a security & privacy perspective).
Assuming your cloud service is up and running, that is! (sorry for the cheap shot, Amazon!)
Finally on privacy, this week is Privacy Awareness Week, so go and check your Facebook privacy settings (because they change pretty often!)

Justin, posted in cloud, Law, security
I came across a couple of interesting reads over at the UK-based Cloud Legal Project site (which is part of the Centre for Commercial Law Studies, Queen Mary University of London).
The first is a survey of Cloud vendor contracts ('Terms of Service Analysis for Cloud Providers'), which highlights risks such as the vendor's right to change the ToS at any time without notification, cancellation of accounts for disuse or AUP violations, and limited liability for loss of data.
The second paper is on Information Ownership in the Cloud, which highlights the need for strict definitions in contracts as to who retains the ownership rights to various data types.
Both papers are well worth a read.

Justin, posted in cloud, data breach, DDOS, hacking
The great Wikileaks scandal that is currently occupying the media's attention has brought to light some interesting food for thought beyond the actual leaked documents and the ultimate insider threat scenario.
Wikileaks has been under denial of service attack for a number of days now, allegedly caused by a 'hacktivist' called 'th3j35t3r' (The Jester). The attack ramped up from the 2-4Gbps that forced the site off its original host and onto the Amazon EC2 Cloud Service, where it intensified to a 10Gbps+ attack. Amazon subsequently dropped hosting of the site, succumbing to political pressure along with the ongoing DDOS attack.
Does this add an extra wrinkle to the 'put it all in the cloud' future promoted by some organizations or individuals? It does bring up concerns about how a cloud provider would react if your organization came under sustained denial of service attack. The allegation that the attacks were the actions of a single hacker using new software called XerXes, which requires no zombie network or botnet to be effective, is also extremely concerning.

Justin, posted in cloud, governance, shadow IT
IT World has an interesting article on what they're calling the 'stealth cloud'. It's not exactly a new concept; bigger companies in particular have had to deal with the 'shadow IT' problem for some time now.
How to spot a Shadow IT user...
However, the recent proliferation of cloud service providers has the potential to greatly exacerbate the problem. Organizations already struggle with governance and with meeting requirements such as SOX, PCI-DSS, privacy laws and industry regulation; having business units run out and sign up to external SaaS/Cloud services to fast-track projects sounds like a disaster (if not a lawsuit or breach fine) waiting to happen...
Many of these services are pitched at consumers, who enjoy the benefits of the likes of cloud file storage or a personal online knowledge base, and those same consumers come to the office and want the same services at work.
So how do you combat the problem? There's no easy answer (like just about everything in Security!), but a combination of education/communication (ensure the managers of the business units understand why storing confidential corporate documents via Dropbox is risky) and being prepared to formally evaluate the security and risks of the SaaS/Cloud providers, so that the resulting decisions are made out in the open, may go a long way to easing the headache.
It's been said before but is worth saying again: most business computer users have no understanding of security. In a recent conversation an office worker was somewhat shocked to hear that email was not 'secure' or even particularly 'private'. Education and communication are the keys and probably the best way to combat those pesky Shadow IT ninja or Stealth Cloud Shinobi! (since they won't let me bring a katana to work...)
The Cloud. These days it seems all-encompassing and inescapable. Perhaps we should have called it 'fog computing', as it seems to have the ability to bamboozle and confuse non-techie types with promises of milk and honey for little or no effort. While it certainly has its merits, a lack of true definition and standards shows its immaturity at present.
But even in the world of magical clouds there's a dark side, for with greater availability of cheap computing power comes the opportunity for shady types, or in this case researchers, to use the 'power of the cloud' to crack WPA encryption. WPACracker lets you run a 285 million word dictionary attack against WPA-PSK passphrases and ZIP file encryption. Purely for research purposes, of course!
Using Clouds or 'cloud-like' constructs for crime is nothing new, as shown by the prevalence of botnets such as the massive Conficker botnet (estimated at 10-15 million hosts) or the spam-spewing Cutwail botnet that could blast out 74,000,000,000 spam messages a day (that's 51,000,000 a minute!).
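Why a rented pile of CPUs is the natural tool for this: WPA/WPA2-PSK derives its 256-bit Pairwise Master Key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), so every guess costs 4096 HMAC rounds, nothing but the SSID salts it, and guesses are embarrassingly parallel. The example below is added here and is not WPACracker's code; it implements the derivation with only the Go standard library and runs a dictionary attack against a PMK. The wordlist is a constructed stand-in for the 285 million word one, and the function names are made up for this example; the passphrase/SSID pair "password"/"IEEE" is the published IEEE 802.11i test vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA1 is PBKDF2 with HMAC-SHA1 as the PRF (RFC 2898), written out
// here so the example runs with the standard library alone.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for blockIdx := 1; len(out) < keyLen; blockIdx++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(blockIdx >> 24), byte(blockIdx >> 16), byte(blockIdx >> 8), byte(blockIdx)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// WPAPMK derives the WPA/WPA2-PSK Pairwise Master Key from passphrase and SSID.
// Because the SSID is the only salt, a table built for "linksys" works against
// every network called "linksys", which is exactly what a cloud job precomputes.
func WPAPMK(passphrase, ssid string) []byte {
	return pbkdf2SHA1([]byte(passphrase), []byte(ssid), 4096, 32)
}

// DictionaryAttack tries each candidate until one derives the target PMK.
// A real tool checks each guess against the MIC of a captured 4-way handshake
// rather than a bare PMK, but the per-guess cost (4096 HMAC rounds) is the same.
func DictionaryAttack(targetPMK []byte, ssid string, wordlist []string) (string, bool) {
	for _, guess := range wordlist {
		if hmac.Equal(WPAPMK(guess, ssid), targetPMK) {
			return guess, true
		}
	}
	return "", false
}

func main() {
	pmk := WPAPMK("password", "IEEE") // IEEE 802.11i test vector
	fmt.Println("PMK:", hex.EncodeToString(pmk))
	// Constructed wordlist standing in for a multi-hundred-million-word one.
	words := []string{"letmein", "qwerty", "welcome1", "password", "hunter2"}
	fmt.Println(DictionaryAttack(pmk, "IEEE", words))
}
```

The defence follows from the arithmetic: a passphrase that is not in any wordlist (long, random) makes the 285 million guesses irrelevant, and a non-default SSID defeats precomputed tables.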
While I'm on Cloud matters, I spotted a recent interesting little tidbit about personal cloud storage provider Evernote. It seems for their customers, security is an add-on extra that is only available to premium subscribers....
Apparently 'excellent security' means encrypting authentication information only, with the remainder sent in the clear. Are we past the age when better security was simply a good idea, or advertised as a lure for customers, and into one where it is a premium extra charge? I hope not.
(thanks for some of the info in the post above to a Circus contributor who must remain anonymous - you know who you are!)