Should we go to Cloud?

Hi all,

I would like to hear your opinion, from a security perspective, about cloud technology. Should government companies go to the cloud and use Office 365, and use Azure for hosting, etc.?
 
Rank: Genius

Expert Comment

serialband, 2017-09-06 07:40 PM, ID: 2055842
It depends on the organization. Also, this belongs with the regular questions rather than a community group discussion.
0
 
Rank: Sage

Author Comment

Kamal Khaleefa, 2017-09-06 09:30 PM, ID: 2055848
Thank you all for sharing your thoughts. The important points mentioned are:

1- Check where the data will be stored
2- Review the agreements and who has the right to look at our data
3- Review and do check-ups on these cloud providers
4- Review the organization's country laws regarding the cloud

If you have any other thoughts, please share them.
1
 
Rank: Ace

Expert Comment

noci, 2017-09-07 03:44 AM, ID: 2055901
As a government, one should NOT dictate dependencies.
It should ensure that Open Standards are used.
Open Standards that anybody can use without patents or specific supplier software requirements...
E.g. HTTP, SMTP, LDAP, IP, Ethernet, OpenDOC are OK to use,
but SMB, AD or any requirement that requires software from a certain (single or few) manufacturer should be avoided.

Also you need to take into account the laws of: the country of the citizens/government, the country where data transits, the country where data is at rest and the country where data is processed. Including treaties that those countries have (treaties cause obligations that go above law).
Also to be taken into account: the laws of the countries where the owners live/are incorporated that handle transit, storage and processing.
Laws not only about data, ISPs etc., but also about the limits on security agencies and a track record of to what extent those agencies are accountable for breaches of law.

Example: EU citizens' Facebook data goes from the EU through US/California to Ireland. So there are several countries involved: the EU (+ countries) as where the citizen lives, the US (and California) as the data transits there and is processed, and finally EU Ireland where the data rests (this is claimed by FB). US/California as that is where the head office of FB is located.
0
 
Rank: Genius

Expert Comment

serialband, 2017-09-07 06:04 AM, ID: 2055912
As a citizen, I don't want my data going through other countries, especially potentially hostile ones. Government should have its own servers, isolated from the internet. If they contract out to Google or Microsoft, then those companies should set up a separate data center that's isolated from the rest of their public "cloud" offerings. It should not be on the cloud, since that data has to be real data about you.

With Facebook or even Experts-Exchange, anyone can put up a fake (fictitious, in legal government terms) presence, or not have one. While they expect real people, they have no mandate or guarantee that everyone has to be real. In government, you can have a fictitious name (company), but those are registered by real people.

Again, this should not be a community group discussion and should be asked as a normal question.
0
 
Rank: Ace

Expert Comment

Philip Elder, 2017-09-08 11:44 AM, ID: 2056378
1- Check where the data will be stored
2- Review the agreements and who has the right to look at our data
3- Review and do check-ups on these cloud providers
4- Review the organization's country laws regarding the cloud

1: Data sovereignty is really important here in Canada. The Patriot Act and its reciprocity act here in Canada make cloud storage, and especially data encryption, a big deal.

2: AFAIK, Microsoft is the only cloud vendor that publishes a list of contractors working in their cloud/data centers. All others seem to obfuscate that.

3: Due diligence should be a given. There are enough cloud vendors out there that have gone belly-up.

4: We're still pretty backwards when it comes to digital and cloud-based legislation.
0
 
Rank: Sage

Expert Comment

@Noci

TL;DR:

  • SMB is an open standard.
  • I agree open standards are preferable.
  • However, an open standard is no guarantee of safety.
  • Stay away from using software or standards which are not actively maintained unless you can justify the risk.

[WARNING] RAMBLE FOLLOWS: [/WARNING]

SMB has been an openly published standard as of SMB 2.x (2006) and forward; although proprietary, it is published to allow interoperability.

I believe you're thinking of the original version of this protocol (introduced over 30 years ago) and commonly known as CIFS/SMB 1.0.

This version of the protocol was never fully published, and shouldn't even be used considering the major advancements in SMB, especially in the 3.x versions.

Notably, many systems which are running CIFS/SMB 1.0 are legacy NASs which have custom Samba servers on them developed to meet the partial CIFS 1.0 standard, and which may support features from 2.0 and later without being properly written to those standards. Often this is due to resource crunches or the belief that it will be 'better' to support the legacy systems running 1.0.

However, any system old enough to only support SMB 1.0 in the Windows realm is certainly long past the 10-year window of support, has much larger inherent flaws and should be removed, and SMB 1.0 support turned off. The catch-22 is that Windows systems in networks which still have these legacy SANs with NAS heads running kludged code sometimes have to have it enabled to access them, and it makes a dirty cycle.

The standard being open only addresses the concern that the maker of the standard will go belly-up, or refuse to continue to support the protocol, and you will have no way of making your own software that can interoperate with it for your needs until you can migrate to something else.

Likely not a big concern with Microsoft, but also an irrelevant one since the good versions of the protocol are in fact openly published to allow interoperability.

However, the additional concern I'm trying to highlight here is how not properly adhering to a standard once it is published will make trouble.

It doesn't matter if you're Microsoft, or Oracle, or Joe Blow from down the block: if the software you choose to use is not actively being developed to meet the standards it utilizes, and to resolve any bugs with it, then you need to find another piece of software.

I.e.: the protocol is only as good as the software you write, find for free, or purchase. Whether the standard this software uses is open or closed matters only to the ability to make a better piece of software, or a replacement piece of software, down the road. However, security comes from having software which is actively being supported and developed to meet changes in the standard and flaws in the protocol. As we've seen with SMB 1.0, Microsoft even sent out a patch for legacy systems, but not all Samba instances have been patched because there are so many different flavors of the Samba server, not all of which have as much time and attention being devoted to keeping them up to date.

I agree open standards are better, but people too easily confuse open standards with open source, or with 3rd-party and/or obscure/generic off-brand software.

I could publish an open standard tomorrow, and if no one is using it, it is a hardship to move onto or off of it.

What makes you secure is making sure to use common standards and software that are well maintained, and you should only deviate from this when there is a valid, business-critical reason to use an uncommon standard or software.
0
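The comment above describes the practical problem with SMB 1.0: it should be turned off, but legacy NAS heads sometimes force administrators to keep it on. The script below is an added example for this thread, not code posted by any of the participants or taken from Microsoft. It audits the SMB1 state of a Windows 10 / Server 2016-or-later host using the documented SmbShare and DISM cmdlets (Get-SmbServerConfiguration, Get-SmbSession, Get-SmbConnection, Get-WindowsOptionalFeature), lists which live sessions still negotiated a 1.x dialect so the legacy devices can be identified before anything is switched off, and only disables the protocol when the script's own `-Disable` switch (an assumed name, not a Windows setting) is given. Run it from an elevated session.

```powershell
<#
  Added example (not from the thread): audit SMB1 on a Windows host and,
  on request, disable it. Cmdlets used are the documented SmbShare/DISM
  ones; the -Disable switch is this script's own, assumed parameter name.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # without this switch the script is read-only
)

# 1. Server side: is the SMB1 dialect still offered, and is SMB1 use audited?
$server = Get-SmbServerConfiguration
"Server offers SMB1      : {0}" -f $server.EnableSMB1Protocol
"SMB1 access auditing on : {0}" -f $server.AuditSmb1Access

# 2. Live sessions (inbound) and connections (outbound) that negotiated
#    a 1.x dialect. These are the legacy NAS heads / old clients the
#    thread talks about; fix or isolate them before disabling SMB1.
$oldSessions = @(Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { "$($_.Dialect)" -like '1.*' })
$oldConnections = @(Get-SmbConnection -ErrorAction SilentlyContinue |
    Where-Object { "$($_.Dialect)" -like '1.*' })

"Inbound SMB1 sessions   : {0}" -f $oldSessions.Count
$oldSessions | Select-Object ClientComputerName, ClientUserName, Dialect |
    Format-Table -AutoSize
"Outbound SMB1 connects  : {0}" -f $oldConnections.Count
$oldConnections | Select-Object ServerName, ShareName, Dialect |
    Format-Table -AutoSize

# 3. Is the optional SMB1Protocol feature (client + server binaries)
#    still installed? Absent on older builds, hence SilentlyContinue.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
    -ErrorAction SilentlyContinue
if ($feature) { "SMB1Protocol feature    : {0}" -f $feature.State }

# 4. Recent SMB1 audit events (Microsoft-Windows-SMBServer/Audit, ID 3000),
#    written only once AuditSmb1Access has been enabled.
$audit = Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 3000 }
if ($audit) {
    "SMB1 audit events seen  : {0}" -f @($audit).Count
    $audit | Select-Object TimeCreated, Message -First 5 | Format-List
}

if ($Disable) {
    # Enable auditing first so any SMB1 client that appears after the
    # change is still recorded, then stop offering the SMB1 dialect.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($feature -and $feature.State -eq 'Enabled' -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove SMB1Protocol feature')) {
        # Removes client and server SMB1 components; a reboot is required.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}
```

Usage: `.\Audit-Smb1.ps1` reports only; `.\Audit-Smb1.ps1 -Disable -WhatIf` shows what would change; `.\Audit-Smb1.ps1 -Disable` applies it. Running the read-only form for a week with `AuditSmb1Access` turned on is the simplest way to confirm that the legacy NAS heads the comment describes have really been retired before the dialect is removed.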