[Info-vax] Cloud Security - 68M accounts hacked on Dropbox
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Fri Sep 2 10:53:43 EDT 2016
TL;DR: are there advantages to running your own servers and your own
infrastructure? Sure. There are other and equally good reasons not
to run your own, too. And I'll bet there'll be more than a few
OpenVMS x86-64 boxes hosted by outside providers, once native boot and
VM support is available. Computing serves the organization. Where
it's a competitive advantage, IT will be held more closely. Where
computing and IT is little more than infrastructure, there'll be
financial pressures to outsource. Learn from the mistakes of Dropbox,
and the mistakes of others including those folks that have privately
hosted services on OpenVMS.
On 2016-09-02 13:31:58 +0000, Kerry Main said:
> We need to remember that public clouds are just another name for
> selective IT outsourcing.
> ..
We need to remember that bringing all that in-house adds more than a
little to the administrative overhead and skills and budgets. All
feasible, certainly. But for various businesses, certainly either an
outsourced private cloud or private hosting is entirely appropriate.
> To clarify what one loses from a data and security policy perspective,
> here are a few examples of what you LOSE when moving to a public
> cloud...
Ayup. Here's what you gain with self-hosting and OpenVMS: you gain
inadequate network security tools, a security model that's baroque for
an inexperienced user to implement at best, negligible digital
certificate integration with poorly-integrated OpenSSL and with its own
dependencies and wrinkles around SSL-related upgrades in recent
history, a need to manage your own encrypted password stores and roll
your own key bags, a requirement to protect down-revision network
services or to disable those and replace those tools with more modern
versions built on your own, to create your own distributed network
security monitoring or integrate third-party monitoring tools or both
given the complete lack of distributed monitoring support, at best a
manually-built and DAC-based ability to isolate applications and
network servers against potential exploits and with little
fine-grained control (BSD pledge, sandboxes, etc.), no network filtering
or firewall support (e.g., pf) and no documented API for that, no
encrypted volume support, security patches that can be months or years
behind current, and — apropos for any server breach — a password hash
that's massively weaker than what Dropbox uses. Then there's how you
gain the complete lack of SSL-protected email and no submission port
with the vendor IP stack, and you certainly also gain the lack of
encrypted SNMPv3, you gain the lack of a VPN server, that there are no
mechanisms for cryptographically verifying the integrity of a software
installation and where the secure distribution model is comparatively
fragile at best, there's no integrated end-point security monitoring,
and other such details.
In short, you're signing up for more work when you run your own
privately-hosted server — you have to deal with the management and the
security and certificates and monitoring and the rest. You sign up for
incrementally more work when you choose OpenVMS servers, too. At
least until VSI gets a chance to roll out whatever updates and
enhancements they have planned.
Is there reason to pick one approach over the other? Sure. Welcome to
making trade-offs.
So... yeah, I can and do trust hosted services, and can and do use
hosted services providers. For some uses. Most organizations do,
after all. But then I also know how to secure servers and
particularly also OpenVMS servers, and know that it isn't easy, and
know that the effort — even with add-on tools, in the case of OpenVMS —
is on-going. Can OpenVMS be secured? Sure. Within some limits,
and quite possibly with replacement pieces and services depending on
what services you need. Is securing a server out-of-the-box easy?
Nope. Can cloud services be secured? Depends. Some services and
some hosting certainly make that claim:
https://aws.amazon.com/compliance/fedramp/
http://www.defenseone.com/technology/2014/07/how-cia-partnered-amazon-and-changed-intelligence/88555/
Then there's the static I've gotten around here from some folks
persisting in the use of telnet and ftp on OpenVMS. With privileged
accounts. We all make mistakes. Learn from what Dropbox did and
didn't, and look at your own hosting providers — or at your own servers
— and learn where you can improve.
Needs vary. Budgets vary. Implementations vary. Decisions
secondary to trade-offs vary. Are there risks with both hosted and
private? Sure. YMMV. Etc.
--
Pure Personal Opinion | HoffmanLabs LLC
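The post above points out that, once a server is breached, the strength of the stored password hash is what stands between the attacker and the accounts. The following is an added illustration, not code from the post, from OpenVMS, or from Dropbox (the post does not say what either system uses): it contrasts an unsalted single-pass digest with a salted, iterated KDF. PBKDF2-HMAC-SHA256 from the Python standard library is assumed here purely as a representative of the "slow, salted" class; the wordlist and the "leaked" records are constructed for the demonstration.

```python
"""Added example: why a weak stored password hash matters after a server breach.

Not OpenVMS, Dropbox, or mailing-list code. PBKDF2 is assumed as a stand-in
for any salted, iterated password KDF; the wordlist and records are constructed.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, Iterable, Optional

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["letmein", "123456", "Welcome1", "Summer2016!", "correct horse"]


def fast_hash(password: str) -> str:
    """Unsalted single-pass digest: cheap to compute and cheap to guess against.

    No salt means one dictionary pass cracks every account that shares a password.
    """
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256 (assumed representative slow KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_fast(leaked_digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack against an unsalted fast hash: one digest per guess."""
    for guess in wordlist:
        if hmac.compare_digest(fast_hash(guess), leaked_digest):
            return guess
    return None


def make_record(password: str, iterations: int = 200_000) -> Dict[str, object]:
    """Store a per-user random salt, the work factor, and the derived key."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": slow_hash(password, salt, iterations)}


def verify_slow(record: Dict[str, object], candidate: str) -> bool:
    """Constant-time comparison of a re-derived key against the stored one."""
    derived = slow_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])


def crack_slow(record: Dict[str, object], wordlist: Iterable[str]) -> Optional[str]:
    """Same dictionary attack, but every guess costs a full KDF run per account."""
    for guess in wordlist:
        if verify_slow(record, guess):
            return guess
    return None


def guess_cost_ratio(iterations: int = 200_000, samples: int = 5) -> float:
    """Measured number of fast-hash guesses that fit in the time of one slow guess."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(samples):
        slow_hash("x", salt, iterations)
    slow = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples * 1000):
        fast_hash("x")
    fast = (time.perf_counter() - t0) / (samples * 1000)
    return slow / fast


if __name__ == "__main__":
    leaked = fast_hash("Welcome1")          # what a breach of a fast-hash store yields
    print("fast hash cracked to:", crack_fast(leaked, WORDLIST))
    rec = make_record("Welcome1")
    print("slow hash cracked to:", crack_slow(rec, WORDLIST))
    print("fast guesses per slow guess: about %.0f" % guess_cost_ratio())
```

Both stores give up a dictionary password eventually; the difference is the per-guess cost and the per-user salt, which together turn a breach-wide dictionary pass into a per-account job that is orders of magnitude slower.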