
Month: May 2014

In Cloud We Trust

Somewhere out there….

 

Everyone is talking about the ‘Cloud’ – which seems to be the greatest thing since sliced bread, and everyone thinks they should be making use of it, but how and for what?

Among the many possible usages of Cloud services, those that come most easily to mind are storage, backup, information sharing and email correspondence, but there are many more.

All of these share a common denominator – the storage of our own personal, corporate and/or proprietary information on some other organisation’s resources – located ‘somewhere out there’ – in the Cloud.


How secure is the Cloud?

 

So just how secure, and how private, is the information we store in this pervasive Cloud? Do we know where it might be, or who might have access to it, or how it might be disclosed or made available to further third parties over which we have no control?

While I’ve always been concerned about the overall security of cloud services, a particular blog post a few weeks back highlighted how available our cloud data can be. This particular post refers to Microsoft’s hosted email solutions Hotmail & Outlook.com, but this is not just about Microsoft – the same concerns need to be raised with all cloud providers – and rather than reproduce this post, I encourage you to read it plus a number of the links provided.

Regardless of which cloud vendor you use, or are considering, I recommend you read carefully their provisions for security & privacy for your data. Below I’ve provided links to some of the major cloud vendors’ current statements – but do note that these are subject to regular revision.

Google: http://www.google.com/apps/intl/en-GB/trust/data_protection.html

Amazon: https://aws.amazon.com/security/

Azure: http://azure.microsoft.com/en-us/support/legal/privacy-statement/

 


Key points to consider

 

Before you go and put your private, business confidential or client confidential data out there in the Cloud, be sure you understand:

  • Is your organisation subject to any professional or regulatory controls regarding location and access to your data?
  • Is the loss of absolute control of your data worth the potential savings in using Cloud services over in-house systems?
  • How would your clients react knowing that you store their information in the Cloud?

PASR Technologies has been providing SME business owners with a level of service and support that is typically only directly available in very large organisations.
 

My Heart Bleeds

In early April 2014, news of the Heartbleed security vulnerability was announced to the world. This flaw affects the security of supposedly secure SSL (read HTTPS) communications between your browser and your service provider, such as your bank. Specifically, it only impacts services which run on Apache web servers implementing the later releases of the OpenSSL utility application. This flaw allows hackers to read the content of server memory – effectively letting them read the content of your secure-channel communications – everything that you see on the page of your bank’s website.

There are a number of interesting points about this particular flaw:

  • It only impacts those who have ‘done the right thing’ and regularly updated their platforms with the latest software releases – seems staying with older releases would have been the better option.
  • It does not impact Windows/IIS servers providing secured websites – we have been led to believe for a long time that Windows technology is so much more insecure than the open-source LAMP platform (read Linux, Apache, MySQL, PHP) – because ‘so many developers work on open-source code it’s got to be better’ – guess all those posts will need re-writing now.
  • This flaw has existed for over two years – since March 2012 – what happened to all the ‘eyes-on-code’ of the open-source developer community during this period?

While code has now been produced to correct this flaw, the damage may have already been done – how many hackers have known of, and exploited, this flaw in the past two years – without leaving any record of their attack? How much of our secure information exchange has already been compromised? The answer is, we will never know.

What to Do?

If you run secure services on an Apache web server, make sure you check whether you are using a flawed version of OpenSSL and take corrective action as prescribed in many other places.

If you use SSL-secured services – who doesn’t? – make sure you check if your service was compromised. If so, you need to change your passwords for these sites. You may also check any other sites at https://filippo.io/Heartbleed/ – just enter your URL to test.

© 2022 PASR Technologies Pte Ltd
