On 7/18/15 8:15 AM, Georgi Guninski wrote:
On Sat, Jul 18, 2015 at 01:39:45PM +0200, Florian Weimer wrote:

Well, for one thing, it removes physical access to machines from
insiders on your end, and in many cases, also direct access to data,
particularly in its bulk form.

With conscious effort and the right resources, you might be able to
come with better security controls than the large service providers,
but right now, most organizations don't have much of an audit trail
for locally run services.  I'm not sure if moving data off premises
actually results in a net loss of control over it.  Note be cause the
service providers are so good at security, but because various factors
conspire to make almost everyone else so bad.

Well, I don't trust the cloud and don't use it.
(I don't trust my boxen in a different way).

The cloud owns the CPU and this is enough for me.

You should be aware of the numerous virtualization
sploits -- Xen, Qemu, possibly others.

Exploiting a virtualization bug is just the fee
"to be in cloud" and I _suspect_ more efforts
are needed for my boxen.

Valid concerns in the abstract.  In practice, the economic concerns of big cloud providers means they must provide continually upgraded certainty of fundamental security separation.  Part of that is randomness of where your code runs: If there are millions of VMs on hundreds of thousands of physical servers, even if there is a VM escape, it is essentially impractical for malware to target your instance.  This could be enhanced by VM / container hopping in various senses.  Working within the system is likely to provide you a stronger result than something cobbled together locally.

However, we need solutions for that too, with and without cloud technology.  We need people who don't trust the cloud and keep developing better alternatives.  I think some of those alternatives involve cloud technology locally, but that's not a big thing.

I have friends who are rabid Google haters / fearmongers, apparently based on the fact that it was the first company they were aware of that seemed to have access and responsibility for too much information, or too much of their information, or too strong an allure for their information.  I feel perfectly confident that Google is going to protect their billions in income and valuation by being very careful with avoiding abusing their data or users in any strong sense.  That might not withstand a court order or national security letter or TLA hack monitoring unencrypted links, although big Silicon Valley companies recently have been getting tougher there.  But it certainly means they aren't "reading my email" for prurient or invasive purposes that would be embarrassing to me: It would become embarrassing to them quickly and cost millions or billions.

sdw