
Windows in the Sky

Salomé

meh
Joined
Sep 25, 2008
Messages
10,527
MBTI Type
INTP
Enneagram
5w4
Instinctual Variant
sx/sp
this isn't a bad thing whatsoever... it was inevitable.

virtualization is the natural progression of technology, that's undeniable, and this is the logical next step for Microsoft in order to keep up with virtual application powerhouses like Google.

think about it... 15 years ago, the user experience was about 90% local and 10% internet, we have gone far past the point of 50/50 and now the majority of a user's time is spent virtually. considering microsoft built themselves on the local user experience, this is a no brainer.

i really do not think anyone who is not a professional in this field should comment, because if you knew anything you would know this is far more secure. there are not people who manually sift through customer data, that would be too cumbersome, and there are security policies that prevent any one person from accessing and exploiting sensitive data like people have suggested.

microsoft has the money and the expert knowledge to store information safely, unlike a typical PC user, even at the last level of security (physical access). also, considering the current state of the virtual user experience as well as the trend that will continue to carry us further in that direction, it is much safer from a wide-area network standpoint to have customer data stay within a contained private network, separate from the internet by firewalls, with only the information needed to run the client app being sent over the internet (encrypted as it might be)

You are a fool.

There is no security policy that can stop people fucking with your data.

That is all.
 

Grayscale

Well-known member
Joined
Dec 20, 2007
Messages
1,965
MBTI Type
ISTP
You are a fool.

There is no security policy that can stop people fucking with your data.

That is all.

nothing is entirely secure, yes, but what you're saying is nothing new... when was the last time you saw sensitive being exploited internally? there are just too many eyes on it for someone to get away with. and frankly, with your information mixed in with a sea of other customer data, what makes you think anyone gives enough of a shit to steal your information? a lot of your most sensitive data is already in a database, ie financial and identity related information. you think they haven't already considered this possibility? a need-to-know requirement is a basic element of every IT security policy i have seen, and there is very rarely a need for any employee to directly access customer data.

if microsoft didn't do this they would be left in the dust... they are already way behind google in the virtual market.

We have pretty good legislation, but in practice every other week some idiotic civil servant sends unencrypted personal/confidential data through the mail on a dvd - then has a fit when it somehow goes missing. :doh:

this is confidential company data, the stuff employees interact with on a day-to-day basis, not customer data. taking customer data out in such an insecure fashion would be a huge no-no, either their policy or their enforcement of it is worthless. the government would have puppies if something like that happened, just look at how strict the guidelines are for companies that hold common sensitive customer data like credit cards (https://www.pcisecuritystandards.org/)

think about it, when you have thousands to millions of customers, you are never going to directly work with their data, just the infrastructure that does. that's the network, servers, and application code. in fact, the only people who ever really look at something customer-specific is CS, and even then it's usually things like account and payment records, why would they need to look at your files?
 

Salomé

nothing is entirely secure, yes, but what you're saying is nothing new... when was the last time you saw sensitive being exploited internally?
about six months ago, as it happens
there are just too many eyes on it for someone to get away with. and frankly, with your information mixed in with a sea of other customer data, what makes you think anyone gives enough of a shit to steal your information? a lot of your most sensitive data is already in a database, ie financial and identity related information. you think they haven't already considered this possibility? a need-to-know requirement is a basic element of every IT security policy i have seen, and there is very rarely a need for any employee to directly access customer data.
I'm talking about databases, what the hell are you talking about?
And that is bullshit. Have you heard of identity theft? Have you heard about the backlash against offshoring to India because of the massive security holes/corruption?
if microsoft didn't do this they would be left in the dust... they are already way behind google in the virtual market.
And I care about Microsoft's market position why, exactly?
this is confidential company data, the stuff employees interact with on a day-to-day basis, not customer data. taking customer data out in such an insecure fashion would be a huge no-no, either their policy or their enforcement of it is worthless.
Worthless, yes, frequently. It happens.
Of course employees access customer data, why the hell would you gather/store data if you weren't going to access it for operational purposes?!?
think about it, when you have thousands to millions of customers, you are never going to directly work with their data, just the infrastructure that does. that's the network, servers, and application code. in fact, the only people who ever really look at something customer-specific is CS, and even then it's usually things like account and payment records.
You don't know what you are talking about, so stop talking.
 

NoahFence

New member
Joined
Jun 23, 2007
Messages
288
MBTI Type
INTP
I am the network admin here. I control those security policies you speak of, I implement them. I never look at my company's data. But could I, if they pissed me off to the point of going postal?

koolaidman.jpg


Seriously. Any network security officer worth his/her salt could turn your business into the virtual version of a smoking hole in the ground if they turned coat and betrayed you. The question of who watches the watchers is paramount to me.

We currently have five distinct layers of security, various manufacturers and services. No way am I ever recommending we put our eggs in one basket like this, particularly when we have no idea whose hands are actually holding that basket.
 

Salomé

I am the network admin here. I control those security policies you speak of, I implement them. I never look at my company's data. But could I, if they pissed me off to the point of going postal?

koolaidman.jpg


Seriously. Any network security officer worth his/her salt could turn your business into the virtual version of a smoking hole in the ground if they turned coat and betrayed you. The question of who watches the watchers is paramount to me.

We currently have five distinct layers of security, various manufacturers and services. No way am I ever recommending we put our eggs in one basket like this, particularly when we have no idea whose hands are actually holding that basket.

Precisely.
Thank you.
Even with DR sites, it's too big a target.
 

spirilis

Senior Membrane
Joined
Jul 5, 2007
Messages
2,687
MBTI Type
INTP
Enneagram
9w1
Instinctual Variant
sp/sx
lol@ Noah
The visual made it 10x better :D
 

spirilis

Yeah cloud computing is a tad sketchy at best when talking about business operations. I can see a lot of companies falling for it, though. Especially when these cloud computing services tout legal mandates behind their security compliance; CIOs fall for that shit plenty.

What makes far more sense, IMO, is clustered computing in-house. Cue the $$$$$ though...
 

Grayscale

this?

TJX consumer data theft largest in history

information was stolen in transit, ie when transitioning between customer client and the secure portion of the company's network.

Of course employees access customer data, why the hell would you gather/store data if you weren't going to access it for operational purposes?!?

You don't know what you are talking about, so stop talking.

servers and applications access customer data, it would be logistically impossible for any decent sized enterprise to process customer data by hand.

i currently work as an enterprise network architect, i work with things like this on a daily basis... you are? :huh:

I am the network admin here. I control those security policies you speak of, I implement them. I never look at my company's data. But could I, if they pissed me off to the point of going postal?

Seriously. Any network security officer worth his/her salt could turn your business into the virtual version of a smoking hole in the ground if they turned coat and betrayed you. The question of who watches the watchers is paramount to me.

We currently have five distinct layers of security, various manufacturers and services. No way am I ever recommending we put our eggs in one basket like this, particularly when we have no idea whose hands are actually holding that basket.

how big of a company? please explain how GPO management for IT, your own employees and how they access your network and resources is at all the same as accessing sensitive customer databases. for any decent sized companies, you handle this data through queries, not by hand, and most certainly not by IT network admins.

edit: by security policy (singular), i don't mean GPOs, I mean the rules and regulations in place to dictate technology and the employees who work with it in regards to security. it is something that is managed by the CIO and a board, with input from an array of experts.

the closest i've ever heard of when it comes to employees looking at actual customer data is a friend of mine who is a database programmer at a company who parsed provided records for legal litigation. they would run custom queries on a case-by-case basis, but even then they were working with way too much information to care to look at specific files.

the closest analogy i can think of what is being suggested here is if an automobile factory worker got up on the assembly line and started to grab parts off of cars... yeah, someone could probably try and do it, but perhaps you can understand why i raise my eyebrow when people start screaming about employees stealing their data. :dry:

car_robot_production.jpg
 

Salomé

Yeah cloud computing is a tad sketchy at best when talking about business operations. I can see a lot of companies falling for it, though. Especially when these cloud computing services tout legal mandates behind their security compliance; CIOs fall for that shit plenty.

What makes far more sense, IMO, is clustered computing in-house. Cue the $$$$$ though...
Not necessarily. Clusters are the way to go. Scalability. Linux platforms are affordable.
information was stolen in transit, ie when transitioning between customer client and the secure portion of the company's network.
Yes. That happens too.

servers and applications access customer data, it would be logistically impossible for any decent sized enterprise to process customer data by hand.
Who's talking about by hand? :doh:

i currently work as an enterprise network architect, i work with things like this on a daily basis... you are? :huh:
I run my own company. I employ people like you. (Well, not exactly like you).

how big of a company? please explain how GPO management for IT, your own employees and how they access your network and resources is at all the same as accessing sensitive customer databases. for any decent sized companies, you handle this data through queries, not by hand, and most certainly not by IT network admins.
we're talking about security in a public forum and you really expect me to do this?

the closest i've ever heard of when it comes to employees looking at actual customer data is a friend of mine who is a database programmer at a company who parsed provided records for legal litigation. they would run custom queries on a case-by-case basis, but even then they were working with way too much information to care to look at specific files.
See Business Intelligence. (Or any intelligence....)

the closest analogy i can think of what is being suggested here is if an automobile factory worker got up on the assembly line and started to grab parts off of cars... yeah, someone could probably try and do it, but perhaps you can understand why i raise my eyebrow when people start screaming about employees stealing their data. :dry:
Yeah. Because you don't know what you are talking about.
 

Grayscale

i am somewhat in disbelief that an INTP's argument is coming down to "you're wrong!" :thinking:

if you had a technical understanding of how any of this works, you'd be able to tell me how one would go about exploiting this. who, and how, specifically. as someone who does, i can tell you that the shift from local to virtualized processes would reduce security threat from a technical standpoint, and would not pose any additional security threat from employees or any of the like.


please tell me how the sensitive data that will need to be stored virtually is different than any other sensitive data that is already stored by companies. please tell me how moving the process from the user's local machine to an online server cluster would create an additional gap in security. please tell me how the current user experience could ever compare (from a security standpoint) from a single, controlled, encrypted virtual session. hell, give me any reasoning for what you're saying, because myself and many commensurate in large enterprises, as well as vendor experts, see this as a good idea.
 

NoahFence

i am somewhat in disbelief that an INTP's argument is coming down to "you're wrong!" :thinking:

if you had a technical understanding of how any of this works, you'd be able to tell me how one would go about exploiting this. who, and how, specifically. as someone who does, i can tell you that the shift from local to virtualized processes would reduce security threat from a technical standpoint, and would not pose any additional security threat from employees or any of the like.

How about I just blow a huge hole in the firewall and let the hackers figure it out? Again, if I'm the watchdog, who's watching me?

But really that's beside the point. Yes it's sort of doomsdayish, and there's nothing that says a local employee won't go just as postal...but at local you can maybe tell if some situation is brewing. With cloud, you have no clue, there's no oversight within your own company, you're praying that the service provider is on top of things.

On the security level, you're basically consigning physical security to a site you won't ever visit. That's my real issue with it. If I was going to attack a VM, I'd much rather do it at the console than trying to batter my way through from outside. Also, I've met way, WAY too many hired guns who were just plain sloppy...I actually got hired at a job for the sole reason that the consultants they brought in set up their exchange servers with eval copies, and when the trial period ran out, KAFLUSH, bye bye corporate email. With the cloud you're basically talking about having your entire IT department consist of nothing but hired guns.

Speaking of hired guns...most service provider models are flawed in one crucial way: they won't expand without already having more business. But if they need to expand, it's because they have too much for their IT guys to handle already. There are periods in which they are overcommitted, leaving your services exposed to neglect and lack of support.

Here's some enterprise level cons less related to security...my company is smaller, 300 employees, though a fairly extensive setup spanning 8 sites across the eastern seaboard (and texas). Yes I'd still have a job if we went this way, somebody still has to make GPOs like you said, but I'd certainly feel like I was at the mercy of someone else.

1. You're counting on someone else to do your software updates and maintenance. Chances are good they are not even slightly familiar with the software you're using. You ever heard of or tried to update Crane Cost and Care?

2. Dependence on another company not getting bought-out/going under/deciding they'd rather get into platinum mining.

3. Renegotiation of suddenly rising fees becomes a nightmare when faced with the prospect of actually migrating your entire corporate network at once. Please, just...shoot me now?

4. At the mercy of the provider for what is and is not "allowed".

5. Encouraging your users to think "Hey, this internet cafe in Singapore is PERFECT for a quick check of my email".

Ultimately it amounts to outsourcing your entire IT operation. I simply cannot, no way no how, condone that.

That more to your liking, grey?
 

Salomé

We're better thinkers than speakers.

Speak for yourself, man.

if you had a technical understanding of how any of this works, you'd be able to tell me how one would go about exploiting this. who, and how, specifically. as someone who does, i can tell you that the shift from local to virtualized processes would reduce security threat from a technical standpoint, and would not pose any additional security threat from employees or any of the like.

please tell me how the sensitive data that will need to be stored virtually is different than any other sensitive data that is already stored by companies. please tell me how moving the process from the user's local machine to an online server cluster would create an additional gap in security. please tell me how the current user experience could ever compare (from a security standpoint) from a single, controlled, encrypted virtual session. hell, give me any reasoning for what you're saying, because myself and many commensurate in large enterprises, as well as vendor experts, see this as a good idea.
I am bored beyond belief with this thread now. Techies are boring.

I am against centralization on principle. Especially where Microsoft and other monopolistic companies are involved. I'm also against it because it doesn't work. You just don't get the efficiencies of scale with IT projects that you think you will. They are too diverse and things move too quickly. Small and agile is the way to go. The way things have been going - that is why the big boys are trying to wrest back control.

I can't reveal confidential information about security risks on projects I have worked on. But I can tell you that your control decreases and your risks rise exponentially as you engage more and more sub-contractors to manage parts of a project. IT is so complex now that this is unavoidable for all but the largest organisations, but you don't need to go looking for ways to give control away.

For any kind of efficiency, these sites are going to be highly standardised, which immediately compromises your flexibility.

Because Microsoft are such b*stards, everything will be proprietary - they won't support open-source, they will hamstring their customers with an inferior product, just as they have done for years. But this time, you'll have no choice but to upgrade if you still want to access your data.

Then you have the terrorist risk. Centralising all your data in a few highly conspicuous sites is an engraved invitation. And DR NEVER works the way it is supposed to.

Number 1 rule in any system design - no single points of failure.
Why is the Internet designed the way it is? Because the military needed it to be immune to attack. But while the infrastructure may be robust/self-healing, nothing that traverses it can be 100% secure.

As for the data centres themselves, I'm not saying they can't be secure, I'm just saying they won't be, because humans are fallible, greedy and by and large, incompetent. And there are always backdoors if you know where to look.

This post is already unforgivably long and boring so if you want to know about my personal misgivings, PM me.

Also read this.

Reported incidents.
 

Grayscale

I still disagree that this is a bad idea. all the reasons cited did not have exception to the development of physical computing infrastructure. all i see are flaws in application and no real reason why the concept itself is bad... even if cloud computing isn't implemented your transport is already largely virtual, and your data is sitting right next to the WWW on its way from one client to the next within your [virtual] private network.

again, i think it's that people don't grasp the technical theory behind virtualization... because it is security, reliability, efficiency, and flexibility embodied. we know this because we've had virtualization on a smaller scale for years. almost every spectrum of IT has utilized the concept in some way with [unsurprisingly] excellent results. yes, there will be growing pains to apply it to something so widespread... there are lots of reasons that the people in-the-know are so interested in it, skepticism from internet journalists is nothing new and i have yet to hear why the concept is flawed and not individual applications of it.

virtualization in this regard is moving the concept of what a system is to span a cluster, this is a powerful ability and the only inherent security threat it brings lies in any holes in the programming thereof. yes, we no longer have physical boundaries, and there are pros and cons to that, but as usual the downsides can be overcome, it is no different than any new, powerful (and thus potentially dangerous) technology.

How about I just blow a huge hole in the firewall and let the hackers figure it out? Again, if I'm the watchdog, who's watching me?

1) fundamental problem is not related to virtualization 2) exploitations of this fundamental problem through virtualization only provides additional threat due to scale, and yet there are plenty of other examples where scale is drastically increased and this same issue exists without as much concern

Ultimately it amounts to outsourcing your entire IT operation. I simply cannot, no way no how, condone that.

i was just going to say... let's not confuse this with outsourcing. the only thing that is "outsourced" is the infrastructure, the increased efficiency through consolidation allows companies to save money. within your virtual bounds, you still have the same responsibilities.

theoretically, in a perfect world, it would be most efficient to have a single set of hardware running every virtual UI, because this converts all the large-scale data transport to the virtual sphere, resources can be allocated based on need (in a perfect world, anyways, we'd have enough capacity for that) of course the logistical impossibilities of such a single system prevent it, the theory still rings true.
 

Grayscale

Real world IT doesn't run on concepts. Implementation is all.

(I can't believe I'm saying this to an S. :doh:)

present day IT runs on logistics of implementation, sure... after all most companies are not stupid enough to jump onto the latest server OS when it comes out ;) however, moving forward consists of ironing out the logistical flaws of new technologies. so maybe i'm confused, because it seems like you're saying 'do not want', rather than 'do not want now'... it's entirely possible we're not ready for it, that is much more difficult to say.

if i'm misunderstanding you, my apologies. i can understand that from a business management perspective, you would avoid this. i am inclined to look at the technology itself and conclude it is our undeniable future, it's an assumption of mine that companies would know that virtualization is not yet vetted as far as cloud-computing goes and jumping into it head first at this point is probably not a good idea. i have just seen too many good ideas thrown out because of speedbumps in implementation since everyone thinks they have to go back to the drawing board instead of examine the inconsistencies between the idea and the application.
 

ptgatsby

Well-known member
Joined
Apr 24, 2007
Messages
4,476
MBTI Type
ISTP
Technical workers want to maintain control over their corner of the world. News at 11.

At the business level, I see the benefits. And given what I have seen in high level document management systems, I don't see a lot of data risk. I would go as far as to say that virtualising the whole thing would remove many of the transportation risks and add a much more powerful audit trail to the data.

It'll be a long run thing though. We are already doing it more and more, and other issues, like DRM and such are going to push it forward. Companies are outright lousy at maintaining their own security and the public knows it. They also keep it hidden from the public and even the law, until it is exposed through damages. And there is no way to trace back what the issue was, most of the time... etc. But companies are very protective of competitive data. That'll be the major issue.
 