Microsoft announced it is joining The Linux Foundation?

James B. Byrne byrnejb at harte-lyne.ca
Fri Nov 18 20:17:08 UTC 2016


On Fri, November 18, 2016 09:59, Ralf Mardorf wrote:
> On Fri, 18 Nov 2016 14:25:47 +0000, Steve O'Hara-Smith wrote:
>>I won't be buying because I'd rather own the hardware that holds my
>>data but that's my personal preference.
>
> Your company perhaps isn't that huge. I could imagine that for huge
> companies, it's an advantage not to maintain their own server farms
> all over the world, but instead to pay for a company doing it for
> them. This is not my domain, I don't know how secure, or insecure this
> approach is, compared to maintaining internal server farms all over
> the world, but it's easy to imagine that regarding costs and
> maintenance huge companies could have reasons to pay for such a
> service bundle.
>
> However, while
> https://en.wikipedia.org/wiki/Microsoft_Azure#Privacy
> sounds insecure, owning internal server farms could suffer from the
> same issues.
>
> Regards,
> Ralf
>
>


Yes there are obvious advantages. And some not so obvious problems.
For one there is the matter of just where in the cloud is your data.
What country or countries is it in?

We have a wild-west situation at the moment. Few are paying particular
attention to this but ordinary people are getting a mite sensitive to
having their financial, medical and other personal data subject to
unrestrained snooping by governments.  The cloud, in all its myriad
names, is completely, utterly and totally compromised from a data
security standpoint.  And that is by design.

We have been contacted by people that want to host our email, our
telephone system, our fax system, our accounting system, our business
operations system; and all for a fraction of the cost that it takes to
keep this stuff in house.  Of course when asked what they are doing to
prevent unauthorised snooping they all say that their security is
'state-of-the-art'. Which is pretty poor when you consider it.

They also have a rather loose concept of what 'authorised' means. 
From reading their literature and asking some pointed questions it
evidently does not necessarily involve the courts.  It is not even
clear in which jurisdictions your data will reside and whose laws it
will be subject to.  In fact some of these 'contracts' all but say
outright that they are going to farm your data and sell whatever they
can to the highest bidders, however paltry that sum might be.

Data security is really simple when you get down to it. There are
three places where data streams are compromised: point of origin,
point of delivery and medium of exchange.  By far the most difficult
is compromising the medium of exchange.  And yet that is what gets all
the press.  Heartbleed, RSA certificates, 1024 bit vs 2048 bit, MD5
vs. SHA1 vs. SHA2. But compromising the medium of exchange is
expensive and unreliable.  It also requires a lot of people which is
the bane of covert surveillance.  Somebody always talks.

By far the best results are obtained by compromising the origin.  But
that requires overt penetration and compromise of equipment that is
usually physically secured to some degree.  And that is generally
watched over by some party that just might notice strange
transmissions going off-site. Because of its high value product it is
often attempted, but it fails far more often than it succeeds.  And
success is always fleeting.  Eventually somebody on-site twigs and the
result usually takes the form of an iron wall around their data.  Which
is usually the same thing you get after a failed attempt.

Failing compromising the origin or the exchange it is nearly just as
beneficial to compromise the delivery; and generally a lot easier. 
People tend to focus on what they directly control.  Few people worry
over much about how a client stores email messages sent to them,
however sensitive the contents. Off-site data backups frequently prove
a gaping hole in data security. In fact anything kept off-site
frequently becomes a route to compromise the internal security
systems.  Consider Home Depot's experience and Target's.

Putting stuff on the cloud makes compromise of the delivery point a
trivial exercise for anyone with access to the underlying
infrastructure. And that infrastructure is not under the watchful eye
of the people whose data it stores.

If you want your enterprise to be turned into somebody's product and
save a few dollars then the easiest thing to do is turn over all of
your internal processes and data to a third party. However, the money
you save will end up being someone else's, eventually.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


