[aklug] Re: My virtual server on Amazon

Starting in January of 2010, The "cloud" will be no longer PCI DSS
Compliant.
Richard

On Mon, May 18, 2009 at 1:23 PM, William Attwood <wattwood@gmail.com> wrote:

> Each "Instance" is, in itself, useless for more than processing and storing
> temporary files; luckily for us, that's primarily what we need.
> EBS, or Elastic Block Storage, is used to store data for a long period of
> time. You can format it any way you want, mount it to a single instance,
> copy files off, unmount, or even encrypt all data to and from it (a large
> waste of cycles if you ask me, of course, depending on the data).
> I enjoy the Cloud, however, I'm not sure where it falls into PCI Compliance
> when it comes to storing sensitive details; I suggest you use the cloud as
> a
> processing center, and some physical data center for your important items,
> like database storage, backups, and sensitive data - this way, you control
> everything behind firewalls and security, while the "Cloud" may serve up
> static content or non-sensitive information.
>
> I also recommend looking into Rightscale - www.rightscale.com - if you're
> in
> the Cloud.
>
> --Will
>
> On Mon, May 18, 2009 at 2:13 PM, Damien Hull <damien@linuxninjas.tv>
> wrote:
>
> > My server doesn't have a password. Not when it starts anyway. The details
> > are a bit fuzzy but there is an X.509 cert that goes with the server. You
> > need that to boot it.
> >
> > Even if an admin at Amazon is able to boot the server there's nothing
> their
> > for them to see...
> >
> > ----- Original Message -----
> > From: jonr@destar.net
> > To: aklug@aklug.org
> > Sent: Monday, May 18, 2009 10:05:26 AM GMT -09:00 Alaska
> > Subject: [aklug] Re: My virtual server on Amazon
> >
> > They would easily be able to log into your VM. They would just change
> > the root password.
> >
> > Jon
> >
> > Quoting Damien Hull <damien@linuxninjas.tv>:
> >
> > > Hmm... Never thought if it that way... In any case, no data is
> > > stored on the image. nothing important anyway. When you shut down
> > > the virtual server all data is lost. Any data you want to save must
> > > be stored on an EBS.
> > >
> > > If the EBS is encrypted an admin at Amazon won't be able to look at
> > > backup data or mount the EBS. Again, it all depends on how paranoid
> > > one wants to be. And yes, I know that a running server gives one
> > > access to the EBS or all my data... Assuming they have a way to
> > > login to my virtual server...
> > >
> > >
> > > ----- Original Message -----
> > > From: "Shane R. Spencer" <shane@bogomip.com>
> > > To: "Damien Hull" <damien@linuxninjas.tv>
> > > Cc: "Arthur Corliss" <acorliss@nevaeh-linux.org>, aklug@aklug.org
> > > Sent: Sunday, May 17, 2009 3:19:27 PM GMT -09:00 Alaska
> > > Subject: Re: [aklug] Re: My virtual server on Amazon
> > >
> > > Your X.509 cert determines your authenticity to start the virtual
> > > machine.. but the machine image itself is not encrypted once it's
> stored
> > > @ S3. Not unless they chose to use a crypto loopback device to handle
> > > your image. Sounds like a waste of cycles since they end up decrypting
> > > it anyways.
> > >
> > > Also.. Amazon gives you your X.509 cert that you generate using their
> > > servers. Authenticated against their trusted master keys. Sigh.
> > >
> > > I have no idea why the images are even encrypted. Anybody? Other than
> > > marketing and false senses of security can anybody tell me why the
> > > amazon encryption methods work and how they protect your data, and from
> > > who? Sure it keeps the stream pretty as it gets uploaded.. lower MITM
> > > attack rate if it's done that way. That's why I use ssh/scp.
> > >
> > > Shane
> > >
> > >
> > > Damien Hull wrote:
> > >> True... However, so much of what we do is in the cloud. Email and
> > >> shopping are good examples. There's encryption for email but people
> > >> don't use it. Our credit card info is encrypted during the
> > >> transaction process but it's sitting on a server somewhere. That's
> > >> how the bad guys get it.
> > >>
> > >> I think it depends on what kind of data we're talking about. What I
> > >> post on my blog doesn't need to be encrypted. Documentation about
> > >> server settings is another story. I might want to keep that safe...
> > >>
> > >> Data security will be come a big issue as more and more people use
> > >> web based applications. Google docs is a good example. How safe are
> > >> ones doc's on Google?
> > >>
> > >> There's no simple answer. I'll watch what I put in the cloud but
> > >> I'm not taking the paranoid approach.
> > >>
> > >> NOTE
> > >> My Ubuntu server image on Amazon is encrypted. It can't be started
> > >> with out my X.509 cert.
> > >>
> > >> ----- Original Message -----
> > >> From: "Shane R. Spencer" <shane@bogomip.com>
> > >> To: "Damien Hull" <damien@linuxninjas.tv>
> > >> Cc: "Arthur Corliss" <acorliss@nevaeh-linux.org>, aklug@aklug.org
> > >> Sent: Sunday, May 17, 2009 2:29:38 PM GMT -09:00 Alaska
> > >> Subject: Re: [aklug] Re: My virtual server on Amazon
> > >>
> > >> Somebody somewhere has a funny saying about "Better than nothing".
> > >>
> > >> Just remember that your encryption key is in memory on a box somewhere
> > >> that's out of your control.. And cryptsetup needs to be validated
> > >> against your package repository before being used. Virtual server
> > >> environments are fun because of all the security problems they impose.
> > >>
> > >> When storing data to an offsite backup system I always back up the
> > >> result of an encrypted block device, file, or stream. Like when using
> > >> ecryptfs or encfs, you back up the encrypted directory using tools
> like
> > >> rsync since you'll never be able to decypher the names using, say, tab
> > >> completion. You just have to back up the entire thing.
> > >>
> > >> When using duplicity you pipe the output of their stream archive
> format
> > >> through GPG running on a local host. This way you control everything
> > >> assuming you are in control of your own box.
> > >>
> > >> Anyways.. it doesn't need to be this tight if the data doesn't require
> > >> it. But encryption is next to useless if you're doing the processing
> on
> > >> a virtual machine on top of a host that you have no control over.
> > >>
> > >> Shane
> > >>
> > >> Damien Hull wrote:
> > >>> This is true. Couple of things to remember...
> > >>> 1. This is all web data...
> > >>> 2. No different then a real server in some far off data center
> > >>>
> > >>> There are exceptions...
> > >>> 1. Email
> > >>> 2. Groupware applications that allow users to upload files etc...
> > >>>
> > >>> I'm looking at encrypting my data. That doesn't include /etc...
> > >>> Amazon has a service called the "Elastic Bloc Service" or EBS for
> > >>> short. Luks Format for block level data encryption... If the EBS
> > >>> block device is mounted my data is wide open. However, snapshots
> > >>> would be encrypted...
> > >>>
> > >>> It's better then nothing...
> > >>>
> > >>>
> > >>> ----- Original Message -----
> > >>> From: "Arthur Corliss" <acorliss@nevaeh-linux.org>
> > >>> To: "Damien Hull" <damien@linuxninjas.tv>
> > >>> Cc: aklug@aklug.org
> > >>> Sent: Monday, May 11, 2009 10:12:07 PM GMT -09:00 Alaska
> > >>> Subject: Re: [aklug] My virtual server on Amazon
> > >>>
> > >>> On Mon, 11 May 2009, Damien Hull wrote:
> > >>>
> > >>>> I think this is the wave of the future. I don't have to worry
> > >>>> about hardware... Or fast Internet connections. Very cool!
> > >>> :-) It sounds interesting, but remember, all things within reason.
> > >>> Remember, now someone other than you has direct access to any private
> > data
> > >>> you put on that cloud, whether it be private SSL or SSH keys, your
> > shadow
> > >>> file, etc.
> > >>>
> > >>> Something to think about before you use the same passwords as you
> > >>> do on your
> > >>> own systems.
> > >>>
> > >>> --Arthur Corliss
> > >>> Live Free or Die
> > >>>
> > >>
> > >>
> > >
> > >
> > > --
> > > Damien Hull
> > > Linux Ninja
> > > Open Source Assassin
> > >
> > > http://linuxninjas.tv
> > > http://elite.linuxninjas.tv
> > > http://www.digital-overload.net
> > >
> > > ---------
> > > To unsubscribe, send email to <aklug-request@aklug.org>
> > > with 'unsubscribe' in the message body.
> > >
> > >
> >
> >
> >
> >
> > ---------
> > To unsubscribe, send email to <aklug-request@aklug.org>
> > with 'unsubscribe' in the message body.
> >
> >
> > --
> > Damien Hull
> > Linux Ninja
> > Open Source Assassin
> >
> > http://linuxninjas.tv
> > http://elite.linuxninjas.tv
> > http://www.digital-overload.net
> >
> > ---------
> > To unsubscribe, send email to <aklug-request@aklug.org>
> > with 'unsubscribe' in the message body.
> >
> >
>
>
> --
> Warm regards,
> William Attwood
> Idea Extraordinaire
> wattwood@gmail.com
> P. J. O'Rourke<
> http://www.brainyquote.com/quotes/authors/p/p_j_orourke.html>
> - "Never fight an inanimate object."
>
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
>

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Mon May 18 13:06:48 2009