[aklug] Re: My virtual server on Amazon

From: Richard Moore <dewey.moore@gmail.com>
Date: Mon May 18 2009 - 13:18:34 AKDT

If you read through the new PCI DSS compliance rules on their web site:
https://www.pcisecuritystandards.org/

On Mon, May 18, 2009 at 2:08 PM, William Attwood <wattwood@gmail.com> wrote:

> Do you have a source?
>
>
> On Mon, May 18, 2009 at 3:06 PM, Richard Moore <dewey.moore@gmail.com> wrote:
>
>> Starting in January of 2010, the "cloud" will no longer be PCI DSS
>> compliant.
>> Richard
>>
>> On Mon, May 18, 2009 at 1:23 PM, William Attwood <wattwood@gmail.com>
>> wrote:
>>
>> > Each "Instance" is, in itself, useless for more than processing and
>> > storing temporary files; luckily for us, that's primarily what we need.
>> > EBS, or Elastic Block Storage, is used to store data for a long period
>> > of time. You can format it any way you want, mount it to a single
>> > instance, copy files off, unmount, or even encrypt all data to and from
>> > it (a large waste of cycles if you ask me, of course, depending on the
>> > data).
>> > I enjoy the Cloud; however, I'm not sure where it falls into PCI
>> > Compliance when it comes to storing sensitive details; I suggest you
>> > use the cloud as a processing center, and some physical data center for
>> > your important items, like database storage, backups, and sensitive
>> > data - this way, you control everything behind firewalls and security,
>> > while the "Cloud" may serve up static content or non-sensitive
>> > information.
>> >
>> > I also recommend looking into Rightscale - www.rightscale.com - if
>> > you're in the Cloud.
>> >
>> > --Will
>> >
>> > On Mon, May 18, 2009 at 2:13 PM, Damien Hull <damien@linuxninjas.tv>
>> > wrote:
>> >
>> > > My server doesn't have a password. Not when it starts anyway. The
>> > > details are a bit fuzzy but there is an X.509 cert that goes with the
>> > > server. You need that to boot it.
>> > >
>> > > Even if an admin at Amazon is able to boot the server there's nothing
>> > > there for them to see...
>> > >
>> > > ----- Original Message -----
>> > > From: jonr@destar.net
>> > > To: aklug@aklug.org
>> > > Sent: Monday, May 18, 2009 10:05:26 AM GMT -09:00 Alaska
>> > > Subject: [aklug] Re: My virtual server on Amazon
>> > >
>> > > They would easily be able to log into your VM. They would just change
>> > > the root password.
>> > >
>> > > Jon
>> > >
>> > > Quoting Damien Hull <damien@linuxninjas.tv>:
>> > >
>> > > > Hmm... Never thought of it that way... In any case, no data is
>> > > > stored on the image. Nothing important anyway. When you shut down
>> > > > the virtual server all data is lost. Any data you want to save must
>> > > > be stored on an EBS.
>> > > >
>> > > > If the EBS is encrypted an admin at Amazon won't be able to look at
>> > > > backup data or mount the EBS. Again, it all depends on how paranoid
>> > > > one wants to be. And yes, I know that a running server gives one
>> > > > access to the EBS or all my data... Assuming they have a way to
>> > > > log in to my virtual server...
>> > > >
>> > > >
>> > > > ----- Original Message -----
>> > > > From: "Shane R. Spencer" <shane@bogomip.com>
>> > > > To: "Damien Hull" <damien@linuxninjas.tv>
>> > > > Cc: "Arthur Corliss" <acorliss@nevaeh-linux.org>, aklug@aklug.org
>> > > > Sent: Sunday, May 17, 2009 3:19:27 PM GMT -09:00 Alaska
>> > > > Subject: Re: [aklug] Re: My virtual server on Amazon
>> > > >
>> > > > Your X.509 cert determines your authenticity to start the virtual
>> > > > machine.. but the machine image itself is not encrypted once it's
>> > > > stored @ S3. Not unless they chose to use a crypto loopback device
>> > > > to handle your image. Sounds like a waste of cycles since they end
>> > > > up decrypting it anyways.
>> > > >
>> > > > Also.. Amazon gives you your X.509 cert that you generate using
>> > > > their servers. Authenticated against their trusted master keys. Sigh.
>> > > >
>> > > > I have no idea why the images are even encrypted. Anybody? Other
>> > > > than marketing and false senses of security can anybody tell me why
>> > > > the Amazon encryption methods work and how they protect your data,
>> > > > and from whom? Sure it keeps the stream pretty as it gets uploaded..
>> > > > lower MITM attack rate if it's done that way. That's why I use
>> > > > ssh/scp.
>> > > >
>> > > > Shane
>> > > >
>> > > >
>> > > > Damien Hull wrote:
>> > > >> True... However, so much of what we do is in the cloud. Email and
>> > > >> shopping are good examples. There's encryption for email but people
>> > > >> don't use it. Our credit card info is encrypted during the
>> > > >> transaction process but it's sitting on a server somewhere. That's
>> > > >> how the bad guys get it.
>> > > >>
>> > > >> I think it depends on what kind of data we're talking about. What I
>> > > >> post on my blog doesn't need to be encrypted. Documentation about
>> > > >> server settings is another story. I might want to keep that safe...
>> > > >>
>> > > >> Data security will become a big issue as more and more people use
>> > > >> web based applications. Google Docs is a good example. How safe are
>> > > >> one's docs on Google?
>> > > >>
>> > > >> There's no simple answer. I'll watch what I put in the cloud but
>> > > >> I'm not taking the paranoid approach.
>> > > >>
>> > > >> NOTE
>> > > >> My Ubuntu server image on Amazon is encrypted. It can't be started
>> > > >> without my X.509 cert.
>> > > >>
>> > > >> ----- Original Message -----
>> > > >> From: "Shane R. Spencer" <shane@bogomip.com>
>> > > >> To: "Damien Hull" <damien@linuxninjas.tv>
>> > > >> Cc: "Arthur Corliss" <acorliss@nevaeh-linux.org>, aklug@aklug.org
>> > > >> Sent: Sunday, May 17, 2009 2:29:38 PM GMT -09:00 Alaska
>> > > >> Subject: Re: [aklug] Re: My virtual server on Amazon
>> > > >>
>> > > >> Somebody somewhere has a funny saying about "Better than nothing".
>> > > >>
>> > > >> Just remember that your encryption key is in memory on a box
>> > > >> somewhere that's out of your control.. And cryptsetup needs to be
>> > > >> validated against your package repository before being used.
>> > > >> Virtual server environments are fun because of all the security
>> > > >> problems they impose.
>> > > >>
>> > > >> When storing data to an offsite backup system I always back up the
>> > > >> result of an encrypted block device, file, or stream. Like when
>> > > >> using ecryptfs or encfs, you back up the encrypted directory using
>> > > >> tools like rsync since you'll never be able to decipher the names
>> > > >> using, say, tab completion. You just have to back up the entire
>> > > >> thing.
>> > > >>
>> > > >> When using duplicity you pipe the output of their stream archive
>> > > >> format through GPG running on a local host. This way you control
>> > > >> everything assuming you are in control of your own box.
>> > > >>
>> > > >> Anyways.. it doesn't need to be this tight if the data doesn't
>> > > >> require it. But encryption is next to useless if you're doing the
>> > > >> processing on a virtual machine on top of a host that you have no
>> > > >> control over.
>> > > >>
>> > > >> Shane
>> > > >>
>> > > >> Damien Hull wrote:
>> > > >>> This is true. Couple of things to remember...
>> > > >>> 1. This is all web data...
>> > > >>> 2. No different than a real server in some far off data center
>> > > >>>
>> > > >>> There are exceptions...
>> > > >>> 1. Email
>> > > >>> 2. Groupware applications that allow users to upload files etc...
>> > > >>>
>> > > >>> I'm looking at encrypting my data. That doesn't include /etc...
>> > > >>> Amazon has a service called the "Elastic Block Service" or EBS for
>> > > >>> short. LUKS format for block level data encryption... If the EBS
>> > > >>> block device is mounted my data is wide open. However, snapshots
>> > > >>> would be encrypted...
>> > > >>>
>> > > >>> It's better than nothing...
>> > > >>>
>> > > >>>
>> > > >>> ----- Original Message -----
>> > > >>> From: "Arthur Corliss" <acorliss@nevaeh-linux.org>
>> > > >>> To: "Damien Hull" <damien@linuxninjas.tv>
>> > > >>> Cc: aklug@aklug.org
>> > > >>> Sent: Monday, May 11, 2009 10:12:07 PM GMT -09:00 Alaska
>> > > >>> Subject: Re: [aklug] My virtual server on Amazon
>> > > >>>
>> > > >>> On Mon, 11 May 2009, Damien Hull wrote:
>> > > >>>
>> > > >>>> I think this is the wave of the future. I don't have to worry
>> > > >>>> about hardware... Or fast Internet connections. Very cool!
>> > > >>> :-) It sounds interesting, but remember, all things within reason.
>> > > >>> Remember, now someone other than you has direct access to any
>> > > >>> private data you put on that cloud, whether it be private SSL or
>> > > >>> SSH keys, your shadow file, etc.
>> > > >>>
>> > > >>> Something to think about before you use the same passwords as you
>> > > >>> do on your own systems.
>> > > >>>
>> > > >>> --Arthur Corliss
>> > > >>> Live Free or Die
>> > > >>>
>> > > >>
>> > > >>
>> > > >
>> > > >
>> > > > --
>> > > > Damien Hull
>> > > > Linux Ninja
>> > > > Open Source Assassin
>> > > >
>> > > > http://linuxninjas.tv
>> > > > http://elite.linuxninjas.tv
>> > > > http://www.digital-overload.net
>> > > >
>> > > > ---------
>> > > > To unsubscribe, send email to <aklug-request@aklug.org>
>> > > > with 'unsubscribe' in the message body.
>> > > >
>> > > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> >
>> >
>> > --
>> > Warm regards,
>> > William Attwood
>> > Idea Extraordinaire
>> > wattwood@gmail.com
>> > P. J. O'Rourke <http://www.brainyquote.com/quotes/authors/p/p_j_orourke.html>
>> > - "Never fight an inanimate object."
>> >
>> >
>> >
>> >
>>
>>
>>
>>
>
>
> --
> Warm regards,
> William Attwood
> Idea Extraordinaire
> wattwood@gmail.com
> Fran Lebowitz <http://www.brainyquote.com/quotes/authors/f/fran_lebowitz.html>
> - "If you're going to America, bring your own food."

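The practical point the thread keeps circling back to is that what leaves your box should be the encrypted block device (the raw LUKS container Damien describes), never the opened /dev/mapper device, which is plaintext and looks identical to a backup tool. Below is an added example, written for this page and not code from the thread or any of its posters, that checks the first bytes of a block image before it is shipped offsite: it parses the LUKS1 header (field offsets from the published LUKS1 on-disk format; LUKS2 is recognised by magic and version only), lists the active key slots, and flags an image that is actually an unencrypted ext filesystem. The sample images, the zeroed master-key digest, and the 1000-iteration floor are constructed assumptions for the demo, not values from the page.

```python
"""Check a dd'd block image for a LUKS header before uploading it.

Added example, not from the mailing-list thread. Offsets follow the LUKS1
on-disk format (big-endian integers, 592-byte header, eight 48-byte key
slots at offset 208). The constructed headers below have zero digests and
salts, so they parse like LUKS but are not mountable volumes.
"""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"              # primary header magic (LUKS1 and LUKS2)
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"   # LUKS2 secondary (backup) header magic
LUKS1_HDR_LEN = 592
LUKS_KEY_ENABLED = 0x00AC71F3             # key-slot 'active' marker
LUKS_KEY_DISABLED = 0x0000DEAD
EXT_SUPERBLOCK_OFF = 1024
EXT_MAGIC_OFF = EXT_SUPERBLOCK_OFF + 56   # s_magic, little-endian 0xEF53


def _cstr(b):
    """NUL-terminated ASCII field to str."""
    return b.split(b"\x00", 1)[0].decode("ascii", "replace")


def inspect_luks_header(data):
    """Parse the start of a block image. Returns None if it is not LUKS,
    otherwise a dict with version and, for LUKS1, cipher/mode/hash,
    key size and the list of (slot, pbkdf2_iterations) that are active."""
    if len(data) < 8 or data[:6] not in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        return None
    version = struct.unpack_from(">H", data, 6)[0]
    info = {"version": version}
    if version != 1 or len(data) < LUKS1_HDR_LEN:
        return info  # LUKS2 layout is JSON-based; only the version is reported
    cipher, mode, hashspec, payload_off, key_bytes = struct.unpack_from(
        ">32s32s32sII", data, 8)
    info.update(cipher=_cstr(cipher), mode=_cstr(mode), hash=_cstr(hashspec),
                payload_sectors=payload_off, key_bytes=key_bytes)
    active = []
    for slot in range(8):
        state, iters = struct.unpack_from(">II", data, 208 + slot * 48)
        if state == LUKS_KEY_ENABLED:
            active.append((slot, iters))
    info["active_slots"] = active
    return info


def classify_image(data):
    """'luks' for a container, 'plaintext-ext' for an ext2/3/4 filesystem in
    the clear (the symptom of imaging the opened mapper device), else
    'unknown'. Only 'luks' should ever leave the box."""
    if inspect_luks_header(data) is not None:
        return "luks"
    if (len(data) >= EXT_MAGIC_OFF + 2
            and struct.unpack_from("<H", data, EXT_MAGIC_OFF)[0] == 0xEF53):
        return "plaintext-ext"
    return "unknown"


def weak_slots(hdr, min_iterations=1000):
    """Active key slots whose PBKDF2 iteration count is below a floor.
    The floor is an assumed demo threshold, not a value from the page."""
    return [slot for slot, iters in hdr.get("active_slots", []) if iters < min_iterations]


def build_luks1_header(cipher=b"aes", mode=b"xts-plain64", hashspec=b"sha256",
                       slot_iters=(150000,)):
    """Constructed LUKS1 header for the demo (zero digest/salts, so not a
    usable volume). One active slot per entry in slot_iters."""
    hdr = bytearray(LUKS1_HDR_LEN)
    hdr[:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    struct.pack_into(">32s32s32sII", hdr, 8, cipher, mode, hashspec, 4096, 64)
    struct.pack_into(">I", hdr, 164, 1000)                     # mk-digest-iter
    hdr[168:168 + 36] = b"00000000-0000-0000-0000-000000000000"  # uuid field
    for slot in range(8):
        off = 208 + slot * 48
        if slot < len(slot_iters):
            struct.pack_into(">II", hdr, off, LUKS_KEY_ENABLED, slot_iters[slot])
        else:
            struct.pack_into(">I", hdr, off, LUKS_KEY_DISABLED)
    return bytes(hdr)


def build_plaintext_ext_image():
    """Constructed image of the *opened* device: an ext superblock in the
    clear, which is what you get by imaging /dev/mapper/<name> by mistake."""
    img = bytearray(4096)
    struct.pack_into("<H", img, EXT_MAGIC_OFF, 0xEF53)
    return bytes(img)


if __name__ == "__main__":
    samples = [("raw LUKS device", build_luks1_header(slot_iters=(150000, 500))),
               ("opened mapper device", build_plaintext_ext_image())]
    for name, img in samples:
        verdict = classify_image(img)
        print(f"{name}: {verdict}")
        hdr = inspect_luks_header(img)
        if hdr and hdr["version"] == 1:
            print(f"  {hdr['cipher']}-{hdr['mode']} {hdr['key_bytes'] * 8}-bit, "
                  f"active slots {hdr['active_slots']}, weak {weak_slots(hdr)}")
```

On a real host the input would be the first few KiB of the device you are about to image (for instance `head -c 4096 /dev/xvdf`); a 'plaintext-ext' verdict means the backup would hand the provider your data in the clear, which is exactly the failure Damien notes when the EBS volume is mounted.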
Received on Mon May 18 13:18:45 2009

This archive was generated by hypermail 2.1.8 : Mon May 18 2009 - 13:18:45 AKDT