
Wednesday, 19 November 2014 00:00

Interactive Q&A with Cloud Providers

Things get interesting when you put some of the biggest cloud providers together on stage and essentially give the audience control over which questions get asked. This interactive Q&A had a lot of interesting people on the panel:

  • Eran Feigenbaum, Director of Security, Google Apps
  • Tim Rains, Director, Trustworthy Computing, Microsoft
  • Kay Hooghoudt, Director Business Development Managed Cloud, Atos/Canopy
  • Cory Louie, Trust, Safety & Security, Dropbox
  • David Lenoe, Director, Secure Software Engineering, Adobe

Here is a summary of the (short) Q&A:

Q: What are your opinions about information sharing of user data?

Adobe: Information sharing in a responsible way should be possible.

Dropbox: As a cloud provider, we realize trust is key. Some people also forget that Dropbox itself is a customer of services. We expect the services we use as a customer to respect our desire for privacy; just as we expect this from others, we also commit ourselves to providing privacy to our customers.

Google: Eran shares the idea of Cory but adds that there should be a balance between trust and transparency. There's still a lot to do but the whole model of "don't-use-my-data" is too restrictive at this moment.

Microsoft: Information sharing has been a loaded term since Snowden published the NSA revelations. Let's go back to basics and see what we can do to give the maximum amount of privacy to our users. Furthermore, Microsoft will do everything in its power to make law enforcement respect every letter of the law. They will not share any data unless it is fully backed by law. They will constantly challenge law enforcement to follow the law.

Atos: Shares this general view on trust.

In conclusion: trust is key, and cloud providers have a responsibility.

Q: What are your companies doing to move away from the classic username and password login mechanism?

Microsoft: Our team has set itself the goal of eliminating passwords and is experimenting with identity-based logins. However, Tim stresses that people still need to have the choice.

Google: Google says they have already reduced the number of logins with username and password and moved to a somewhat risk-based mechanism, but with good usability. Eran acknowledges that the username-password mechanism is no longer sufficient: people reuse passwords or use passwords with too little entropy. He also stressed that Google already uses additional mechanisms for alternative login. In addition to lowering the number of prompts for username and password in Gmail, Google also does anomaly checks on the user's operations: which computer is he sending from, how many transactions is the user performing, what is his device fingerprint. This allows Google to scan for anomalies in usage and, if necessary, prompt the user for another authentication factor. Lollipop, the latest release of Android, also has some improvements: it will no longer ask for a password when the device is used in a trusted context. For example: if I am connected to my home Wi-Fi, don't ask for my code but let me bypass my lock screen.

Dropbox: We are trying to solve this problem in an open source way. We are trying to build profiles of the users and leverage a lot of variables.

Adobe: Adobe wants to add that there will always be a struggle between usability and security, and that there's still a lot of work to do in this field.

In conclusion: they all acknowledge that this technology is outdated and that we have to move to new mechanisms for authentication. There is still a lot of work to do.
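The risk-based login checks described in Google's answer above (device fingerprint, source address, operation volume, a step-up prompt for another factor, and a trusted context that skips the prompt) illustrated as an added Python example. This is not code from the post or from any of the providers; every signal name, weight and threshold is an assumption chosen for illustration.

```python
# Added example: a minimal risk-based login decision engine.
# Signals, weights and thresholds are assumptions, not any provider's real policy.
from dataclasses import dataclass, field


@dataclass
class LoginAttempt:
    user: str
    device_fingerprint: str   # hash over browser/OS/device attributes
    ip: str                   # source address of the request
    network: str              # network the client reports being on, e.g. "home-wifi"
    actions_last_hour: int    # operations performed by this session so far


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)
    trusted_networks: set = field(default_factory=set)
    usual_actions_per_hour: int = 10


def risk_score(attempt: LoginAttempt, profile: UserProfile):
    """Combine anomaly signals into a score and a list of reasons (assumed weights)."""
    score, reasons = 0, []
    if attempt.device_fingerprint not in profile.known_devices:
        score += 40; reasons.append("unknown device fingerprint")
    if attempt.ip not in profile.known_ips:
        score += 20; reasons.append("unseen source ip")
    if attempt.actions_last_hour > 5 * profile.usual_actions_per_hour:
        score += 30; reasons.append("operation burst")
    return score, reasons


def decide(attempt: LoginAttempt, profile: UserProfile):
    """Map the score to a challenge level: allow, password, step-up, or block."""
    score, reasons = risk_score(attempt, profile)
    if score == 0 and attempt.network in profile.trusted_networks:
        return "allow", reasons                    # trusted context: skip the prompt
    if score < 40:
        return "password", reasons                 # ordinary login
    if score < 70:
        return "password+second_factor", reasons   # one anomaly: step up
    return "block", reasons                        # several anomalies at once


# Constructed sample profile for a user "alice" (documentation address range)
ALICE = UserProfile({"fp-laptop"}, {"203.0.113.7"}, {"home-wifi"}, 10)
```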

Q: Information sharing on security breaches?

Adobe: We work with trusted groups where we disclose certain security vulnerabilities.

Google & Dropbox: We are more in favour of letting everybody know about vulnerabilities at once.

Microsoft: We have a dedicated webpage for disclosing breaches.

Kevin Walker (in the audience, Vice President, Walmart): This discussion should be obsolete. The customer has the right to know this, information security should be handled better, and as big cloud providers you should seize this unique moment.

In conclusion: there are two main approaches: disclosure within a closed group of trusted people, or letting everybody know at the same time.

Note by the on-site reporter of SaaSificationSecurity, Dario Incalza: Not all questions or answers are written exactly as they were brought up by the discussion members, as I added some personal interpretation, but the overall opinion is the same as I perceived it while attending the Q&A.

@Saasifisecured on Twitter