
Comment Re:It's hard to see it being less secure (Score 4, Interesting) 332

As I posted here: http://ask.slashdot.org/comments.pl?sid=2563666&cid=38303250 - I've seen servers at hospitals, local governments, and various other supposedly-secure places (fire stations, airports, etc) in my years as a network security auditor. And I frequently peek under the keyboards in doctors' offices while I'm waiting for them. It's hard to imagine that storing data on someone else's server instead of their own is going to make any substantive difference in their data security posture.

Comment Re:Government action (Score 5, Interesting) 332

Yes, to me this is a much bigger concern than something intrinsically secure/insecure about cloud computing. By entrusting my data to a third-party vendor, I make it one step easier for the government to seize it. With the kinds of legislation that are being debated even this week, I worry that any data I entrust to a vendor might eventually be subpoenaed, and I wouldn't have any recourse.

And hosting that data elsewhere (i.e., outside of my country) doesn't necessarily solve anything.

On the other hand, the benefits of the cloud - a scalability that I can never achieve "at home" - enormously outweigh this concern in most cases. When it comes to confidential data, however, the question becomes much less obvious.

Comment Re:A little telling (Score 5, Informative) 332

What does Source Forge do that is above and beyond the call of duty to protect user information? Have you guys had any data breaches that you haven't disclosed, or fully disclosed? What would you have done differently in hindsight?

When we have attacks and compromises (which have happened in the past), we report on them in detail in the blog. Here's one example: https://sourceforge.net/blog/update-sourceforgenet-attack/

As with any company, these sorts of things have a procedure that we have to follow, and I'm checking with the people along that trail to see what I should say in response. There haven't been any compromises or attacks during my time at SF, so I don't have any personal experience as to how we respond to this, but I've asked some of the guys on our engineering team to help me put together a response to this question.

Comment Possibly better trained than me? (Score 3, Insightful) 332

I would like to believe that when I host a server at Slicehost (oh, yeah, it's Rackspace now) that they have server administrators who are better trained than I am. That they have backup procedures that are better executed than I would do. That they upgrade their hardware more often than I do.

Likewise, if I put my data on a "cloud" service, I am paying for the assurance that they have secured those servers at least as well as I would, in addition to whatever it is that they specialize in (scalability, availability, redundancy, etc). So, in theory at least, that's what's special about it - that they can do a better job at those things, for less money, than I can.

The reality can be less clear cut, and so, as with any vendor selection process, you have to do your homework and find the ones that seem to do a good job.

I think the press has done us all a disservice by making the cloud into, as you say, a mysterious relic with mystical powers. Hopefully those of us actually making these decisions understand what it really means and can be sober about evaluating options.

Comment Is your medical data safe now? (Score 3, Interesting) 332

I used to be a security "expert" (at least according to my business card), but that was long enough ago, and things have changed sufficiently since then, that I no longer make that claim. However, back then, most of our customers happened to be in healthcare in some form or another, and I was appalled, on a daily basis, how insecure their data was. Any high school kid with some tools could completely own their network servers with very little effort. We hired one of those high school kids, and he frequently did.

Furthermore, with a little sweet talking, or looking under keyboards, we got access to all the stuff that he didn't. Granted, this was in the days immediately before HIPAA, and in the first days after HIPAA when people were trying to figure out how to implement the requirements. I naively hope that HIPAA has corrected some of the most glaring of these problems.

It's hard to imagine that putting data "in the cloud", whatever that happens to mean in the particular case under discussion, could be any less secure than where they're already storing your data.

Comment Re:maybe more secure (Score 5, Insightful) 332

Yes, exactly.

Servers "in the cloud" are installed, secured, and maintained by sysadmins like you and me. Some of those sysadmins are good at what they do, and some of them aren't. "The cloud" is not intrinsically secure or insecure, because "the cloud" is not a definable entity, as much as the tech press wants it to be. This is a misnomer perpetrated by the poorly-informed press, and not really something that's based in reality.

Every time we read an article about "the cloud", it's useful to take a moment to consider what it actually means in that particular scenario.

Although "the cloud" means "I don't care where my servers are", there are in fact actual servers somewhere, and there's an actual person or team of persons responsible for maintaining that server or servers, and they are either good at their job, or they aren't. Talking about "the cloud" as though it's one homogeneous mush of data is nonsense, and leads to all sorts of false conclusions.
