Tag Archive for 'Cloud Security'

Solving security, availability and performance issues in the Cloud

By Olafur Ingthorsson on October 20, 2011 in Cloud Computing and Cloud Security. 0 Comments

By Bob Shaw, President and CEO, Net Optics, Inc.

Given its rapid adoption, virtualization can potentially benefit billions—or serve as a vector for calamity. Even as it opens new avenues of productivity, cost-savings, and environmental relief, virtualization alters a company’s infrastructure profoundly, testing its ability to monitor and manage the new environment. Virtualization is enabling the global evolution to Cloud computing, but along with that comes the challenge of securing applications and data in that Cloud.

Courtesy of Μøỳαл_Bгεлл (Flickr)

The outsourced nature of the Cloud means that companies must surrender a large measure of control. Near-infinite elasticity and automated resource maximization also overwhelm previous management approaches. In years past, monitoring and access required physical proximity to the instrumentation layer, with the result that networks and data centers were designed for static, physical devices, not mobile virtual ones. Firewalls and tools were inserted into the aggregation layer, with nearby physical servers in the same security zone.

Now, server virtualization and the mobility of VMs make sending raw traffic to the instrumentation layer more of a problem. A virtualized environment also calls for sophisticated capabilities such as load balancing to make sure that the instrumentation layer performs at peak efficiency. Effective virtual monitoring access must enable:

  • Swift detection and resolution of power and equipment failure
  • Management of complex device implementations
  • Enforcement of security policies
  • Smooth, secure onboarding of new users
  • Efficient rack space utilization
  • Streamlined consolidation
  • Cost-efficient monitoring of distributed sites
  • Quick response to intrusion or attack
  • Securing of performance data for planning and compliance

At Net Optics, we design and manufacture intelligent access and monitoring architecture solutions to protect and manage business-critical traffic in the virtual environment. These provide real-time, end-to-end traffic visibility, monitoring and control to virtualized data centers, cloud computing networks, and remote offices.  The importance of total visibility cannot be overstated. In order to perform vital inspection, analysis and compliance activities, traffic must be visible to network-based security devices such as firewalls and IPSs. Our goal is to surpass physical hardware in security, compliance and performance monitoring.

Complementing the hypervisor-specific Phantom Virtual Tap in the enterprise-grade environment, Phantom HD aggregates virtual traffic of interest from across the cloud infrastructure—moving from server to server, location to location and even from continent to continent. The appliance is architected to overcome barriers to traffic mobility across locations, devices and providers for total inspection anywhere, extending monitoring and access across LAN / WAN / Cloud infrastructures and inter-VM traffic. At 10GB wire speed, Phantom HD enables aggregation of up to 250 Phantom Virtual Taps or other vendor devices.

Phantom HD eliminates the need for a physical, wired connection between the monitoring and access layers and the instrumentation layer. Phantom HD resolves the proximity paradigm, bridging virtual traffic to physical monitoring tools with no need for SPAN Ports on Virtual Switch or Promiscuous Mode.

Along with expanding total visibility into the virtual network, Phantom HD terminates and de-capsulates tunnels transporting traffic of interest out of virtual networks to the instrumentation layer. It encapsulates raw traffic of interest that needs to be transported to a remote location for inspection or storage. Phantom HD™ high-throughput appliance allows switching layer and instrumentation layer devices such as high-end routers to perform the sophisticated functions they were designed for—rather than being wastefully employed on routine GRE de-capsulation tasks. This helps customers gain the full benefit of their investment in these expensive products. As with all our virtual solutions, Phantom HD is engineered to defer or eliminate investment in costly new virtual tools, holding down CAPEX, training and operations costs.

 

Virtualization and consolidation demand ever-higher levels of network integrity because in a virtual landscape, applications and administrative functions share common resources. The shock waves of a failed, hacked or mismanaged element can now travel outward to affect countless applications and users. Only with total visibility to monitor both the physical and virtual arenas can a company realize virtualization’s many benefits.

Tags: , .

Cloud Security Growing Up

By Olafur Ingthorsson on October 3, 2011 in Cloud Computing and Cloud Security. 0 Comments

By Geoff Webb, Director of Product Marketing at Credant Technologies

Whenever the subject of cloud computing comes up there are two facts that seem to dominate the conversation.  The first is that enterprises and small business would desperately like to make greater use of the explosion in new cloud services and offerings.  However the discussion will usually rapidly turn to the fact that the potential of the cloud remains out of reach for many business uses.  The reason?  Security.

By Kevin Steinhardt (Flickr)

Concerns over the security of information in cloud infrastructures, especially public cloud infrastructures, continues to stifle adoption of cloud services and shackles many organizations to traditional approaches to providing business IT services.

Fundamentally, the concerns over cloud security fall into two broad buckets: concerns over availability, and concerns over confidentiality.  And it’s not hard to see why businesses are afraid to plunge into the cloud.

In March 2011 a prolonged period of interruption to Amazon’s Elastic Block Storage (part of the AWS offering) caused a large number of websites to go suddenly, and painfully, dark.  While the problem was nothing more sinister than a simple administrator error, it did cause many to rethink the assumption that “cloud” implied “always on.”

While the need to protect against service interruption is worrying, the solution is at least reasonably well understood — not relying on a single service or service provider.  Even during Amazon’s rather infamous March outage, those organizations that had planned ahead for such an eventuality suffered far less than those who had not.

Keeping information in the cloud confidential is a more difficult proposition.   In June 2011, cloud storage provider Dropbox also suffered a simple administrative error.  But rather than rendering systems unavailable, it had quite the opposite effect.  For a period of four hours *everything* was available.  Access to Dropbox storage accounts suddenly and unfortunately, no longer required the correct password.  While Dropbox quickly remedied the problem, the fact that it happened at all underscored the concern that businesses already felt about storing information in the cloud.  Specifically, who’s watching the security on this stuff and who has access to it?

So are these concerns justified?  Well, probably.  While service providers like Amazon and Dropbox clearly provide great value, and rarely make mistakes that cause problems, such mistakes are inevitable in the long run.  And as more and more data moves out into the cloud, so the impact of mistakes, failed security controls, lax hiring procedures, or disgruntled insiders will continue to affect more and more customers.

Yet none of these are new to businesses, and with good planning, such problems can be overcome or, at least, minimized.  And therein lies the rub, because it is the difficulty of planning for such events that causes such concern.  The integration of cloud and traditional security practices is not a simple one.  Technical, as well as process, hand-offs are often unclear to both provider and customer alike, and this complexity introduces opportunities for both accidental and malicious attack that are new to many organizations.

 

However, what if rather than being the source of security concerns, the cloud could also offer a solution too?  In September the Cloud Security Alliance released their first whitepaper defining Security as a Service, offered through the cloud.

The idea behind the paper is to start to define the various security services that could be offered as cloud-hosted products, including such areas as encryption, security information and event management, email security and so on.

What we are seeing, then, is an emerging and maturing element to cloud security, and it opens up some interesting possibilities.

For example, by creating security services specifically hosted in the cloud, confusion over who has responsibility may be reduced, as new vendors emerge to essentially ‘own’ many of the cloud-specific problems.  This approach of delivering security services through the cloud also offers up the prospect of broadening the types of security technologies available to small and medium businesses who may have been unable to afford them in the past, or to help larger organizations reduce their IT security spend without impacting overall security capabilities.

Finally, it may allow businesses to more clearly and cleanly ensure segregation of duties between the cloud service provider (for example, a storage provider) and the security functions, which could now be delivered through a specialized third party.

 

It’s now clear that the cloud computing is evolving and maturing fast.  While the cloud definitely causes IT security and compliance organizations considerable headaches, the possibility exists that cloud-specific security services may actually benefit everyone in the long run.  Most importantly, they may enable organizations of all kinds to safely, and securely, move more fully into the cloud.

Tags: , .

Business Intelligence in the Cloud

By Olafur Ingthorsson on September 20, 2011 in Cloud Computing. 0 Comments
By Chris Hagans, VP Operations of WCI Consulting
Cloud computing has been opening many doors across all industries, and it’s having a new, profound effect on the business intelligence (BI) industry as well.
BI helps companies analyze data and turn it into valuable business information. As more data and applications migrate into the cloud, numerous new data sources are being created. BI providers are adapting their tools to this new reality, and successful companies must now evaluate and act upon this opportunity.
However, as with any new technology form, both pros and cons exist. Below are a few benefits and challenges that companies may experience when considering and deploying cloud-based BI solutions.
Benefits
– Scalability – Cloud-based or software-as-a-service (SaaS) solutions can be easily fit to companies of all shapes and sizes. This allows even the smallest businesses the ability to tailor a BI system to fit their needs and improve their businesses.
– Easy of Entry – Traditional site-licensed software included a lot of upfront IT costs to get the system up and running. But with a cloud-based BI solution, that upfront cost is reduced because all hardware and software systems are located and managed remotely by vendors and service providers.
– Cost – Cloud-based systems also allow companies to “rent” the software as opposed to buying a full license. This subscription-based approach can ensure that companies only pay for their organization’s usage.
Challenges
– Security – For many businesses, a lot of questions and concern still remain about the physical, network and external security of cloud computing platforms.
– Emerging Technology – Cloud computing is still a newer segment, and companies will have to expect and adjust to unforeseen and unexpected glitches as the web-based platform matures.
– Data Movement – Companies will also have to rely on data movement outside of their “four walls.” In contrast to an in-house system where connection time and access is typically reliable, cloud-based products depend on multiple systems (i.e. a vendor’s servers, ISP uptime, etc.) to complete day-to-day BI tasks.


		


		

			
						

				Tags: , .			

			
					

	



	

		

			

				Regulations a Barrier to Cloud Growth in Europe
			


			
						

				By Olafur Ingthorsson on September 6, 2011 in Cloud Computing and Cloud Security. 0 Comments			
 
			
					


		

						
Europe needs to become not only cloud-friendly but “cloud-active” to fully realize the benefits of cloud computing. That’s the view of  ETNO (The European Telecommunications Network Operator‘s Association) in a recently-issued paper on cloud computing development in Europe, which emphasized the importance of relieving obstacles surrounding data privacy and security.


Courtesy of Alexander Kirk (Flickr)


Fragmented regulations are a particular problem in Europe, where sometimes restrictive legislation of the EU and individual Member States has stifled the development of cloud computing services. ETNO reiterates that rules governing data transfer should be simplified, especially if the transfer is within the same group of companies. Furthermore, ETNO concludes that there is no need for applying specific regulatory or legislative action on cloud computing in Europe. It should suffice to apply general rules of data protection and consumer protection to cloud computing – as with other sectors of industry.


Unified Standard Needed

What will be most beneficial for cloud computing development in Europe is the creation of an international standard based on a unified and consistent approach to online privacy, enabling companies to compete on the same level as US market leaders, the ETNO says. Such a global framework would give providers equal foundation for offering cloud services and the same level of protection for all cloud users.


Unfortunately for the EU, regulations are currently fragmented between the 27 EU Member States when it comes to consumer contracts – increasing compliance costs significantly for service providers that want to offer cross-border cloud services.


Contractual agreements are imperative


ETNO makes a clear distinction of cloud services for companies/organizations and for individuals, and points to the importance of service contracts between service providers and companies always clearly including clauses that specify the applicable law and jurisdiction in the event that any disputes or controversies arise between the parties. This is very important, as the jurisdiction of the service provider often coincides with the location of the end-user, i.e. where the service is provisioned. However, national consumer laws should normally apply when it comes to cloud services for individuals.


Cloud federation addresses interoperability and portability issues


One of the problems intrinsically linked to cloud computing service provisioning may be the complex value-chain of multiple entities or service providers that may be subject to divergent jurisdiction and regulations. These interlinked value-chains must then apply to certain contractual rules and agreements that are homogeneous and transparent to the end-user.


Also, ETNO acknowledges the potential lock-in situation end-users can experience, not being able to easily transfer their service from one service provider to another. The way to address the portability and interoperability problem is to deploy the “federation model,” where end-users establish a business relationship with a “home” cloud provider or broker and obtain the requested cloud resources they need online – regardless of who the seller might be.


This is similar to well-known models from the travel industry including online services like Expedia and Orbitz that offer a single interface to multiple source service providers (flights, hotels, car rentals, etc.).  At the same time, it’s important to understand that the federation model may not always be feasible due to additional costs incurred.


		


		

			
						

				Tags: , .			

			
					

	



	

		

			

				9 reasons why VPNs are the next big IT trend
			


			
						

				By Olafur Ingthorsson on August 23, 2011 in Cloud Computing and Cloud Security. 0 Comments			
 
			
					


		

						
A guest article by Paul Rudo, editor at Enterprise Features


Virtual Private Networks act as a secure tunnel that safely connects the user to a remote network across a public network.


    

  • Thanks to VPNs and the abundance of cheap Internet bandwidth, companies no longer have to lease dedicated lines to connect 2 remote locations. Instead, they can establish a secure encrypted channel which can safely transfer data between both locations across the Internet.
    • 

  • Another common use for VPNs would be for laptop users who want to connect to corporate systems from remote networks. These can include coffee shops, airports, hotels and other places where network security might not be the most reliable. In order to gain secure access to servers on the internal network, these employees will need to install VPNs onto their laptops.
    • 



Courtesy of Mr_Tommy (Flickr)


VPNs are not a new technology. But I strongly believe that this security tool is still very under-used, and that we should soon expect to see a boom in the use of Virtual Private Networks by both companies and individuals alike.


Internet-Enabled Devices


We’re now seeing an abundance of cheap computers embedded into everyday appliances. Everything from refrigerators, to security cameras, to electric meters, to tennis shoes. Anything you can think of has already been turned into a Wi-Fi capable computer.


And when you have an explosive growth in computing devices, you’ll also have an explosive growth in the number of potential attacks. Because of their homogeneity, these electronic “appliances” can be attacked in bulk, and used to perform attacks on other systems.


Who knows? In the future, a hacker might break into your toaster and use it to sniff your traffic.


Free Wi-Fi


Today, it seems like every bus stop, coffee shop, hotel, shopping mall, and school is providing its visitors with free wireless Internet access. Now that Wi-Fi enabled portable devices are so common, these free wireless networks are a cheap way to attract customers and enhance the overall shopping experience.


Of course, these wireless networks are usually managed by minimum-wage employees with no network security experience, and they are also a hot target for hackers. In fact, it’s common for hackers to set up their own publicly accessible Wi-Fi hotspots so that they can steal sensitive information by setting up “Man-In-The-Middle” exploits.


Government Spying


Thanks to laws like the Patriot Act, we can no longer depend on the government to protect our right to privacy. In fact, most police officers will tell you that privacy is dead. There’s even currently a lot of debate over whether or not encryption keys and passwords are protected under the 5th amendment.


The current stance of law enforcement is: “If you don’t have anything to hide, then you won’t mind if we snoop around. And don’t videotape the police.”


Since you can’t trust the government to protect your privacy, you have to take extra steps to protect yourself.


Wireless Is The Default


These days, it’s rare to see a home with wired Internet. Almost everyone relies primarily on wireless routers to distribute connectivity throughout their households and offices. Of course, these home routers are rarely secured using adequate precautions. So “war driving” has become a hot trend within the hacking community in recent years. Even within your own home, you need to encrypt all of your online activities.


Mobile Computing


Today, it’s common for most people to work on at least 2 or 3 different computers as part of their daily routine. They’ll work on their laptop at home, they’ll use a tablet when on the road, and they’ll work on their office PC when at work. And often, these various computers will all be accessing the same resources. It’s absolutely vital that all devices – including mobile devices, laptops and desktops – be secured while sending data over the Internet. A breach on your home laptop could potentially affect you when you get to your workplace desktop machine.


The Cloud


Thanks to SaaS and IaaS, the internal office network is quickly becoming a dying animal. Soon, the Internet will be the primary network for nearly every small company. Enterprise systems will be hosted on remote cloud servers, and employees will work from Software-as-a-Service applications. This means that network security will become much more difficult and much more important.


Censorship


Online censorship is no longer just the domain of authoritarian countries like China and Saudi Arabia. Today, even westernized countries like Australia and the United States are beginning to restrict access to web content. And countries like Canada and the United Kingdom are also enacting gag orders which prevent publishers from discussing certain topics.


This kind of censorship becomes especially important in today’s global business environment, where companies will often have employees spread out across many different countries. In order to ensure that they all have consisted access to corporate resources, their network traffic must be re-routed to a location that guarantees them the appropriate Internet access.


Imagine sending one of your sales reps to China for an important sales meeting, only to have them locked out of the CRM system because of their location!


Easier Access To Hacking Tools


Today, it’s extremely easy for teenagers with virtually no network security experience to perform sophisticated hacking attacks. Today’s hacking tools are designed to be simple and easy-to-use, which is a major reason why we’re seeing so many new attacks by online vandals and political activists.


Anonymity


These days, everything you do online leaves a digital footprint about your past. And once you put something on the Internet, it’s very difficult to take it off. Many would say that removing content from the web is like trying to remove milk from your coffee.


By routing your traffic through an alternate path, you add an extra layer of your protection to your anonymity. This will become even more important as sites like Google and Facebook become even smarter when it comes to sucking out every detail of your private life.


		


		

			
						

				Tags: , .			

			
					

	



	

		

			

				Enduring Lighting Strikes and Service Outages in the Cloud
			


			
						

				By Olafur Ingthorsson on August 21, 2011 in Cloud Computing and Cloud Security. 1 Comment			
 
			
					


		

						
A guest article by Arjan de Jong, Marketing Manager at Jitscale


In early August, a lightning strike at a transformer owned by one of Amazon’s power suppliers caused a major failure in Amazon Web Services’ European cloud. The power outage affected, among others, the Elastic Compute Cloud (ECS) and Rational Database Service (RDS) cloud services.


According to the Amazon Web Services status page, a transformer from an energy supplier for one of the availability zones (EU-WEST-1 region) in Dublin was struck by lightning. An availability zone is a set of hardware that supports cloud services and that functions independently of other zones. According to the site, the cloud services were weakened by the impact. Since the cloud services are composed of complex software components, Amazon had to assign more hardware to restore its cloud services after the power had been restored.


Courtesy of Brilhasti1 (Flickr)


This is the type of event that causes some businesses to doubt the benefits of cloud computing and to believe that it is not a safe or reliable method of hosting data. While these doubts are understandable, the fact is there are a variety of techniques a cloud computing company can apply to mitigate disruption caused by weather events and resulting power outages.


One option, depending on a client’s business requirements, is for the cloud provider to distribute its servers over multiple availability zones (AZ). This redundancy provides excellent protection from localized emergencies such as a lightning strike, power surge or other severe weather related events.


For other customers, monitoring and frequent back ups can mitigate problems when incidents occur. With careful monitoring, engineers will be informed immediately when servers are unreachable. Then, using snapshots of all servers taken on an hourly basis, it is possible to boot the relevant servers in AZ’s that are available.


Several physical redundancies can also help to mitigate problems. These include redundant power supplies and backup generators that are tested to assure they will kick on when the power fails-unlike Amazon’s generators in Dublin. Using redundant Internet connections running simultaneously provides a backup if one provider fails or is performing poorly. Redundant hardware, such as multiple hard drives and other components, can be arranged so that if one fails, another immediately and seamlessly take its place.


		


		

			
						

				Tags: , .			

			
					

	



	

		

			

				The growth of cloud computing in India
			


			
						

				By Olafur Ingthorsson on August 1, 2011 in Cloud Computing and Cloud Security. 1 Comment			
 
			
					


		

						
As many of my blog visitors come from India, I thought it was interesting to put together a short post about the status of cloud computing in India. It is a common consensus that India will play a important role in the growth of cloud computing in the coming years. This is not at all surprising as the cloud will enable much more companies, not least SMEs, to enter the market quicker and more easily as well as benefit economically. And few countries, if any, are producing more SMEs than India, including IT and technology companies, although several challenges still exist – like lack of Internet access and stable electricity in some areas.


Courtesy of Rachel in Wonderland (Flickr)


Cloud computing growing fast in India


According to IDC, India is facing an information explosion with digital data growing from 40.000 petabytes in 2010 to 2.3-million petabytes in 2020 – with the cloud in the middle as Indian companies look for leveraging cost advantages.


As a testament to this development, several research analysts have published predictions on the cloud growth in India:


According to a Gartner survey, Indian companies expect to adopt new cloud services in 2011 much faster than originally anticipated, with two-thirds of CIOs expecting the majority of IT to be running in the cloud within the next four years.


In earlier news, IDC reported that the Indian cloud computing market would grow at a CAGR of 40 percent by 2014, and to become a $3 billion dollar market by 2015.


A study for EMC, conducted by Zinnov Management Consulting, finds that private cloud in India will deliver up to 50% saving to Indian enterprises creating in the process 100,000 additional jobs by 2015.


Furthermore, the CEO of Zinnov claims that cloud computing will reshape the Indian IT market by generating new opportunities for IT vendors and driving changes in traditional IT offerings.


Cloud providers are preparing


However, not only research analysts are forecasting an impressive future for cloud computing in India, several large US companies like Google and Symantec are already taking aggressive steps in leveraging the Indian market. Few big names which recently joined the Google cloud are Indian Youth Congress, Indiamart and Punj Lloyd - a large engineering and design company.


Likewise, Symantec expects that within a year cloud computing will be blooming in India, although many Indian executives have listed concerns over security issues in the cloud. To address this concern, Symantec is interested in providing cloud-based security solutions specifically targeted at Indian businesses.


It is going to be very interesting to monitor the growth of cloud computing in India in the coming months and years. Undoubtedly, will both hear of a number of US companies making large investments in the Indian market as well as seeing some Indian firms become powerful global cloud providers.


		


		

			
						

				Tags: , .			

			
					

	



	

		

			

				Users happy with UK cloud providers
			


			
						

				By Olafur Ingthorsson on July 25, 2011 in Cloud Computing and Cloud Security. 0 Comments			
 
			
					


		

						
According to a new survey from the Cloud Industry Forum of 450 organizations in the UK, almost half (48 percent) are already using cloud computing in some shape or form.


The survey showed high levels of satisfaction with cloud service providers, but lingering confusion about business interruption issues and the consequences of downtime.


Courtesy of Edwård (Flickr)


The Cloud Becomes Mainstream


The survey suggests that cloud services are no longer a buzzword, but already in widespread practice. Not surprisingly, the private sector is leading the way, with far higher uptake of cloud services than seen with their public sector counterparts. Medium to large companies are at the forefront of cloud adoption, as opposed to the small businesses with less than 20 employees or the public sector.


The survey findings also show that the decision to migrate to the cloud is now predominantly made by the head of IT, rather than CEOs or managing directors (MDs). In smaller companies without IT departments, the decision is mostly taken by the MD or owner.


Cloud services are maturing


An overwhelming majority of respondents (94 percent) is satisfied with the use of cloud services and happy with the results of their use of the cloud. This definitely indicates that the market is maturing and service providers are successfully offering cloud services that are meeting customer expectations. Only a few mid- to large-scale enterprises mentioned difficulties with the migration to the cloud, which should not come as a surprise.


Increasing cloud adoption rates


Similarly, the majority of respondents expect their use of cloud services to increase significantly in the next 12 months, especially with email services, data back-up and data storage services. Also, one-third of those not currently employing cloud services claimed that they anticipated adopting them in the next year, and almost two-thirds believe that their companies will eventually employ cloud services.


Data security and location


Not surprisingly, many respondents claim that they are reluctant to move sensitive data to the cloud, especially employee information, account/financial data. Data security and data privacy were cited as the number one concern.


Also, the physical location of data and jurisdiction was another area of concern for cloud users, preferring to have the data stored in the UK or EU. This development is interesting as it reflects natural concerns driven by regulation and that national law provides a higher level of comfort to cloud users. Enterprise users clearly want to know where their data is stored in the cloud at all times and be aware of the legislation of the particular jurisdiction where the data resides.


However, as a sign of immaturity of the cloud market, only about half of respondents employing cloud services negotiated the legal terms of their contract with their cloud service provider (CSP), with larger organizations more likely to do so. Furthermore, the study reveals that users are in the dark over questions of liability, indemnity, insurance and ownership of content in the cloud. Some uncertainty also exists about the issue of business continuity and risk management. Forty-three percent claimed that their insurance covered business interruption from a disaster at the CSP’s data center or a data leak. Two-thirds believed this should be covered by the CSP – indicating an uncertainty of responsibility and accountability. Certainly this reflects the importance of establishing a wider insurance industry and best practices guidelines.


Flexibility is the primary driver


When it comes to the primary driver of cloud adoption the overwhelming reason is flexibility, according to 53 percent of respondents. Interestingly, cost savings were cited by only 16 percent as the primary driver for initial cloud adoption – a contradiction with the emphasis that cloud service providers have put on cost savings as the primary selling proposition. It seems that the cloud is affording businesses large and small, public and private, the flexibility they need to adapt to the ever changing business environment.


		


		

			
						

				Tags: , .			

			
					

	



	

		

			

				Highlights From CloudSlam 2011
			


			
						

				By Olafur Ingthorsson on May 5, 2011 in Cloud Computing, Private cloud computing and Public cloud computing. 0 Comments			
 
			
					


		

						
The third edition of CloudSlam, a virtual annual conference about cloud computing presented by CloudCor, was held from April 18 to 22. The conference provided a fresh outlook on cloud computing, covering all the latest trends and innovations in the space. Since the first event in 2009, CloudSlam has been growing in prominence with partners like Microsoft, CA, Rackspace, AMD and many more endorsing the conference.


The conference hosted many innovative demonstrations and interesting presentations (delivered via WebEx hosted portals) from a variety of cloud players. Some interesting examples include:


    

  • Verizon demonstrated some of the world-class public and private cloud capabilities that are helping driving “Everything-as-a-Service” global cloud strategy to deliver content to users virtually anywhere, anytime, on any device.
    • 

  • Intel delivered a headline keynote address titled “Vision to Action – Cloud 2015″ that discussed the key challenges facing IT as it evolves to the cloud. The speaker also explained how open, interoperable and standards-based solutions enable IT managers to realize greater benefits of cloud computing.
    • 

  • Fujitsu presented a vision of an “intelligent society” that describes how people and technology can be brought together to enhance the quality of life – on a wide scale. People today are entering a different era, where almost everything can be put on a network. New services are being created, such as cloud computing, sensor technology, and mobile services. It is an era in which people can greatly benefit from IT and the important role that technology plays in lives.
    • 

  • PwC shared insight into how companies can achieve business transformation by leveraging cloud technologies while maintaining strong controls over security.
    • 

  • ServiceMesh CEO Eric Pulier delivered a keynote titled “Primal Fear: Enterprise Cloud transformation and the Fight or Flight Reflex,” which addressed common enterprise cloud adoption pitfalls and challenges that await IT and business leaders, along with practical strategies to overcome these hurdles and navigate risk.
    • 

  • Steve Taylor, CTO of OpenMake Software, discussed how Cloud technology can be leveraged to improve DevOps, particularly in the area of software builds and release. According to Steve, cloud technology is becoming increasingly important in the area of DevOps, exaplaining that cloud technology has become very important in the management of build servers and development machines.
    • 



All-in-all, the CloudSlam 2011 virtual conference gave a very comprehensive overview of the latest cloud trends, bringing together many of the largest and most influential players in the cloud ecosystem. For those that missed the conference, the conference proceedings, sessions audio-visual recordings and slide decks, can be purchased (in May 2011) from the CloudSlam homepage.


 


		


		

			
						

				Tags: , , , .			

			
					

	



	

		

			

				Protecting data in the cloud
			


			
						

				By Olafur Ingthorsson on January 10, 2011 in Cloud Computing and Cloud Security. 1 Comment			
 
			
					


		

						
(Written by Danny Lieberman, www.software.co.il)


Several factors combine to make data security in the cloud a challenge.




Web applications have fundamental vulnerabilities. HTTP is the cloud protocol of choice for everything from file backup in the cloud to Sales force management in the cloud. HTTP and HTML evolved from a protocol for static file delivery to a protocol for 2 way applications – a purpose for which they  were never designed; let’s examine some of the data security issues with the current rich content Web 2.0 model:


1. The multiple layers at the server side from db server to Web server or App server are vulnerable to attack since the Web application passes messages to the data tier through several interfaces in order to execute SQL.  The interfaces are vulnerable, in particular to SQL injection


2. HTTP is a stateless protocol. As a result, the simplest kind of Ajax application generates dozens of http transactions between the client and the server. The simplest autocomplete floods the pipe with Ajax transactions.  If you have ever put a sniffer like Wireshark on the line you will see this.  The rich interactivity on the client with Ajax generates a huge, disproportionate amount of traffic and a high price tag for simple operations.   For example – in a tcp socket-socket link, if you want to know if there are new mail messages, no polling is required and the message length is just a few bytes. This is primarily a latency and load issue on the cloud computing infrastructure but also creates additional difficulties in detecting data loss and opens the door for network-based attacks such as a slow POST DDOS attack.


3. Passing messages between remote process (client and server) inside the query string is patently a bad idea that is not remedied by using https (although if you pass privacy data in a query string you must use https). It is a bad idea because it is fragile (may break on software changes) and vulnerable to any number of software bugs and exploits from buffer overflow to sql injection to simple query hacking.  To get a feel for the order of magnitude of the problem, just google for web application security.


The current rich Web 2.0 model is broken, not because Javascript or PHP are bad, it’s just that the existing Web application stack on server and client is a bad fit to the world of applications.


There is little free market demand for software security. The key demand-side driver for cloud computing is that it is a service that can be consumed at a  variable cost like a utility. We might think that with all the headlines on data security breaches,  that consumers would be discerning about the security of the service.  However,  data loss risk is negligible in a consumer buying decision since people use applications based on their utility and productivity and beauty of the UI not because of their security, since we all assume that the security is built-in.  The cloud model requires the consumer to consider impact of data loss, similar to considering the impact of a power spike on home appliances with digital controllers.  Data security in the cloud won’t happen by itself.


Enforcing data security in the cloud is harder than in the enterprise. Trusted insiders can exploit application vulnerabilities no matter where the application runs.  However, our ability todetect data loss inside the cloud is far less than our ability to detect data loss inside an office network and more expensive to mitigate in a virtualized operating system environment.


Inside an enterprise network, you can put procedural, network monitoring and DLP solutions into place, however the same security countermeasures may not be supported by your cloud provider as a standard item.   By implementing custom countermeasures in the cloud, you won’t enjoy the economy of scale of a shared, virtualized infrastructure nor benefit from the experience curve of the cloud service provider.  It will become your problem.


Data security is about economics. If you want guaranteed service levels on the security of your IP and customer data that you store in a SaaS system, you need to RFP and negotiate the appropriate contract and security countermeasures (encrypting data at rest and in motion, employee monitoring, key management, data loss prevention, malicious software detection and more).  Compliance with PCI DSS 2.0 and HIPAA may come at additional cost.


Data security in the cloud is a cost borne upstream by the customer and downstream by the cloud provider.


From a cloud service provider perspective, note that there are high fixed costs involved in providing capacity, customer support and secure infrastructure while the revenue from consumers is variable. Consumers that adopt a hybrid model for cloud delivery will have additional fixed and variable costs of operation.


In order to protect your data in the cloud, I suggest adopting some common-sense best practices:


    

  • Before moving your application to the cloud, do some attack modeling and consider the value of your assets to be stored in the cloud, versus the cloud service costs and custom security measures you may (or may not need) to implement
    • 

  • Invest in software security. Remember that hackers attack your software, not your security procedures.
    • 

  • After you set a budget, choose a cloud service according to your threat model and read their dotted line on data security before committing
    • 



		


		

			
						

				Tags: , .			

			
					

	



	

		

			

				Why Web 2.0 brings vulnerabilities to the Cloud
			


			
						

				By Olafur Ingthorsson on January 3, 2011 in Cloud Computing and Cloud Security. 2 Comments			
 
			
					


		

						
 (Written by Danny Lieberman, www.software.co.il) 


There are some good reasons why cloud computing is growing so rapidly.


First of all there are  the technology enablers: Bandwidth and computing power is cheap. Software development is more accessible than ever. Small software teams can develop great products and distribute it world wide instantly. 


But cloud computing goes beyond supply-side economics and directly to the heart of the demand-side – the customer who consumes IT.


Consuming  computing as a utility simplifies life for a business. It’s easy to understand (unlike data security technology) and it’s easy to measure economic benefit (unlike governance, risk and compliance activities).


Cloud computing is more than an economic option; it’s also a personal option. Cloud computing is an interesting, almost revolutionary consumer alternative to internal IT systems due to it’s low cost and service utility model.


Current corporate IT  operations provide services to  captive “users” and empower management (historically, information technology has its roots in MIS – management information systems).  When IT vendors go to market, they go to the CxO executives. All the IT sales training and CIO strategies are based on empowering management and being peers in the boardroom. Sell high, don’t sell low. After all, employees don’t sign checks.


But cloud computing is changing the paradigm of top-down, management-board decision-based IT. If you are a sales professional and need a new application for your business unit,  you can acquire the application like a smart phone and a package of minutes. Cloud computing is a service you can buy without a corporate signature loop.


An employee in a remote sales office can sign up for Salesforce.com ($50/month for 5 sales people) or Google Apps (free up to 50 users) and manage software development on github.com (free for Open Source).


So far – that’s the good news. But – in the Cloud of rich Web 2.0 application services, we are not in Kansas anymore.  There is a very very good reason to be worried. With all the expertise of cloud security providers – the Web 2.0 service they provide is only as secure as the application software itself.


The current rich Web 2.0 application development and execution model is broken.


Consider that a Web 2.0 application has to serve browsers and smart phones. It’s based on a heterogeneous server stack with 5-7 layers (database, database connectors, middleware, scripting languages like PHP, Java and C#, application servers, web servers, caching servers and proxy servers.  On the client-side there is an additional  heterogeneous stack of HTML, XML, Javascript, CSS and Flash.


On the server-side, we have


2-5 languages (PHP, SQL, tcsh, Java, C/C++, PL/SQL)

Lots of interface methods (hidden fields, query strings, JSON)

Server-side database management (MySQL, MS SQL Server, Oracle, PostgreSQL)

On the client side, we have


2-5 languages ((Javascript, XML, HTML, CSS, Java, ActionScript)

Lots of interface methods (hidden fields, query strings, JSON)

Local data storage – often duplicating session and application data stored on the server data tier.

A minimum of 2 languages on the server side (PHP, SQL) and 3 on the client side (Javascript, HTML, CSS) turns developers into frequent searchers for answers on the Internet (many of which are incorrect)  driving up the frequency of software defects relative to a single language development platform where the development team has a better chance of attaining maturity and proficiency. More bugs means more security vulnerabilities.


Back end data base servers interfaced to front end scripting languages like C# and PHP comes built-in with vulnerabilities to attacks on the data tier via the interface.


But the biggest vulnerability of rich Web 2.0 applications is that  message passing is performed in the UI in clear text – literally inviting exploits and data leakage.


The multiple interfaces,  clear text message passing and the lack of a solid understanding of how  the application will actually work in the wild guarantee that SQL injection, Web server exploits, JSON exploits, CSS exploits and application design flaws that enable attackers to steal data will continue to star in today’s headlines.


Passing messages between remote processes on the UI is a really bad idea, but the entire rich We 2.0 execution model is based on this really bad idea.


Ask a simple question: How many ways are there to pass an array of search strings from a browser client to a Web server? Let’s say at least two – comma-delimited strings or JSON-encoded arrays.  Then ask another question – do Mozilla (Firefox), Webkit (Chrome) and Microsoft IE8 treat client data transfer in a uniform, vendor-neutral standard way?  Of course not.   The list of Microsoft IE incompatibilities or different interpretations of W3C standards is endless.   Mozilla and Webkit  transmit UTF-8 url-encoded data as-is in a query string sent to the server. But, Microsoft IE8 takes UTF-8 data in the query string and converts it to ? (yes question marks) in an XHR transaction unless the data has been previously uri-encoded.   Are browser incompatibilities a source of of application bugs? Do these bugs lead to software security vulnerabilities?  Definitely.


So, it’s really easy to develop cool Web 2.0 applications for seeing who’s hot and who’s not. It’s also cheap to deploy your totally-cool social networking application on a shoestring budget. Facebook started with a budget of $9,000 and so can you.


But, it’s also totally easy to hack that really cool rich Web 2.0 application, steal personal data and crash the system.


More subtly, consider, who is the customer of that cool social media application. It’s not the users, it’s the advertisers.   If you are a user of a cool cloud computing application, delivered as SaaS, you cannot negotiate or RFP the security issues away, because you are not the customer.  You generate content for the advertisers, who are the real customers.


With a broken development and execution model for rich Web 2.0 applications, the cloud computing model of software as a service utility is not sustainable for all but the largest providers like Facebook and Salesforce.com.   The cost of security is too high for the application provider and the risk of entrusting valuable business IP  and sensitive customer data to the cloud is unreasonable. Your best option is to hope that your cool Web application will succeed small-time, make you some cash and enable you to fly under the radar with a minimal attack surface.


Like your first girl friend told you – it’s not you, it’s me.


It’s not the IT infrastructure, it’s the software.


		


		

			
						

				Tags: , .			

			
					

	



	

		

			

				Understand the security risks in cloud computing
			


			
						

				By Olafur Ingthorsson on September 19, 2010 in Cloud Computing and Cloud Security. 1 Comment			
 
			
					


		

						
The Cloud Security Alliance (CSA) has done a great job in the furthering awarenes and creating a homogeneous understanding of the major security concerns in cloud computing. It is best known for its security Guidance for Critical Areas of Focus in Cloud Computing, with its latest version issued in Dec. 2009. The CSA guidance clearly describes the major concerns, from a security perspective, that companies need to be aware of if they are considering a Cloud migration or establishment.


Businesses must be aware of the security risks associated with different cloud deployment models, i.e. privae, hybrid or public. To start with, it is important to map out the data flow from the current infrastructure to an eventual cloud service provider, whether in a private or public context. It is essential to understand if and how data can move in and out of the cloud. Having a high-level understanding of the security risks involved also enables businesses to understand which security and risk controls are appropriate to be executed, and to act proactively.


The three primary service modes in cloud computing; SaaS, PaaS and IaaS also represent different security approaches for businesses. In the case of SaaS, the service provider is responsible, or should be, for maintaining acceptable service levels and security, governance, compliance and liability expectations. However, in the case of PaaS and IaaS the customer is responsible for effectively manage the same expecations, while the service provider normally ensures at least some degree of securing the underlying platform and infrastructure components.


CSA also points to the importance of classifying risk in relation to each service mode and location of assets. For example, in a hybrid cloud context, both the customer and service provider can be responsible for the same risks. The problem is that sometimes it is difficult to distinguish between when and who should take accountability. Due to lack of information of security controls maintained by the service provider, customers can also be misguided – potentially leading to wrong decisions and adverse outcomes.


To address this problem, CSA proposes a “Security Control Model” that is systematically used to find the security gaps in each of the layers of a cloud architecture, i.e. from facilities and infrastructure to the presentation modality and platform. When this analysis has been performed and outcomes are analysed, is i easier to apply a compliance model that actually fits the requirements, whether it would be PCI DSS, SOX, HIPAA or any other appropriate compliance framework or model.




Finally, it should be kept in mind that the security controls in cloud computing are for the most part the same as in any IT environment. Because of the different cloud service models employed and associated technologies used, there may be some different risks present than for traditional IT solutions. As cleverly worded in the the CSA Guidance paper: “Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility fall upon one or more third parties






		


		

			
						

				Tags: , .			

			
					

	



	

		

			

				Cloud computing – top threats
			


			
						

				By Olafur Ingthorsson on April 14, 2010 in Cloud Security. 0 Comments			
 
			
					


		

						
Last month, The Cloud Security Alliance (CSA) published a short security guidance paper with an interesting overview of the top 7 threats to Cloud Computing (version 1.0) – according to their analysis. The paper can be used as a simple guideline for addressing, and perhaps checking off, all the major security concerns associated with implementing cloud computing and its different service modes.


Cloud Computing: Security Threats


This is important especially as people often lack an overview of all the potential security vulnerabilities associated with cloud computing. As pointed out in the paper, it is seen as a companion to the much more detailed “Security Guidance for Critical Areas in Cloud Computing” from the SCA (version 2.1 issued in Dec. 2009). The paper includes the top 7 following threats that need to be addressed – in accordance with the type of cloud computing adoption, i.e. “IaaS”, “PaaS”, “SaaS”:






#1: Abuse and Nefarious Use of Cloud Computing (IaaS, PaaS)

#2: Insecure Interfaces and APIs (IaaS, PaaS, SaaS)

#3: Malicious insiders (IaaS, PaaS, SaaS)

#4: Shared Technology Issues (IaaS)

#5: Data Loss or Leakage (IaaS, PaaS, SaaS)

#6: Account or Service Hijacking (IaaS, PaaS, SaaS)

#7: Unknown Risk Profile (IaaS, PaaS, SaaS)		






The threats are equally important – and should reflect the critical threat concerns in Cloud Computing that organizations experience during their adoption processes. The CSA short paper was influenced by a more detailed European research paper produced by ENISA (European Network and Information Security Agency) called “Cloud Computing: Benefits, Risks and Recommendations for Information Society“, published in Nov. 2009.


		


		

			
						

				Tags: , .