Elastic Security


Making your cloud a safe heaven

Privacy in Hostile Environments?

Foto: Mykl Roventine

Mark Zuckerberg says that the age of privacy is over. Those who feel socially invulnerable and are totally comfortable handing control over their personal data to American startup companies might skip the rest of this article. Those who believe that privacy will remain a precious asset and a precondition of freedom and democracy might start to worry whether the rising use of web services, and the ubiquity of access to all kinds of potentially confidential information about their life or the company they work for, become a threat important enough to abstain from using such applications in certain contexts.

What options exist besides full trust in the cloud providers and negotiating appropriate SLAs? Is it possible and technically feasible to manage privacy within the web without relying on web-application providers like Google, Salesforce or Facebook to respect privacy concerns and to implement the measures needed to avoid unsolicited access to private data and abuse from outside and inside the service platform?

Actually, the question is not a new one, and the common response to it is the use of proxies that intercept confidential data and replace it with anonymized data. This must happen in a completely transparent way so as not to break the system. A prominent example is the use of anonymization proxies (e.g. Proxify) to hide IP addresses from ISPs. However, protecting data that is stored on the systems of a SaaS provider is a much harder problem.

Here are some ideas on how such a solution could be realized to anonymize specific data used in web applications.

Network: Van Jacobson proposes a solution at the network level by switching from the current location-based architecture to a new paradigm called Content Centric Networking, which uses content objects as the principal abstraction and allows security features to be built in at the data level. This idea will probably remain an idea for a long time, since it would represent a revolution that requires replacing robust and well-understood equipment on a running system all over the world.

Database: Another idea is to use a proxy between the web application and the database, which would need to be deployed on the premises of the SaaS provider. The proxy intercepts SQL queries between application server and database, identifies confidential data and replaces it. Some advanced database firewalls are able to identify user-based data streams and match them against their firewall rules. The advantage of this approach is that it works generically for all web applications without changing a single line of code. However, the architecture is quite complex and leaves several open questions: how are keys managed (they must be stored outside the SaaS provider)? Who specifies which kind of data is to be protected, and how?

Browser: Yet another possibility would be to let the proxy work on the client side, for example as a browser plugin that intercepts either JavaScript calls at the application level or HTTP requests/responses, in order to anonymize data. The biggest question here is whether a generic solution is possible that works for all kinds of web applications and doesn’t harm the integrity of the application.
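To make the proxy idea from the database and browser options above concrete, here is an added example (not code from the original post) of a client-side pseudonymization proxy: fields configured as confidential are swapped for opaque tokens before a payload leaves the trust boundary, and known tokens are mapped back when the response returns. The token vault stays with the client, so the web application only ever stores tokens; the same vault could equally sit behind a database-side proxy that rewrites SQL bind parameters. The field names and the CRM record are constructed for the example.

```python
"""Client-side pseudonymization proxy (added example; not from the original post)."""
from __future__ import annotations

import secrets
from typing import Any, Iterable


class TokenVault:
    """Bidirectional token <-> clear-value map kept outside the SaaS provider."""

    def __init__(self) -> None:
        self._to_clear: dict = {}
        self._to_token: dict = {}

    def tokenize(self, value: Any) -> str:
        # Deterministic: the same clear value always yields the same token, so the
        # application can still match records on equality (at the price of
        # revealing which records share a value).
        token = self._to_token.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_clear[token] = value
        return token

    def detokenize(self, token: str) -> Any:
        return self._to_clear.get(token, token)

    def is_token(self, value: Any) -> bool:
        return isinstance(value, str) and value in self._to_clear


class PseudonymizingProxy:
    """Rewrites JSON-like payloads on the way out and back in."""

    def __init__(self, vault: TokenVault, confidential_fields: Iterable[str]) -> None:
        self.vault = vault
        self.confidential = set(confidential_fields)

    def outbound(self, payload: Any) -> Any:
        """Replace every scalar value of a confidential field, at any nesting depth."""
        if isinstance(payload, dict):
            return {
                key: self.vault.tokenize(val)
                if key in self.confidential and not isinstance(val, (dict, list))
                else self.outbound(val)
                for key, val in payload.items()
            }
        if isinstance(payload, list):
            return [self.outbound(item) for item in payload]
        return payload

    def inbound(self, payload: Any) -> Any:
        """Map every known token back to its clear value, wherever it appears."""
        if isinstance(payload, dict):
            return {key: self.inbound(val) for key, val in payload.items()}
        if isinstance(payload, list):
            return [self.inbound(item) for item in payload]
        if self.vault.is_token(payload):
            return self.vault.detokenize(payload)
        return payload


def demo() -> dict:
    """Round-trip a constructed CRM record through the proxy."""
    vault = TokenVault()
    proxy = PseudonymizingProxy(vault, confidential_fields={"email", "phone"})
    record = {
        "name": "Alice Example",
        "email": "alice@example.com",
        "contacts": [{"phone": "+33 1 23 45 67 89", "kind": "office"}],
    }
    stored = proxy.outbound(record)    # what the SaaS provider receives and stores
    restored = proxy.inbound(stored)   # what the user sees again
    return {"record": record, "stored": stored, "restored": restored}


if __name__ == "__main__":
    print(demo()["stored"])
```

The deterministic vault is the design choice that keeps searching and joining on the provider side working; if that is not needed, a fresh token per occurrence leaks less. Either way, the vault is now the asset that must be backed up and protected, which is exactly the key-management question the database option raises.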

But maybe the answer will not be a technical but a political one? Awareness of data privacy is growing strongly, at least in Europe. France ponders a Right-To-Forget law. Will the solution end up in the hands of politicians and judges?

Filed under: Privacy, SaaS, Solutions

Data Remanence in the Cloud

Foto: S.Bär

Any critical data must not only be protected against unauthorized access and distribution, but also be securely deleted at the end of its life cycle. For organizations storing information related to health, finance or defense it is mandatory to ensure that no data is left on disks from where it is exposed to the risk of being recovered by malicious users. This problem is generally referred to as Data Remanence.

When you have full control of your file servers, you would use tools like this that overwrite the corresponding sectors on the disk several times to literally destroy any physical trace of a file. But how would you do this in the cloud?

The technique of overwriting file sectors does not work without the collaboration of the cloud provider. You are not given access to the physical device, but only to higher-level abstractions like file systems (e.g. Amazon EBS) or key-value based APIs (e.g. Amazon S3). In SaaS/PaaS environments, access only happens at the data level. Until cloud providers start paying attention to this issue (I am not aware of even a single provider) and offer secure deletion as a feature of their services, there is only one solution that already works today, at least on IaaS platforms: strongly encrypt your data and keep the key in a safe place, i.e. outside the cloud where your data is stored. Secure deletion then becomes nothing more than destroying the key.
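The “destroy the key” approach is usually built as a small key hierarchy, and the added example below (not code from the original post) shows why that matters: every object gets its own data-encryption key (DEK), each DEK is wrapped with a key-encryption key (KEK) that never leaves the tenant, and the wrapped DEKs are kept with the tenant too. Deleting one wrapped DEK makes that object unrecoverable; destroying the KEK shreds everything at once, whatever ciphertext still sits on the provider’s disks. The cipher is a didactic HMAC-SHA256 counter-mode construction with an HMAC tag so that the example runs on the standard library alone; a real deployment would use an authenticated cipher such as AES-GCM from a vetted library. The object names and contents are constructed.

```python
"""Crypto-shredding with a DEK/KEK hierarchy (added example; not from the original post)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; raise on wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class CloudStore:
    """What the provider holds: opaque ciphertext that may linger on its disks."""

    def __init__(self) -> None:
        self.objects: dict = {}


class Tenant:
    """All key material stays here, outside the cloud that stores the data."""

    def __init__(self) -> None:
        self.kek = secrets.token_bytes(32)
        self.wrapped_deks: dict = {}

    def put(self, store: CloudStore, name: str, data: bytes) -> None:
        dek = secrets.token_bytes(32)                  # one DEK per object
        store.objects[name] = encrypt(dek, data)       # only ciphertext goes to the cloud
        self.wrapped_deks[name] = encrypt(self.kek, dek)

    def get(self, store: CloudStore, name: str) -> bytes:
        if self.kek is None or name not in self.wrapped_deks:
            raise KeyError(f"{name}: key material destroyed, object is unrecoverable")
        dek = decrypt(self.kek, self.wrapped_deks[name])
        return decrypt(dek, store.objects[name])

    def shred_object(self, name: str) -> None:
        # The provider may keep the ciphertext forever; without its DEK it is noise.
        del self.wrapped_deks[name]

    def shred_all(self) -> None:
        # Destroying the KEK invalidates every wrapped DEK at once.
        self.kek = None
        self.wrapped_deks.clear()


if __name__ == "__main__":
    store, tenant = CloudStore(), Tenant()
    tenant.put(store, "patient-42.json", b'{"diagnosis": "constructed sample"}')
    print(tenant.get(store, "patient-42.json"))
    tenant.shred_object("patient-42.json")
    print("ciphertext still stored:", "patient-42.json" in store.objects)
```

The per-object DEK is what turns “destroy the key” from an all-or-nothing measure into a per-record deletion, and keeping the wrapped DEKs on the tenant side is what makes that deletion independent of the provider. Key backups are the remaining trap: a wrapped DEK that survives in a backup undoes the shredding, so backup retention of key material has to be governed as strictly as the keys themselves.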

Filed under: Solutions

Slides of the brighttalk summit on Public, Private & Hybrid Clouds

Here they are, enjoy

Filed under: BrightTalk Summit, Discussions

Some Thoughts on Cloud Adoption

Yesterday I gave a talk on cloud security (in French) at the Forum Aristote. I enjoyed several nice presentations and discussions about very concrete customer use cases and needs that contributed to questions like:

  • Are there real customers considering the public cloud?
  • Are customers attracted by the idea of cloud computing, or just puzzled by the marketing hype?

The discussions I had yesterday gave me the impression of a growing consensus about the use of private clouds for critical information, and the use of public clouds for non-sensitive data and applications. That leads to the question of which kinds of applications are actually addressed by security features in public clouds, e.g. Amazon VPC. VPC surely does not answer all security concerns, but does it at least help to move more applications into the public cloud?

It is also clear that customers are getting used to the concepts of outsourcing as well as SaaS. Most of them even believe that virtualization security is possible and side-channel attacks in multi-tenant setups have more theoretical than practical impact. So, what’s actually missing?

  • More trust in cloud providers (especially public IaaS)
  • A change of attitude that doesn’t resist change on principle
  • More knowledge, experience, and cloud success stories

Is cloud adoption caught in a vicious cycle? How can it break out of it? I think this mainly depends on the evolution of the offers and the trust-building measures of the large providers with regard to compliance, auditing, and security. But there are still far too many remaining open questions. Feedback welcome!

Filed under: Discussions

Public vs Private clouds

Next week (the 15th of December), I’m going to give a talk about cloud security at the “Public, Private & Hybrid Clouds” BrightTalk Summit. There are surprisingly many talks that focus on cloud (in)security – although after all it isn’t too surprising, given that security is the key issue when comparing public against private cloud infrastructures.

Guy Churchward, LogLogic CEO, did an interesting post on this subject, and Gartner argues that private is the way to go. I am wondering if this opinion has become a consensus or if there are still public (sic!) defenders of the public cloud? I hope that the users of Amazon EC2 and Salesforce raise their voice and that we find more use cases than the usual ones like testing, non-sensitive data, marketing campaigns, non-critical business processes and so on.

I think we can associate the threats and risks of cloud computing with the following root causes (admittedly this is a simplification):

  1. outsourcing
  2. resource sharing
  3. virtualization
  4. infrastructure volatility

Private clouds solve the first two: (1) they increase trust and allow full visibility and control over the infrastructure, and (2) they are not exposed to side-channel attacks. I hope to interact with you at the summit, and if you already have a favorite topic or questions on the subject, do not hesitate to drop a comment. I might include it in the presentation.

Filed under: BrightTalk Summit, Discussions

Impressions from CloudStorm Paris

Yesterday I attended CloudStorm in Paris. The idea behind this series of events is to give solution providers in the Cloud Computing space the possibility to present their products in front of potential customers and establish contacts with potential partners and customers.

My expectations of the event were to get an impression of the state of the art in the cloud computing space: what kind of companies are migrating to the cloud? What are they looking for? What are the major obstacles of adoption? What business models are valid and popular? Which role do security concerns play in the adoption of cloud computing? What problems are still not solved?

My impressions were the following: the solution range went from SaaS providers (collaboration, project management, enterprise communication, and catalogue production) over infrastructure software and service providers (targeting service integration, cloud storage systems, or private cloud creation) to a service provider actually using cloud technology to implement its service offering. The only large global player represented was Sun Microsystems.

While this multiplicity of players represents very well the current confusion around the term Cloud Computing, I am not convinced that it really helped the solution providers to talk to people particularly interested in their problem space.

The event also included three panels targeting three different topics. The panel “Creating a Startup” discussed the challenges of being an entrepreneur in the software domain (not really specific to cloud computing). The panel “Scalability Aspects” concluded that scaling a business is at least as difficult as scaling a web application. The panel “Selling Cloud Solutions” stated that the simplicity of the business model makes applications based on utility computing easier to sell than traditional software, and allows vendors to gain better feedback on the customers’ problems and thus solve them faster. While the panels had interesting topics and consisted of competent people, time was simply too short to provide deeper insights.

I would be interested to know how the solution providers perceived the event and hear their opinion on the helpfulness and impact of the Cloudstorm format.

Filed under: CloudStorm

Alternatives to AMIs?

Foto: ilovecode

Some weeks ago, I discussed the dangers of using Amazon Machine Images (AMIs) from third-party providers and suggested that a web service combining profound security scanning with community feedback could be a solution to reach a good level of transparency and trust. But are AMIs really the right abstraction for a software marketplace? Can they replace installers? Is searching for an AMI that fits a customer’s needs and then launching it the way people want to install software? Are AMIs the determining abstraction of cloud IT?

I see two important limitations to the role of the AMI:

  • The first is the problem of sharing resources at the application level: starting an AMI for every application is costly, since the customer needs to pay for every running instance, which in most cases is overprovisioned. On the other hand, you lose all advantages of simplicity when you deploy, maintain, and upgrade several applications on the same instance. There’s probably no AMI that deploys your preferred CRM plus your preferred bug-tracking tool plus WordPress – you need to create it yourself (and run into new questions, e.g. how to maintain and upgrade your setup).
  • The second is that launching is just not enough: instances must also be configured, e.g. with IP addresses, application-specific parameters, or to achieve persistence. An AMI is not just a simpler software installer or even a DVD-like digital asset that can be played with one click; it is only one brick of a service or an application among others, and it rarely works out of the box.

If AMIs are not the right entity for a cloud infrastructure marketplace, which could be the right one then? One possibility could be a marketplace for “cloud deployment services” where a deployment service is basically a programming routine that takes input from the user and performs the complete setup, i.e. starting AMIs, attaching persistent storages, configuring static IP addresses, applying account information, connecting application-servers to database, encrypting storage, etc.

Such deployment services would clearly solve problem number two (configuration), but could also be enabled to reuse existing resources and thus solve problem number one (resource sharing). On the other hand, they may become so specific that they are often needed only once. Any thoughts?

Filed under: AWS, Discussions, Solutions

Software Updates on EC2

Foto: Lady-Bug

Let’s imagine I am a small software vendor that uses Amazon EC2 for its complete IT infrastructure. Let’s say I have around 20 virtual machines on Ubuntu Linux running all my applications. There are internal applications, i.e. applications that only my company uses – like a CRM, a code repository, a document-management tool, a project-management tool, a billing system or a mail server. And there are external applications that are shared with the outside, such as a file server to download documents and software, a bug-tracking tool, and a SaaS version of my products. Almost every application also uses a database instance in the backend. Of course, there are also a couple of management tools running and scripted processes for backup, integrity checks, or auditing.

So far so good. Now a new version of Ubuntu comes out that fixes a potential security vulnerability. In addition, I want to use the latest release of MySQL for performance reasons. And there’s this new version of my bug-tracking system with the long-awaited new feature. In the classical IT world, I would start software updates (e.g. for Ubuntu) or download and install the latest version of MySQL and my bug-tracking tool. How would I do it in the EC2 cloud?

I could try it the same way. But I might run into problems like this – a new OS version might require an update of the kernel, which is not possible with EC2. So I do need to start up a new instance from an AMI containing the latest Ubuntu version, reinstall and configure my software, reimport my data, and copy and reactivate my scripts. When I choose to do it like that, I must also be prepared for the (rare) case of corrupted instances or unintentional termination of an instance. In such cases, I need to do the whole process from scratch. RightScale helps to automate those kinds of updates, since it allows you to write reusable scripts and assign them to AMIs so that they are executed on startup or termination of an instance.

With VMware, I would install the new software and create a snapshot after the upgrade, which allows me to switch back immediately to a certain system state at any time I want. This feature is not available for EC2, but it can be simulated to some extent: the process of creating a VM snapshot corresponds to the process of bundling a new AMI. Every time I need to upgrade, I would do my updates on the running instance (or better: a clone of that instance based on the same AMI) and then create a new AMI out of it. Elastic-Server is a service that helps you to do that more easily. Afterwards, I need to shut down my instance based on the old AMI and start a new one based on the new AMI. However, that only works for application and service software upgrades and for OS upgrades without kernel modifications. For kernel upgrades, I still need to do the whole installation process from scratch…

Ideally, I would like to separate my AMI from the installation information of the software. What about a solution like this: I start from a clean OS-only image and store all modifications on persistent storage, i.e. EBS (Elastic Block Store). On my AMI, there is an installation script executed at startup that checks the current setup against the target setup stored on EBS. Installing MySQL? Store the whole bin+lib+config on EBS. The installation script will check whether it needs to apply modifications and gets them directly from the EBS volume. Upgrading MySQL means simply updating the target state on EBS. Upgrading the OS means using another AMI (one that includes the installation script – that’s the catch).
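The startup script in that last idea is a desired-state reconciler, and the added example below (not code from the original post) shows the core of one: it hashes every file under a target tree (the EBS volume in the post’s setup), compares the live tree against those digests, installs what is missing, replaces what has changed, and removes only files it installed on an earlier boot that are no longer in the target. The record of what was last applied is a small manifest written into the live tree, so that the script never deletes files it does not manage. The file name of that manifest and the directory layout in demo() are assumptions constructed for the example.

```python
"""Idempotent boot-time reconciliation against a target state (added example; not from the original post)."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

APPLIED_MANIFEST = ".applied-manifest.json"   # hypothetical bookkeeping file name


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file below root (relative, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def plan(target: dict, live_root: Path) -> dict:
    """Compute install/update/remove lists without touching anything."""
    state = live_root / APPLIED_MANIFEST
    previously_applied = json.loads(state.read_text()) if state.exists() else {}
    actions = {"install": [], "update": [], "remove": [], "unchanged": []}
    for rel, digest in target.items():
        path = live_root / rel
        if not path.is_file():
            actions["install"].append(rel)
        elif sha256_of(path) != digest:
            actions["update"].append(rel)
        else:
            actions["unchanged"].append(rel)
    # Only files this script installed earlier are candidates for removal.
    for rel in previously_applied:
        if rel not in target:
            actions["remove"].append(rel)
    return actions


def reconcile(target_root: Path, live_root: Path) -> dict:
    """Apply the plan and record the manifest; safe to run on every boot."""
    target = build_manifest(target_root)
    actions = plan(target, live_root)
    for rel in actions["install"] + actions["update"]:
        dst = live_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(target_root / rel, dst)
    for rel in actions["remove"]:
        (live_root / rel).unlink(missing_ok=True)
    (live_root / APPLIED_MANIFEST).write_text(json.dumps(target, sort_keys=True))
    return actions


def demo() -> list:
    """Three boots: fresh instance, nothing changed, then an upgraded target state."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "ebs-target"   # stands in for the EBS volume
        live = Path(tmp) / "live-root"      # stands in for the instance's file system
        live.mkdir()
        (target / "etc/mysql").mkdir(parents=True)
        (target / "opt/mysql/bin").mkdir(parents=True)
        (target / "etc/mysql/my.cnf").write_text("[mysqld]\nbind-address=127.0.0.1\n")
        (target / "opt/mysql/bin/mysqld").write_text("# constructed stand-in for the old binary\n")
        first = reconcile(target, live)
        second = reconcile(target, live)
        # "Upgrading MySQL" = changing the target state on EBS; here the config file is dropped too.
        (target / "opt/mysql/bin/mysqld").write_text("# constructed stand-in for the new binary\n")
        (target / "etc/mysql/my.cnf").unlink()
        third = reconcile(target, live)
        return [first, second, third]


if __name__ == "__main__":
    for boot, actions in enumerate(demo(), start=1):
        print(f"boot {boot}: {actions}")
```

Running the same script on every boot is what makes the AMI interchangeable: a fresh instance and a long-running one converge on the same state, and the manifest on the live tree doubles as an audit trail of what the instance is supposed to contain, which is handy for the integrity checks mentioned above. A real script would also restart the affected services after an update and verify the target tree’s integrity before trusting it.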

I will try to formalize those solutions and add them to the list of EC2 Patterns. Every input is welcome (especially, I am still searching for good pattern names)!

Filed under: AWS, Solutions

CloudCamp in the Cloud

Last week I attended the CloudCamp in the Cloud. Apart from the fact that the around 70 attendees were connected via a public webinar, the program was similar to a normal CloudCamp: 5-minute lightning talks, an Unpanel (questions to a dynamically formed group of panelists), and break-out sessions for deeper discussions on certain topics. In fact, the difference between the Unpanel and the break-out sessions was not noticeable, since most people (including me) remained on the main channel of the web conference and the sessions were as unstructured as the Unpanel session itself. Maybe next time we could simply remain on the same channel and fix time slots of, let’s say, 30 minutes to concentrate on pre-defined topics (topic propositions could be sent in by mail in the days before the conference). Everybody interested in a specific topic could join at the right time. Those sessions could even be linked to the lightning talks (when we can avoid having masqueraded sales pitches), which would allow some discussion around the talks and direct feedback for the speaker.

Here are my notes from the conference. They reflect some of the most important questions and concerns around Cloud Computing. I have classified them by the topics proposed for the break-out sessions during the conference.

  • Cloud Computing Definition, Introduction
    • How can we better educate adopters of cloud computing to know what they’re getting into?
  • Cloud Computing Providers and Market
    • How does Amazon compare to its competitors (like SliceHost, GoGrid, Rackspace) with regard to features and cost?
    • When economies of scale are necessary to reduce the computing costs, aren’t we heading to a market with very few players, which are then able to keep costs high?
    • What are the growth numbers of providers?
    • How do I get more “nines” from my application in the cloud?
    • Interoperability between cloud vendors – what is the state of the art?
    • What will be the role of channels/VARs in the cloud eco system?
    • Will there be a market for AMIs? Are AMIs the right abstraction to sell?
  • Security and Legal
    • Does the Patriot Act put constraints on the usage of cloud computing?
    • Multi-tenancy is the principle behind a good ROI on cloud services, but isn’t that a bad maneuver for security and secure client isolation?
    • What additional security issues do I need to consider when moving to the cloud?
    • Questions about cloud provider security and trust are legitimate. But how do these questions apply to internal systems? Are people putting more security requirements on the provider than on themselves?
    • If trust into your provider is indispensable, how can trust be created?
  • Hands-On Experience and Technical
    • Do I need to make changes to my application to have it scale-out in the cloud?
    • How do KVM vs Xen compare to each other?
    • Is Hadoop highly suitable for cloud deployments?

Reuven Cohen recently posted Recap and Video of the conference here. Slides of the lightning talks can be found here.

Filed under: CloudCamp, Discussions

Quick Notes on the RSA Conference Europe 2009

Good conference, a lot of interesting sessions and discussions during the 3 days.

I will try to give you my quick impressions on the trends of this year’s conference:

  • Data leakage protection (DLP). Finally, IMO the products are mature and comprehensive. Maybe not yet ready for widespread adoption by SMBs, but very interesting propositions for when the security budgets are on the rise again.
  • Compliance. This is the real driver of today’s security market. Products that help enterprises get compliant with major regulations, typically Security Information Management (SIM) solutions, are getting much attention in spite of not being a new market.
  • Virtualization security. The hot concrete topic of this year’s conference. IMO, security professionals were again a bit late reacting to this trend, but they are now actively developing guidelines and services to address virtualization. The first results of these efforts are coming out. I strongly recommend the session of Dennis Moreau of EMC, “Attacking and Defending Virtual Infrastructure”, for a nice overview of the subject.
  • Cloud security. The buzzword was the real HOT topic. Several tracks were addressing it, but it came up in every coffee-break discussion as well. I would like to thank Craig Balding of cloudsecurity.org for many interesting discussions on the subject. My own conclusion from the conference is that security professionals are really skeptical about the subject, especially concerning compliance and SLAs. A very good illustration was the RANT session by Hugh Thompson. Interestingly enough, one of the only positive voices about cloud security was Philippe Courtot, the CEO of Qualys.

Sorry not to refer to the many other interesting sessions; I’ll try to get back to them in a later post. Anyway, good conference, and I hope that these first notes fuel some more feedback from the other participants or from other people as well. Please add your thoughts.

Filed under: Discussions, RSA Europe
