Elastic Security


Security for the Cloud

Impressions from CloudCamp Frankfurt

Yesterday, I attended CloudCamp in Frankfurt. My overall impressions: professional organisation, funny location (the film-museum in Frankfurt), great people, a large variety of topics, and a couple of highly interesting presentations. And most of all: good discussions! Thanks to the organisers and sponsors of this great event!

Presentations

Among my personal highlights was the presentation of Uri Budnik from RightScale, who gave insights into how infrastructure services such as Amazon EC2 are actually used today. Not only startups or Facebook application providers, as in the beginning, but also Fortune 500 companies are discovering the cloud and moving IT services into the public space.

I also liked the presentation of Bernd Becker from Siemens, who has a decade of experience as an Application Service Provider (ASP), which is actually the predecessor of cloud computing. The fact that cloud computing emerged from the consumer space and was not designed for enterprises from the very beginning will have an impact on the security architecture and raises questions related to security, auditing and proving resource usage.

Tom Cole stressed the growing importance of identity management and security with the rising popularity of SaaS usage.

Sam Johnston talked about the Open Cloud Initiative, whose goal is to define and protect the Open Cloud, including everybody’s right to access their data in the cloud via open interfaces in open data formats. Great initiative!

Panel about Private Clouds

The questions and discussions in the unpanel session were primarily about the importance and justification of private clouds, i.e. cloud computing services built upon the internal infrastructure of an enterprise. The range of opinions was wide: “private clouds are not much more than the consistent use of virtualization technology” – “private clouds are an evolutionary yet transitional step between the internal IT management of today and the (public) cloud-based IT management of tomorrow” – “private clouds will always be the first choice for applications with mission-critical data or use cases with low delay and response-time requirements“.

Security Workshop

I noted a couple of good questions in this workshop. We plan to address some of them in upcoming blog posts. If you are a workshop participant and you think I forgot something important, please let me know in the comments!

  • Aren’t private or hybrid clouds (including Amazon’s VPC) a sign that the great vision of public clouds is just a chimera? Frankenstein created his monster, but now that it starts walking we see the need to chain it up?
  • Are technical security issues just a way to hide the real problems, which are trust and compliance?
  • Can compliance keep up with the speed of technological progress? Examples: how do you retrieve business-related information of an employee who has left the company when the information is stored at Google? In some countries, strong encryption is not allowed – how do you secure the privacy of data there?
  • What new problems appear related to auditing? One example: how does a server know its location, and how can we be sure that the location cannot be faked?
  • Aren’t most of the security issues for public clouds the same as they already are for hosting?
  • What is the difference between a cloud provider and a bank? Much stronger compliance and auditing!
  • Will the right to audit be a key differentiator once the cloud market gets more mature, pushing companies like Google or Amazon to change their current habits and attitude?

More opinions on CloudCamp Frankfurt 09 here:

Here is the link to the Elastic Security presentation: “Cloud Security: New Problem or New Context?”

Filed under: CloudCamp, Discussions

Amazon VPC Brief Analysis

Some weeks ago, Amazon Web Services announced VPC (Virtual Private Cloud) in a move to address security requirements for enterprise customers and to provide the missing link for hybrid deployments (although some questions remain, especially concerning the technology behind their offer). Since we recently suggested a list of requirements for a cloud VPN, we want to take Amazon’s announcement as an occasion to compare and match VPC features against this list.

The overall use case Amazon is addressing is communication between the internal network and the cloud. Here is the list (*):

Clientless: VPC uses IPsec, which is supported by the majority of security gateways, so there is no need to install a VPN client.

Centralized management: VPC configuration is provided through the Amazon API (although not yet integrated into the Amazon Console). Existing VPN monitoring tools already used in the internal infrastructure should also be operational in the private part of the cloud.

Authentication and authorization features: Even if integration with security groups is not yet provided, it can be expected soon. Concerning authentication, the method provided is an IKE Security Association using Pre-Shared Keys. Role-based access control is not provided by Amazon.

Integration with endpoint security: VPC targets the security of communication and does not provide endpoint security. However, enterprises may deploy existing endpoint security products within the AMIs in the VPC.

Advanced logging and reporting: In our opinion, this is the Achilles’ heel of AWS – and VPC is no better. No information is provided at the network and firewall level.

Support of different communication methods and devices: We do not know yet whether multicast will one day be supported in EC2 and VPC. Concerning devices, Amazon announces that “We also plan to support Software VPNs in the near future.”

High availability: Only one VPC can be configured per AWS account for the moment. No elastic load balancing is available, so it is up to the customers to construct their own HA solution.

Static addressing: Today it is possible to specify a subnet, but the IP address is randomly picked within that subnet. You cannot use Elastic IPs. These restrictions are expected to be dropped by Amazon according to its roadmap.

Conclusion: Even though there are a couple of requirements where VPC falls short, VPC is an important first step towards IaaS security, and it will help customers to move to the cloud with confidence. It lays the ground on which customers can build upon and extend their security architecture into the public cloud.

(*) Green: works out of the box. Yellow: works partly or can be achieved with additional reasonable efforts of the customer. Red: not fulfilled.

Filed under: AWS, Discussions, Solutions
