Filed under: Cloud Computing, CSA, Elastic Security, IaaS, Presentations, Cloud Computing, Security, top threats, trust
July 13, 2011 • 17:28 0
Tendances cloud virtual conference
July 13, 2011 • 17:12 0
Trust and cloud security conference
Filed under: Cloud Computing, CSA, Discussions, Elastic Security, IaaS, Presentations, Cloud Computing, Elastic Security, IaaS, Security, top threats, trust
June 23, 2011 • 11:37 0
Tendances cloud
Sorry to the non-French readers, but I’m often asked for French papers about cloud computing and security. We are proud to be contributors to a French white paper on cloud computing, so here is the link:
http://www.tendances-cloud.com/
Bonne lecture
Filed under: Cloud Computing, Elastic Security, IaaS, News, SaaS, Secure Cloud, Amazon EC2, Cloud Computing, Elastic Detector, Elastic Security, Monitoring, SaaS, SecludIT, Security, Tutorial
June 16, 2011 • 09:02 0
How to increase security and visibility of Amazon EC2 instances?
Amazon EC2 administrators have to deal with daily problems such as:
- Ensuring security of new instances,
- Detecting performance and capacity problems,
- Keeping track of the modifications on the infrastructure.
We would like to give you some insight into Elastic Detector, our solution for addressing those problems and making life easier for cloud administrators by detecting security-related issues and events. What makes this product unique is that it is fully automated and agentless. You can see how Elastic Detector works on this short video:
Filed under: AWS, Cloud Computing, Elastic Security, IaaS, Internals, Secure Cloud, Solutions, Amazon EC2, AWS, Cloud Computing, Elastic Detector, Elastic Security, Monitoring, SaaS, SecludIT, Security, Tutorial
May 26, 2011 • 20:43 0
Solutions Linux presentation
Two weeks ago, I attended the Solutions Linux French exhibition in Paris. I was proud to be part of a round table on cloud computing, and I gave a presentation on the security track about how to monitor an Amazon EC2 infrastructure with open source tools, especially Nagios. Here are the slides as promised (in French).
Filed under: Uncategorized
March 25, 2011 • 18:10 0
Security THE differentiator between cloud computing offerings
I’ve read a very interesting and different post about security in cloud computing and more precisely IaaS (Infrastructure as a Service).
Tons of articles and surveys about security being the major obstacle to cloud computing, and lots of FUD, are in circulation, but Andreas M. Antonopoulos dared to offer a new perspective of security as THE differentiator of IaaS offerings. I especially liked this part:
“Security is like a liquor license to a restaurant — an opportunity to up-sell each customer with a high-profit margin product to balance out the dismal or loss-leading margins of the core product. Security is the single most profitable differentiator that a service provider can add to IaaS to have any hope of making money. Security is brand-sensitive, labor-intensive, infinitely customizable and difficult to scale. That makes security the perfect differentiator that can add value to a bland IaaS offering.”
As a security provider for IaaS, I have to strongly agree with this new perspective, and we are currently working with hosting companies and IaaS providers in order to make this perspective come true.
For us, the main challenges ahead are:
- Heterogeneity: There are several cloud stacks (AWS, OpenStack, VMware, Nimbula, Eucalyptus, just to name a few), so it is hard to build solutions for all of them, and moreover they offer different functionality
- Focus: Security is a real and hard problem (please check the guidelines of the Cloud Security Alliance if you want to go deeper), but we have to focus on customers' needs with an incremental approach and try to build solutions for each need (there is no silver bullet)
What do you think about these challenges?
Thanks Andreas for the refreshing article
Filed under: Uncategorized
March 8, 2011 • 17:05 0
Elastic Detector Launch
We launched a private beta program in December 2010, and first of all we would like to thank all our beta testers for their feedback and comments.
For the last 2 months we have been busy improving Elastic Detector by integrating new features that suit your needs, such as more powerful graphs and daily reports. Such features are built on top of our auto-check technology, which makes it possible to ensure the security of your infrastructure with near zero configuration.
We are really excited to announce that the first version of Elastic Detector is ready.
Elastic Detector helps you to achieve full visibility of your Amazon EC2 deployment and monitors your security groups. You may give it a free try for 1 month. Configuration takes only 2 minutes, and then you may watch Elastic Detector improving the security of your infrastructure in real time.
We will be very happy to count you among the Elastic Detector Community, and we are committed to continuously securing your infrastructure on Amazon EC2.
Filed under: AWS, Cloud Computing, Elastic Security, IaaS, SaaS
February 17, 2011 • 21:15 3
Most annoying and at the same time most loved feature of Elastic Detector
During the beta test of Elastic Detector, we had a lot of queries concerning an important feature of Elastic Detector, namely:
- Elastic Detector considers that an open port in the security groups should correspond to an available service in the instances that use the security group.
For example, if you have defined a security group web with the HTTP port open, Elastic Detector deploys an HTTP auto-check, and if Elastic Detector does not get an answer, it raises a critical alert.
First of all, why does Elastic Detector do this?
From the security point of view, an open port with no service behind it is a potential threat that can be exploited by an internal or external attacker. It means that the attacker can install a rogue application that has immediate access from everywhere. Imagine that the attacker (internal or external) deploys an e-commerce application to sell Viagra on your infrastructure.
So, why can this sometimes be annoying to Elastic Detector users?
I will try to enumerate the reasons they gave us:
- It is work in progress, so the service is going to be deployed later
- It is a pain to manage a lot of security groups that should fit their services AND that must be changed whenever a service changes
- I have IP restrictions to access this service
What are the solutions?
In order to cope with the first and second use cases, we plan to allow for an acknowledgment of a temporary exception, and for the third we have disabled auto-checks whenever Elastic Detector has no permission to access the service. Of course, once our users add Elastic Detector to the authorized IPs, an auto-check is deployed.
Finally, why is it loved by some Elastic Detector users?
The administrators who are trying to control cloud usage love this feature. It gives an alert whenever a user changes the security groups, so administrators can at least follow the changes and drill down if needed.
Conclusion
We strongly believe that the ports should be closed until the service is up and running for the sake of security.
Please let me know your thoughts about this feature, annoying or loved?
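The rule discussed in this post, sketched as an added example (this is not Elastic Detector's code): every port a security group opens is probed on each member instance, rules that do not admit the checker's IP are skipped, and acknowledged exceptions downgrade the alert. The group data, addresses, status names and the `audit` and `tcp_probe` helpers are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed sample data (not real AWS output): groups, their rules and members.
SECURITY_GROUPS = {
    "web": {"rules": [{"port": 80, "cidr": "0.0.0.0/0"}],
            "instances": ["198.51.100.10", "198.51.100.11"]},
    "admin": {"rules": [{"port": 22, "cidr": "203.0.113.0/24"}],
              "instances": ["198.51.100.10"]},
}

def tcp_probe(host, port, timeout=2.0):
    """Return True if something accepts a TCP connection on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(groups, checker_ip, probe=tcp_probe, acknowledged=frozenset()):
    """Return (status, group, instance, port) for every rule/instance pair."""
    results = []
    src = ipaddress.ip_address(checker_ip)
    for name, group in sorted(groups.items()):
        for rule in group["rules"]:
            # An IP-restricted rule that excludes the checker cannot be tested.
            reachable = src in ipaddress.ip_network(rule["cidr"])
            for inst in group["instances"]:
                key = (name, inst, rule["port"])
                if not reachable:
                    status = "SKIPPED"        # no auto-check without access
                elif probe(inst, rule["port"]):
                    status = "OK"             # open port, service answers
                elif key in acknowledged:
                    status = "ACKNOWLEDGED"   # temporary exception on record
                else:
                    status = "CRITICAL"       # open port, nothing listening
                results.append((status, *key))
    return results

if __name__ == "__main__":
    # Hypothetical stand-in for the network: only one instance serves HTTP.
    def fake_probe(host, port):
        return (host, port) == ("198.51.100.10", 80)
    for row in audit(SECURITY_GROUPS, "192.0.2.50", probe=fake_probe):
        print(*row)
```

Passing `probe=tcp_probe` (the default) performs real TCP connects, so the checker's own address must be the one given as `checker_ip`.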
Filed under: AWS, Discussions, Elastic Security, IaaS, Amazon, architecture, EC2, Elastic Detector, Monitoring, security groups
February 8, 2011 • 10:17 0
Reply to “Don’t Conflate Virtual with Dynamic”
This post is a reply to the blog post “Don’t Conflate Virtual with Dynamic” posted here and here, that was already a reply to our original post “Why the perimeter must become virtual“.
First of all, thanks to Lori for the very interesting blog post. Here are my comments:
- Overall we agree. In the original blog post we stated “Well, the short answer is: the perimeter must also become virtual, highly dynamic, and automated.”. Lori on the other hand says “In order to implement the kind of dynamic network perimeter … we do, in fact, need a more flexible, automated perimeter.” We agree on the dynamic and automation part.
- It seems that it is the word “virtual” that triggered the discussion. For example, Lori states “Dynamic is not a synonym for virtualization and virtualization does not inherently provide the fluidity of the network architecture required to address the challenges associated with highly dynamic environments.”, and points to the fact that virtualization itself raises security, compliance and performance issues. We agree on the issues, and for example the top threats to cloud computing from the Cloud Security Alliance refer to this in the item “Shared Technology Issues” (for example Xen and VMware vulnerabilities).
So, everything boils down to these questions: Should the (security) perimeter be virtual or non-virtual? Should we use a “toss another virtual appliance” approach to security (like we do for scaling), or is it more about “designing an architecture comprised of highly dynamic and interactive components that can be provisioned and managed on-demand”, as Lori said?
These are challenging questions in my opinion, and I’d really like to continue discussing this topic. What are your thoughts?
Just to give some clues, I am thinking about trusted computing platforms: are they possible with virtualization? Can we establish trust on top of virtualization layers? Actually, these are some of the questions that the Virtualized Platform working group is trying to address.
Sergio
Filed under: CSA, Elastic Security, IaaS, Uncategorized
October 15, 2010 • 10:58 0
Global Security Challenge at Tel-Aviv and THE 2 cloud security questions
I was really pleased to be among the best 4 European start-ups that were in Tel-Aviv last week to participate in the Global Security Challenge. Unfortunately we did not get to the finals, but it was still a very good experience. This competition has a broad security scope; for example, there were companies focusing on water security and physical security. IT security is very important as well, and even touches critical industrial systems, as shown by the Stuxnet incident.
On the other hand, I was impressed by the Israeli ecosystem of security technologies, and I expect that some of the global security players will continue to start from here.
Nevertheless, I found it puzzling that the 2 most frequent questions everyone asked me about cloud security were somewhat contradictory:
- Is it possible to secure the cloud?
- What’s new about the cloud that needs new security measures?
So, it seems to suggest that on one hand it is too big a problem to solve, and on the other hand that the cloud is more hype than something really new that brings new security requirements.
The easy answer to both questions is to refer to the Cloud Security Alliance, where we did comprehensive work on these issues, especially on the problem statement. Moreover, I always try to enumerate what I believe are the root causes of the cloud security problems and the main differences between public and private clouds. I really believe that we need to focus on specific problems and then try to find solutions. For instance, concerning the problem of lack of visibility on the cloud (API logs on Amazon Web Services, to give a concrete example), we might think of a gateway (working as a proxy) that logs (and optionally controls) the API usage.
After the long and interesting discussions in Tel-Aviv, I’ll oversimplify and draw one hypothesis.
The 2 questions come from people's perception of the “cloud”, and it may boil down to the following rephrased questions:
- Is it possible to secure the PUBLIC cloud?
- What’s new about the PRIVATE cloud that needs new security measures?
Before trying to answer these questions, I would love to hear what you think about the hypothesis.
Sergio
PS> good luck for the Global Security Challenge finalists
Filed under: AWS, CSA, Discussions, IaaS, Presentations, Uncategorized



