Elastic Security

Security for the Cloud

Global Security Challenge at Tel-Aviv and THE 2 cloud security questions

I was really pleased to be among the best 4 European start-ups that were in Tel-Aviv last week to participate in the Global Security Challenge. Unfortunately we did not get to the finals, but it was still a very good experience. This competition has a broad security scope; for example, there were companies focusing on water security and physical security. IT security is very important as well, and it even touches critical industrial systems, as shown by the Stuxnet incident.

On the other hand, I was impressed by the Israeli ecosystem in security technologies, and I expect that some of the global security players will continue to start from here.

Nevertheless, I found it puzzling that the 2 most frequent questions everyone asked me about cloud security were somewhat contradictory:

  • Is it possible to secure the cloud?
  • What’s new about the cloud that needs new security measures?

So, this seems to suggest that, on one hand, the problem is too big to solve and, on the other hand, that the cloud is more hype than something really new that brings new security requirements.

The easy answer to both questions is to refer to the Cloud Security Alliance, where we did comprehensive work on these issues, especially on the problem statement. Moreover, I always try to enumerate what I believe are the root causes of the cloud security problems and the main differences between public and private clouds. I really believe that we need to focus on specific problems and then try to find solutions. For instance, concerning the problem of lack of visibility in the cloud (the lack of API logs on Amazon Web Services, to give a concrete example), we might think of a gateway (working as a proxy) that logs (and optionally controls) the API usage.
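To make the gateway idea concrete, here is an added example (not the author's or Elastic Security's code) of the core step such a proxy would run on every AWS Query-API call it relays: parse the request, decide whether the access key may invoke that Action, and emit a log record that never contains the request signature. The policy table, key ids and request body are constructed for the example.

```python
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Hypothetical policy: access key -> set of permitted Action values,
# or "*" for a key that is only logged, never blocked (visibility-only mode).
POLICY = {
    "AKIAEXAMPLE1": {"DescribeInstances", "DescribeImages"},  # constructed key id
    "AKIAEXAMPLE2": "*",                                      # constructed key id
}

# Request parameters that must never be written to the log.
SENSITIVE = {"Signature", "SecurityToken"}


def parse_query_api(body):
    """Flatten the form-encoded body of an AWS Query-API request into a dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def gateway_decision(body, policy=POLICY, now=None):
    """Return (allowed, record): the proxy's verdict plus what it should log."""
    params = parse_query_api(body)
    key = params.get("AWSAccessKeyId", "")
    action = params.get("Action", "")
    rules = policy.get(key)
    if rules is None or not action:
        allowed = False                       # unknown key or no Action: deny
    else:
        allowed = rules == "*" or action in rules
    record = {
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "key": key,
        "action": action,
        "allowed": allowed,
        # Remaining parameters, minus anything secret and the two fields above.
        "params": {k: v for k, v in params.items()
                   if k not in SENSITIVE and k not in ("AWSAccessKeyId", "Action")},
    }
    return allowed, record


def format_log_line(record):
    """One JSON line per API call, easy to ship to a SIEM or to grep."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed request body in the Query-API shape (Action/AWSAccessKeyId/Signature).
    sample = ("Action=RunInstances&AWSAccessKeyId=AKIAEXAMPLE1"
              "&Signature=dGVzdA%3D%3D&Version=2010-08-31")
    ok, rec = gateway_decision(sample)
    print(ok, format_log_line(rec))
```

A real deployment would sit between the administrators and the AWS endpoint and forward only the calls for which `gateway_decision` returns True.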

After the long and interesting discussions at Tel-Aviv, I'll oversimplify and draw one hypothesis.

The 2 questions come from people's perception of the "cloud", and they may boil down to the following rephrased questions:

  • Is it possible to secure the PUBLIC cloud?
  • What’s new about the PRIVATE cloud that needs new security measures?

Before trying to answer these questions, I would love to hear what you think about the hypothesis.

Sergio

PS> good luck to the Global Security Challenge finalists

Filed under: AWS, CSA, Discussions, IaaS, Presentations, Uncategorized

Multi-factor authentication with Google apps

I have just realized that my last post was about Multi-Factor Authentication (MFA) on Amazon Web Services; what a coincidence, or is it fashion? Anyway, I'm really happy to see that authentication is finally getting some good solutions, and this is an important step towards achieving secure clouds.

So, back to the Google announcement. We have been using Google Apps for more than one year now and it is really an easy way to share everything, from documents to calendars. In this case, the second authentication factor uses your telephone. I followed the clear instructions to set up the MFA, installing Google Authenticator on my iPhone. Everything was done in 5 minutes and it works!

I have to say that I would like to know more about the algorithm that generates the one-time codes, but it really solves the problem of signing in on untrusted terminals, and you can even use it on your everyday computer if you don't mind having your phone with you and typing in the code.

But there was a problem: I could not get my iPhone synced (contacts, emails, calendars) with the Google account using MFA. I could use the Google Apps, but I'm used to using the default iPhone applications, so I'll have to wait for Apple to support Google MFA…

Yet another integration problem, or another example of the usability vs. security issue? Any thoughts?

Filed under: Discussions, Secure Cloud, Solutions

Multi-factor authentication with Amazon Web Services

I have been using Amazon Web Services (AWS) for a while, but as a security guy I am always complaining about security issues. Today I wanted to thank AWS (and Gemalto) for AWS Multi-Factor Authentication (MFA). I have been using it for 6 months now and it really solved one of my worst fears about authentication to the administration console. Btw, I am not an AWS console fan, but I'm using it because of the MFA.

It is really easy to configure and use, like any other authentication token. Of course, you have to keep it with you, and when your session times out you have to enter a new code: this is the small price to pay for security.

Passwords are not safe: they are kept in the browser (or on a post-it), and authentication tokens really solve this problem. I do not have to remind you what kind of harm someone can do with access to your administration console. Ideally I would love to use it to protect all my Amazon account information, even when I buy a new book, but there I can cope with the risk.

So, let's hope that AWS will provide simple solutions for simple security issues, and I will end with just two:

  • log information about cloud usage
  • access control to be able to limit the privileges of users (of course linked with MFA)

Filed under: AWS

Cloud Security Presentation at IBM

I was glad to represent the Cloud Security Alliance at IBM La Gaude. The goal was to give an overview of cloud security issues, focusing on the 7 top threats, and then review the most important guidelines for IBM partners. Slides here.

It was interesting to see that cloud adoption is rising fast (even in Europe ;-) ), thanks to the efforts of IBM and other major players such as Cap Gemini. Of course, there is still a lot of hype and "cloud washing" on one hand and security concerns on the other, which have a negative effect on the adoption of cloud technology, but many tools are ready for production and real-world projects are running in the cloud worldwide in a lot of different domains. For example, there was a nice presentation about tools for cloud integration, and it will be interesting to see how the Cast Iron acquisition will influence the IBM cloud strategy.

However, in my opinion security tools for cloud environments are still lacking. As a consequence, the private cloud is today's answer to the general and sometimes abstract concern about security in the cloud. A better approach would be to drill down into each security risk (the CSA identified 13 different domains) and build concrete solutions for each of them.

Filed under: CSA, IaaS, Presentations

Thoughts about Secure Cloud 2010

I was in Barcelona for the Secure Cloud 2010 conference. Here are my impressions at the end of 2 days of interesting discussions.

I was happy to realize that, thanks to CSA and ENISA, we are definitely moving forward. We are getting out of endless discussions about problem statements and heading towards the next phase, which is about solutions. Here are some examples:

  • We started to prioritize the issues; the best illustration of this is the CSA top threats initiative.
  • We started talking about security metrics and frameworks for assurance and certification (expert groups within CSA).
  • Some community projects are starting, for example Craig Balding's upcoming SkyLab project, which uses an Amazon Machine Image based on a BackTrack distribution to perform penetration tests within EC2. The issues with Amazon's terms of service have been solved. (I cannot resist also pointing to our own open source project Cloudy_Scripts.)
  • Other very interesting initiatives that are already under way are OIX, an initiative by several industry giants to deal with the communication of online identity credentials over the web, and CloudAudit (formerly named A6), which works on defining an API to automate auditing and security assessment of cloud deployments.

There are plenty of opportunities to get involved and contribute. Now that we have a better understanding of the security problems and have started moving forward, we must not forget to keep up with the pace of the cloud providers, who are constantly working to improve their offerings.

Filed under: AWS, Discussions, Secure Cloud

Slides of the brighttalk summit on Public, Private & Hybrid Clouds

Here they are, enjoy.

Filed under: BrightTalk Summit, Discussions, Presentations

Some Thoughts on Cloud Adoption

Yesterday I gave a talk on cloud security (in French) at the Forum Aristote. I enjoyed several nice presentations and discussions about very concrete customer use cases and needs, which contributed to questions like:

  • Are there real customers considering the public cloud?
  • Are customers attracted by the idea of cloud computing, or are they just puzzled by the marketing hype?

The discussions I had yesterday gave me the impression of a growing consensus about the use of private clouds for critical information and the use of public clouds for non-sensitive data and applications. That leads to the question of what kind of applications are actually addressed by security features in public clouds, e.g. Amazon VPC. VPC surely does not answer all security concerns, but does it at least help to move more applications into the public cloud?

It is also clear that customers are getting used to the concepts of outsourcing as well as SaaS. Most of them even believe that virtualization security is possible and that side-channel attacks in multi-tenant setups have more theoretical than practical impact. So, what's actually missing?

  • More trust in cloud providers (especially public IaaS)
  • A change of attitude that doesn't resist change on principle
  • More knowledge, experience, and cloud success stories

Is cloud adoption caught in a vicious cycle? How can we break out of it? I think this mainly depends on the evolution of the offers and on the trust-building measures of the large providers with regard to compliance, auditing, and security. But there are still far too many remaining open questions. Feedback welcome!

Filed under: Discussions

Public vs Private clouds

Next week (the 15th of December), I'm going to give a talk about cloud security at the "Public, Private & Hybrid Clouds" BrightTalk Summit. There are surprisingly many talks that focus on cloud (in)security, although after all it isn't too surprising, given that security is the key issue when comparing public and private cloud infrastructures.

Guy Churchward, LogLogic CEO, wrote an interesting post on this subject, and Gartner argues that private is the way to go. I am wondering whether this opinion has become a consensus or whether there are still public (sic!) defenders of the public cloud. I hope that the users of Amazon EC2 and Salesforce raise their voices and that we find more use cases than the usual ones like testing, non-sensitive data, marketing campaigns, non-critical business processes and so on.

I think we can associate the threats and risks of cloud computing with the following root causes (admittedly this is a simplification):

  1. outsourcing
  2. resource sharing
  3. virtualization
  4. infrastructure volatility

Private clouds solve the first two: (1) they increase trust and allow full visibility and control over the infrastructure, and (2) they are not exposed to side-channel attacks. I hope to interact with you at the summit, and if you already have a favorite topic or questions on the subject, do not hesitate to drop a comment. I might include it in the presentation.

Filed under: BrightTalk Summit, Discussions

Quick Notes on the RSA Conference Europe 2009

Good conference, with a lot of interesting sessions and discussions during the 3 days.

I will try to give you my quick impressions on the trends of this year's conference:

  • Data leakage protection (DLP). Finally, IMO the products are mature and comprehensive. Maybe not yet ready for widespread adoption by SMBs, but very interesting propositions for when security budgets are on the rise again.
  • Compliance. This is the real driver of today's security market. Products that help enterprises get compliant with major regulations, typically Security Information Management (SIM) solutions, are getting much attention despite not being a new market.
  • Virtualization security. The hot concrete topic of this year's conference. IMO, security professionals were again a bit late reacting to this trend, but they are now actively developing guidelines and services to address virtualization, and the first results of these efforts are coming out. I strongly recommend the session by Dennis Moreau of EMC, "Attacking and Defending Virtual Infrastructure", for a nice overview of the subject.
  • Cloud security. The buzzword was the real HOT topic. Several tracks were addressing it, but it came up in every coffee-break discussion as well. I would like to thank Craig Balding of cloudsecurity.org for many interesting discussions on the subject. My own conclusion from the conference is that security professionals are really skeptical about the subject, especially concerning compliance and SLAs. A very good illustration was the RANT session by Hugh Thompson. Interestingly enough, one of the only positive voices about cloud security was Philippe Courtot, the CEO of Qualys.

Sorry for not referring to the many other interesting sessions; I'll try to get back to them in a later post. Anyway, it was a good conference, and I hope that these first notes fuel some more feedback from the other participants or from other people as well. Please add your thoughts.

Filed under: Discussions, RSA Europe

Amazon VPC Brief Analysis

Some weeks ago, Amazon Web Services announced VPC (Virtual Private Cloud) in a move to address security requirements for enterprise customers and to provide the missing link for hybrid deployments (although some questions remain, especially concerning the technology behind their offer). Since we recently suggested a list of requirements for a cloud VPN, we want to take Amazon's announcement as an occasion to compare VPC's features against this list.

The overall use case Amazon is addressing is communication between the internal network and the cloud. Here is the list (*):

Clientless: VPC uses IPsec, which is supported by the majority of security gateways, so there is no need to install a VPN client.

Centralized management: VPC configuration is provided through the Amazon API (although not yet integrated in the Amazon Console). Existing VPN monitoring tools already used in the internal infrastructure should also be operational in the private part of the cloud.

Authentication and authorization features: Even if integration with security groups is not yet provided, it can be expected soon. Concerning authentication, the method provided is an IKE Security Association using pre-shared keys. Role-based access control is not provided by Amazon.

Integration with endpoint security: VPC targets the security of the communication and does not provide endpoint security. However, enterprises may deploy existing endpoint security products within the AMIs in the VPC.

Advanced logging and reporting: In our opinion, this is the Achilles' heel of AWS, and VPC is no better. No information is provided at the network and firewall level.

Support of different communication methods and devices: We do not know yet if multicast will one day be supported in EC2 and VPC. Concerning devices, Amazon announces that "We also plan to support Software VPNs in the near future."

High availability: Only one VPC can be configured per AWS account for the moment. No elastic load balancing is available, so it is up to the customers to build their own HA solution.

Static addressing: Today it is possible to specify a subnet, but the IP address is randomly picked within the subnet, and you cannot use Elastic IPs. Amazon is expected to drop these restrictions in its roadmap.

Conclusion: Even though there are a couple of requirements where VPC falls short, VPC is an important first step towards IaaS security, and it will help customers to move to the cloud with confidence. It lays the groundwork on which customers can build and extend their security architecture into the public cloud.

(*) Green: works out of the box. Yellow: works partly or can be achieved with additional reasonable efforts of the customer. Red: not fulfilled.

Filed under: AWS, Discussions, Solutions
