Elastic Security


Security for the Cloud

Is Cloud-Computing Centralized or Decentralized? (Part 1)

The question whether an architecture should be centralized or decentralized is one of the recurring questions in systems design, and also a subject of discussion in organizational and political theory. In most enterprises, and especially in IT departments, technical and organisational aspects coincide and even influence each other. To understand the possible impact of cloud computing on the structure of organisations, we would like to figure out whether cloud computing actually follows a centralized or a decentralized architecture. Let's therefore start with a journey through history (the history of cloud computing is nothing less than the history of computers and computer networks) and their alternation between centralization and decentralization.

The First Computers in Use

The first effectively used computer (ENIAC) occupied the space of a large building (around 300 m2), was built for very specialized military applications, and all of its instructions were hardcoded and controlled by some 6000 manually operated switches. The next computer (EDVAC) became more flexible, controllable and less error-prone with the use of punch cards. The next one (MIT's Whirlwind) was the first with a rudimentary user interface (a kind of radar screen). At that point, computers were large, extremely expensive and specialized, and only one organization in the world could use them: the military.

Giant monolithic building blocks in a fixed location. The first computers were, without any doubt, centralized.

Continue [Part 2]

Filed under: Cloud Computing, Discussions

Cloud Predictions for 2011

The end of the year is the time for predictions (by the way, does anybody ever look back at the predictions from the previous year?). A quite complete and profound list of predictions was published by Forbes' CIO Central blog. Instead of having a look into my own crystal ball, here are some remarks and questions from my side on those predictions that refer to general trends in the cloud market and to cloud infrastructure:

Replace most new procurement with cloud strategies: CFOs will sing the praises of cloud IT? Why didn't they do this already in 2010, and what has changed in the meantime? The blog cites preferences in deployment solutions and a lack of innovative on-premises options, which are rather weak arguments unless major infrastructure investments are necessary and planned for 2011.

Start with private clouds as a stepping stone to public clouds: private clouds are not a stepping stone to public clouds, but rather a different choice in my opinion. Why would anybody make the huge investment of creating a private cloud when he is willing to switch to a public cloud shortly afterwards? Building a private cloud also requires new hardware (since transforming an existing machine park is hardly possible without disconnecting machines temporarily). However, I could very well imagine hybrid scenarios as a stepping stone: think of companies like CloudSwitch, Amazon's VPC, and the recently announced feature of importing VMware images into EC2, and you see that the effort of playing around with hybrid clouds has become rather small. Certain use cases, like handling temporary peak demand, will also drive hybrid clouds.

Get real about security: for the majority of the early adopters of cloud computing, security concerns were less important than the benefits (OPEX instead of CAPEX, scaling, pay-per-use). I expect the next wave of adopters to be more fastidious when it comes to security. That, by the way, is the reason why we believe in software like Elastic Detector that automates monitoring and security for cloud infrastructures.

Move to private clouds as a back up to public clouds: replace "private" with "hybrid" and I agree. Data integration and security are the key competencies needed for migrating (part of) the internal infrastructure of an enterprise to the cloud.

Begin the transition from best of breed purpose built solutions to cloud mega stacks: it seems very clear to me that once enterprises go for SaaS solutions, they also need the customization facilities provided by PaaS platforms. Salesforce with force.com and its acquisition of Heroku point clearly in this direction.

Leverage apps market places and ecosystems for the last mile: this prediction is a logical evolution of the need for customization. I fully agree.

Superior user experience and scale won't be mutually exclusive: while ease of use and scale are not mutually exclusive, this is very much the case for ease of use and the need for customization and integration. The ease of use of SaaS solutions is to a large degree due to their restriction to a minimum and their concentration on specific use cases.

Shift all new custom app development to the cloud: yes, the development and deployment of new projects are a major driver of cloud computing solutions.

Expect DaaS and PaaS to merge in 2011: yes, customization requires both data-related and programming-logic-related facilities. Merging them in a common platform makes perfect sense.

Demand better virtualization: virtualization will evolve, tools will become more powerful and virtualization technology more efficient. However, this is a process that has been ongoing for several years now and I don't see an important acceleration here. I consider standardization and compatibility between different virtualization technologies even more important, and I guess they will play a much bigger role in the next couple of months.

Simplify the overall technology landscape: I rather expect that different technologies (cloud and non-cloud) will co-exist during a transition phase that may take quite some time. Thus, I rather expect a more heterogeneous, and thus also more complicated, technology landscape in large organizations. Things are surely different for small organizations that are willing to adopt the public cloud and thus restructure their IT from scratch.

Conclusions: Cloud Computing is no longer a question of "if" or "when", but a question of "how". Companies are convinced of the financial benefits of cloud computing. I thus expect them to push for interoperability, standardization, customization, and integration. They will also ask for security, management, and monitoring solutions that deal with the elastic character of cloud computing. When SaaS providers offer more and more customization facilities, and IaaS providers more and more additional services on top of their basic infrastructure offering, they both seem to merge into something that resembles PaaS. If you look for a bottom line for the predictions, here it is: 2011 could be the year of PaaS.

Filed under: Discussions

Global Security Challenge at Tel-Aviv and THE 2 cloud security questions

I was really pleased to be among the 4 best European start-ups that were in Tel-Aviv last week to participate in the Global Security Challenge. Unfortunately we did not get to the finals, but it was still a very good experience. This competition has a broad security scope; for example, there were companies focusing on water security and physical security. IT security is very important as well and even touches critical industrial systems, as shown by the Stuxnet incident.

Moreover, I was impressed by the Israeli ecosystem in security technologies, and I expect that global security players will continue to emerge from here.

Nevertheless, I found it puzzling that the 2 most frequent questions everyone asked me about cloud security were somewhat contradictory:

  • Is it possible to secure the cloud?
  • What’s new about the cloud that needs new security measures?

So, this seems to suggest that, on the one hand, it is too big a problem to solve and, on the other hand, that the cloud is more hype than something really new that brings new security requirements.

The easy answer to both questions is to refer to the Cloud Security Alliance, where we did comprehensive work on these issues, especially on the problem statement. Moreover, I always try to enumerate what I believe are the root causes of the cloud security problems and the main differences between public and private clouds. Then I really believe that we need to focus on specific problems and try to find solutions for them. For instance, concerning the problem of lack of visibility in the cloud (API logs on Amazon Web Services, to give a concrete example), we might think of a gateway (working as a proxy) that logs (and optionally controls) the API usage.
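The gateway idea above, reduced to its decision logic, as an added example (not code from the original post or from the Elastic Detector product). It assumes the request format of the 2010-era EC2 Query API (an `Action` parameter plus `AWSAccessKeyId` and `Signature`, sent either as a GET query string or as a form-encoded POST body); the policy table, the access key IDs and the sample requests are constructed for illustration.

```python
"""Inspection logic for an API-logging gateway in front of the AWS Query API.

Added example, not code from the original post. The policy table, the access
key IDs and the request samples are constructed; the request shape
(Action=... plus AWSAccessKeyId and Signature, as GET query string or
form-encoded POST body) is the one the 2010-era EC2 Query API used.
"""
import json
from urllib.parse import parse_qsl, urlsplit

# Hypothetical policy: which access key IDs may invoke which API actions.
# Actions that do not appear here are logged and denied when enforcing.
POLICY = {
    "DescribeInstances": {"AKIAEXAMPLEOPS", "AKIAEXAMPLEAUDIT"},
    "RunInstances": {"AKIAEXAMPLEOPS"},
    "TerminateInstances": {"AKIAEXAMPLEOPS"},
}

# Parameters that must never reach the log store.
REDACTED = {"Signature", "SecretAccessKey"}


def parse_query_request(method, url, body=""):
    """Return (host, params) for an AWS Query-API request.

    GET requests carry the parameters in the URL; POST requests carry them
    form-encoded in the body. Both are folded into one dict so the policy
    check does not depend on the HTTP method the caller chose.
    """
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if method.upper() == "POST" and body:
        params.update(parse_qsl(body, keep_blank_values=True))
    return parts.netloc, params


def inspect_request(method, url, body="", enforce=True):
    """Decide whether to forward a request and build its audit record.

    Returns (forward, record). With enforce=False the gateway is a pure
    logger: every request is forwarded and the record says what would have
    happened, which is the safe mode to start in before a policy is trusted
    enough to block real traffic.
    """
    host, params = parse_query_request(method, url, body)
    action = params.get("Action")
    key_id = params.get("AWSAccessKeyId")
    allowed = key_id is not None and key_id in POLICY.get(action, set())
    decision = "allow" if allowed else "deny"
    record = {
        "host": host,
        "method": method.upper(),
        "action": action,
        "access_key": key_id,
        "decision": decision if enforce else "audit:" + decision,
        # Everything else (InstanceId.1, ImageId, ...) is kept for forensics,
        # except the signature material.
        "params": {
            k: ("<redacted>" if k in REDACTED else v)
            for k, v in params.items()
            if k not in ("Action", "AWSAccessKeyId")
        },
    }
    return allowed or not enforce, record


def log_line(record):
    """One JSON object per request, key order fixed so the log greps well."""
    return json.dumps(record, sort_keys=True)


# Constructed sample traffic: an audit-only key reading, then the same key
# trying to terminate an instance.
SAMPLE_REQUESTS = [
    ("GET", "https://ec2.amazonaws.com/?Action=DescribeInstances"
            "&AWSAccessKeyId=AKIAEXAMPLEAUDIT&Version=2010-08-31"
            "&Signature=c2lnbmF0dXJl&SignatureVersion=2", ""),
    ("POST", "https://ec2.amazonaws.com/",
             "Action=TerminateInstances&InstanceId.1=i-1a2b3c4d"
             "&AWSAccessKeyId=AKIAEXAMPLEAUDIT&Signature=c2lnbmF0dXJl"),
]


def run_samples(enforce=True):
    """Process the samples; returns the list of (forward, record) pairs."""
    return [inspect_request(m, u, b, enforce) for m, u, b in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for forward, rec in run_samples():
        print(("FORWARD " if forward else "BLOCK   ") + log_line(rec))
```

Two caveats for anyone turning this into a real gateway: the requests are signed by the client with its secret key, so the gateway can inspect, log and drop them but cannot rewrite them without re-signing; and it only sees traffic if it terminates TLS, which means clients must be pointed at it as their endpoint and trust its certificate.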

After the long and interesting discussions in Tel-Aviv, I'll oversimplify and draw one hypothesis.

The 2 questions come from people's perception of the "cloud", and they may boil down to the following rephrased questions:

  • Is it possible to secure the PUBLIC cloud?
  • What’s new about the PRIVATE cloud that needs new security measures?

Before trying to answer these questions, I would love to hear what you think about the hypothesis.

Sergio

PS> good luck to the Global Security Challenge finalists

Filed under: AWS, CSA, Discussions, IaaS, Presentations, Uncategorized

Multi-factor authentication with Google apps

I have just realized that my last post was about Multi-Factor Authentication (MFA) on Amazon Web Services; what a coincidence, or is it fashion? Anyway, I'm really happy to see that authentication is finally getting some good solutions, and this is an important step towards achieving secure clouds.

So, back to the Google announcement. We have been using Google Apps for more than one year now and it is a really easy way to share everything, from documents to calendars. In this case, the second authentication factor uses your telephone. I followed the clear instructions to set up the MFA, installing Google Authenticator on my iPhone. Everything was done in 5 minutes and it works!

I have to say that I would like to know more about the algorithm that generates the one-time codes, but it really solves the problem of signing in on untrusted terminals, and you can even use it on your everyday computer if you don't mind having your phone with you and typing in the code.

But there was a problem: I could not get my iPhone synced (contacts, emails, calendars) with the Google account using MFA. I could use the Google Apps, but I'm used to using the iPhone default applications, so I'll have to wait for Apple to support the Google MFA…

Yet another integration problem, or another example of the usability vs. security issue? Any thoughts?

Filed under: Discussions, Secure Cloud, Solutions

Reality Check: Data Center & Cloud Computing

Last week I visited the "Data Center & Cloud Computing" trade show in Paris and talked to many exhibitors about their usage of public cloud infrastructures, their perception of services like Amazon EC2 or Rackspace, and the impact these might have on their business. The term "cloud computing" was omnipresent in almost all panels and discussions about IT organization, data center design, and software development. It was written on many banners, booth headers and brochures, but people still understand completely different things by it. It seems to cause as much rejection and fear as enthusiasm and hope. Here is a collection of my impressions and the discussion points that struck me…

Rejection & Fear

Rejection and fear often come from existing hosters and managed service providers. Their arguments against public cloud computing infrastructures:

  • The question of Service Level Agreements (SLAs) and service guarantees that include penalties for service outages
  • Performance guarantees
  • Security Concerns and data protection
  • Trust in local providers

They see a risk in the fact that IT transforms into a fully industrialized service with few big players that, moreover, all come from the US. Some have also built a differentiating core competence in managing IT more efficiently and negotiating better service contracts than their competitors; they fear losing this competitive advantage when cloud infrastructures become mainstream. In addition, there are the fears of system administrators who are confronted with the unknown and forced to learn a lot of new things and change well-established processes.

Enthusiasm & Hope

Enthusiasm and hope mainly come from new players in the field, startups, and managed service providers. They see new business models and the possibility to start a software service with few capital expenses. Agile development has finally found its friendly counterpart: agile deployment that no longer hurts at the bottlenecks of IT processes and static equipment.

But established players, including hosters, also see new opportunities, especially the opportunity to simplify IT processes and to gain cost effectiveness through pay-per-use models. Some open-source partisans also expressed the hope that cloud computing infrastructures will strengthen the open-source movement. I also met several companies, established hosters as well as new players, that offer pay-per-use models on top of their own data centers and have started to offer resources the cloud way, including APIs.

Conclusion

Cloud computing is omnipresent in all discussions on IT management, hosting and data centers. Amazon EC2 is the dominant name for cloud infrastructures. Young companies start using it; established ones anticipate the impact of cloud services and even consider it a strategic must to show presence in the domain.

Filed under: Discussions, IaaS

Thoughts about Secure Cloud 2010

I was in Barcelona for the Secure Cloud 2010 conference. Here are my impressions at the end of 2 days of interesting discussions.

I was happy to realize that, thanks to CSA and ENISA, we are definitely moving forward. We are getting out of endless discussions about problem statements and heading towards the next phase, which is about solutions. Here are some examples:

  • We have started to prioritize the issues; the best illustration of this is the CSA Top Threats initiative.
  • We have started talking about security metrics and frameworks for assurance and certification (expert groups within CSA).
  • Some community projects are starting, for example Craig Balding's upcoming SkyLab project, which uses an Amazon Machine Image based on a BackTrack distribution to perform penetration tests within EC2. Issues with Amazon's terms of service have been solved. (I cannot resist also pointing to our own open source project, Cloudy_Scripts.)
  • Other very interesting initiatives that have already been started are OIX, an initiative by several industry giants to deal with the communication of online identity credentials over the web, and CloudAudit (formerly A6), which works on defining an API to automate the auditing and security assessment of cloud deployments.

There are plenty of opportunities to get involved and contribute. Now that we’ve got a better understanding of the security problems and have started moving forward, we must not forget to keep up with the pace of cloud providers, which are constantly working to improve their offerings.

Filed under: AWS, Discussions, Secure Cloud

Reality Check: Infrastructure Clouds on CeBIT 2010

Last week I spent two days at CeBIT and talked with many people about cloud infrastructure services like Amazon EC2 or Rackspace. I wanted to know if and how cloud infrastructures are already used and what business impact they have for European IT companies. What are the drivers, use cases, and obstacles of cloud computing? Here is what I found out (note that these findings are not the result of a representative market study and are prone to personal bias).

Hosting Providers

Hosting providers (at least those delivering managed and application hosting) see increasing requests from their customers to deliver hosting services that are 1) immediately available (minutes instead of days or weeks) and 2) don't require long-term contracts. As a consequence, some hosting providers are working on appropriate solutions based on widespread virtualization technology such as VMware, Parallels or Xen. Others already keep a pool of physical machines in standby mode dedicated to just-in-time allocation and temporary, short-term usage. I didn't meet a cloud hosting provider that offered IaaS (Infrastructure as a Service) the way AWS does. However, I saw several companies providing solutions to turn existing infrastructures into cloud infrastructures and to manage infrastructure and billing, either for internal usage ("private cloud") or for cloud hosting ("public cloud").

Consultants and Integrators

The vast majority of small integrator companies I met at CeBIT offered development and hosting for specific applications (in the domains of ERP, CRM, CMS and e-shops) for small and medium-sized companies. The majority of those 1) have never heard of cloud infrastructures, 2) think it is a fad, or 3) think it is only something for a few companies with extreme scaling needs. There were also quite a few that use it for development, testing, and demoing ongoing projects to customers. For those kinds of usage, security concerns are not important (by the way, I heard several times that customers are less concerned about whether their data is stored securely than about where it is stored. I don't know if this is a common concern…). I met one CMS software and service provider that already runs a handful of their customers on AWS.

Web shops are very often implemented, managed, and run by web agencies and integrators. I was surprised that I didn't find more cloud infrastructure users in the e-commerce domain. I guess that web shops could save a lot of money by dynamically adapting their resource usage to the varying activity of their own customers depending on holidays, seasons, weekdays (or even hours: how many Germans buy books between 3 and 4 in the morning?). Probably, long-established partnerships and investments in existing infrastructures play an important role here, as well as a rather conservative mentality ("never change a running system").

Managed Security Service Providers (MSSPs)

This group offers and advocates cloud services (anti-spam, web security, leakage protection, secure document sharing), but they don't use cloud infrastructures themselves; rather, they build and manage their own data centers. Since security is their core competence and asset, using cloud infrastructure services could cause irritation among their customers. In addition, full control over all aspects of their infrastructure, including network and hardware, is important for them.

SaaS Startups

Among this group (which was rather small at CeBIT), I found the most enthusiastic advocates and users of cloud infrastructures, which is not very surprising given their inherent need to start small with little capital, the potential to grow quickly and scale, and also the readiness to innovate and try new technologies.

Summary

The term "cloud computing" was omnipresent in the marketing material and discussions at CeBIT, but its real-world impact is still relatively small. SaaS is on the way to the mainstream and seems to be the key driver for cloud infrastructure services. Application hosters watch companies like AWS very closely and are even working on making their offerings more flexible with regard to contract duration and pay-per-use models. Today, at least outside the (European) startup world, public IaaS (Infrastructure as a Service) adoption is at an early stage. It seems that companies address the demand for utility computing rather by creating private cloud infrastructures, at least as a first step.

Filed under: CeBIT, Discussions, IaaS

Slides of the BrightTalk summit on Public, Private & Hybrid Clouds

Here they are, enjoy

Filed under: BrightTalk Summit, Discussions, Presentations

Some Thoughts on Cloud Adoption

Yesterday I gave a talk on cloud security (in French) at the Forum Aristote. I enjoyed several nice presentations and discussions about very concrete customer use cases and needs that contributed to questions like:

  • Are there real customers considering the public cloud?
  • Are customers attracted by the idea of cloud computing or just puzzled by the marketing hype?

The discussions I had yesterday gave me the impression of a growing consensus about the use of private clouds for critical information and the use of public clouds for non-sensitive data and applications. That leads to the question of what kind of applications are actually addressed by security features in public clouds, e.g. Amazon VPC. VPC surely does not answer all security concerns, but does it at least help to move more applications into the public cloud?

It is also clear that customers are getting used to the concepts of outsourcing as well as SaaS. Most of them even believe that virtualization security is possible and that side-channel attacks in multi-tenant setups have more theoretical than practical impact. So, what's actually missing?

  • More trust in cloud providers (especially public IaaS)
  • A change of attitude that doesn't resist change on principle
  • More knowledge, experience, and cloud success stories

Is cloud adoption caught in a vicious cycle? How to break out of it? I think this mainly depends on the evolution of the offerings and the trust-building measures of the large providers with regard to compliance, auditing, and security. But there are still far too many open questions remaining. Feedback welcome!

Filed under: Discussions

Public vs Private clouds

Next week (on the 15th of December), I'm going to give a talk about cloud security at the "Public, Private & Hybrid Clouds" BrightTalk Summit. There are surprisingly many talks that focus on cloud (in)security, although after all it isn't too surprising given the fact that security is the key issue when comparing public and private cloud infrastructures.

Guy Churchward, LogLogic's CEO, wrote an interesting post on this subject, and Gartner argues that private is the way to go. I am wondering if this opinion has become a consensus or if there are still public (sic!) defenders of the public cloud. I hope that the users of Amazon EC2 and Salesforce raise their voice and that we find more use cases than the usual ones like testing, non-sensitive data, marketing campaigns, non-critical business processes and so on.

I think we can associate the threats and risks of cloud computing with the following root causes (admittedly this is a simplification):

  1. outsourcing
  2. resource sharing
  3. virtualization
  4. infrastructure volatility

Private clouds solve the first two: (1) they increase trust and allow full visibility and control over the infrastructure, and (2) they are not exposed to side-channel attacks. I hope to interact with you at the summit, and if you already have a favorite topic or questions on the subject, do not hesitate to drop a comment. I might include it in the presentation.

Filed under: BrightTalk Summit, Discussions
