Elastic Security

Security for the Cloud

Global Security Challenge at Tel-Aviv and THE 2 cloud security questions

I was really pleased to be among the best 4 European start-ups that were in Tel-Aviv last week to participate in the Global Security Challenge. Unfortunately we did not get to the finals, but it was still a very good experience. This competition has a broad security scope; for example, there were companies focusing on water security and physical security. IT security is very important as well and even touches critical industrial systems, as shown by the Stuxnet incident.

On the other hand, I was impressed by the Israeli ecosystem on security technologies and I expect that some of the global security players will continue to start from here.

Nevertheless, I found it puzzling that the 2 most frequent questions everyone asked me about cloud security were somewhat contradictory:

  • Is it possible to secure the cloud?
  • What’s new about the cloud that needs new security measures?

So, it seems to suggest that on one hand it is too big a problem to solve and on the other hand that the cloud is more hype than something really new that brings new security requirements.

The easy answer for both questions is to refer to the Cloud Security Alliance, where we did comprehensive work on these issues, especially on the problem statement. Moreover, I always try to enumerate what I believe are the root causes of the cloud security problems and the main differences between public and private clouds. Then I really believe that we need to focus on specific problems and then try to find solutions. For instance, concerning the problem of lack of visibility on the cloud (API logs on Amazon Web Services, to give a concrete example), we might think of a gateway (working as a proxy) that logs (and optionally controls) the API usage.
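
The gateway idea above, as an added example that is not part of the original post: the decision and logging step of a proxy that records each API call and optionally blocks some of them. It assumes Query-style requests carrying `Action` and `AWSAccessKeyId` parameters; the deny list, the endpoint host and the sample requests are hypothetical.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Hypothetical policy for this sketch: actions the gateway will not forward.
DENIED_ACTIONS = {"TerminateInstances", "DeleteVolume"}
# Parameters that must never be written to the audit log.
REDACTED = {"Signature", "SecurityToken"}


def audit(method, url, body="", source_ip="-", enforce=False):
    """Build one audit record for a Query-style API request and decide
    whether the gateway forwards it ("forward") or blocks it ("deny")."""
    parts = urlsplit(url)
    # Query-style parameters arrive in the URL (GET) or the form body (POST).
    raw = parts.query if method.upper() == "GET" else body
    params = dict(parse_qsl(raw, keep_blank_values=True))
    action = params.get("Action")
    record = {
        "source_ip": source_ip,
        "endpoint": parts.hostname,
        "method": method.upper(),
        "caller": params.get("AWSAccessKeyId", "unknown"),
        "action": action or "unparsed",
        "params": {k: ("<redacted>" if k in REDACTED else v)
                   for k, v in sorted(params.items())},
    }
    if action is None:
        # Fail closed when enforcing: an unreadable call is not forwarded.
        record["decision"] = "deny" if enforce else "forward"
    elif enforce and action in DENIED_ACTIONS:
        record["decision"] = "deny"
    else:
        record["decision"] = "forward"
    return record


def to_log_line(record):
    """One JSON object per line, suitable for append-only storage."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample request (placeholder key id and signature).
    body = ("Action=TerminateInstances&InstanceId.1=i-00000000"
            "&AWSAccessKeyId=AKIDEXAMPLE&Signature=abc123")
    rec = audit("POST", "https://ec2.example.test/", body, "203.0.113.7", True)
    print(to_log_line(rec))
```

With `enforce=False` the gateway only observes; with `enforce=True` it also refuses denied or unparseable calls, which is the "optionally controls" part.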

After the long and interesting discussions at Tel-Aviv, I’ll oversimplify and draw one hypothesis.

The 2 questions come from people’s perception of the “cloud” and it may boil down to the following rephrased questions:

  • Is it possible to secure the PUBLIC cloud?
  • What’s new about the PRIVATE cloud that needs new security measures?

Before trying to answer these questions, I would love to hear what you think about the hypothesis.

Sergio

PS: good luck to the Global Security Challenge finalists

Filed under: AWS, CSA, Discussions, IaaS, Presentations, Uncategorized

Cloud Computing: Hype or Revolution?

What is cloud computing? What different clouds exist? What are the differences between the different shapes? What do they have in common? What’s new? How big is the cloud? And which cloud is best for me?

Here are the slides of my presentation at BarCamp Sophia Antipolis 2010.

Filed under: IaaS, Presentations

Cloud Security Presentation at IBM

I was glad to represent the Cloud Security Alliance at IBM La Gaude. The goal was to give an overview of cloud security issues focusing on the 7 top threats and then review the most important guidelines to IBM partners. Slides here.

It was interesting to see that cloud adoption is rising fast (even in Europe ;-) ), thanks to the efforts of IBM and other major players such as Cap Gemini. Of course, there is still a lot of hype and “cloud washing” on the one hand and security concerns on the other, which have a negative effect on the adoption of cloud technology, but many tools are ready for production and real-world projects are running in the cloud worldwide in a lot of different domains. For example, there was a nice presentation about tools for cloud integration, and it will be interesting to see how the Cast Iron acquisition will influence the IBM cloud strategy.

However, in my opinion security tools for cloud environments are still lacking. As a consequence, private cloud is today’s answer to address the general and sometimes abstract concern with security in the cloud. A better approach would be to drill down into each security risk (the CSA identified 13 different domains) and build concrete solutions for each of them.

Filed under: CSA, IaaS, Presentations

Reality Check: Data Center & Cloud Computing

Last week I visited the “Data Center & Cloud Computing” trade-show in Paris and talked to many exhibitors about their usage of public cloud infrastructures, their perception of services like Amazon EC2 or Rackspace, and the impact they might have on their business. The term “cloud computing” was omnipresent in almost all panels and discussions about IT organization, data center design, and software development. It was written on many banners, booth headers and brochures, but still people understand completely different things by it. It seems to cause as much rejection and fear as enthusiasm and hope. Here is a collection of my impressions and discussion points that struck me…

Rejection & Fear

Rejection and fear often come from existing hosters and managed service providers. Their arguments against public cloud computing infrastructures:

  • The question of Service Level Agreements (SLAs) and service guarantees that include penalties for service outages
  • Performance guarantees
  • Security concerns and data protection
  • Trust in local providers

They see a risk in the fact that IT transforms into a fully industrialized service with few big players that are – moreover – only coming from the US. Some have also built a differentiating core competence in managing IT more efficiently and negotiating better service contracts than their competitors – they fear losing this competitive advantage when cloud infrastructures become mainstream. In addition, there are fears of the system administrators who are confronted with the unknown and forced to learn a lot of new things and change well-established processes.

Enthusiasm & Hope

Enthusiasm and hope mainly come from new players in the field, startups, and managed service providers. They see new business models and the possibility to start a software service with few capital expenses. Agile development finally found its friendly counterpart: agile deployment that no longer hurts at the bottlenecks of IT processes and static equipment.

But established players, including hosters, also see new opportunities, especially the opportunity to decomplexify IT processes and to gain cost effectiveness through pay-per-use models. Some open-source partisans also expressed the hope that cloud computing infrastructures strengthen the open-source movement. I also met several companies – established hosters as well as new players – that offer pay-per-use models on top of their own data centers and started to offer resources the cloud way, including APIs.

Conclusion

Cloud computing is omnipresent in all discussions on IT management, hosting and data centers. Amazon EC2 is the dominating name for cloud infrastructures. Young companies start using it, established ones anticipate the impact of cloud services and even consider it a strategic must to show presence in the domain.

Filed under: Discussions, IaaS

Reality Check: Infrastructure Clouds on CeBIT 2010

Last week I spent two days at CeBIT and talked with many people about cloud infrastructure services like Amazon EC2 or Rackspace. I wanted to know if and how cloud infrastructures are already used and which business impact they have for European IT companies. What are the drivers, use cases, and obstacles of cloud computing? Here is what I found out (note that these findings are not the result of a representative market study and are prone to personal bias).

Hosting Providers

Hosting providers (at least those delivering managed and application hosting) see increasing requests from their customers to deliver hosting services that 1) are immediately available (minutes instead of days or weeks) and 2) don’t require long-term contracts. As a consequence, some hosting providers work on appropriate solutions based on widespread virtualization technology such as VMware, Parallels or Xen. Others already keep a pool of physical machines in standby mode dedicated to just-in-time allocation and temporary and short-term usage. I didn’t meet a cloud-hosting provider that offered IaaS (Infrastructure as a Service) such as AWS does. However, I saw several companies providing solutions to turn existing infrastructures into cloud infrastructures and manage infrastructure and billing for either internal usage (“private cloud”) or cloud hosting (“public cloud”).

Consultants and Integrators

The vast majority of small integrator companies I met at CeBIT offered development and hosting for specific applications (in the domains ERP, CRM, CMS, E-Shops) for small- and medium-sized companies. The majority of those 1) have never heard of cloud infrastructures, 2) think it is a fad or 3) think it is only something for a few companies with extreme scaling needs. There were also quite a few that use it for development, testing, and demoing ongoing projects to customers. For those kinds of usage, security concerns are not important (by the way, I heard several times that customers are less concerned about whether their data is stored securely than about where it is stored. Don’t know if this is a common concern…). I met one CMS software and service provider that already runs a handful of their customers on AWS.

Web-Shops are very often implemented, managed, and run by web-agencies and integrators. I was surprised that I didn’t find more cloud infrastructure users in the E-Commerce domain. I guess that Web-Shops could save a lot of money by dynamically adapting their resource usage to the varying activity of their own customers depending on holidays, seasons, weekdays (or even hours: how many Germans buy books between 3 and 4 in the morning?). Probably, long-established partnerships and investments in existing infrastructures play an important role here, as well as a rather conservative mentality (“never change a running system”).

Managed Security Service Providers (MSSPs)

This group offers and advocates cloud services (anti-spam, web-security, leakage protection, secure document sharing), but they don’t use cloud infrastructures themselves; rather, they build and manage their own data centers. Since security is their core competence and asset, using cloud infrastructure services could cause irritations among their customers. In addition, full control of all aspects of their infrastructure, including network and hardware, is important for them.

SaaS Startups

Among this group (which was rather small at CeBIT), I found the most enthusiastic advocates and users of cloud infrastructures, which is not very surprising due to their inherent needs to start small with little capital, the potential to grow quickly and scale, and also the readiness to innovate and try new technologies.

Summary

The term “cloud computing” was omnipresent in the marketing material and discussions at CeBIT, but its real-world impact is still relatively small. SaaS is on the way to mainstream and seems to be the key driver to cloud infrastructure services. Application hosters watch companies like AWS very closely and even work on making their offerings more flexible with regard to contract duration and pay-per-use models. Today – at least outside the (European) startup-world – public IaaS (Infrastructure as a Service) adoption is in an early stage. It seems that companies address the demand for utility computing rather by creating private cloud infrastructures – at least as a first step.

Filed under: CeBIT, Discussions, IaaS
