Elastic Security

Icon

Security for the Cloud

May 26, 2011 • 20:43 0

Solutions Linux presentation

Two weeks ago, I attended the Solutions Linux french exhibition at Paris. I was proud to be part on a round table on cloud computing and I did a presentation on the security track about how to monitor an Amazon EC2 infrastructure with open source tools and specially nagios. Here are the slides as promised (in french).

Filed under: Uncategorized

March 25, 2011 • 18:10 0

Security THE differentiator between cloud computing offerings

I’ve read a very interesting and different post about security in cloud computing and more precisely IaaS (Infrastructure as a Service).

Tons of articles and surveys about security being the major obstacle to cloud computing and lots of FUD are current, but Andreas M. Antonopoulos dared to offer a new perspective of security as THE differentiator of IaaS offerings. I have especially like the part:

“Security is like a liquor license to a restaurant — an opportunity to up-sell each customer with a high-profit margin product to balance out the dismal or loss-leading margins of the core product. Security is the single most profitable differentiator that a service provider can add to IaaS to have any hope of making money. Security is brand-sensitive, labor-intensive, infinitely customizable and difficult to scale. That makes security the perfect differentiator that can add value to a bland IaaS offering.”

As a security provider for IaaS I’ve to strongly agree with this new perspective and we are currently working with hosting companies and IaaS providers in order to make this perspective come true.

For us, the main challenges ahead:

  • Heterogeneity: There are several cloud stacks (AWS, OpenStack, VMWare, Nimbula, Eucalyptus just to name a few), so it is hard to build solutions for all and  moreover they offer different functionality
  • Focus: Security is a real and hard problem (please check the guidelines of the Cloud Security Alliance if you want to go deeper), but we have to focus on customers needs with an incremental approach and try to build solutions for each need (there is no silver bullet)

What do you think about these challenges?

Thanks Andreas for the refreshing article

Filed under: Uncategorized

February 8, 2011 • 10:17 0

Reply to “Don’t Conflate Virtual with Dynamic”

This post is a reply to the blog post “Don’t Conflate Virtual with Dynamic” posted here and here, that was already a reply to our original post “Why the perimeter must become virtual“.

First of all, thanks to Lori for the very interesting blog post. Here goes my comments :

  1. Overall we agree. In the original block post we stated “Well, the short answer is: the perimeter must also become virtual, highly dynamic, and automated.”. Lori on the other hand says “In order to implement the kind of dynamic network perimeter … we do, in fact, need a more flexible, automated perimeter.” We agree on the dynamic and automation part.
  2. It seems that is the word “virtual” that triggered the discussion, for example Lori states “Dynamic is not a synonym for virtualization and virtualization does not inherently provide the fluidity of the network architecture required to address the challenges associated with highly dynamic environments.” And the fact that virtualization itself rises security, compliance and performance issues. We agree on the issues and for example the top threats to cloud computing from the Cloud Security Alliance refer to this in the item “Shared Technology Issues” (for example xen and vmware vulnerabilities).

So, everything boils down to the questions : Should the (security) perimeter be virtual or non-virtual ? Should we use a “toss another virtual appliance” approach to security (like we do for scaling) or more about “designing an architecture comprised of highly dynamic and interactive components that can be provisioned and managed on-demand” as Lori said ?

These are challenging questions in my opinion and I’d really appreciate to continue to discuss this topic. What are your thoughts?

Just to give some clues, I can think about trusted computing platforms and are they possible with virtualization? Can we establish trust on top of virtualization layers? Actually, these are some of the questions that the Virtualized Platform working group is trying to address.

Sergio

Filed under: CSA, Elastic Security, IaaS, Uncategorized

October 15, 2010 • 10:58 0

Global Security Challenge at Tel-Aviv and THE 2 cloud security questions

I was really pleased to be among the best 4 European start-ups that were in Tel-Aviv last week to participate at the Global Security Challenge. Unfortunately we did not get to the finals but still a very good experience. This competition has a broad security scope, for example there were companies focusing on water security and physical security. IT security is as well very important and even touches critical industrial systems as shown by the stuxnet incident.

On the other hand, I was impressed by the Israeli ecosystem on security technologies and I expect that some of the global security players continue to start from here.

Nevertheless, I found puzzling that the 2 most frequent questions everyone asked me about cloud security, were somewhat contradictory:

  • Is it possible to secure the cloud?
  • What’s new about the cloud that needs new security measures?

So, it seems to suggest that on one hand it is a too big problem to solve and on the other hand that the cloud is more hype than something really new that brings new security requirements.

The easy answer for both questions is to refer to the Cloud Security Alliance, where we did a comprehensive work about these issues, specially on problem statement. Moreover, I try always to enumerate what I believe are the root causes of the cloud security problems and the main differences between public and private clouds. Then I really believe that we need to focus on specific problems and then trying to find solutions. For instance, concerning the problem of lack of visibility on the cloud (API logs on Amazon Web services to give a concrete example), we might think of a gateway (working as a proxy) that logs (and optionally controls) the API usage.

After the long and interesting discussions at Tel-Aviv, I’ll over simplify and draw one hypothesis.

The 2 questions come from the people perception on the “cloud” and it may boil down to the following rephrased questions:

  • Is it possible to secure the PUBLIC cloud?
  • What’s new about the PRIVATE cloud that needs new security measures?

Before trying to answer these questions, I would love to hear what you think about the hypothesis.

Sergio

PS> good luck for the Global Security Challenge finalists

Filed under: AWS, CSA, Discussions, IaaS, Presentations, Uncategorized

March 29, 2010 • 15:52 0

The Crux with the Creds

Foto: ShivashankarJ

The Problems

A veritable eco-system is starting to thrive around cloud infrastructure services such as AWS. Management and monitoring services (RightScale, Ylastic, CloudKick), security services (VPN Cube, Enstratus, Vordel), integration, migration, and deployment services (CloudSwitch, Makara, Elastra). Not to forget about storage solutions. In almost all cases, the services are offered in SaaS mode requiring to pass your access credentials of the cloud infrastructure provider (AWS, Rackspace, Linode) to the service provider that builds on top of it. Two major problems are inherent to service stack model.

  • The first problem is a problem of trust. You share your key to access the center of your IT infrastructure, notably to your critical applications and your confidential data with several companies all around the world of which you 1) don’t know how they store and protect your credentials 2) don’t know how long they will exist and to whom they may belong one day. When we launched Cloudy_Scripts, we faced this problem and got the remark: “won’t use your site, only your code”.
  • The second problem is related to the first one, but a pure technical one: credential management. You need to change your cloud infrastructure credentials? Don’t forget to log-in to replace the old credentials by the new ones for all your managing, monitoring, security, and deployment services that you use. Otherwise, they simply won’t work anymore.

These are two veritable problems. How can you deal with them? How to solve them? Some suggestions:

Solution 1: Trust Every Service Provider

Actually, that’s not really a solution, but rather ignoring the problem. Even when you fully trust all the service providers you subscribe to, changing the credentials of your cloud infrastructure provider requires you to update those credentials for each and every service.

Solution 2: Wait for Your Cloud Infrastructure Providers Role-based Credentials Support

Imagine your Cloud Infrastructure Provider (CIP) would allow you to generate credentials with limited access (limited in time, limited by location, limited by API calls) that can be given out to our Cloud Added-Service Providers (CASP). You would manage your credentials at a central place and be able to revoke them at any time you want. Even better: your CIP supports a standard protocol that allows to update the credentials for all your CASPs automatically. Dreams are today’s answers to tomorrow’s questions (E.Cayce)

Solution 3: Self-Service

This is a very pragmatic solution (and the one we took for Cloudy_Scripts). Instead of relying on a SaaS provider, run the service yourself within your infrastructure. In the case of Amazon EC2, this means: starting a preconfigured AMI yourself that manages the credentials (see Trusted Gateway pattern). Precondition: the service provider plays the game and delivers his solution as virtual appliance. Don’t know of a management console supporting this mode, but JumpBox and CohesiveFT offer lots of self-service images. Self-service, however, does not address the issue of managing credentials across different services.

Solution 4: Trusted Credentials Broker

Now this is my favorite one.  The idea is the same as for solution 2, but the solution is provided by a third party. The broker service could be a proxy that exposes the same API as the CIP does. It knows your security credentials for your CIP (if you don’t want this, then you might want to run the broker yourself like solution 3) and issues security credentials that are then given to the CASPs. The broker/proxy could even do even more useful things in addition to managing credentials and perform access control, e.g. it could provided detailed audit logs and usage information for your cloud infrastructure or accelerate HTTP access and reduce load (and thus costs) on the server by using caching techniques. Link-tip: The idea has been explained and discussed in detail here.

Any other solutions? How is your company dealing with the “crux with the creds”?

Filed under: Uncategorized

Twitter Updates

Follow

Get every new post delivered to your Inbox.