Elastic Security

Security for the Cloud

Cloud Security and the End-to-End principle

The End-to-End Argument

The end-to-end principle in systems design has become famous for its successful implementation in the Internet architecture. It suggests “that functions placed at low levels of a system may be redundant or of little value when compared with the cost of providing them at that low level.” The complexity and cost of implementing those functions in lower layers, the fact that those functions cannot be implemented in a fully reliable way on lower layers and thus need to be implemented on higher layers anyway, and the risk that they may be inefficient or even useless for certain services on top – all those facts are arguments in favor of the end-to-end principle. In the context of the Internet, it means that the network remains rather dumb (simple packet forwarding), while more sophisticated protocol functions like error detection, retransmissions of lost packets, flow- and congestion control, and connection management are implemented at the end-points, i.e. the servers themselves.

The End-To-End Argument in Information Security

The end-to-end principle, however, does not play the same role in the information security domain. Encryption of file transfers (encrypting files instead of network packets) follows the end-to-end argument. However, many security functions like firewalls, network intrusion detection systems, authentication and authorization servers or reverse proxies violate the end-to-end principle – and for good reason, because they are more effectively done by separate components in the enterprise network instead of on the end-points. Even vulnerability management, anti-virus software and patch management systems are no longer managed by the end-points, but by centralized servers with big databases behind them.

The End-To-End Argument in Cloud Security

OK – the end-to-end argument rarely holds for information security systems. But is this still true in a cloud computing setup, where servers may be distributed across different heterogeneous networks and infrastructures provided by different providers? Most cloud providers offer a simple provisioning API that allows starting and stopping instances from virtual images and possibly creating snapshots of the running servers. They don’t provide a firewall component in their infrastructure (Amazon EC2 is one of the exceptions with its concept of security groups), they provide no or only rudimentary Identity and Access Management, no IDS/IPS systems, no vulnerability and patch management, no encryption, no data leakage prevention systems, no VPN layer. Most providers put the burden of assuring security explicitly on the shoulders of their clients and say: that is your responsibility, not ours – do it yourself or find someone who does it for you. This way, they implicitly promote the end-to-end principle: why encrypt all data in memory and on storage, when only few customers need this level of protection? Why provide a firewall, when every end-point can install and configure its own? Why provide sophisticated identity and access management, when the users know much better what exactly they need with regard to IAM?

The danger of this attitude is that when the cloud providers don’t build security services into their infrastructure, no one may do it. Many users simply won’t make the effort of searching for and deploying an appropriate third-party security solution. They will use the cloud service as it is, enjoy its immediate benefits (no capex, immediate access, scaling), and postpone the security problem until later. This is somewhat understandable, since it corresponds to the division of work and responsibilities in most enterprises today: the users/developers are not the administrators, who in turn are not the security experts. My belief is that cloud providers will be obliged to integrate more and more security services into their infrastructure (similar to Amazon EC2 security groups) and provide APIs for them – and thus adopt a system design that moves security functions away from end-points into the cloud provider’s own network and infrastructure.

Filed under: Discussions, IaaS

Solutions Linux presentation

Two weeks ago, I attended the Solutions Linux exhibition in Paris, France. I was proud to be part of a round table on cloud computing, and I gave a presentation on the security track about how to monitor an Amazon EC2 infrastructure with open source tools, especially Nagios. Here are the slides as promised (in French).

Filed under: Uncategorized

Cloud Security – Who is Responsible?

A recent survey among cloud providers raises the question of the responsibility for security between cloud providers and cloud users. A large majority of 69% of the 127 cloud providers asked in this survey consider the cloud user responsible for ensuring the security of the cloud services (while 35% of the cloud users see it the same way). 32% of the cloud providers and 32% of the cloud users see security as the cloud providers’ responsibility, and 16% of the cloud providers and 33% of the cloud users see it as a shared responsibility (note: apparently several choices were possible, as the numbers do not add up to 100%).

Those numbers are alarming, especially together with other findings of the survey:

  • most cloud providers do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers
  • they also say their systems and applications are not always evaluated for security threats prior to deployment to customers
  • on average, providers of cloud computing technologies allocate 10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met
  • the majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.

While those results indicate a general lack of maturity in this early phase of cloud computing adoption (it seems to be a recurring pattern that security is added late in the life-cycle of technologies), there’s another aspect that is completely hidden in this survey and even misleading: it doesn’t break results down by delivery model (55% of the participants are SaaS providers, 34% IaaS providers, 11% PaaS providers), although the level of control given to cloud users is very different for the three delivery models – and the level of control is essential with regard to sharing responsibilities between providers and users.

IaaS providers (like Amazon EC2) give their users a high level of control, down to the operating system, while SaaS providers (like Google Apps) don’t even give control over how and where data is stored (PaaS models are somewhere in between). That is, SaaS users are simply not able to carry their supposed responsibility, while IaaS users are, and actually do so to a large extent (e.g. Netflix). The following graphic provided by the Cloud Security Alliance (CSA) illustrates the relationship between security and control well.

For example, Amazon EC2 encourages a “Design for Failure” model, where cloud users are supposed to replicate components to deal with potential outages. IaaS users also have full control over their databases and can encrypt sensitive data.

Bottom-line: a discussion about the responsibilities of cloud security does not make sense without taking into account the delivery model of the cloud provider – since responsibility is linked to control.

Filed under: Discussions

Amazon Security Groups: VPC vs EC2

Amazon has updated Security Groups for Amazon VPC

Earlier in April, while adding support for Security Groups within Amazon VPC, Amazon also introduced some major changes such as:

  • outbound filtering
  • fine grained IP protocol tuning
  • ability to apply changes in one fell swoop

But what I found most interesting is that we can now change (add/remove) the Security Groups of a running instance. As a customer of AWS, I really love being able to modify my Security Groups without stopping any instance. I can now start an instance without a deep analysis of what my VPC network will be, and I can adapt it at any time with minimal impact on the availability of the services my customers are consuming. From my point of view this is a major achievement, because I can adapt my security perimeter on the fly.

I still have some open questions:

In terms of security, I’m wondering whether open/established connections are dropped if I modify a Security Group rule or remove it.

Moreover, AWS added NACLs (Network Access Control Lists), which now allow creating DENY firewall rules. But this seems to require an internet gateway (VPC specific). It sounds as if Amazon was not able to add ACCEPT/DENY options to the Security Group rules, even though they added Inbound/Outbound options.
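As an added illustration of the Security Group versus NACL comparison above (constructed for this post, not code from AWS or from the author), the toy Python model below evaluates a packet against a network ACL and a security group. It goes slightly beyond the post by also showing the stateless/stateful difference: NACL rules are numbered and the lowest-numbered match decides, with allow or deny; a security group only has allow rules but tracks flows, so reply traffic passes without a rule. The rule layout, the flow-tracking scheme and the addresses in the test are assumptions made for the example.

```python
# Toy model (constructed for this post, not AWS code): a packet is checked against a VPC network ACL and a security group.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound", relative to the instance
    proto: str       # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int
    remote: str      # IP address of the non-instance end of the flow

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str       # "tcp", "udp", "icmp" or "all"
    ports: tuple     # (low, high), inclusive, matched against dst_port
    cidr: str
    action: str = "allow"   # network ACL rules may also be "deny"
    number: int = 0         # network ACL rules are evaluated in ascending order

    def matches(self, pkt):
        return (self.direction == pkt.direction
                and self.proto in ("all", pkt.proto)
                and self.ports[0] <= pkt.dst_port <= self.ports[1]
                and ip_address(pkt.remote) in ip_network(self.cidr))

def nacl_allows(rules, pkt):
    """Network ACL: stateless; the lowest-numbered matching rule decides,
    with an implicit deny at the end. Reply traffic needs its own rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action == "allow"
    return False

def flow_key(pkt):
    """Identify a flow from the instance's side so a reply maps onto its request."""
    inst, rem = ((pkt.dst_port, pkt.src_port) if pkt.direction == "inbound"
                 else (pkt.src_port, pkt.dst_port))
    return (pkt.proto, pkt.remote, inst, rem)

class SecurityGroup:
    """Security group: allow rules only; any match allows, otherwise deny.
    Stateful: a reply to an already allowed flow passes without a rule."""
    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security group rules cannot deny")
        self.rules = list(rules)
        self.tracked = set()

    def allows(self, pkt):
        key = flow_key(pkt)
        if key in self.tracked:
            return True
        if any(r.matches(pkt) for r in self.rules):
            self.tracked.add(key)
            return True
        return False

def evaluate(nacl_rules, sg, pkt):
    """Inbound: subnet ACL first, then the instance's group; outbound: the reverse."""
    if pkt.direction == "inbound":
        return nacl_allows(nacl_rules, pkt) and sg.allows(pkt)
    return sg.allows(pkt) and nacl_allows(nacl_rules, pkt)
```

Dropping the outbound NACL rule makes the SSH reply fail even though the security group still tracks the flow, which is exactly the operational difference between the two mechanisms.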

Here is the AWS blog post for more information: A New Approach to Amazon EC2 Networking

Amazon EC2: public cloud

Unfortunately, I’m not a VPC user but an EC2 user, and it’s a bit frustrating that these brand new features are not available outside VPC. I’m wondering whether there is any reason not to add these features to Amazon EC2.

Concerning the outbound filtering, I can’t see any reason why it should not be added to EC2. I would love to hear more about this.

Last but not least, the “one fell swoop” feature deserves discussion. I think this is a step backwards with regard to true elasticity. Previously, I just had to create a rule and it was automatically and dynamically applied; now I have to build the rule and then apply it, just like with a traditional firewall.

/fred

Filed under: AWS, Cloud Computing

Presentation at CloudOps

Videos and slides from the CloudOps Summit in Frankfurt are available online.

Here is the video of our Elastic Detector pitch.

Don’t hesitate to contact us if you have questions or if you are interested in a free trial.

Filed under: Internals, Presentations

IT Consumerization vs DevOps?

There are two terms that are referred to very often in discussions about cloud computing, its drivers, and its impact. The first term is DevOps – a combination of the terms development and operations. It refers to the fact that the tasks of developers and system administrators get increasingly closer in a cloud-based IT world where infrastructure resources become programmable, fostering application-centric deployment and agile development processes. System administrators are supposed to write sophisticated scripts to automate large parts of operations and to think like developers.

The other term is “IT Consumerization” – it refers to the observation that applications, tools, and technologies from the consumer world find their way into the enterprise. This movement has several drivers: employees that are getting more and more mobile are necessarily forced to access their data from different locations and devices (laptops, mobile phones, PCs). As a consequence, enterprise IT infrastructures become ubiquitous and heterogeneous: the former one-size-fits-all approach of IT departments to centralize administration, management, and security of every PC is no longer feasible today with the increasing number of devices and the accelerated technological progress. Thus, employees are given more and more control over which devices and tools they can pick (BYOT – “Bring Your Own Technology”). This movement opened the door into the enterprise for SaaS tools like GMail or Salesforce – but also for cloud infrastructure services such as Amazon EC2: quickly need a demo machine? Need some machines for load testing? Need to share some really big files? Amazon EC2 offers an immediate solution – without following the lengthy processes of the IT department that may result in rejection of the demand or a purchase with a delivery that takes several weeks. Speed and simplicity play an important role here.

While people assume that both are just two sides of the same coin, I find they are somewhat conflicting movements. The DevOps movement requires highly skilled IT workers that combine the competences of developers and system administrators and that are able to write sophisticated automation scripts. IT Consumerization means a shift from classical heavy-weight tools (such as HP OpenView, for example) to a broad variety of simpler tools (mostly SaaS tools) that focus on specific use cases, have a much smaller feature set than classical tools, and are far easier to use. Those tools (let’s cite Pingdom for monitoring as an example, but also the EC2 Management Console) take away a lot of the burden of administrators, simplify their work enormously, and thus even allow less-skilled people to manage a big part of the IT needs of a company.

Is there an error in my reasoning? Where’s the breakup? Feedback welcome!

Filed under: Cloud Computing, Discussions

Security THE differentiator between cloud computing offerings

I’ve read a very interesting and different post about security in cloud computing and more precisely IaaS (Infrastructure as a Service).

Tons of articles and surveys about security being the major obstacle to cloud computing, and lots of FUD, are circulating, but Andreas M. Antonopoulos dared to offer a new perspective of security as THE differentiator of IaaS offerings. I especially liked this part:

“Security is like a liquor license to a restaurant — an opportunity to up-sell each customer with a high-profit margin product to balance out the dismal or loss-leading margins of the core product. Security is the single most profitable differentiator that a service provider can add to IaaS to have any hope of making money. Security is brand-sensitive, labor-intensive, infinitely customizable and difficult to scale. That makes security the perfect differentiator that can add value to a bland IaaS offering.”

As a security provider for IaaS, I have to strongly agree with this new perspective, and we are currently working with hosting companies and IaaS providers in order to make this perspective come true.

For us, the main challenges ahead:

  • Heterogeneity: There are several cloud stacks (AWS, OpenStack, VMWare, Nimbula, Eucalyptus, just to name a few), so it is hard to build solutions for all of them, and moreover they offer different functionality
  • Focus: Security is a real and hard problem (please check the guidelines of the Cloud Security Alliance if you want to go deeper), but we have to focus on customers’ needs with an incremental approach and try to build solutions for each need (there is no silver bullet)

What do you think about these challenges?

Thanks, Andreas, for the refreshing article.

Filed under: Uncategorized

Impressions from CloudOps Summit

Last week I attended the CloudOps Summit in Frankfurt. The motto of this conference was “Run the Cloud”, and the central idea was to show how cloud computing is already used today, what hands-on solutions and architectures look like, how cloud systems are operated, and what tools are already available.

While web-startups almost immediately understand the advantages of public cloud infrastructures such as Amazon EC2, Rackspace or GoGrid and already use those intensively to avoid up-front investments into hardware, scale their infrastructure dynamically to their needs, and benefit from a pay-per-usage model, established enterprises are much more hesitant in adoption – mostly due to security concerns, fear of vendor lock-in, the costs for migrating their legacy data, or the constraints of remaining compatible with existing software. This leads to the funny situation that the big ones listen carefully to learn from the new and small ones.

The conference started with a couple of short 6-minute “lightning talks” and was followed by parallel tracks about architecture, management, operations, and presentations of startups.

Some highlights from the lightning talks

Jean-Paul Schmetz explained in his keynote that cloud computing means that everything becomes software in the cloud – storage, memory, CPU – they have all become resources that can be created and destroyed programmatically on demand. Hardware is a fixed asset that requires planning, budgeting, and thus accurate predictions of the future, something very hard to achieve in a world of constantly changing requirements and needs.

Chris Boos sees in cloud computing the big opportunity for system administrators to get rid of the boring part of operations and maintenance and to concentrate on the interesting and challenging tasks of creating new things. Cloud computing and its inherent need for automation actually liberate the rare IT experts and revalue their skills.

Nicolas Plögert from Sharewise showed how his company outsourced almost all non-critical business processes to more than a dozen web services – communication, billing, and customer relationship management, to name a few.

Florian von Kurnatkowski told us that even the automotive industry wants to make its internal network (ENX) more flexible by transforming it into a cloud infrastructure.

Startups

In the startup tracks (in which I presented Elastic Detector, our cloud security monitoring service) there were a couple of interesting products around cloud infrastructures:

ScaleUp builds software that helps providers build their own public clouds. Their focus is on account management, provisioning, and managing the “point of purchase”, i.e. the spot where providers and consumers meet.

Scalarium provides a SaaS product that allows deploying and scaling web applications on Amazon EC2.

CloudSafe allows storing and sharing critical documents in the cloud. All data is encrypted and different access models are supported.

CentralStationCRM is a CRM SaaS product targeting small companies that are overwhelmed by the complexity of products like Salesforce.

SemYou aims to combine the simplicity of an app store with the flexibility of SaaS applications. Their goal is that users can activate any kind of web application with a single click on their computer, and it will run transparently in the cloud.

Impossible Software allows to create “dynamic videos” where logos and brands can be integrated in video templates.

Thanks to the organizers for their great work and looking forward to another CloudOps Summit in Frankfurt next year! All presentations are available behind this link.

Filed under: Cloud Computing, Discussions, Solutions

CloudyScripts Supports New Amazon EC2 Region: Asia Pacific (Tokyo)

Amazon has announced that a new AWS Region in Tokyo is supported (see the AWS blog post for more information).

CloudyScripts WebSite

CloudyScripts has been updated in order to support this new AWS Region.

This AWS Region is available in all the following CloudyScripts:

  • Convert Instance-store AMI To EBS-booted AMI: Takes an instance-store AMI, instantiates it, copies the boot data to a temporary EBS volume, takes a snapshot of this EBS volume and registers the snapshot as an EBS-booted AMI. As a result, the new AMI behaves exactly like the original AMI, but boots from an EBS volume.
  • Copy AMI to Different Region: Creates a copy of a given AMI and makes it available in another region. To do so, instances are created in both regions that copy (via rsync) all files from a volume in the original region, based on a snapshot created for the original AMI, to a clean volume in the target region. After successful copying, a snapshot is taken in the target region and registered as an AMI.
  • Download a Snapshot: Allows downloading a snapshot as a zip file. To do so, the script starts up an instance with a web server, creates and attaches an EBS volume from the specified snapshot, zips the snapshot data, and makes it available as a download link for 5 minutes.
  • Copy Snapshot To Different Region: Creates a copy of a given snapshot and makes it available in another region. To do so, instances are created in both regions that copy (via rsync) all files from a volume in the original region, based on the specified snapshot, to a clean volume in the target region. After successful copying, a snapshot is taken in the target region.
  • Encrypt Storage Using dm-crypt: Allows you to encrypt an EBS volume using the dm-crypt tool. The script transforms an EBS volume (which must already be attached to an instance) into a dm-crypt encrypted volume, creates a file system (ext3), and mounts it at the specified path.

CloudyScripts Community AMI

The CloudyScripts Community AMI has also been updated in order to support this new AWS Region. This AMI can be found in EU East (Northern Virginia) Region with the current AMI ID ami-f291639b.

Any feedback is greatly appreciated, so do not hesitate to contact us.

/fred

Filed under: AWS, Cloud Computing

Elastic Detector Launch

We launched a private beta program in December 2010, and first of all we would like to thank all our beta testers for their feedback and comments.

For the last 2 months we have been busy improving Elastic Detector by integrating new features that suit your needs, such as more powerful graphs and daily reports. Such features are built on top of our auto-check technology, which ensures the security of your infrastructure with near-zero configuration.

We are really excited to announce that the first version of Elastic Detector is ready.

Elastic Detector helps you achieve full visibility of your Amazon EC2 deployment and monitors your security groups. You may give it a free try for 1 month. Configuration takes only 2 minutes, and then you can watch Elastic Detector improve the security of your infrastructure in real time.

We will be very happy to count you among the Elastic Detector community, and we are committed to continuously securing your infrastructure on Amazon EC2.

Filed under: AWS, Cloud Computing, Elastic Security, IaaS, SaaS
