Posts Tagged 'cloud computing security'

What’s Different about Security in the Cloud?

Well, in many ways, nothing, really.

Since the advent of “cloud computing” we are certainly considering “security” under a microscope and in a new light. The truth is, though, that security is still just security. Maybe the cloud model has changed the specifics of “who does what” but all the stuff we’ve learned before still applies.

There are some who would have us believe that there is some mystical element to security now that there is the “Cloud”. What about “Hypervisor Security” they say? Yes, I suppose there may be an example or two of a rogue VM jumping into another’s space, but these are almost surely Type II Hypervisors. The reality is that this is extremely unlikely (i.e. probability ~= 0) with Type I Hypervisors used by Cloud Providers. Anyway, what are you going to do? Write your own Hypervisor? I don’t think so.

So where does that leave us?

If you are doing a self-hosted, on-premises Private Cloud then the responsibility is all yours. These are the same responsibilities that you have always had, by the way, as a data center administrator. If you are out-sourcing some or all of your cloud then you are into a shared-responsibility model. By definition “shared” means that you trust someone else to some degree.

So, why should you trust your cloud provider? Surely you could do a better job by yourself, right? Well, maybe, maybe not.

Today most Cloud Providers are certified. That means that they have been able to comply with various standards which are meant to assure us that they can do what they say. If you are a SMB then there is a good chance that your provider will have way more certifications than you would ever care to achieve. If you are an Enterprise then maybe you have this all taken care of on your own.

So, what? Is there a magical formula to security in the cloud? No. When talking about security in the cloud we have to consider all the usual topics: Authentication/Authorization, Encryption, Digital Certificates, etc. These apply equally in or out of the cloud.

Learning Tree International has a number of security courses. Enroll now for an upcoming course at an Ed Center near you! Alternatively you may like to attend the course remotely using our proprietary AnyWare technology.

Either way, I hope to see you soon!

Kevin Kell

Could Cloud Have Prevented Security Concerns of Home Secretary?

Today I awoke to the news that UK Home Secretary Theresa May had left her engagement book in an auditorium last Sunday. There were concerns that the lapse put the home secretary and her colleagues at risk because of the details it contained. The book was left by her personal protection secretary.

So what has this got to do with Cloud Computing, you may be asking? During my consulting activities and when teaching Learning Tree’s Cloud Computing course the comment I hear most is that people and organisations will not store their data in the cloud because of security concerns. They often make these comments without any consideration of the current safety and security of their data. Things such as how secure currently are their servers, networks and software? Who in their organisation has access to the data and is it stored/copied in multiple places? What happens to their data if they delete it? These plus many more are valid questions that should be asked about on-premise as well as for cloud computing based solutions.

In the case of Theresa May, would it have been safer if her appointment book had been stored in the cloud? Not only would she have had anywhere access but the above incident would not have occurred. I therefore used this incident as an example of where data held in paper form or even locally on PCs is often more vulnerable than when located in the cloud, where, when encrypted and then protected by world class security experts can be anonymous.

Evaluating Cloud Computing and in particular its security risks is not a trivial task. To help people make informed decisions Learning Tree have developed a three day Cloud Security course. Find out how this course can help you gain practical, in-depth knowledge of Cloud Computing security.

Chris Czarnecki

Missile Defence Agency Adopts Cloud Computing

Today, whilst on a consulting assignment related to mobile development, we discussed the integration of mobile and Cloud Computing. My client immediately said “the big problem with cloud computing is security, applications co-hosted with other organisations’ applications is dangerous …”. As you know, this is something that I have written about before. Having then begun to discuss the merits of Cloud Computing to provide a more balanced view to my client, an email arrived that did the job for me – in fact in a much better way than I was doing. The email contained an article by Jim Armstrong, CIO of the Missile Defence Agency. In the article he explained how the agency had deployed the cloud to better serve their customers. Key features in achieving this were to provide:

  • Optimal service
  • Reduce failure points
  • More maintainable environment
  • Reduce operating costs

Given the data integrity and information assurance compliance requirements the Missile Defence Agency has, a private cloud was deployed to meet the demanding requirements. The cloud has been extended to a hybrid cloud for integrating with defence service providers.

The agency has been very careful and considered in what has been moved to the cloud, but for those services that are appropriate many benefits have been achieved, not only those listed above but also:

  • Speed of provisioning
  • Move or duplicate workloads across different regions

By utilising cloud computing as they have, the agency has acknowledged that it simplifies access for their mobile workforce. Its resources are accessed in a seamless manner regardless of the device type or location. The reason that Jim Armstrong’s article motivated me to write this post is that the experiences he has reported are something I have seen many times on consultancy assignments for those organisations that have embraced Cloud Computing. Equally I hear so many people dismiss Cloud Computing, listing concerns that can mostly be addressed and in fact improved by using Cloud Computing over traditional data centres.

If you are not sure about Cloud Computing, why not consider attending Learning Tree’s Cloud Computing course? It will provide you with a thorough introduction to all the technologies and products from vendors and how these can be used effectively by business. The risks and concerns are also addressed. We have just added a private cloud hands-on exercise too so you will get a true feel for private clouds also. It may not convince you to adopt Cloud Computing for your organisation, but at least you will have a more balanced view and having been taught by an expert will be able to make a more informed decision for your organisation.

Chris Czarnecki

Amazon EC2 Security Groups: The Tip of a Very Large Iceberg

The most common concern I hear from attendees when presenting Learning Tree’s Cloud Computing course is security – how secure is the cloud? The most common search terms on Google that drive visitors to this blog are related to ‘Amazon Security Groups’. With this in mind I thought it worthwhile expanding a little on Amazon AWS security and the fact that security is a big part of Cloud Computing and something that Amazon handles incredibly well.

The primary service most people use on first contact with AWS is EC2 and as part of the provisioning of a server the user has to set up a security group. This is akin to configuring a simple firewall and has been detailed in a blog by Doug Rehnstrom. What is important is that Cloud Computing users realise that this part of Cloud Security is just the tip of a very large iceberg. To secure the AWS environment Amazon has to implement a number of physical and operational security processes as well as service specific security implementations.

When it comes to operational processes, Amazon implements a controlled environment, through which risk management, certifications and accreditations, backup, monitoring, environmental safeguards are just a few. If we consider the security of EC2 as an example of service specific security then multiple levels of security are required and implemented by Amazon. Equally some of the security is the responsibility of the EC2 user. Because of the virtualised environment these start with the host operating system which is only accessible by Amazon administrators. The guest operating system security is the responsibility of the EC2 user rather than Amazon and should include such practices as using multi-factor authentication, privilege escalation and certificate-based encryption. The firewall level is what is configured by the EC2 security groups and again is the responsibility of the EC2 user. Further to the firewall there is a need for Hypervisor security and instance isolation because of multiple instances sharing the same physical machine, which is the responsibility of Amazon.

Hopefully with this brief description you begin to appreciate that the EC2 security groups are just a small part of an overall security strategy for working with EC2, which itself is a small part of AWS, and that the responsibility for security is partly Amazon’s and partly the AWS user’s. Once data storage requirements are added including the different types of storage such as the Simple Storage Service (S3) and Elastic Block Storage (EBS) the number of security considerations increases. Whilst these may sound daunting many are not unique to the Cloud Computing Environment, but computing infrastructure in general. To help Cloud Computing adopters better understand the security requirements, Learning Tree have developed a three day course that focuses purely on the security of Cloud Computing. If you are interested in adopting Cloud Computing it would be beneficial to attend this course to ensure your adoption strategy is secure from the beginning.

Chris

More Than A Million Reasons the Cloud May Be Safe

I am back on the theme of cloud security. Why cloud security again? Because cloud security raised its head again last week on a consultancy assignment I undertook. My client requires a new business application. This is available as Software as a Service (SaaS), but can also be purchased as a self hosted application. On the analysis I provided, my client could see many business advantages that a cloud solution could provide them – significant cost savings, transparent scalability, an ability to improve business process efficiency, more effective use of staff time … the list continued. On the downside, security of the cloud was the factor that was pulling the company away from the cloud.

When I questioned which aspects of security were the primary concerns they listed data privacy and access control and then added availability and reliability. Ok, I know these are not all security but they were perceived as security issues by my client. I know from other consulting assignments and also from teaching the Learning Tree Cloud Computing course that many people have exactly these concerns and see them as a barrier to cloud adoption.

As an example of SaaS that works in a secure, highly available and reliable manner I provided the example of SalesForce.com. Here is an organisation that has been providing SaaS for over 10 years. This company has over a million users, all of whom have data that is stored securely, and accessed with high availability and reliability. They have major customers such as Starbucks and Cisco. SalesForce.com show their availability, reliability and performance statistics to all users in real time – an approach that builds confidence based on transparency. The reason I use SalesForce.com as an example is that they prove that Cloud Computing works – over a million users cannot be wrong, surely?

Now, just because SalesForce.com works does not mean everything cloud related will work too. However, they are an example of a company doing things incredibly well and providing major benefits to their customers. There are many other cloud providers who do similar great things. The key in selecting a Cloud Computing provider is understanding the cloud and knowing what questions to ask of a provider. It’s this kind of knowledge that is gained in Learning Tree’s Cloud Computing course which provides a vendor neutral technical and business view of Cloud Computing.

Chris

This Cloud Thing is Out of Control

I’ve been talking to some colleagues about moving to the Windows Azure cloud, and I’ve heard three reasons why they are resisting it: security, losing control, and trust.  In an earlier post, I wrote about securing the cloud.  In this post I want to address, from my perspective, losing control and trust.

I think “losing control” is the main reason we want to move to Windows Azure.  We lost control a long time ago.  Our servers work fine, but the reality is that if one of them exploded, it would take a while to get back up and running.  Sure, we have backups, but I’ve never felt confident in any backup system I have used.  (Except for the one on my Mac, but they don’t make Time Machine for Windows Servers and SQL Servers.)

I heard we are supposed to have a “patch management process” and a “disaster recovery plan”.  Who the heck is supposed to put those in place, and once in place who’s going to keep them current?  I imagine we could create a process to periodically review the plan.  Every so often, we could do a simulation and see if it works.  We could just buy a few more servers to set up a test environment.  Maybe we could have a committee who could report their findings to some IT manager who is responsible for the change-control process.  Yeah, that’s the ticket.

I guess some companies are swimming in money and have people to do those things, but we sure don’t.

We are supposed to have redundant servers, load balancers and replicated databases.  Those are expensive to set up, and they take smart people to keep working.  Are the streets filled with qualified network administrators with nothing to do?

From my perspective, “losing control” is not a reason to resist the cloud.  Rather, it’s a reason to embrace it.

I also keep hearing things like, “I’m not going to trust Microsoft with my data.”  Well, everyone in my company runs a PC with Windows (except for me because I’m the geek with the Mac).  We use Windows servers and store our data in a SQL Server database.  All our programming is done in Microsoft .NET, and all our documents are created using Microsoft Office.   Hmm, it seems to me that we already trust Microsoft with all our data.  Moving to the cloud only means we don’t have to wipe the dust off our servers every couple years.

Windows Azure will actually cost us more money than what we’re currently spending.  We are not buying virtual machines, though.  We are buying better control over backups, replication, patches, security, and disaster recovery.  Trust me, I think it’s worth it (from my perspective anyway).

To learn more about Windows Azure come to Learning Tree course 2602: Windows® Azure™ Platform Introduction.

Doug

