Posts Tagged 'security'

The Bad Guys Use the Cloud Too

In the aftermath of the recent Sony PlayStation data breach, which is considered to be in the top 5 data breaches ever, the cloud is once again at the forefront of discussion. What is becoming clear is that hackers used servers provisioned on Amazon EC2 to launch the attack against Sony. Some are taking this opportunity to criticize security in the cloud.

While I am all in favor of proceeding cautiously and for continually re-examining and improving security implementation, if you really look at it the Sony incident has almost nothing to do with “security in the cloud”. The fact of the matter is that Sony’s own private network was hacked. The tie-in to cloud is that the hackers were able to provision servers anonymously and utilize Amazon’s public cloud to leverage their attack with very little up-front investment.

But, isn’t this exactly what the public cloud offers as a benefit? The answer, of course, is yes. Although this attack against Sony was, from the hacker’s viewpoint, particularly successful, using cloud technology in a malicious manner is not new. There have been several reported incidents of Denial of Service attacks launched from EC2 servers. Why not? If you are inclined that way anyway it is very cost effective.

Should Amazon be held responsible for this? That is an interesting question. Amazon has been criticized, in some cases, for being slow to respond. In my opinion, though, it is not necessarily their job to respond. Why should Amazon be placed in a position of deciding what is a “good” and what is a “bad” use of their service? Those are ethical, not technological, questions. To be fair, though, Amazon actually does respond to these types of incidents in a reasonable manner.

What is clear is that whether or not your organization does choose to adopt cloud computing, the ante has been raised as far as security is concerned. Attackers now have available, at their disposal, a seemingly infinite pool of computing resources for pennies per hour. This, by the way, is the same pool that the good guys have access to as well. What this means is that cloud-based hackers can attack your non-cloud datacenter for the cost of just a few dollars. It matters little that you have carefully chosen to avoid using cloud computing in your organization. Security provisions at all sites, be they public or private, will have to up their game. This is the new reality.

For a comprehensive treatment of security fundamentals and in particular how they relate to cloud computing, you may want to consider attending Learning Tree’s Course 1220, Securing the Cloud: Hands-On. This course discusses security in a cloud-based environment. It is a security course that happens to be set in a cloud environment; it is not a cloud course that happens to address security issues.

I hope to see you at a Learning Tree Education Center soon!

Kevin

Cloud Computing Security Course

Some great news for technology professionals working with Cloud Computing. Learning Tree is developing a new course titled Securing the Cloud: Hands-On. This welcome addition to the Cloud Computing curriculum covers all those difficult aspects cloud computing raises from a security and disaster recovery perspective.

Questions I am repeatedly asked when teaching the Cloud Computing course include:

  • Is the cloud secure?
  • How do I ensure my data can always be accessed in the cloud?
  • How do I secure my server instances in the cloud?
  • Can I restrict access to members of my organisation to my cloud computing accounts on Amazon EC2?

These are just a sample of the types of questions I get asked. Another is “Is cloud security different from standard IT security?”. The new course being developed by Learning Tree aims to answer these questions. The focus of the course is very specifically on Cloud Computing security – that is, those features of security that are new or specific to cloud computing as against traditional computing security. Traditional computing security is already covered by the existing security curriculum. The security requirements of SaaS, PaaS and IaaS are considered, analysed and best of breed solutions provided.

Anybody who is working with Cloud Computing must consider the security requirements and implications. This course will provide those professionals with the skills they require to secure their environments. The first run is on December 8th in Washington DC (Reston, VA). You can sign up here if you are interested.

Chris

AWS Security: Identity and Access Management

For an organisation adopting Cloud Computing, one of the benefits is the self service nature of the cloud. If a developer requires a test machine for a short period of time, using an Amazon EC2 instance or Azure server instance is an obvious cheap solution. Not only is the machine only paid for the time it is being used, there is no capital investment required.

A question to be asked for organisations when working with a cloud provider such as Amazon is who will have responsibility for provisioning and releasing resources. One account with a credit card is created but ideally this would not be shared with all personnel who require cloud access.

The solution for Amazon EC2 is Amazon Identity and Access Management (IAM). This welcome addition to the Amazon toolset allows the creation of multiple users on a single Amazon account. Each user can be assigned permissions on the main account, eliminating the need to share passwords or access keys. This enables fine-grained security to be configured based on users. For example, an individual user could be allowed permission to start EC2 instances but not terminate them.

Currently IAM is available from the command line tools and the API interface. Plans for incorporating the toolset into the management console have also been announced. No new or extra work is required to use IAM with existing AWS APIs – the security is incorporated seamlessly.

In summary, Amazon have provided a cloud specific transparent security solution that enables a simple, yet elegant solution to enabling controlled multiple user access to AWS resources. Even better, there is no charge for this service – you just pay for the resources utilised as before.

Chris
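The start-but-not-terminate split mentioned in this post, as an added example that is not part of the original post and not Amazon's code: a constructed IAM policy document and a deliberately simplified evaluator showing default deny and an explicit Deny overriding a broader Allow. The two policies, the function names and the instance ARN are assumptions; real IAM evaluation also covers conditions and other policy types, which are not modelled here.

```python
import fnmatch
import json

# Constructed policy for a hypothetical developer: may launch, start and
# describe EC2 instances, and is explicitly denied terminating them.
DEVELOPER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:StartInstances", "ec2:Describe*"],
     "Resource": "*"},
    {"Effect": "Deny",
     "Action": "ec2:TerminateInstances",
     "Resource": "*"}
  ]
}
""")

# Constructed, broader policy such as a team-wide group might carry.
TEAM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """Match with * and ? wildcards; action names are compared case-insensitively."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower())
                   for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Simplified evaluation: default deny, and an explicit Deny in any
    attached policy overrides every Allow. Conditions are not modelled."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action, fold_case=True)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed instance ARN used for the checks.
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
```

With both policies attached, `is_allowed([DEVELOPER_POLICY, TEAM_POLICY], "ec2:TerminateInstances", INSTANCE)` is still false, which is why the restriction is written as an explicit Deny rather than as a missing Allow.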

More Than A Million Reasons the Cloud May Be Safe

I am back on the theme of cloud security. Why cloud security again? Because cloud security raised its head again last week on a consultancy assignment I undertook. My client requires a new business application. This is available as Software as a Service (SaaS), but can also be purchased as a self hosted application. On the analysis I provided, my client could see many business advantages that a cloud solution could provide them – significant cost savings, transparent scalability, an ability to improve business process efficiency, more effective use of staff time … the list continued. On the downside, security of the cloud was the factor that was pulling the company away from the cloud.

When I questioned which aspects of security were the primary concerns they listed data privacy and access control and then added availability and reliability. Ok, I know these are not all security but they were perceived as security issues by my client. I know from other consulting assignments and also from teaching the Learning Tree Cloud Computing course that many people have exactly these concerns and see them as a barrier to cloud adoption.

As an example of SaaS that works in a secure, highly available and reliable manner I provided the example of SalesForce.com. Here is an organisation that has been providing SaaS for over 10 years. This company has over a million users, all of whom have data that is stored securely, and accessed with high availability and reliability. They have major customers such as Starbucks and Cisco. SalesForce.com show their availability, reliability and performance statistics to all users in real time – an approach that builds confidence based on transparency. The reason I use SalesForce.com as an example is that they prove that Cloud Computing works – over a million users cannot be wrong, surely?

Now, just because SalesForce.com works does not mean everything cloud related will work too. However, they are an example of a company doing things incredibly well and providing major benefits to their customers. There are many other cloud providers who do similar great things. The key in selecting a Cloud Computing provider is understanding the cloud and knowing what questions to ask of a provider. It’s this kind of knowledge that is gained in Learning Tree’s Cloud Computing course which provides a vendor neutral technical and business view of Cloud Computing.

Chris

Cloud Computing Security and Audit Moves Forward

A key concern for many organisations adopting cloud computing is security. Moving to the cloud means many aspects of security are handled by the cloud provider, especially when using Platform as a Service (PaaS). In addition to security, the operational, policy and regulatory procedures of cloud providers are a concern.

Businesses who require information on security policies and audit and compliance from a cloud provider have many problems in gathering the information. Firstly, public cloud providers cannot spend all their time providing this information for their customers. Secondly, it is easy to misunderstand what is actually being asked of the provider by their customers, resulting in the incorrect information being provided.

To help solve this problem for both cloud providers and cloud consumers, a welcome development is the formation of the Cloud Audit Organisation. The goal of this organisation is to provide a common interface and namespace that enables cloud computing providers to automate the audit, assertion, assessment and assurance of their Infrastructure (IaaS), Platform (PaaS) and Application (SaaS) environments. The result will be the ability of authorised cloud consumers to automatically gather the required security and audit information in a standard manner without any misunderstanding or ambiguity and with no burden on the cloud provider. This follows a key benefit of the cloud – self service.

The Cloud Audit Organisation is a cross industry effort that currently has over 250 participants comprising members of all the leading Cloud Computing providers including Google, Amazon, Microsoft, VMWare, Cisco and many others. As anybody who has attended Learning Tree’s Cloud Computing course and participated in the course workshops knows, this organisation is a welcome and vital development in removing one of the perceived barriers to Cloud Computing adoption.

Chris

Security is Virtually Different in the Cloud

I have just taught a version of the Learning Tree Cloud Computing course and top of the agenda was security and enough debate to stimulate this posting. Security is important in the cloud but is it really that different to security in general application and data security stored on private networks? The answer is yes, most probably.

Security of data and application security principles applied to private networks and deployments should still be applied to the cloud of course. Doug Rehnstrom posted on this recently. Security in the cloud is probably different from a private network and one of the major reasons is virtualization.

Cloud technology is built upon virtualization – this raises a number of security concerns – not just for the cloud but for all organisations that use virtualisation technology. The security of a virtualised solution is highly dependent on the security of each of its independent components – this has been highlighted recently by NIST who have issued guidelines on security in virtualised environments.

Security in a virtualised environment depends on the security of the hypervisor, the host operating system, guest operating system, applications, storage devices and the networks connecting them. How many organisations that have deployed virtualised environments – and that’s a lot – have actually considered the security implications of their implementation? I am confident that many of these organisations are the ones who state security as a barrier to adopting the cloud. As private clouds become more prevalent then the security of the virtualization, its monitoring and compromise detection will need to be carefully considered and adopted. Should that not be the case for all virtualized deployments, cloud or not? Most definitely yes too. So if you are using a virtualized environment your security requirements are not so different from the cloud, you just may not have realised it.

If you are interested in the discussion further have a look at the white paper I recently put together.

Chris

12 Ways to Secure the Cloud – Resistance is Futile

I keep reading that people are resisting the cloud because of security.  I’m not really getting this.  Moving your application to Windows Azure or Google App Engine doesn’t mean you are abdicating your security responsibilities and handing them to Microsoft or Google.

In the cloud or not, it is your data and your applications and your responsibility to make them secure.  Here are 12 things you can do to keep your applications secure:

  1. The best way to secure confidential data is to not store it in the first place.  This seems obvious, but start by asking if the value of collecting the data outweighs the cost of keeping it safe. 
  2. If you decide to store the data, then it should be encrypted.  You might be thinking, “I only have to encrypt it, if I put it in the cloud where Microsoft employees can see it.  Right?”  Uh… wrong.
  3. If you’re going to transmit confidential data over the Internet you need to use HTTPS for transmission (cloud or not).
  4. Configuration information should be encrypted.   “But Doug, on my network I don’t have to worry about that because only my programmers can see it.  Right?”  Uh… wrong.
  5. If you’re using a database, connect to it with a restricted account. 
  6. Only allow access to data through stored procedures.  Do not allow access to tables directly.  Many people think stored procedures are used solely for better performance.  Stored procedures should be used for security as well.
  7. Never use string concatenation to build a query – using parameterized queries or stored procedures will prevent SQL injection.
  8. All input from a Web application, whether the user typed it or not, needs to be validated and cleaned.  Characters such as “-”, “;”, “<”, “>” need to be removed.  These characters are used for code injection.
  9. If you are using .NET, pre-compile your applications with strong names.  There’s a misconception that strong names are only needed to deploy to the GAC.  Strong names prevent tampering and enable versioning.  “But Doug, I only have to worry about that if I’m using the cloud, right?“  Uh… wrong.
  10. Strong names prevent tampering, but the source code can still be decompiled and read.  To prevent that, obfuscate it. 
  11. In a Web application make sure to turn off detailed error pages.  In ASP.NET, use the Application_Error event as your last line of defense for unhandled exceptions.
  12. Keep your servers patched and up-to-date.

If you don’t understand what I’m talking about, come to Learning Tree course 940: Securing Web Applications, Services and Servers.  Everything in that course applies whether you use the cloud or not.  In the cloud or not, your applications need to be secured by you!

If you’re already doing the things above, your application will be pretty secure in the cloud or on your network.

If you’re not doing the things above, your application is already not secure.  So, move it to the cloud and save some money.  It might come in handy for the lawsuit.

Doug Rehnstrom
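Item 7 of the list above, as an added example that is not part of the original post: the same lookup built by string concatenation and as a parameterized query, run against the same inputs. Python's sqlite3 is used so the block runs stand-alone rather than the .NET stack the post mentions; the table, rows, function names and input strings are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers "
        "(id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"),
         ("carol", "3333"), ("o'brien", "4444")],
    )
    return conn


def find_concatenated(conn, name):
    """Vulnerable form: the input becomes part of the SQL text itself."""
    sql = ("SELECT name, card_last4 FROM customers WHERE name = '"
           + name + "'")
    return conn.execute(sql).fetchall()


def find_parameterized(conn, name):
    """Hardened form: the input is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


# Constructed input that closes the quote and appends an always-true clause.
HOSTILE = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # Concatenation: the WHERE clause is rewritten and every row is returned.
    print("concatenated :", find_concatenated(db, HOSTILE))
    # Parameterized: the whole string is compared as a name and matches nothing.
    print("parameterized:", find_parameterized(db, HOSTILE))
    # A legitimate name containing an apostrophe works when bound as data...
    print("parameterized:", find_parameterized(db, "o'brien"))
    # ...and breaks the concatenated statement with a syntax error.
    try:
        find_concatenated(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("concatenated :", "error:", exc)
```

The apostrophe case shows the two forms differ on ordinary input as well as hostile input: the bound parameter handles `o'brien` correctly, while the concatenated statement fails to parse.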

Cloud Computing Security Concerns

On a recent teach of the Learning Tree Cloud Computing Technologies course, attendees cited security as their primary concern relating to cloud computing. The technical and commercial benefits that cloud computing brings an organisation were eagerly accepted, but security was continuously questioned and put forward as a potential barrier to cloud adoption.

On discussing this further, the questions ‘where is my data?’ and ‘who can access my data?’ were the real concerns. Whilst totally understandable, security needs to be considered in much more detail to provide satisfactory answers to these questions as well as many others. Cloud computing is a general term that covers infrastructure, platforms and software applications all delivered as a service. Given this broad scope of services, it follows that the term security also covers many different areas such as application security, access security, network security and more.

Relating to the two security questions above, data could mean application data, server configuration data, application code amongst many other types of data.  Security of data is not only the responsibility of the cloud provider, but also of the cloud user.  In addition, questions such as ‘whose responsibility is security when data is in transit between the cloud provider and the end user?’ need to be addressed.  So how can progress be made to improve security and importantly gain the confidence of potential adopters of cloud computing? 

The Banking Analogy:
Maybe we can draw an analogy with banking.  One of the most valuable resources we as individuals own is our money.  Now just for a moment consider this: Where is your money currently?  Where is it located?  How do you gain access to your money?  Who has access to your financial details?  Are you concerned not knowing the answer to these questions?  Yet is storing data in the cloud not similar to having your banking details available over the Internet?  Most of us are happy to handle our financial details using a public network to which millions of people have access without ever knowing or needing to know where our financial data is stored.  We have confidence that our data is secure.  The reason we are happy to do so?  Governance.  The banking world has a number of standards and regulatory procedures that must be followed and adhered to, which gives us as customers the confidence that we can trust the banking systems.

To instil a similar level of confidence in cloud computing, governance is urgently required.  With appropriate governance, trust in the cloud will grow and accelerate widespread adoption.

Chris

