Friday, October 30, 2009
Here is the session abstract. The full VordelWorld agenda is here.
Security and compliance in the cloud
Moving to the cloud raises lots of questions, mostly about security. Providers worthy of your business should answer them clearly and honestly. Amazon Web Services has built an infrastructure and established processes to mitigate common vulnerabilities and offer a safe compute and storage environment. Steve Riley will discuss common cloud security concerns, show how AWS protects its infrastructure from internal and external attack, and explain how you can take advantage of the security features of AWS in your own applications as you extend your enterprise into the cloud.
Thursday, October 29, 2009
The slides are here:
Wednesday, October 28, 2009
"We, at Vordel, have our own personal surfer who would be only too delighted to grab a board and hit the waves with you on the east coast"
... but, as the rest of the page says, be sure to pack a wetsuit...
Monday, October 26, 2009
The agility argument is also borne out by recent Avanade research cited by Joe McKendrick, where agility, not cost, is the primary driver to the Cloud.
There is some interplay between agility and cost. Randy Bias's presentation also mentions the large ("insane") cost additions associated with obtaining and provisioning servers inside a large organization (up to 10X the initial cost for a 2-core, 2GB rackmount server, he reports). "Internal Cloud" environments address this issue by allowing new virtual servers to be provisioned internally instead, a point also borne out in the Avanade survey:
And many of these deployments are internal cloud. Avanade says that globally, “there is a 2:1 ratio of respondents who prefer SaaS delivered internally (or as private services) versus from third-party service providers. There is an even greater disparity in the United States, with a 4:1 ratio in favor of internal SaaS deployments.”
Friday, October 23, 2009
Check out the VordelWorld agenda here.
Thursday, October 22, 2009
Can elasticity blow up in your face?
Daryl Plummer of Gartner was one of the first people to point out the problems with this - when he blogged that "Cloud Elasticity could make you go broke" back in March.
More recently, the situation has become more worrying with the BitBucket DDoS incident against BitBucket's site hosted by Amazon Web Services. Hoff covers an interview with Peter DeSantis of Amazon, and (paraphrasing), says:
"The solution being proposed by DeSantis here is that a customer should be prepared to launch/scale multiple instances in response to a DoS/DDoS, in effect making it the customers’ problem instead of AWS detecting and squelching it in the first place?"
Lori MacVittie, writing about the same issue, says that the issue is context: how can you distinguish between legitimate traffic spikes (the Facebook farming app going viral, the wolf t-shirt sales spiking when it gets an ironic online following) and DDoS attacks such as the one against BitBucket?
The answer points to more advanced analytics, which can make this context distinction. And, lo and behold, look at Number 1 and Number 2 on Gartner's "Technologies you can't afford to ignore" Top 10 list for 2010, covered by Joe McKendrick:
Clearly, these two need to work together: Cloud Computing and Advanced Analytics, that is, advanced analytics applied to Cloud Computing infrastructure. Though you could argue that analytics do not have to be particularly "advanced" to detect a gigantic DDoS attack which (as Lori MacVittie pointed out) was actually at the infrastructure level, not at the application level. In a similar vein, Hoff asks: "Why did it take 15 hours for AWS to recognize the DDoS in the first place? (They didn’t actually 'detect' it, the customer did)".
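As an added example (not code from the original post, from AWS or from BitBucket), here is the kind of context check that Lori MacVittie's point implies, in Python: summarize each traffic window, decide whether a surge is application traffic that is actually being served or raw packets that never become requests, and only let the former drive scale-out. The flow records are constructed for illustration, and the thresholds and per-instance capacity are assumptions.

```python
"""Context-aware scale-out: tell a legitimate spike from an infrastructure-level flood.

Added example; not code from the original post, AWS or BitBucket. All flow
records below are constructed, and the thresholds are illustrative assumptions.
"""
from collections import namedtuple

# One aggregated flow per client in a measurement window.
# completed = True when the flow carried a full request/response exchange
# at the application layer (i.e. the service actually did work for it).
Flow = namedtuple("Flow", "window src proto dport bytes completed")


def make_records():
    """Constructed sample: window 0 is baseline, 1 is a viral spike, 2 is a flood."""
    recs = []
    # Window 0: 40 ordinary HTTPS clients.
    for i in range(40):
        recs.append(Flow(0, f"10.0.{i // 256}.{i % 256}", "tcp", 443, 8_000, True))
    # Window 1: something went viral. 2,000 distinct clients, but they are
    # real HTTPS sessions that complete, so the service is doing useful work.
    for i in range(2000):
        recs.append(Flow(1, f"172.16.{i // 256}.{i % 256}", "tcp", 443, 8_000, True))
    # Window 2: infrastructure-level flood. UDP to random ports and TCP SYNs
    # that never complete, while a handful of real users still get through.
    for i in range(5000):
        proto = "udp" if i % 2 else "tcp"
        recs.append(Flow(2, f"203.0.113.{i % 256}", proto, 1024 + (i * 7) % 40000, 1_400, False))
    for i in range(30):
        recs.append(Flow(2, f"10.0.{i // 256}.{i % 256}", "tcp", 443, 8_000, True))
    return recs


def summarize(records, window):
    """Per-window counters: raw volume versus requests the application served."""
    flows = [f for f in records if f.window == window]
    served = sum(1 for f in flows if f.completed and f.proto == "tcp" and f.dport in (80, 443))
    return {
        "flows": len(flows),
        "bytes": sum(f.bytes for f in flows),
        "sources": len({f.src for f in flows}),
        "served": served,
        "served_ratio": served / len(flows) if flows else 0.0,
    }


def classify(summary, baseline, spike_factor=5.0, min_served_ratio=0.8):
    """Return 'normal', 'legitimate_spike' or 'flood' (thresholds are assumptions)."""
    if summary["flows"] < spike_factor * baseline["flows"]:
        return "normal"
    # Volume is far above baseline. The context question: is this application
    # traffic the service is serving, or packets that never become requests?
    if summary["served_ratio"] >= min_served_ratio:
        return "legitimate_spike"
    return "flood"


def naive_instances(summary, per_instance=100, current=2, cap=50):
    """Scale on raw volume: exactly the elasticity that can make you go broke."""
    need = -(-summary["flows"] // per_instance)  # ceiling division
    return max(current, min(need, cap))


def desired_instances(summary, verdict, per_instance=100, current=2, cap=50):
    """Scale only on served requests, and hold capacity when the verdict is a flood."""
    if verdict == "flood":
        return current  # more instances would only add cost; this is a network-layer problem
    need = -(-summary["served"] // per_instance)
    return max(current, min(need, cap))


if __name__ == "__main__":
    recs = make_records()
    base = summarize(recs, 0)
    for w in (0, 1, 2):
        s = summarize(recs, w)
        v = classify(s, base)
        print(f"window {w}: {v:17s} flows={s['flows']:5d} served={s['served']:5d} "
              f"naive={naive_instances(s)} context-aware={desired_instances(s, v)}")
```

On the constructed data the naive autoscaler wants the full 50-instance cap for the flood window, while the context-aware decision holds at the current 2 and scales to 20 only for the viral window, where every extra instance is serving real users.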
More reasons for Cloud service providers to provide Value-Added Services which provide increased assurance and security for their customers.
Wednesday, October 21, 2009
The information exchanged relates to vehicle sales, reservations, model and pricing information to ensure that Mazda and dealer systems are always complete and up to date.
The data exchanged is XML, coming from partners and suppliers (shown at the top of the diagram below), and car dealers (shown at the left of the diagram below). The Vordel Gateways were deployed on Sun Solaris machines running on SPARC.
Tuesday, October 20, 2009
- SOA and Cloud Concepts and Architectures
- SOA appliances and XML Gateways
- Deployment architecture: Development, Staging, Production
- Managing policies: High Level
- Policy Migration steps from development, through staging, to production
- Cloud connectors
- SSL Encryption and Mutual Authentication
- WS-Security message-level authentication
- XML Processing Acceleration
- Database integration
- Directory integration [Active Directory, LDAP]
- XML Threat Screening
- Conditional Routing
- Data Stuffing
- Transport Independence
- Security Token Services
- XML Transformation and much more…
- Dynamic Policy creation using the Policy Studio
- Examination of sample policies
- Development of new policies for common use cases
- Testing policies
- Policy re-use
- Versioning and Change Control
- Role-Based Access Control
- Policy Roll Back
- Using the Web-based administration of the VX4000 SOA Appliance
- Remote management using the Monitoring Console
- Alerting: SNMP, Syslog, Windows Event Log
- Log analysis
- Trace Analysis
- Tracing strategy
- Elements of a SOA governance design and runtime enforcement
- Design time policy creation
- Real Time Monitoring
- Web Based Reporting
- SLA Enforcement
- Policy Life-cycle Management
- Run-time Policy Enforcement
- Vordel support procedures
- Incident reporting
- Vordel Customer Service extranet
In many ways, the consumer has always been missing from discussions of SOA. Products such as Vordel's XML Gateway can apply policies based on consumers, but the standards lag this. That is because many of the standards are focused only on the services, rather than the consumer. WS-Policy and WS-SecurityPolicy are about policies applied to services. WS-ReliableMessaging also focuses on services. Arguably, the only standard which explicitly incorporates aspects of the consumer, such as attributes, is XACML.
I'm looking forward to Vikas's talk at VordelWorld next month, where I'm sure he'll be expanding on these ideas.
Friday, October 16, 2009
Here is Vikas's talk abstract from the VordelWorld agenda:
Role of XML Gateways in Identity Management (IdM) infrastructure
Speaker: Vikas Jain, Principal Product Manager- Fusion Middleware
XML Gateways address the key challenges associated with security and runtime governance for SOA and the Cloud: access control, performance and visibility. This session discusses how Vordel XML Gateway solves these key challenges for Oracle Fusion Middleware services infrastructure by leveraging the Oracle Access Management Suite, providing best of breed enterprise security and runtime governance. You will also learn how Vordel XML Gateway can be used for Web 2.0 services and services running in the cloud.
You can see the interface below:
Looking at this interface got me thinking about Parlay-X. For those of you not familiar with Parlay-X, it is a Web Services interface for driving a telecoms platform. It is one of the basis technologies of a Service Delivery Platform (SDP) which allows mobile operators to develop new services quickly. Many of Vordel's customers in the telecoms area are using Parlay-X.
Parlay-X includes the "MakeACall" interface which allows you to initiate a call between two phones, exactly as is done in the Google Voice scenario. In the screenshot below you can see an example MakeACall request in Vordel SOAPbox (with the phone numbers circled) and on the right you can see that the Vordel XML Gateway is monitoring the traffic.
Given their secrecy, it is impossible to know if Google uses Parlay-X. But if you want to check out Parlay-X for yourself, grab a copy of SOAPbox and load in some sample messages.
Thursday, October 15, 2009
It promises to be an interesting talk, here is the abstract:
With an increasing array of cloud-based services available and the promise of reduced IT costs, Jeanne discusses the various legal issues associated with cloud computing which businesses need to take into consideration. She addresses concerns about the location of data, the viability of cloud-based services over the long term, and negotiating contracts for cloud-based services.
Wednesday, October 14, 2009
Linking hospitals to in-Cloud services for radiotherapy processing: Case Study by David Brossard from BT at VordelWorld
Here is the abstract from the VordelWorld Conference site:
David will illustrate how secure access to computer resources has been achieved by innovating on top of products from Vordel and Axiomatics. He will use the RadiotherapyGrid pilot as an example. RadiotherapyGrid is a solution that enables a group of hospitals to securely access in-Cloud services for radiotherapy processing that utilise Grid Computing technology in order to plan the best possible radiotherapy treatment for cancer patients.
This service offers two core functions: verification of plans using accurate, but computationally expensive, techniques and searching for the optimal treatments. These tools improve the efficiency and effectiveness of planned treatments as well as reducing the overall cost of treatment planning. RadiotherapyGrid is one of the 25 business pilots delivered by the BEinGRID project, which cover most sectors of the European market, from Financial Services and Media to eHealth and eScience, and include all key stakeholders in their respective value chains.
BEinGRID is the largest collaborative research investment on ICT for business funded by the European Commission to date. It delivers business studies in commercial applications of Grid and Cloud Computing and technical innovation in the areas ranging from Identity and Access Management to Data Management and Virtual Hosting.
Thursday, October 8, 2009
This tallies with something I've written about before. There is a big problem with the word "security". "Safety" is often a better word.
The problem is that in Information Security, "security" is all too often used to mean only encryption. A line is considered "secure" if it's encrypted. But often, the real "security" requirements are much broader and include management (as in access management, identity management), business continuity, defense against denial-of-service, and privacy.
I think language is a big issue here. I've always found it interesting that in German, the words for "security" and "safety" (Sicherheit, literally "sureness") are the same. In French, the words for "safety" and "security" are also the same (sécurité or sûreté, again literally "sureness"). So, in those languages, "security" has a broad definition, incorporating senses of dependability, management, and safety. I can see how the French and German words fit with the broad information security concepts of business continuity, "management" (access management, identity management), and "safety" that users (and their data) will be protected. But the English language word "security" lets us down.
I read something similar in the BBC's "Letter from Europe" column a few years ago:
A friend and colleague who is annoyingly fluent in half a dozen languages notices the growth of something he calls "Brussels English". One example he gives is the persistent use of "security" to mean "safety", perhaps because in French and German they are the same word. This habit has evidently spread to England too. He cites an example at Waterloo Station, which requests that people put their hot drinks down while going through the ticket barrier "for their own security". But surely it is their safety, not security, that is at risk?
But that sets me musing on whether this is a reaction to a rather modern use of the word "security" in English. When did it first acquire its current meaning in English? Wartime? When did "security guards" first enter the language?
In infosec, I think that the meaning of security as "encryption" entered the language when Bruce Schneier wrote "Applied Cryptography". Also, although undoubtedly useful, SSL and the little padlocks in browsers are partly to blame because they give the impression a site is "secure" just because SSL is used. This carried over to Web Services where people, of course, thought "of course it's secure if we use SSL". And now Cloud Computing. Just last week I had to answer a question of "We are planning to use SSL for our Cloud-based PaaS services, people will be sending in their API keys over SSL, so that means it's fully secure, right?".
Since "Applied Cryptography", Bruce Schneier has spoken on this topic. He had a memorable talk at RSA 2006 entitled "Why security has so little to do with security". He has spoken on how "security=encryption" is literally a "false sense of security". It is the word "security" used in the wrong sense.
At Vordel, the security we provide goes well beyond cryptography, into the areas of management (access control, reporting on traffic), availability and dependability (monitoring service level agreements), and safety (ensuring data is protected). By having governance in place for Cloud resources, you have more safety and security. We also include testing tools and performance acceleration and offload to provide the sureness that a service will not go down. That encompasses the broader French and German meanings of "security", which include "safety" and "sureness", not just the narrower English-language usage in Infosec to mean "encryption".
This is the reason why I 100% agree with incorporating "safety" into the meaning of "security", as Jill Tummler Singer, Deputy CIO of the CIA, did in her keynote at GovIT Expo. In this way, we can do more justice to security in general and Cloud Security in particular.
As an interesting footnote, I blogged about this before and Gunnar commented that "According to Robert Morris Sr.'s talk at DefCon last summer the word security is derived from a Greek word meaning 'carelessness'." That is funny, considering how often security is implemented carelessly. But, thinking about it, I can understand that if you have security (and safety) in place, then you have "less cares", so you are "careless" in that sense.
Wednesday, October 7, 2009
Part 1: Connecting to the Cloud, Part 1: Using the cloud in applications (Chinese-language version)
Part 2: Connecting to the Cloud, Part 2: Implementing a hybrid cloud model (Chinese-language version)
Part 3: Connecting to the Cloud, Part 3: Cloud governance and security (Chinese-language version)
Tuesday, October 6, 2009
More recently, another group of explorers has been attempting to chart a modern-day Amazon: Amazon Web Services, and EC2 in particular.
Guy Rosen used EC2 resource IDs in order to calculate the number of Amazon EC2 images. Randy Bias then had a very interesting post with "actual verified EC2 numbers plus some guesses and a rough model of its current annual usage". Randy, for those who don't know him, was with Grand Central, which was an original "B2B Exchange in the Cloud" startup, and it was so long ago that it predated the "other" Grand Central which Google bought for Google Voice.
Joe McKendrick commented that "The EC2 revenues represent about 1% of Amazon’s revenues for the most recent fiscal year. ($19.2 billion.) Amazon has really effectively leveraged the capacity from its retail business to offer services to the rest of the market. Is this something other companies with large IT infrastructures can contemplate?" http://blogs.zdnet.com/service-oriented/?p=3022
This is Jeff Bezos' "Risky Bet" (as defined in the famous 2006 BusinessWeek cover article) starting to pay off. One dark cloud (sorry, could not resist) on the horizon is the fact that EC2 appears to be vulnerable to DoS attacks, according to the BitBucket experience over the weekend. Once security and identity management for Amazon Web Services are taken care of, then it looks like Amazon's EC2, unlike the river charted in the 1600s, will be off the charts.
One of the most common questions at Vordel is "Do you support REST-style Web Services as well as SOAP?". The answer is "Yes", and for this reason you can see REST in the list at the top of the Specifications section for the Vordel XML Gateway. In the "Research" section of the Vordel website there is a free White Paper on Security for REST Web Services. It's important that any XML Gateway can be configured to apply the same policies to "traditional" SOAP/ HTTP POST Web Services as it does to REST style services, which are accessed using GET, POST, PUT, DELETE, and OPTIONS. If a user is not using REST, then the REST requests should be "denied by default".
So it is ironic to read that the Cisco ACE XML Gateway is vulnerable to disclosing internal IP address information in an error message it returns when it is sent an HTTP OPTIONS request. In the purist REST world, an HTTP OPTIONS request is intended to return the communication options available for a resource (for example, the methods it accepts), not an error message disclosing IP addresses. In this case, the OPTIONS request becomes a way to force the Cisco ACE XML Gateway to disclose an internal IP address which it should not disclose, which is too much information. Two lessons for any gateway: methods that a service does not use (OPTIONS included) should be denied by default, and an error response should never carry details of the internal hosts behind the gateway.
Full details about the Cisco ACE XML Gateway vulnerability are on the Full Disclosure mailing list.
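As an added example (not Vordel code, and not the Cisco ACE XML Gateway's actual behaviour), here is a small Python model of the two policies the post argues for: a per-path method allow list with everything else denied by default, and an OPTIONS response that returns the allow list and nothing else, beside the leaky pattern that echoes an internal address in its error. The routes, allow lists and the internal address are made up for illustration.

```python
"""Deny-by-default HTTP methods at a gateway, with an OPTIONS reply that leaks nothing.

Added example; not Vordel code and not the Cisco ACE XML Gateway's behaviour.
The routes, the allow lists and the internal address are all made up.
"""

# Constructed routing table: which methods each exposed path may use.
# A SOAP service is HTTP POST only; a REST resource opts in to the verbs it supports.
ALLOWED = {
    "/soap/orders": {"POST"},
    "/api/orders": {"GET", "POST", "PUT", "DELETE"},
}
# Paths that explicitly allow OPTIONS; anything not listed is denied by default.
OPTIONS_ENABLED = {"/api/orders"}

INTERNAL_ADDR = "10.1.2.3"  # stand-in for an address that must never appear in a response


def leaky_handler(method, path):
    """The anti-pattern: an unexpected method falls through to a verbose error
    that names the internal host that handled the request."""
    methods = ALLOWED.get(path)
    if methods and method in methods:
        return 200, {}, "ok"
    return 500, {}, f"error: {method} {path} not handled by backend {INTERNAL_ADDR}"


def hardened_handler(method, path):
    """Deny by default; answer OPTIONS only where enabled, with the Allow list and nothing else."""
    methods = ALLOWED.get(path)
    if methods is None:
        return 404, {}, "not found"
    allow = ", ".join(sorted(methods))
    if method == "OPTIONS":
        if path in OPTIONS_ENABLED:
            return 204, {"Allow": allow}, ""
        return 405, {"Allow": allow}, "method not allowed"
    if method not in methods:
        return 405, {"Allow": allow}, "method not allowed"
    return 200, {}, "ok"


def leaks_internal_address(response):
    """Check a (status, headers, body) triple for the internal address."""
    _, headers, body = response
    return INTERNAL_ADDR in body or any(INTERNAL_ADDR in v for v in headers.values())


def probe(handler, paths=ALLOWED):
    """Send OPTIONS and other verbs to every path and report any (method, path) that leaks."""
    findings = []
    for path in paths:
        for method in ("OPTIONS", "TRACE", "GET", "DELETE"):
            if leaks_internal_address(handler(method, path)):
                findings.append((method, path))
    return findings


if __name__ == "__main__":
    print("leaky:", probe(leaky_handler))
    print("hardened:", probe(hardened_handler))
```

Running `probe` against the leaky handler reports every path where OPTIONS (or any other unexpected verb) produces the verbose error; against the hardened handler it reports nothing, and GET, PUT and DELETE against the SOAP path are refused with 405 rather than reaching the service.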
Friday, October 2, 2009
So here’s the rub, if MSSP’s/ISP’s/ASP’s-cum-Cloud operators want to woo mature enterprise customers to use their services, they are leaving money on the table and not fulfilling customer needs by failing to roll out complementary security capabilities which lessen the compliance and security burdens of their prospective customers.
To this list I would add access management. Many organizations have significant investment in products such as SiteMinder, and naturally wish to use these also to control access to their Cloud-based resources. I have written before about how the Amazon Virtual Private Cloud provides a network-security-focused solution for bringing Cloud-based resources "behind the firewall" to some degree, but as yet Amazon is not addressing the need to bring Cloud-based resources into a corporate identity and access management framework. When an organization provisions a user in their corporate IdM systems, it makes sense that they can control the usage of Cloud services there also, rather than trying to mirror the user at the Cloud side, with all of the hassle that entails.
While many provide commoditized solutions such as anti-spam and anti-virus capabilities, more complex (but profoundly important) security services such as DLP (data loss/leakage prevention,) WAF, Intrusion Detection and Prevention (IDP,) XML Security, Application Delivery Controllers, VPN’s, etc. should also be considered for roadmaps by these suppliers.
Think about it, if the chief concern in Cloud environments is security around multi-tenancy and isolation, giving customers more comfort besides “trust us” has to be a good thing. If I knew where and by whom my data is being accessed or used, I would feel more comfortable.
Yes, it’s difficult to do properly and in many cases means the Cloud provider has to make a substantial investment in delivery platforms and management/support integration to get there. This is why niche players who target specific verticals (especially those heavily regulated) will ultimately have the upper hand in some of these scenarios – it’s not socialist security where “good enough” is spread around evenly. Services like these need to be configurable (SELF-SERVICE!) by the consumer.
An example? How about Google: where’s DLP integrated into the messaging/apps platforms? Amazon AWS: where’s IDP integrated into the VMM for introspection?
A cloud service broker is the other option to augment security and compliance in front of the service itself. But Cloud service providers themselves will realize in time that their corporate customers would like the broker effectively baked at the edge.
Thursday, October 1, 2009
Centralising Federated Services Security
Speaker: Chris Taylor, Lead Architect for Enterprise Portals and Integration, 3
3’s XML Gateway infrastructure provides a centralised and secure gateway for controlled access from 3rd party partner systems to services available on 3’s Business Support Systems. This presentation will describe the context within which the security threats were identified and the business justification needed to support the deployment of Vordel's XML Gateway product. It describes the need for effective governance and reporting of service interactions as well as the creation of a centralised infrastructure for partner management and enforcement of Service Level Agreements. An overview of the technical implementation will be provided with details of the key lessons learnt in relation to the end-to-end lifecycle of service development and partner integration.
Here are the links to the Japanese versions of Parts 1,2, and 3 of the series:
Connecting to the Cloud: Part 1, Using the cloud in applications
Connecting to the Cloud: Part 2, Implementing a hybrid cloud model
Connecting to the Cloud: Part 3, Cloud governance and security