Friday, October 30, 2009

Steve Riley from Amazon speaking at VordelWorld next week

Amazon's Steve Riley is speaking next week at VordelWorld on "Security and compliance in the Cloud". Steve's work at Amazon centers on helping organizations understand how to address security, performance, and reliability concerns so that they can integrate the cloud with their existing networks to extend reach and create new business models.

Here is the session abstract. The full VordelWorld agenda is here.

Security and compliance in the cloud
Moving to the cloud raises lots of questions, mostly about security. Providers worthy of your business should answer them clearly and honestly. Amazon Web Services has built an infrastructure and established processes to mitigate common vulnerabilities and offer a safe compute and storage environment. Steve Riley will discuss common cloud security concerns, show how AWS protects its infrastructure from internal and external attack, and explain how you can take advantage of the security features of AWS in your own applications as you extend your enterprise into the cloud.

Thursday, October 29, 2009

Craig Balding: The Belgian Beer Lovers Guide to Cloud Security

This slide presentation by Craig Balding is informative not only about Cloud security but about Belgian beer also. And I have to tip my hat to anyone who can do a full beer-themed presentation about Cloud security and not make a corny joke about "cloudy" beer.

The slides are here:
http://cloudsecurity.org/2009/09/21/slides-from-my-brucon-talk-the-belgian-beer-lovers-guide-to-cloud-security/

Video - Policy-based Governance for SOA

Here's a video of Vordel's Policy Director product which provides policy management, versioning, rollback, and lifecycle governance for SOA:


Wednesday, October 28, 2009

Personal surfing at VordelWorld

If the agenda of Cloud and SOA talks at VordelWorld isn't enough, how about personal surfing? Check out the venue information at http://www.vordel.com/vordelworld/venue.html:

"We, at Vordel, have our own personal surfer who would be only too delighted to grab a board and hit the waves with you on the east coast"
... but, as the rest of the page says, be sure to pack a wetsuit...

Monday, October 26, 2009

Data points for agility as the driver for Cloud Computing

Randy Bias of CloudScaling.com has posted a 5-minute scene-setting presentation about Cloud Computing. He mentions an example where one company subdivision had such a long lead-time to get delivery of a server from another subdivision of the same company that they went to an outside provider instead. This points to agility as the primary driver to the Cloud. You can view Randy's presentation (like his definition of Cloud Computing itself) in an "on-demand, self service fashion" via SlideShare here.

The agility argument is also borne out by recent Avanade research cited by Joe McKendrick, where agility, not cost, is the primary driver to the Cloud.

There is some interplay between agility and cost. Randy Bias's presentation also mentions the large "insane" cost additions associated with obtaining and provisioning servers inside a large organization (up to 10X the initial cost for a 2 core 2GB rackmount server, he reports). "Internal Cloud" environments address this issue, allowing new virtual servers to be provisioned internally instead, a point also borne out in the Avanade survey:
And many of these deployments are internal cloud. Avanade says that globally, “there is a 2:1 ratio of respondents who prefer SaaS delivered internally (or as private services) versus from third-party service providers. There is an even greater disparity in the United States, with a 4:1 ratio in favor of internal SaaS deployments.”
http://blogs.zdnet.com/service-oriented/?p=3207

Friday, October 23, 2009

Cross Country Auto case study at VordelWorld

William MacDonald, Senior Systems Engineer at Cross Country Automotive Services (CCAS) is presenting a case study at VordelWorld about how CCAS uses Vordel products as part of its realtime response infrastructure for vehicle disablement services.

Check out the VordelWorld agenda here.

Thursday, October 22, 2009

When elasticity is a bad thing


Can elasticity blow up in your face?
( Courtesy of YouTube )
Elasticity is a highly-touted value of Cloud Computing. As demand goes up, you can provision new infrastructure to match it. You could even do this automatically. This is great, right?

Daryl Plummer of Gartner was one of the first people to point out the problems with this - when he blogged that "Cloud Elasticity could make you go broke" back in March.

More recently, the situation has become more worrying with the BitBucket DDoS incident against BitBucket's site hosted by Amazon Web Services. Hoff covers an interview with Peter DeSantis of Amazon, and (paraphrasing), says:
"The solution being proposed by DeSantis here is that a customer should be prepared to launch/scale multiple instances in response to a DoS/DDoS, in effect making it the customers’ problem instead of AWS detecting and squelching it in the first place?"
http://www.rationalsurvivability.com/blog/?p=1456
Lori MacVittie, writing about the same issue, says that the issue is context - how can you distinguish between the legitimate traffic spikes (the Facebook farming app going viral, the wolf t-shirt sales spiking when it gets an ironic online following) and DDoS attacks such as that against BitBucket.

The answer points to more advanced analytics, which can make this context distinction. And, lo and behold, look at Number 1 and Number 2 on Gartner's "Technologies you can't afford to ignore" Top 10 list for 2010, covered by Joe McKendrick:



Clearly, these two need to work together: Cloud Computing and Advanced Analytics, for advanced analytics of Cloud Computing infrastructure. Though you could argue that analytics do not have to be particularly "advanced" to detect a gigantic DDoS attack which (as Lori MacVittie pointed out) was actually at the infrastructure level not at the application level [ in a similar vein, Hoff asks: "Why did it take 15 hours for AWS to recognize the DDoS in the first place? (They didn’t actually “detect” it, the customer did")].

More reasons for Cloud service providers to provide Value-Added Services which provide increased assurance and security for their customers.

Wednesday, October 21, 2009

Mazda Case Study - Car Dealer and Partner Integration enabled by Vordel

Mazda uses Vordel infrastructure for implementing B2B communications with car dealers and partners. The goal is to improve business efficiency at dealerships and head office by reducing the double keying of information, and to provide streamlined access to multiple sources of information via one interface. A full case study is available on the Vordel website.

The information exchanged relates to vehicle sales, reservations, model and pricing information to ensure that Mazda and dealer systems are always complete and up to date.

The data exchanged is XML, coming from partners and suppliers (shown at the top of the diagram below), and car dealers (shown at the left of the diagram below). The Vordel Gateways were deployed on Sun Solaris machines running on SPARC.

Tuesday, October 20, 2009

Vordel Product Training at VordelWorld in November

At the VordelWorld conference next month, we are running a parallel VCSE (Vordel Certified Systems Engineer) training course. This is useful not only for Vordel customers, but also for anyone who wants hands-on training for connecting systems up to the Cloud. The material covered includes the following:

Architecture:
  • SOA and Cloud Concepts and Architectures
  • SOA appliances and XML Gateways
  • Deployment architecture: Development, Staging, Production
  • Managing policies: High Level
  • Policy Migration steps from development, through staging, to production
XML Gateway Capabilities:
  • Cloud connectors
  • SSL Encryption and Mutual Authentication
  • WS-Security message-level authentication
  • XML Processing Acceleration
  • Database integration
  • Directory integration [Active Directory, LDAP]
  • XML Threat Screening
  • Conditional Routing
  • Data Stuffing
  • Throttling
  • Transport Independence
  • Security Token Services
  • XML Transformation and much more…
Policy Development:
  • Dynamic Policy creation using the Policy Studio
  • Examination of sample policies
  • Development of new policies for common use cases
  • Testing policies
  • Policy re-use
  • Versioning and Change Control
  • Role-Based Access Control
  • Policy Roll Back
Appliance Management:
  • Using the Web-based administration of the VX4000 SOA Appliance
  • Remote management using the Monitoring Console
  • Alerting: SNMP, Syslog, Windows Event Log
  • Log analysis
  • Trace Analysis
  • Tracing strategy
Active and Passive Management:
  • Elements of a SOA governance design and runtime enforcement
  • Design time policy creation
  • Real Time Monitoring
  • Web Based Reporting
  • SLA Enforcement
  • Policy Life-cycle Management
  • Run-time Policy Enforcement
Support Processes:
  • Vordel support procedures
  • Incident reporting
  • Vordel Customer Service extranet
Check out the VordelWorld Training here.

Bringing the consumer into SOA

Today, Vikas Jain from Oracle has a great blog post coining Consumer Oriented Service Architecture (COSA). Vikas's assertion is that SOA should not be focused only on the services. Instead, the consumer should be taken into account. He makes a very good point: even the name "Service Oriented Architecture" means that it's easy to think only about services, and forget that often you wish to make policy decisions based on the consumer. For example, if a client has accessed a service via a particular social networking site, then factor this into the service response. Or, throttle service usage based on the consumer, or attributes of the consumer (account status, whether they are using a mobile device), rather than just basing the traffic management rules on the service itself.

In many ways, the consumer has always been missing from discussions of SOA. Products such as Vordel's XML Gateway can apply policies based on consumers, but the standards lag this. That is because many of the standards are focused only on the services, rather than the consumer. WS-Policy and WS-SecurityPolicy are about policies applied to services. WS-ReliableMessaging also focuses on services. Arguably, the only standard which explicitly incorporates aspects of the consumer, such as attributes, is XACML.
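To make the consumer-oriented throttling idea concrete, here is an added example (not code from Vikas's post or from any Vordel product) of a rate limit keyed by the consumer and derived from consumer attributes, rather than a single limit per service. The Consumer schema, service paths and all rate numbers are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Consumer:
    """Attributes of the calling party (hypothetical schema for the example)."""
    consumer_id: str
    account_status: str   # constructed values: "active", "trial", "suspended"
    mobile: bool          # True when the request came from a mobile device


def rate_limit_for(consumer: Consumer, service: str) -> float:
    """Requests per second allowed for this consumer on this service.

    A service-only policy would stop at the per-service base figure; a
    consumer-oriented policy refines it with the consumer's attributes.
    All numbers here are constructed for the example.
    """
    base = {"/orders": 10.0, "/catalog": 50.0}.get(service, 5.0)
    if consumer.account_status == "suspended":
        return 0.0                      # suspended accounts get nothing
    if consumer.account_status == "trial":
        base *= 0.2                     # trial accounts get a fifth of the rate
    if consumer.mobile:
        base *= 0.5                     # mobile clients are throttled harder
    return base


@dataclass
class TokenBucket:
    """Classic token bucket: capacity equals the per-second rate."""
    rate: float
    tokens: float
    last: float

    def take(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the bucket size.
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ConsumerThrottle:
    """Token buckets keyed by (consumer, service), not by service alone."""

    def __init__(self) -> None:
        self._buckets: Dict[Tuple[str, str], TokenBucket] = {}

    def allow(self, consumer: Consumer, service: str, now: float) -> bool:
        rate = rate_limit_for(consumer, service)
        if rate <= 0.0:
            return False
        key = (consumer.consumer_id, service)
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = TokenBucket(rate=rate, tokens=rate, last=now)
            self._buckets[key] = bucket
        bucket.rate = rate              # attributes may change between calls
        return bucket.take(now)
```

Pass the current time in explicitly so the policy is deterministic under test; a gateway would pass the request timestamp.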

I'm looking forward to Vikas's talk at VordelWorld next month, where I'm sure he'll be expanding on these ideas.

Friday, October 16, 2009

Oracle presentation at VordelWorld in November

Oracle's Vikas Jain (author of the ws-security blog) is speaking at VordelWorld on how the Vordel XML Gateway operates in the Oracle Fusion Middleware services infrastructure. He is speaking at 11.45 on Thursday November 5.

Here is Vikas's talk abstract from the VordelWorld agenda:

Role of XML Gateways in Identity Management (IdM) infrastructure
Speaker: Vikas Jain, Principal Product Manager, Fusion Middleware, Oracle
XML Gateways address the key challenges associated with security and runtime governance for SOA and the Cloud: access control, performance and visibility. This session discusses how Vordel XML Gateway solves these key challenges for Oracle Fusion Middleware services infrastructure by leveraging the Oracle Access Management Suite, providing best of breed enterprise security and runtime governance. You will also learn how Vordel XML Gateway can be used for Web 2.0 services and services running in the cloud.

Google Voice and Parlay-X

Google Voice has a useful feature whereby it will call your phone and another number, then link the calls. This is free within the US, and very cheap for international calls (certainly cheaper than dialing out directly from my mobile phone).

You can see the interface below:



Looking at this interface got me thinking about Parlay-X. For those of you not familiar with Parlay-X, it is a Web Services interface for driving a telecoms platform. It is one of the base technologies of a Service Delivery Platform (SDP), which allows mobile operators to develop new services quickly. Many of Vordel's customers in the telecoms area are using Parlay-X.

Parlay-X includes the "MakeACall" interface which allows you to initiate a call between two phones, exactly as is done in the Google Voice scenario. In the screenshot below you can see an example MakeACall request in Vordel SOAPbox (with the phone numbers circled) and on the right you can see that the Vordel XML Gateway is monitoring the traffic.



Given their secrecy, it is impossible to know if Google uses Parlay-X. But if you want to check out Parlay-X for yourself, grab a copy of SOAPbox and load in some sample messages.

Thursday, October 15, 2009

Law and the Cloud

Jeanne Kelly, a partner at the law firm Mason Hayes + Curran is speaking about Law and the Cloud at VordelWorld.

It promises to be an interesting talk, here is the abstract:

With an increasing array of cloud based services available and the promise of reduced IT costs, Jeanne discusses the various legal issues associated with cloud computing which businesses need to take into consideration. She addresses concerns about location of data, the viability of cloud based services over the long term, and negotiating contracts for cloud based services.

Wednesday, October 14, 2009

Linking hospitals to in-Cloud services for radiotherapy processing: Case Study by David Brossard from BT at VordelWorld

Medical processing is a very good use case for Cloud Computing, since it requires significant processing power. It also has clear and obvious governance requirements, concerning secure access to information. David Brossard from BT is speaking at VordelWorld on the solution which his team has put together using Vordel and Axiomatics products to link hospitals to in-Cloud services for radiotherapy processing.

Here is the abstract from the VordelWorld Conference site:

David will illustrate how secure access to computer resources has been achieved by innovating on top of products from Vordel and Axiomatics. He will use the RadiotherapyGrid pilot as an example. RadiotherapyGrid is a solution that enables a group of hospitals to securely access in-Cloud services for radiotherapy processing that utilise Grid Computing technology in order to plan the best possible radiotherapy treatment for cancer patients.

This service offers two core functions: verification of plans using accurate, but computationally expensive, techniques and searching for the optimal treatments. These tools improve the efficiency and effectiveness of planned treatments as well as reducing the overall cost of treatment planning. RadiotherapyGrid is one of the 25 business pilots delivered by the BEinGRID project, which cover most sectors of the European market, from Financial Services and Media to eHealth and eScience, and include all key stakeholders in their respective value chains.

BEinGRID is the largest collaborative research investment on ICT for business funded by the European Commission to date. It delivers business studies in commercial applications of Grid and Cloud Computing and technical innovation in the areas ranging from Identity and Access Management to Data Management and Virtual Hosting.

Thursday, October 8, 2009

Jill Tummler Singer of the CIA speaks on "Cloud Safety" : +1

I saw this tweet this morning and I thought "+1" (I guess I am a geek if I am thinking in Digg/Slashdot shorthand).



This tallies with something I've written about before. There is a big problem with the word "security". "Safety" is often a better word.

The problem is that in Information Security, "security" is all too often used to mean only encryption. A line is considered "secure" if it's encrypted. But often, the real "security" requirements are much broader and include management (as in access management, identity management), business continuity, defense against denial-of-service, and privacy.

I think language is a big issue here. I've always found it interesting that in German, the words for "security" and "safety" (Sicherheit, literally "sureness") are the same. In French, the words for "safety" and "security" are also the same (sécurité or sûreté, again literally "sureness"). So, in those languages, "security" has a broad definition, incorporating senses of dependability, management, and safety. I can see how the French and German words fit with the broad information security concepts of business continuity, "management" (access management, identity management), and "safety" that users (and their data) will be protected. But the English language word "security" lets us down.

I read something similar in the BBC's "Letter from Europe" column a few years ago:
A friend and colleague who is annoyingly fluent in half a dozen languages notices the growth of something he calls "Brussels English". One example he gives is the persistent use of "security" to mean "safety", perhaps because in French and German they are the same word. This habit has evidently spread to England too. He cites an example at Waterloo Station, which requests that people put their hot drinks down while going through the ticket barrier "for their own security". But surely it is their safety, not security, that is at risk?

But that sets me musing on whether this is a reaction to a rather modern use of the word "security" in English. When did it first acquire its current meaning in English? Wartime? When did "security guards" first enter the language?
http://news.bbc.co.uk/2/hi/europe/4601722.stm


In infosec, I think that the meaning of security as "encryption" entered the language when Bruce Schneier wrote "Applied Cryptography". Also, although undoubtedly useful, SSL and the little padlocks in browsers are partly to blame because they give the impression a site is "secure" just because SSL is used. This carried over to Web Services where people, of course, thought "of course it's secure if we use SSL". And now Cloud Computing. Just last week I had to answer a question of "We are planning to use SSL for our Cloud-based PaaS services, people will be sending in their API keys over SSL, so that means it's fully secure, right?".

Since "Applied Cryptography", Bruce Schneier has spoken on this topic. He had a memorable talk at RSA 2006 entitled "Why security has so little to do with security". He has spoken on how "security=encryption" is literally a "false sense of security". It is the word "security" used in the wrong sense.

At Vordel, the security we provide goes much beyond cryptography, into the areas of management (access control, reporting on traffic), availability and dependability (monitoring service level agreements), and safety (ensuring data is protected). By having governance in place for Cloud resources, you have more safety and security. We also include testing tools and performance acceleration and offload to provide the sureness that a service will not go down. That encompasses the broader French and German meanings of "security" to include "safety" and "sureness", not just the more narrow English language usage in Infosec to mean "encryption".

This is the reason why I 100% agree with incorporating "safety" into the meaning of "security", as Jill Tummler Singer, Deputy CIO of CIA, did in her keynote at GovIT Expo. In this way, we can do more justice to security in general and Cloud Security in particular.

As an interesting footnote, I blogged about this before and Gunnar commented that "According to Robert Morris Sr.'s talk at DefCon last summer the word security is derived from a Greek word meaning 'carelessness'." That is funny, considering how often security is implemented carelessly. But, thinking about it, I can understand that if you have security (and safety) in place, then you have "less cares", so you are "careless" in that sense.

Wednesday, October 7, 2009

Connecting to the Cloud in Chinese: 连接到云

Following the translations in Japanese and Spanish, the Connecting to the Cloud series of articles, which I wrote for IBM DeveloperWorks, is now available in Chinese. The series introduces cloud platforms such as Force.com and Amazon SQS, including code samples in Java, and governance and policy, again including code samples (an Amazon policy expressed in JSON). The Gateway "onramp" model is described.

Part 1: 连接到云,第 1 部分: 在应用程序中使用云

Part 2: 连接到云,第 2 部分: 实现混合云模型

Part 3: 连接到云,第 3 部分: 云治理和安全性

Tuesday, October 6, 2009

Charting the Amazon

In the late 1600s, Samuel Fritz charted the Amazon.


More recently, another group of explorers has been attempting to chart a modern-day Amazon: Amazon Web Services, and EC2 in particular.

Guy Rosen used EC2 resource IDs in order to estimate the number of Amazon EC2 images. Randy Bias then had a very interesting post with "actual verified EC2 numbers plus some guesses and a rough model of its current annual usage". Randy, for those who don't know him, was with Grand Central, which was an original "B2B Exchange in the Cloud" startup, and it was so long ago that it predated the "other" Grand Central which Google bought for Google Voice.

Joe McKendrick commented that "The EC2 revenues represent about 1% of Amazon’s revenues for the most recent fiscal year. ($19.2 billion.) Amazon has really effectively leveraged the capacity from its retail business to offer services to the rest of the market. Is this something other companies with large IT infrastructures can contemplate?" http://blogs.zdnet.com/service-oriented/?p=3022

This is Jeff Bezos' "Risky Bet" (as defined in the famous 2006 BusinessWeek cover article) starting to pay off. One dark cloud (sorry, could not resist) on the horizon is the fact that EC2 appears to be vulnerable to DoS attacks, according to the BitBucket experience over the weekend. Once security and identity management for Amazon Web Services are taken care of, then it looks like Amazon's EC2, unlike the river charted in the 1600s, will be off the charts.

When REST Attacks

"Traditional" Web Services traffic involves XML messages sent using HTTP POSTs. However, REST Web Services make use of the other HTTP verbs besides POST, namely: PUT, DELETE, OPTIONS, and GET.

One of the most common questions at Vordel is "Do you support REST-style Web Services as well as SOAP?". The answer is "Yes", and for this reason you can see REST in the list at the top of the Specifications section for the Vordel XML Gateway. In the "Research" section of the Vordel website there is a free White Paper on Security for REST Web Services. It's important that any XML Gateway can be configured to apply the same policies to "traditional" SOAP/HTTP POST Web Services as it does to REST style services, which are accessed using GET, POST, PUT, DELETE, and OPTIONS. If a service is not exposed via REST, then REST requests to it should be "denied by default".

So it is ironic to read that the Cisco ACE XML Gateway is vulnerable to disclosing internal IP address information in an error message it returns when it is sent an HTTP OPTIONS request. In the purist REST world, an HTTP OPTIONS request is intended to return a list of available Web Services, not an error message disclosing IP addresses. In this case, the OPTIONS request becomes a way to force the Cisco ACE XML Gateway to disclose a client IP address which it should not disclose: too much information.

Full details about the Cisco ACE XML Gateway vulnerability are on the Full Disclosure mailing list.
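The two gateway behaviours discussed above, deny-by-default for HTTP verbs a service does not expose and an OPTIONS response that advertises verbs rather than leaking backend details, as an added example in Python. This is not code from Vordel, Cisco or the Full Disclosure post; the service paths, verb allow-lists and the sample upstream error are constructed, and the internal-address check covers RFC 1918 and loopback ranges only.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed policy: per-service allow-list of HTTP verbs. Anything not
# listed is denied, so a SOAP-only service never answers REST verbs.
SERVICE_METHODS: Dict[str, Set[str]] = {
    "/soap/OrderService": {"POST"},                          # SOAP over HTTP POST
    "/rest/orders":       {"GET", "POST", "PUT", "DELETE"},  # REST resource
}

# RFC 1918 private ranges plus loopback. An error body naming one of these
# is leaking internal topology to the client, which is what the gateway
# advisory above describes.
_INTERNAL_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3})\b"
)


def leaks_internal_ip(text: str) -> bool:
    """True when the text contains a private or loopback IPv4 address."""
    return _INTERNAL_IP.search(text) is not None


def scrub_error(text: str) -> str:
    """Redact internal addresses from an upstream error before relaying it."""
    return _INTERNAL_IP.sub("[redacted]", text)


def handle(method: str, path: str,
           upstream_error: Optional[str] = None) -> Tuple[int, Dict[str, str], str]:
    """Return (status, headers, body) for a request reaching the gateway.

    upstream_error simulates a backend failure message the gateway would
    otherwise relay verbatim; it is a constructed input for the example.
    """
    method = method.upper()
    allowed = SERVICE_METHODS.get(path)
    if allowed is None:
        return 404, {}, "Not Found"
    if method == "OPTIONS":
        # OPTIONS answers with the verbs the service actually exposes,
        # never with a backend error or stack trace.
        allow = ", ".join(sorted(allowed | {"OPTIONS"}))
        return 204, {"Allow": allow}, ""
    if method not in allowed:
        # Deny by default: verbs outside the allow-list get a bare 405.
        return 405, {"Allow": ", ".join(sorted(allowed))}, "Method Not Allowed"
    if upstream_error is not None:
        # Backend failed: relay a generic status and a scrubbed message.
        return 502, {}, scrub_error(upstream_error)
    return 200, {}, "OK"
```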

Friday, October 2, 2009

An Edge from the Edge: How self-service security capabilities can give Cloud providers an advantage

Hat-tip to Gunnar for this link to Hoff's post on "Cloud Providers and Security “Edge” Services – Where’s The Beef?"
So here’s the rub, if MSSP’s/ISP’s/ASP’s-cum-Cloud operators want to woo mature enterprise customers to use their services, they are leaving money on the table and not fulfilling customer needs by failing to roll out complementary security capabilities which lessen the compliance and security burdens of their prospective customers.

While many provide commoditized solutions such as anti-spam and anti-virus capabilities, more complex (but profoundly important) security services such as DLP (data loss/leakage prevention,) WAF, Intrusion Detection and Prevention (IDP,) XML Security, Application Delivery Controllers, VPN’s, etc. should also be considered for roadmaps by these suppliers.

Think about it, if the chief concern in Cloud environments is security around multi-tenancy and isolation, giving customers more comfort besides “trust us” has to be a good thing. If I knew where and by whom my data is being accessed or used, I would feel more comfortable.

Yes, it’s difficult to do properly and in many cases means the Cloud provider has to make a substantial investment in delivery platforms and management/support integration to get there. This is why niche players who target specific verticals (especially those heavily regulated) will ultimately have the upper hand in some of these scenarios – it’s not socialist security where “good enough” is spread around evenly. Services like these need to be configurable (SELF-SERVICE!) by the consumer.

An example? How about Google: where’s DLP integrated into the messaging/apps platforms? Amazon AWS: where’s IDP integrated into the VMM for introspection?
http://www.rationalsurvivability.com/blog/?p=1407
To this list I would add access management. Many organizations have significant investment in products such as SiteMinder, and naturally wish to use these also to control access to their Cloud-based resources. I have written before about how the Amazon Virtual Private Cloud provides a network security focused solution for bringing Cloud-based resources "behind the firewall" to some degree, but as yet Amazon is not addressing the need to bring Cloud-based resources into a corporate identity and access management framework. When an organization provisions a user in their corporate IdM systems, it makes sense that they can control the usage of Cloud services there also, rather than trying to mirror the user at the Cloud side, with all of the hassle that entails.

A cloud service broker is the other option to augment security and compliance in front of the service itself. But Cloud service providers themselves will realize in time that their corporate customers would like the broker effectively baked in at the edge.

Thursday, October 1, 2009

Chris Taylor from 3 on Centralising Federated Services Security at Vordel World in November

We're excited to have Chris Taylor, Lead Architect for Enterprise Portals and Integration at 3, speaking at Vordel World. Check out his presentation at 10.25am on November 5th.


Centralising Federated Services Security
Speaker: Chris Taylor, Lead Architect for Enterprise Portals and Integration, 3
3’s XML Gateway infrastructure provides a centralised and secure gateway for controlled access from 3rd party partner systems to services available on 3’s Business Support Systems. This presentation will describe the context within which the security threats were identified and the business justification needed to support the deployment of Vordel's XML Gateway product. It describes the need for effective governance and reporting of service interactions as well as the creation of a centralised infrastructure for partner management and enforcement of Service Level Agreements. An overview of the technical implementation will be provided with details of the key lessons learnt in relation to the end to end lifecycle of service development and partner integration.

Connecting to the Cloud in Japanese - クラウドに接続する

The Connecting to the Cloud series of articles, which I wrote for IBM DeveloperWorks, is now available in Japanese. The series introduces cloud platforms such as Force.com and Amazon SQS, including code samples in Java, and governance and policy, again including code samples (an Amazon policy expressed in JSON). The Gateway "onramp" model is described.

Here are the links to the Japanese versions of Parts 1,2, and 3 of the series:

クラウドに接続する: 第 1 回 アプリケーションにクラウドを活用する

クラウドに接続する: 第 2 回 ハイブリッド・クラウド・モデルを実現する

クラウドに接続する: 第 3 回 クラウドのガバナンスとセキュリティー