Thursday, January 27, 2011

The unexpected link between procreation and password recovery

Let me first say that the interface to FedEx Print Online is a pleasure to use. It did exactly what I wanted it to do: it allowed me to view my document as it would look printed, compare shipping options, and then track my order easily.

However, when I registered, I noticed that one of their "password recovery" questions is "What is the middle name of your youngest child?". So what is the problem with this question (apart from the fact that it's publicly available information, often on Facebook, not to mention City Hall)? The problem is that if you have more kids, then the correct answer changes. So you would have to think "OK, what was the middle name of my youngest child at the time when I registered with Fedex Print Online". In fact, having more kids can have the unexpected knock-on effect of locking you out of FedEx Print Online. Maybe they should have a caveat there: "Note: Please take steps to ensure you do not have more children, if choosing this password recovery question for FedEx Print Online".

Tuesday, January 25, 2011

Tracing Cloud Computing back to 1959

This paper on Cloud Computing by CA provides some good solid descriptions of the role of a Cloud Gateway "for IT management facets such as Service Management, Data Center Automation, Application Performance Management, Security Management, and Infrastructure Management to extend the traditional IT management stack". It argues for an infrastructural approach to managing the usage of Cloud-based services, rather than baking this management into the applications themselves. Overlaying management infrastructure on top of applications is, of course, a key aspect of what CA does, so it's no surprise that this is where they see added value.

The same paper also includes this history of Cloud Computing, which takes the "timesharing" analogy. [ Note, an alternative approach is to see Cloud Computing as an extension of outsourcing, or to see it in terms of object re-use. As with all successful IT trends, like success in general, it has "many fathers"].

A Brief History of Cloud Computing

Despite its new-found prominence today, cloud computing is not a new concept. In fact, its roots can be traced back to the early sixties. In January 1959, John McCarthy predicted that advances in timesharing technology would lead to an ultimate direction in computing, where computing power would be sold as a utility similar to water or electricity. This idea was summarized in a memorandum he sent to MIT Professor P. M. Morse on January 1, 1959:

“This memorandum is based on the assumption that MIT will be given a transistorized IBM 709 about July 1960. I want to propose an operating system for it that will substantially reduce the time required to get a problem solved on the machine.... The proposal requires a complete revision in the way the machine is used....I think the proposal points to the way all computers will be operated in the future, and we have a chance to pioneer a big step forward in the way computers are used....” *

In 1961, to mark its centennial anniversary, MIT (Massachusetts Institute of Technology) organized a series of lectures on the future of computing. In one of the lectures Morse publicly voiced his idea. However, his idea never really developed given the technology constraints at that time.

With the Internet offering significant bandwidth in the nineties, the cloud computing concept started making the rounds again. With the introduction of Salesforce.com in 1999, it finally arrived with full thrust. The next big step was Amazon Web Services in 2002. In 2006, Amazon launched its Elastic Compute Cloud aka EC2 as a commercial service, offering computers on rent. This was the first widely used cloud computing service. And since then the world has never been the same again... cloud computing had finally arrived!
http://www.ca.com/Files/TechnicalDocuments/ca-technology-exchange_233637.pdf
The same paper also has a useful taxonomy of actors in the Cloud infrastructure area:

...based on the Service type, cloud services can be classified into the following areas:

Cloud Service Provider (CSP): Organizations that offer the services (computing services, application services, etc.) for consumption through a well-defined set of interfaces based on an agreed cost model (for example, Amazon EC2).

Cloud Service Consumer (CSC): Consumers that use computing services provided by a CSP through a well-defined set of interfaces. For example, cloud services provided by CA Clarity PPM On Demand could be used for project planning and management without deploying the software in-premises. Similarly, Amazon EC2 services could be utilized by consumers to handle peak computing load. In this case, the computing resources are provisioned into Amazon EC2. Once the load returns to normal level these resources could be de-provisioned.

Cloud Broker/Federator: Organizations that combine multiple trustworthy services from different CSPs to provide a new computing service, essentially adding value to improve on specific capabilities. For example, a broker may combine storage services from one vendor with the identity and access management services from another vendor to provide role-based secure storage services (for example, Vordel Cloud Service Broker).

Monday, January 24, 2011

It's so cold that...

With a hat-tip to Paul Madsen,

It's so cold that ... OAuth tweets are falling out of the sky
It's so cold that ... API keys could get stuck in locks
It's so cold that ... Conditional Routing paths must be shoveled out



(Those temperatures are Fahrenheit, by the way)

Friday, January 21, 2011

Looking back at 2010

From CloudComputingArchitect.com, Vordel highlights of 2010:

Key Highlights of Full Year 2010

* Year over year growth of 82%
* Profit figures ahead of target for FY2010
* Released Vordel 6: re-architected for ease of use and performance
* 30 new customers added in 32 countries.
* Expanding management team includes Ed Jackowiak joining as VP Sales, North America
* New offices opened in Boston, Paris and Düsseldorf
* Webinar series on New Architectures for SOA and Cloud Application launched with ground-breaking Blackhawk/Safeway case study for Facebook Marketplace
* Vordel Cloud Service Broker: first technical integration with VMware vCloud Director
* Launched inaugural Vordel User Group meetings in EMEA

Thursday, January 20, 2011

Chess Analogy Redux

Chess is currently top-of-mind chez O'Neill due to my son teaching himself chess by playing gnuchess on xboard on a Puppy Linux box I put together based on an old PC abandoned on the street by a neighbor who skipped the state during the height of the foreclosure crisis. We now play with an actual wooden chess set and have books such as "How to beat your dad at chess" (which, as my son pointed out, was not supposed to be for me to read cover-to-cover, thus defeating the purpose). One thing we've been working on is the chess opening. As an infosec person, it's hard to do anything (take a flight, start a car) without thinking of the infosec analogies. And chess openings are no exception. But Gunnar Peterson is way ahead of me on the infosec/chess analogies...

Last January, I quoted Gunnar Peterson, who used a chess analogy for AAA as part of a larger post:
I think of AAA access control technologies as Opening Game strategies - many people think of Kerberos and other ticketing systems as security, but really they just establish the initial ruleset for operations, the real game begins once they're in place, in use, and under attack. The structure used at the opening does not dictate all or maybe even most of the events that occur in the middle and end game.
http://1raindrop.typepad.com/1_raindrop/2010/01/beyond-the-opening-a-priori-is-a-problem.html
This made me think about AAA in particular, and how it breaks down into its component parts. So much effort is put into the first "A" of it, i.e. authentication. But much less effort is put into the next steps. Authorization in particular is often murky. Even when you look at how people use Web Access Management products which do authorization, you often find that they are only being used for authentication and their single sign-on feature. I've referenced this chess analogy during 2010 in screencasts and webinars focusing on actual authorization products, including this screencast on Vordel's interop with Oracle Entitlements Server (Vordel as PEP and OES as PDP) and this webinar with Axiomatics. Authorization is "what happens after the opening" and deserves more attention than it has received in the past. The chess analogy is a good way to explain this, since it's not a case of "Make the opening then hope for the best". The opening is important, sure, but there is also the middle game and the endgame.

So, now, a year later and another nice chess analogy from Gunnar. He talks about where a Gateway fits in front of the ESB, saying:
"If you front end the ESB (Or other aggregator) out to the Mobile clients, you are not simply publishing the data and Web services to the Mobile world, you are publishing your entire Enterprise Attack Surface as well. Think about what is exposed if the Gateway is not there to mediate.

So Gateways are quite important because they can play a role across the entire Attack Surface, including

  • Communication channel: proxy network protocols
  • Method: access control, publish only authorized methods
  • Data: content validation, encryption, and integrity services"
http://1raindrop.typepad.com/1_raindrop/2011/01/of-gateways-and-hedgehogs.html
So where does chess fit into this?
If you push all these defenses back into your app not only do you have the Attack Surface-bloat problem, you also have the issue of affecting performance and performing the security checks in the same space as that which you are trying to defend. In other words by the time you spot the attack it may already be checkmate.
In other words, if you don't have a Gateway in the architecture, you lose your well-defined opening: it's the equivalent of jumping straight into the middle game without a clear opening strategy. This is another nice chess analogy which I'll be using in 2011 - thanks again Gunnar :-)
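The mediation Gunnar lists (method, data), and the authentication-versus-authorization split from the AAA discussion above, as an added example. This is my toy code, not Vordel's Gateway and not anything from 1raindrop: a Python policy enforcement point in front of a hypothetical banking SOAP backend. The operation names, roles and policy table are invented, and the backend is assumed to implement further operations that are deliberately never published.

```python
"""Toy policy enforcement point (PEP) for a SOAP backend.
Added example, not Vordel Gateway or 1raindrop code. The operations,
roles and policy table below are hypothetical."""
import re
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_BYTES = 64 * 1024

# Method layer: the only operations published to the outside, and which
# roles may call each. The (assumed) backend also implements ExportAllAccounts
# and DebugDump; because they are not listed here they are unreachable.
PUBLISHED = {
    "GetBalance": {"customer", "teller"},
    "Transfer": {"teller"},
}


class Denied(Exception):
    pass


def validate_content(raw: bytes) -> ET.Element:
    """Data layer: size cap, no DOCTYPE (no entity expansion or XXE), and the
    document must be a SOAP Envelope. Runs before anything reaches the backend."""
    if len(raw) > MAX_BYTES:
        raise Denied("payload too large")
    if re.search(rb"<!DOCTYPE", raw, re.IGNORECASE):
        raise Denied("DOCTYPE not allowed")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise Denied(f"malformed XML: {exc}")
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise Denied("not a SOAP envelope")
    return root


def operation_of(envelope: ET.Element) -> str:
    """Local name of the single child of soap:Body, i.e. the requested operation."""
    body = envelope.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) != 1:
        raise Denied("Body must carry exactly one operation")
    return body[0].tag.rsplit("}", 1)[-1]


def pdp(principal: dict, operation: str) -> bool:
    """Policy Decision Point: authorization, consulted only after authentication."""
    return bool(PUBLISHED.get(operation, set()) & set(principal.get("roles", [])))


def mediate(raw: bytes, principal: Optional[dict]) -> Tuple[str, str]:
    """The PEP. principal is the already-authenticated caller (None if the
    channel carried no credentials). Returns (HTTP-style status, detail)."""
    try:
        operation = operation_of(validate_content(raw))
    except Denied as exc:
        return ("400", str(exc))
    if operation not in PUBLISHED:
        # An unpublished operation looks nonexistent from outside.
        return ("404", "no such operation")
    if principal is None:
        return ("401", "authentication required")
    if not pdp(principal, operation):
        return ("403", f"{principal['name']} may not call {operation}")
    return ("200", f"forward {operation} to backend")


def soap(operation: str, inner: str = "") -> bytes:
    """Build a constructed request for the demo."""
    return (f'<s:Envelope xmlns:s="{SOAP_ENV}"><s:Body>'
            f'<{operation} xmlns="urn:example:bank">{inner}</{operation}>'
            "</s:Body></s:Envelope>").encode()


# Constructed principals and a constructed entity-declaration prefix.
CUSTOMER = {"name": "alice", "roles": ["customer"]}
TELLER = {"name": "bob", "roles": ["teller"]}
XXE = b'<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>'

if __name__ == "__main__":
    for label, raw, who in [
        ("customer balance", soap("GetBalance"), CUSTOMER),
        ("customer transfer", soap("Transfer"), CUSTOMER),
        ("teller transfer", soap("Transfer"), TELLER),
        ("unpublished op", soap("DebugDump"), TELLER),
        ("anonymous", soap("GetBalance"), None),
        ("entity attack", XXE + soap("GetBalance"), TELLER),
    ]:
        print(f"{label:18} -> {mediate(raw, who)}")
```

The PUBLISHED table is the "publish only authorized methods" line: an operation the gateway does not list is unreachable from outside, whatever the ESB behind it would serve. The PDP call is kept separate from authentication so that an authenticated but unauthorized caller gets a 403 instead of a pass-through, which is the middle-game work that Web Access Management deployments so often skip. The DOCTYPE and size checks run before the parser and before the backend, so the check does not happen "in the same space as that which you are trying to defend".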

The usual caveats of infosec analogies apply, as well put by Chris Hoff here.

Wednesday, January 19, 2011

In Paris in the spring-time : Free SOA Architecture Workshops

Paris in the spring-time brings up images of sipping coffee while tearing open a freshly-baked baguette, and admiring the city. So why not combine it with a free SOA Workshop on Security, Performance and Governance for SOA Architectures? My colleague Philippe Leothaud, who recently joined Vordel from Bee-ware, is leading a series of complimentary hands-on, case-study-led workshops in Paris next month.

More information here en français:

Description:
http://www.vordel.com/news/press/11_01_11.html

Registration:
http://www.vordel.com/news/events/03-02-2011-Paris.html

Tuesday, January 18, 2011

ScaleXtreme

There are a couple of reasons to keep an eye on ScaleXtreme, who received venture capital from Accel Partners this week.

Firstly, they are focusing on the area of data center server management, which has been disrupted by the fact that organizations are making increasing use of virtual servers hosted by Cloud-based providers such as Amazon and Terremark. Case in point: one of Vordel's customers in the pharmaceuticals area routinely spins up hundreds of servers on Terremark to process clinical trial data, then spins them down again, benefiting from Vordel's vCloud API support. To be able to manage those Terremark-hosted servers alongside on-premises servers is a valuable thing.

Secondly, one of the founders of ScaleXtreme is Nand Mulchandani, who was a co-founder of Oblix. Oblix was a Web Access Management vendor whose main product competed with SiteMinder and Tivoli Access Manager, amongst others. Oblix came relatively late to the game of Web Access Management but brought some key differences. One which stood out for me was its Microsoft interop. I did some Oblix deployments myself, and found it to be a well-designed product, so it wasn't really a surprise when it was bought by Oracle to become Oracle Access Manager (I recently recorded a screencast video of the Vordel Gateway operating with Oracle Access Manager).

An interesting architectural aspect of ScaleXtreme is how it gets around the "How can I manage my internal servers via a Cloud-based service through mobile devices, when they are behind the firewall?" problem. The way it does this is by using agents which are installed on the internal servers. These agents then communicate with the Cloud-based service. The Cloud-based service is therefore the main part of the architecture. This bears out the observation by Nand Mulchandani that the Cloud component of ScaleXtreme is intrinsic, not some kind of bolt-on.

Definitely one to watch...

Thursday, January 13, 2011

Drag-and-drop productivity tips in Vordel Policy Studio

Did you know that if you drag and drop a filter onto an existing filter in Vordel Policy Studio, Policy Studio will automatically create the path from the existing filter to the new filter? You can see this in action in the short screencast video below:


video

You may have noticed another productivity tip in the video above, whereby you can type in search text in order to narrow down the list of filters to drag-and-drop.

Here's another neat productivity tip: If you drag and drop the new filter onto a filter which already has a green "success path", then Policy Studio will create a new red path, as shown in the screencast video below.


video

Tuesday, January 11, 2011

One step forward, one step back

Chris Swan has a good post this week about how the compliance footers added to email messages by Google's Postini actually invalidate the DKIM signatures created by Google Apps. Changing a message after it has been signed will do that to a signature, of course, but it is disappointing to see a model where layering on more security (the compliance footer) actually cancels out an existing layer of security (the signature).
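Why the footer breaks the signature, as an added example (my code, not Chris Swan's, Google's or Postini's): DKIM's bh= tag is a hash of the canonicalized message body, computed here per RFC 6376 for both the "simple" and "relaxed" body canonicalizations. The message text and footer are constructed. The example goes slightly beyond the post to show what canonicalization does forgive (trailing blank lines, trailing spaces) and what the l= body-length tag would buy, and cost.

```python
"""DKIM body hash (bh=) per RFC 6376 sections 3.4.3, 3.4.4 and 3.7.
Added example; not code from Chris Swan's post, Google Apps or Postini.
Message body and footer text are constructed."""
import base64
import hashlib
import re
from typing import Optional


def canon_body_simple(body: bytes) -> bytes:
    """'simple': ignore empty lines at the end of the body; the result always
    ends in exactly one CRLF, so an empty body canonicalizes to CRLF."""
    return re.sub(rb"(\r\n)*\Z", b"", body) + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """'relaxed': strip trailing whitespace on each line, collapse whitespace
    runs to one space, ignore empty lines at the end; a non-empty result ends
    in CRLF, an empty body stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
    canon = re.sub(rb"(\r\n)*\Z", b"", b"\r\n".join(lines))
    return canon + b"\r\n" if canon else b""


def body_hash(body: bytes, canon: str = "relaxed", l: Optional[int] = None) -> str:
    """The bh= value: base64(SHA-256(canonical body)), or of only its first
    l octets when the signature carries an l= body-length tag."""
    cb = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    if l is not None:
        cb = cb[:l]
    return base64.b64encode(hashlib.sha256(cb).digest()).decode()


# Constructed: the body as the sending side signed it...
SIGNED_BODY = b"Hi Bob,\r\n\r\nPlease see the attached invoice.\r\n\r\n-- Alice\r\n"
# ...a compliance footer appended downstream, and a malicious appendage.
FOOTER = (b"\r\n----\r\nThis message is intended only for the addressee. "
          b"Do not forward.\r\n")
PHISH = b"\r\nYour password expires today: http://login.example.net/reset\r\n"


def demo() -> dict:
    bh_signed = body_hash(SIGNED_BODY)
    signed_len = len(canon_body_relaxed(SIGNED_BODY))
    return {
        "bh_signed": bh_signed,
        # Canonicalization forgives whitespace-only changes...
        "blank_lines_still_match": body_hash(SIGNED_BODY + b"\r\n\r\n") == bh_signed,
        "trailing_space_still_matches":
            body_hash(SIGNED_BODY.replace(b"Bob,", b"Bob,   ")) == bh_signed,
        # ...but not content appended after signing: the footer fails bh=.
        "footer_still_matches": body_hash(SIGNED_BODY + FOOTER) == bh_signed,
        # An l= tag covering only the signed octets would let the footer pass,
        # but it lets anything else appended after that length pass too.
        "footer_passes_with_l": body_hash(SIGNED_BODY + FOOTER, l=signed_len) == bh_signed,
        "phish_passes_with_l": body_hash(SIGNED_BODY + PHISH, l=signed_len) == bh_signed,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:30} {v}")
```

Relaxed canonicalization exists to absorb whitespace damage in transit, and it does; a footer is new content and no canonicalization can absorb that. The l= tag makes the hash cover only the originally signed length, so the footer passes verification, but so does any text an attacker appends after that length, which is why verifiers treat l= with suspicion. The clean answer is to apply the footer before the signature is computed, or to have the last hop that modifies the message re-sign it.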

[ Incidentally, the post contains a reference to bacn, a very useful word which I didn't know existed... ]

Tuesday, January 4, 2011

SAML, SSO, and Web Services at the forefront for 2011

Roger Grimes has a piece in Infoworld today on security trends for 2011. Two which I would pick out are (a) Token protection, and (b) the Death of the DMZ.

Follow the token to find the key

He points out that:
Users will want full-range access through one logon name and password/logon token.

As such, you will be asked to make that happen, even between systems you don't control. You'll do this by using Web-based federation standards, cloud gateways, and claims-based identity metasystems. Instead of being worried about authentication protocols and password hashes, you'll be protecting XML-based SAML (Security Assertion Markup Language) tokens.
http://www.infoworld.com/d/security-central/five-security-trends-2011-and-beyond-434?page=0,1

To put this into practical context, consider how one of Vordel's US education-sector customers is using Vordel for single sign-on of college students into Gmail (and Google Apps in general). It is SAML which is used to log the users into Gmail. Roger Grimes points out that the SAML tokens must be secured, which is very true (Google requires them to be signed; that is part of the protocol). But notice the set of keys in the diagram below. Those are the API Keys. If you follow the chain of trust, those are what really needs to be protected. With those keys, an attacker could construct their own signed SAML token which would log them into someone's Gmail account. So it is absolutely vital that those API keys are protected. My own prediction for 2011 is that the sensitivity of API Keys will start to be realized, and organizations will come to see that their Gateway/Broker solutions must protect those keys at all costs. After all, the API keys are linked to pay-as-you-use Cloud services, and to sensitive information (like email, sales leads, or shared documents).
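Why the keys are the real secret, as an added example (my code, not Vordel's Gateway and not Google's SAML implementation): a minimal identity provider and relying party. Two simplifications are assumed: the assertion is a Python dict rather than a SAML XML document, and the XML-DSig RSA signature is replaced by an HMAC over a canonical encoding, so the IdP and the relying party share one key. A real IdP's RSA private key plays exactly the role the shared key plays here. Names, domains and times are constructed.

```python
"""Who holds the signing key holds the accounts: minimal SAML-style issuer
and verifier. Added example; not Vordel's product or Google's implementation.
Assumptions: dict instead of XML assertion, HMAC instead of XML-DSig RSA, so
one key is shared by both sides. Names, domains and times are constructed."""
import hashlib
import hmac
import json
import secrets
import time


class AssertionRejected(Exception):
    pass


def canonical(assertion: dict) -> bytes:
    """Stand-in for XML canonicalization: a deterministic byte encoding."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def sign(assertion: dict, key: bytes) -> str:
    """Stand-in for the XML-DSig signature over the assertion."""
    return hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()


class IdP:
    """Identity provider: authenticates the user, then mints an assertion."""

    def __init__(self, entity_id: str, key: bytes):
        self.entity_id, self.key = entity_id, key

    def issue(self, subject: str, audience: str, ttl: int = 300, now=None) -> tuple:
        now = int(time.time()) if now is None else now
        assertion = {
            "ID": "_" + secrets.token_hex(16),
            "Issuer": self.entity_id,
            "Subject": subject,
            "Audience": audience,        # the one relying party allowed to consume it
            "IssueInstant": now,
            "NotOnOrAfter": now + ttl,   # short lifetime narrows the replay window
        }
        return assertion, sign(assertion, self.key)


class ServiceProvider:
    """Relying party (the Gmail side): trusts one issuer and one key."""

    def __init__(self, entity_id: str, trusted_issuer: str, key: bytes):
        self.entity_id, self.trusted_issuer, self.key = entity_id, trusted_issuer, key
        self.seen_ids = set()  # replay cache of consumed assertion IDs

    def accept(self, assertion: dict, signature: str, now=None) -> str:
        now = int(time.time()) if now is None else now
        if not hmac.compare_digest(sign(assertion, self.key), signature):
            raise AssertionRejected("bad signature")
        if assertion.get("Issuer") != self.trusted_issuer:
            raise AssertionRejected("untrusted issuer")
        if assertion.get("Audience") != self.entity_id:
            raise AssertionRejected("wrong audience")
        if now >= assertion.get("NotOnOrAfter", 0):
            raise AssertionRejected("expired")
        if assertion["ID"] in self.seen_ids:
            raise AssertionRejected("replayed")
        self.seen_ids.add(assertion["ID"])
        return assertion["Subject"]

    def rejects(self, assertion: dict, signature: str, now=None) -> bool:
        try:
            self.accept(assertion, signature, now)
            return False
        except AssertionRejected:
            return True


KEY = secrets.token_bytes(32)                 # the secret the Gateway must guard
IDP_ID = "https://idp.example.edu/saml"       # constructed
SP_ID = "google.com/a/example.edu"            # constructed


def scenario() -> dict:
    idp, sp, t = IdP(IDP_ID, KEY), ServiceProvider(SP_ID, IDP_ID, KEY), 1_700_000_000
    a, s = idp.issue("student@example.edu", SP_ID, now=t)
    r = {"legit": sp.accept(a, s, now=t)}
    r["replay_rejected"] = sp.rejects(a, s, now=t)
    # Without the key, changing the Subject breaks the signature.
    tampered = dict(a, ID="_t", Subject="dean@example.edu")
    r["tamper_rejected"] = sp.rejects(tampered, s, now=t)
    # With the key, no IdP is needed: mint an assertion for any account.
    forged = dict(a, ID="_f", Subject="dean@example.edu")
    r["forged_with_key"] = sp.accept(forged, sign(forged, KEY), now=t)
    # What the relying party can still bound: lifetime, audience, rotation.
    b, sb = idp.issue("student@example.edu", SP_ID, now=t)
    r["expired_rejected"] = sp.rejects(b, sb, now=t + 600)
    c, sc = idp.issue("student@example.edu", "other-sp.example.net", now=t)
    r["wrong_audience_rejected"] = sp.rejects(c, sc, now=t)
    rotated = ServiceProvider(SP_ID, IDP_ID, secrets.token_bytes(32))
    r["old_key_rejected_after_rotation"] = rotated.rejects(forged, sign(forged, KEY), now=t)
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:34} {v}")
```

The first half is the chain of trust from the post: without the key a changed Subject fails verification; with the key the attacker needs no IdP at all and mints a valid assertion for any account. The second half is what the relying party can still bound once a key has leaked: audience restriction, a short NotOnOrAfter, a replay cache on the assertion ID, and key rotation, after which every assertion under the old key is dead. Those controls do not replace keeping the key in the Gateway's protected store; they limit what a leak costs.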


DMZ RIP

The second point I'd echo is how Roger Grimes foretells "The Death of the DMZ". Another way to express this, by Bill Mann of CA, is that "We are all on a public network". The solution is not to think about perimeters, but to think about the data. Shrink the perimeter right down to the data itself. Again, Web Services technologies apply here. If (as Roger Grimes recommends in his first point in that article - "What isn't Web will become Web") you are using Web technologies, then that allows you to make use of WS-Security and XML Encryption in order to selectively encrypt the sensitive data, even within a message itself. Again, Gateways and Brokers are what do this. The problem to overcome is the performance cost of all that cryptography and message processing, which is why XML Gateway products are optimized for performance.

It's going to be an interesting 2011!

Welcome onboard @xmlgatewayguru

I'm very pleased to say that Josh Bregman has joined the Vordel team here in Boston, and has hit the ground running by blogging at http://xmlgateway.blogspot.com.

Over the years I've known Josh, I've found that he's an excellent source of security know-how, product configuration tips, and, last but not least, Red Sox tickets :-)

You can also follow Josh on Twitter at: @xmlgatewayguru