Tuesday, 1 December 2009

Amusing vulnerability

I came across one of the more entertaining recent vulnerability announcements this morning - take a look at http://www.kb.cert.org/vuls/id/261869. I think it falls into the "well it's obvious now I think about it" category however I hadn't really thought about it... In summary, the way that clientless VPN servers re-write URLs breaks the same origin policy - pretty obvious if you've ever used one of these products and looked at the various URLs that get returned. This means that "bad things" can happen - take a look at the advisory. I'd suggest that any organisation using these kinds of clientless VPNs to provide remote access functionality prevent Internet browsing through these servers; after all, if a user can get to the VPN server he/she has Internet access so why do they need to go through the VPN server?

Why do I view this as entertaining? Well, it's always a little ironic when security products present attack vectors and I'm a big fan of irony. I also know several organisations that make use of this technology and I can't wait to point them to the link...
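To make the same-origin point concrete, here is a small added illustration (my own code, not anything from the advisory or from a particular VPN product). It models a generic URL-rewriting gateway: the real destination is folded into the path of a URL on the gateway's own host, so a browser sees every rewritten site as a single origin. The gateway name, the internal host list and the path-encoding scheme are all assumptions for the example.

```python
from urllib.parse import urlsplit

# Hypothetical clientless VPN gateway; the name and the rewriting scheme are assumptions.
VPN_HOST = "vpn.example.com"
# Hosts the gateway is meant to front. Anything else is "Internet browsing via the VPN".
INTERNAL_HOSTS = {"intranet.example.com", "hr.example.com"}


def origin(url):
    """The (scheme, host, port) triple a browser compares under the same-origin policy."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port)


def same_origin(a, b):
    return origin(a) == origin(b)


def rewrite(url):
    """Model of a URL-rewriting proxy: the real destination moves into the path,
    so every rewritten page is served from the gateway's own origin."""
    p = urlsplit(url)
    tail = (p.path or "/") + ("?" + p.query if p.query else "")
    return f"https://{VPN_HOST}/{p.scheme}/{p.netloc}{tail}"


def rewrite_restricted(url):
    """Hardened variant: refuse to proxy anything that is not an internal host,
    so hostile Internet content can never run in the gateway's origin."""
    host = urlsplit(url).hostname
    if host not in INTERNAL_HOSTS:
        raise PermissionError(f"refusing to proxy external host {host!r}")
    return rewrite(url)


def origins_collapse(url_a, url_b):
    """Return (direct, via_vpn): whether the two URLs share an origin in each case."""
    return same_origin(url_a, url_b), same_origin(rewrite(url_a), rewrite(url_b))


if __name__ == "__main__":
    intranet = "https://intranet.example.com/payroll"
    hostile = "http://attacker.example.net/page.html?x=1"
    print(rewrite(intranet))
    print(rewrite(hostile))
    print(origins_collapse(intranet, hostile))  # (False, True)
    try:
        rewrite_restricted(hostile)
    except PermissionError as e:
        print(e)
```

Direct access gives the two sites different origins, so script on the attacker's page cannot read the payroll page. Once both are rewritten they share the origin https://vpn.example.com, and script from the hostile page can fetch the intranet page through the same gateway. The rewrite_restricted function is the "don't browse the Internet through the VPN" advice expressed as a check: if the gateway never rewrites external hosts, hostile content never ends up in its origin in the first place.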

Thursday, 5 November 2009

AWS in the Enterprise

I managed to get to the Amazon Web Services in the Enterprise event earlier this week. It was a well attended event, with an audience predominantly suited and enterprisey in appearance. Despite an equipment failure (dodgy projector), which necessitated some juggling around with the schedule, I think Amazon managed to get their messages across with respect to the way that their services are currently being used to generate real business value. As ever with these kinds of events, it was the customer presentations that generated the most interest as far as I am concerned. Vendor presentations are fine and dandy but I’m much more interested in what real organisations are doing and the lessons that such organisations have learned during their initial experiences. The presentation from Bob Harris of Channel 4 was particularly encouraging – especially the statement that AWS is now their default platform of choice for web facing applications; C4 projects now need to justify any decision not to use AWS. Bob also provided an interesting anecdote of a senior technical architect from a major SI making a particularly ill-informed comment regarding the security implications of using S3. Lesson here is to be even more diligent than usual when choosing your SI if working in the cloud space. I will admit to a vested interest here :-).
Overall, I think the message that most people will take away from the event is that the AWS platform is maturing and that confidence is increasing amongst enterprises that tricky issues such as compliance and security can be managed. The other message that AWS clearly wanted to get across is that early adopters are likely to obtain a substantial competitive advantage over their more timid competitors due to increased agility and speed to market. We’ll have to see how that one plays out…

Friday, 30 October 2009

Hostage to fortune

So in my previous blog I provided my thoughts from the Cloud World Forum event. During that event I was asked what I believed the cloud market would be like in 5-10 years time. Well I had a stab at an answer at the time but I've had more time to think now and I think I'd revise my answer a little. As much as I hate offering up a hostage to fortune, I think it may be fun to check back in a year or two to see just how wrong I am :o)

First things first. I'll be using the NIST definitions for cloud computing - check them out, they're good and they're vendor-independent. [One beef I did have with the speakers at the Cloud WF was that they all insisted on giving us their own definition of cloud computing. We really should be over that by now... Particularly when they all mentioned the Internet and then a number went on to talk about private clouds.]

Let's have some initial assumptions:

i) IaaS will become more interoperable and portable - either provider-supported through the use of standard APIs (check out http://www.occi-wg.org) or by default through meta-cloud providers reverse engineering closed APIs.

ii) PaaS and SaaS vendors will have a big question to answer around the granularity of the services that they offer.

iii) Consumers will have some serious thinking to do with respect to the amount of lock-in (and subsequent pricing consequences) they are willing to endure.

So in my future IaaS will become seriously commoditised with consumers able to switch loads or other basic IT needs as and when necessary through the use of meta-clouds or other mechanisms for managing multiple cloud providers. I think that's a given. [I'm not going to talk about private or community clouds much in this post, let's just assume that most internal IT systems will be delivered by either private or community cloudy resources - let's face it, there's not much that won't be virtualised in 5 years time other than the obvious usual suspects, y'know those guys still running COBOL on legacy kit...]

The PaaS and SaaS space is much more interesting. In an ideal world, these kinds of providers would completely open up and offer very granular services, presumably charged per transaction or subscription, that consumers could use on a per-service basis from outside of the provider environment. Enabling SOA via cloud services. That would be good. What I fear is that PaaS providers in particular will be very closed-minded in their thinking and actually encourage the PaaS lock-in that has many cloud commentators (including this one) worried. Why would they do this? Well, once a consumer is effectively locked-in there'll be every temptation to start upping the prices - as long as the pain to the consumer is less than migrating away from the PaaS it's a definite win for the provider. Ah, but competition will prevent this I hear you say. Well, only if the competition isn't doing the same thing!

So that's my view of how the future will pan out. Anyone care to share theirs?

Friday, 23 October 2009

Cloud World Forum

I attended the rather grandly titled Cloud World Forum in London yesterday. Have to say that it was an excellent event, certainly more business focussed than other events such as Cloud Camp (which is always good fun if more IT oriented) or the rather disappointing CloudStorm event a couple of weeks ago.

Highlights and interesting tidbits from the event:
o Kate Craig-Wood of Memset, Intellect and the BCS is now co-leading the technical architecture stream of the Cabinet Office data centre consolidation work
o Asite are a public cloud service that have apparently obtained HMG accreditation for use by the Environment Agency. Unfortunately the presenter left before I had a chance to quiz him on the accreditation aspect!
o Lots of good presentations from the likes of Gartner and BT and some interesting panel sessions, particularly interested in the Gartner research that showed security was still the leading concern with organisations yet to adopt cloud computing. Also interesting that the main drivers for those organisations that have adopted cloud computing were cost and functionality. Who'd have thought it? ;-)
o If you have an interest in collaboration then certainly check out www.huddle.net - collaboration tools, video conferencing etc all in one user-friendly cloud-based offering.
o BT's virtual data centre is an interesting proposition - they do not run VMs for more than one customer on a physical blade. Of course, from a paranoid perspective you may still have decommissioning concerns when the blade is returned to the wider resource pool. Not dug into the real low-level details here.
o Mimecast have released a Forrester Consulting report into the "total economic impact" of their solution. Yes, the report is specific to Mimecast, however the methodology of the report is of interest and it's useful to have a (vaguely) independent, albeit funded, report showing a detailed ROI argument for a cloud-based service. The report should be downloadable from the Mimecast web-site but I don't think it's there yet.


Downsides:
o Terribly dull presentation from VMware, Cisco and EMC. Everybody else talking about business benefits, these guys droning on for a long time about IT and infrastructure issues. Bored everyone to tears. Content was actually not bad from a technical perspective but was wrong for the event and the delivery was way too dry. [Example of the problem with the presentation, when talking of moving to cloud services "...got to start with server virtualisation" - well, only if you're talking IaaS and I'd personally start with identifying what you want to do from a business perspective!]
o Still a general ignorance with respect to security - lots of mentions of it during the day but no real understanding of how to manage risk in a cloud environment. [One panellist even described escapes from VMs as 'a bit of a myth' - a bit problematic given that exploits have been published which do just that...]
o Slightly disappointing presentation on cloud security from Cryptocard which was basically yet another demonstration of using Cain and Abel to intercept passwords (*yawn*) and an overly broad statement that two-factor authentication solves all authentication issues in a cloud environment. Yes, they would say that being as they sell 2FA solutions but it's blatantly not true!

Overall - good event, will definitely try to attend next year's. The attendees were left with the feeling that cloud computing is here, is real and is delivering benefits to the early adopters.

Thursday, 15 October 2009

Resources for the busy security pro...

I'm going to step away from cloud computing for a change and go back to the main day job - security. Like many security pros I'm a busy guy but at the same time my clients (and I) expect me to remain up to date with the latest happenings in the security space. Over the years I've whittled down the number of Internet resources I keep track of - I'm going to talk about a couple that I still check on a daily basis in this post.

Firstly: http://archives.neohapsis.com/

There are loads of security mailing lists - the site above is a convenient method for keeping track of the most useful ones. I'd recommend their Yesterday, Today, Full-Disclosure and DailyDave archives. There are other aggregators but I've been using this one for years and I'm a loyal soul...

Secondly: http://www.monkey.com/~jose/secblogs.html

As with mailing lists, there are loads of security blogs and loads of blog aggregators. I tend to use the one above as it aggregates blogs I'm interested in and provides a manageable number of links per day - I don't feel overwhelmed by the sheer volume of posts!

Hope you find them useful. If you have any other resources that you think would help a busy security guy keep up to date (in a quick and manageable way!) please add some comments.

Thursday, 1 October 2009

Cloud Security Summit

I presented my first ever web-cast yesterday as part of the BrightTALK Cloud Security Summit. An interesting experience and strangely enjoyable. I found the BrightTALK platform fairly straightforward to use, although the voting system could be a little more slick. It's a little uncomfortable whilst you're presenting as you've no way of knowing whether you're carrying your audience with you - fortunately the ratings have been quite positive and so I think I got away with it :-)

If you're interested in cloud security, my web-cast can be found here:

http://www.brighttalk.com/webcasts/5688/play

If you have any questions or want to leave any feedback, feel free to comment :-)

Monday, 28 September 2009

CloudCamp London 5

I was lucky enough to attend the 5th London Cloud Camp last week. Once I got my lightning talk out of the way it was an enjoyable event combining an opportunity to catch up with an old friend, make some new contacts and engage in some interesting conversations! [I think my talk went pretty well other than being a little rushed - my own fault for trying to fit a 10 minute talk into a 5 minute slot!]

After the talks we broke into Vendor Tracks and Open Space discussions - one of the attendees suggested a session around security which I volunteered to moderate. I've written up these discussions and the write-up is shown below. If any of the attendees feel I missed anything out or have misrepresented the conversation please feel free to comment or drop me an email. Enjoy!

London CloudCamp #5 Open Space – Security (Room 3)

Chatham House rule applies!


i) Public sector in the Cloud

Discussion began with whether the Public Sector would adopt cloud due to their security requirements. It was noted that the UK Government is planning a G-Cloud as part of the Data Centre Consolidation Strategy – this was also a recommendation in the Carter Review (Digital Britain). Attendees were also pointed towards the blog of John Suffolk, the HMG CIO – http://johnsuffolk.typepad.com. It was thought unlikely that public clouds would be suitable for processing of protectively marked information (i.e. RESTRICTED and above) – although it may be possible to use them for storage and transport if data is encrypted and decrypted on-premise. There was thought to be more likelihood of public clouds being used within local government where security requirements are less stringent due to their data typically being at PROTECT. The main sticking point from a security perspective was currently thought to be around the lack of assured products to support domain separation.

ii) Certificate based authentication

There was a discussion as to whether cloud computing made it difficult to use server certificate based authentication due to the need to tie certificates to domain names or IP addresses. It was not thought to be a problem with IaaS (where this can be controlled by the consumer – if the right technologies are used). Thought to be problematic with PaaS and SaaS.

iii) PCI-DSS and ISO27001

There was a question as to the overlap between PCI-DSS and ISO27001. The group believed that there is significant overlap between the two standards but that PCI-DSS was more prescriptive and so compliance with ISO27001 did not mean compliance with PCI-DSS. PCI-DSS has specific requirements around handling of cardholder data, vulnerability assessments etc that are more granular than those within ISO27001. The recent blog post including the AWS statement that it was not possible to be completely PCI-DSS level 1 compliant using only their EC2 and S3 services was discussed. It was noted that you can simply hand off payment processing to a third party payment processor or keep such processing in-house. It was also noted that there is a separate PCI standard covering the development of payment processing applications.

iv) Privacy

We had a brief discussion around privacy legislation – one of the attendees noting that Germany is about to enact a notification law such that any organisation suffering a data breach must notify all affected customers (either by individual letter or by taking out a 2 page advert in a national newspaper).

v) Use of cloud resources for illegal purposes

We had a particularly interesting conversation around the use of cloud computing resources for illegal purposes – for example the distribution of cracked software keys. This discussion was illustrated through real examples of previously identified instances of such activity. This does raise interesting questions about whether cloud providers should be monitoring for such activity or whether they, like telcos, should act simply as carriers.

vi) Data leakage

The idea that data could be split throughout the cloud to make re-constitution more difficult was discussed. It was thought that this was already one of the benefits of cloud computing – should a service provider lose a disk, it is most likely to contain fragments from a number of clients rather than a substantial chunk of a single organisation's data.

Miranda Mowbray's obfuscation tool and the Vanish tool (University of Washington) were mentioned as being of interest to those looking to keep sensitive data under control. Both noted as being primarily of academic interest at this time.

vii) Virtual Desktop Infrastructures

There was some discussion of VDI in the cloud. Noted that the public sector may "browse-down" from a more sensitive domain to a lesser domain, e.g. to offer Internet access via terminal services, but that "browse-up" was frowned upon.

viii) Security Benefits

It was thought that the cloud model can offer some security benefits – e.g. increased/improved security monitoring, patching, security expertise and physical security. Likely to be of more benefit to SMEs but could also be of benefit to larger organisations (most of whom should already have invested in the necessary functions).

ix) Security as a Service

The prospects of security as a service were discussed. It was noted that businesses such as MessageLabs have been doing this for years! Security filtering in the cloud is a valid service. Could also expect to see identity providers in the cloud in the future.



Monday, 21 September 2009

Cloud miscellany

It's been a busy few weeks hence the lack of posts here. Admittedly one of the things taking my time was a week by the seaside so I've not been that hard done by!

But back in the real world it's been interesting at work with respect to how many of our current bids and engagements are now considering delivery, at least in part, via cloud computing models. There seems to be a real shift to treating cloud computing as just another part of the delivery model a la outsourcing, right shoring etc. I have to say that I thoroughly approve of this change - technology for the sake of technology, or even change for the sake of change, is never a wise thing unless of course you're in a particularly bad place and are due a change in luck! What we do have to remember is the potentially game-changing nature of certain cloud computing characteristics - in particular increased agility - which means that we need to be careful not to limit our imaginations to doing just the same things but in a different way. Don't forget to think different, but most importantly don't forget to think!

Friday, 21 August 2009

BrightTALK Cloud Security Summit

I've been lucky enough to be asked to web-cast at the BrightTALK Cloud Security Summit on the 30th of September - if anybody fancies listening to me rabbiting on about security in the cloud, you'll be able to attend by clicking on http://www.brighttalk.com/webcasts/5688/attend

There are some well-known and well-respected figures presenting during the summit - details of the other presentations and presenters can be found at:

http://www.brighttalk.com/summit/cloudsecurity

Come along, I'm sure it'll be fun. I may even have thought of some interesting voting topics by that point as well - I'd welcome suggestions if anyone out there would care to volunteer some?

Monday, 10 August 2009

I hate that question...

So I've found another question that irritates me. It's this one: "What's the most secure; SaaS, PaaS or IaaS?". There are lots of things wrong with this question - firstly, define what is meant by secure. Secondly, define your perspective - are you a provider or a consumer. Thirdly, assuming you're a consumer, define what you're doing in the cloud - it's a big concept, there's lots you can do and lots of ways of doing it! And so on and so on...

I think it's a naive question to ask and that it's even sillier to come out with an answer (unless you've spent the time to understand a very specific situation). There are lots of different perspectives and lots of different classes of organisation with different needs and capabilities. For example, if you're a small business with little experience with an application then it's likely that a SaaS provider will provide a more secure (albeit multi-tenant) solution than you could build yourself. However, if you're a large enterprise then I think a fair argument could be made that you could build a more secure, single tenant application on your own platform on a shared IaaS cloud infrastructure than the multi-tenant equivalent offered by a SaaS provider. Of course, the observant amongst you may have noticed that I said "more secure" without actually defining secure - look at the name of the blog, I'm musing :0)

Upshot, as with most things, know your requirements and choose the solution that's the best fit. This cloud stuff really is not rocket science. (Unless of course you're NASA: http://nebula.nasa.gov :-)

Thursday, 6 August 2009

Enabling confidence in the cloud

My latest Computer Weekly column is now on-line:

http://www.computerweekly.com/Articles/2009/08/05/237195/enabling-confidence-in-the-cloud.htm

In other news: I gave a presentation on cloud computing to some senior executives of a major HMG department yesterday. I have to say that I was encouraged by the nature of the questions being asked by the audience - they demonstrated both a solid grasp of the underlying concepts of cloud computing and also a genuine interest in understanding the commercial and business benefits that the cloud model offers. I think that's one of the strengths of cloud computing - the business benefits in terms of flexibility and removal of some of the barriers to business innovation are obvious, the trick is going to be to derive the appropriate assurance models and drive the necessary cultural changes. Time for everyone to learn some new skills methinks :-)

Friday, 24 July 2009

Securing data in the cloud?

One of the big concerns for would-be users of cloud services at the moment is around the protection of their private or sensitive data from other users of the service or the providers of the service. Data can hang around for a long time once it's in the cloud or even just on the Web. There have been some interesting developments in this space, albeit of an academic nature i.e. stuff to take a look at but not necessarily to use in real life!

Firstly, back at Cloud Camp London 4, Miranda Mowbray of HP presented a mechanism for obfuscating data on-premise and then processing only that obfuscated data within the cloud. The unobfuscated data is then only available within the secure (*cough*) on-premise location. There are some problems with Miranda’s approach from the point of view of an enterprise whereby the cost of a data compromise could outweigh the cost of a frequency analysis (or even better a chosen plaintext) attack, however it may have some value for the more casual user or for less sensitive data. It was stated that Miranda hoped to open source the project but I don’t believe that’s happened yet – an abstract of the HP Labs technical report can be found at http://www.hpl.hp.com/techreports/2009/HPL-2009-156.html but no link to the full paper unfortunately.
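To show why frequency analysis and chosen-plaintext attacks matter here, the following is an added example of my own. It is a generic model of deterministic tokenisation, not Miranda Mowbray's actual scheme: each plaintext value is replaced by a fixed token (an HMAC under an on-premise secret) so the cloud side can still sort, group and join on the column. The secret, the sample column and the attacker's background ranking are all constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Hypothetical on-premise secret; the cloud side never sees it.
SECRET = b"on-premise-only-secret"


def obfuscate(value):
    """Deterministic token: HMAC of the plaintext, truncated. Equal inputs give equal
    tokens, which is what lets the cloud side sort, group and join on the column."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()[:12]


# Constructed sample column (say, 'city'), skewed the way real data is.
RECORDS = (["London"] * 40 + ["Manchester"] * 25 + ["Birmingham"] * 15
           + ["Leeds"] * 10 + ["Bristol"] * 6 + ["Oxford"] * 4)

# Attacker's background knowledge: the public popularity order of the values.
# Constructed here; in practice it comes from census data, name lists and the like.
PUBLIC_RANKING = ["London", "Manchester", "Birmingham", "Leeds", "Bristol", "Oxford"]


def frequency_attack(tokens, ranking):
    """Match tokens to plaintexts by rank: the most frequent token is assumed to be
    the most frequent value, and so on. No knowledge of SECRET is needed."""
    ranked_tokens = [tok for tok, _ in Counter(tokens).most_common()]
    return dict(zip(ranked_tokens, ranking))


def recover_column(tokens, ranking):
    """Apply the guessed mapping to every record in the obfuscated column."""
    mapping = frequency_attack(tokens, ranking)
    return [mapping.get(t, "?") for t in tokens]


def chosen_plaintext_attack(oracle, candidates):
    """If the attacker can get values of their choosing obfuscated (e.g. by submitting
    a record through an exposed form), they get a token->plaintext table directly."""
    return {oracle(c): c for c in candidates}


if __name__ == "__main__":
    tokens = [obfuscate(v) for v in RECORDS]
    recovered = recover_column(tokens, PUBLIC_RANKING)
    hits = sum(a == b for a, b in zip(recovered, RECORDS))
    print(f"frequency attack recovered {hits} of {len(RECORDS)} records")
    table = chosen_plaintext_attack(obfuscate, PUBLIC_RANKING)
    print("chosen-plaintext lookup of first record:", table[tokens[0]])
```

The attacker never touches the secret: the skew of the data leaks the mapping, and any way of feeding chosen values through the obfuscation hands over the mapping outright. Randomising the token per record (or encrypting properly) closes both holes, but then the cloud side can no longer group or join on the column, which is exactly the trade-off that makes this an awkward fit for genuinely sensitive enterprise data.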

Secondly, there’s the Vanish project of the University of Washington - http://vanish.cs.washington.edu/index.html. It’s an interesting method for ensuring the inaccessibility of data after a set period of time that utilises the churn of peer-to-peer distributed hash tables to ‘lose’ elements of a distributed encryption key over time. Once the key is no longer available, the data is no longer accessible. I can see how this may be of value to individuals looking to ensure their individual privacy – I’m really not as convinced that this is acceptable in the corporate or government worlds given their discovery and reporting requirements. But I’m no lawyer – take a look for yourselves!
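The core of the Vanish idea is threshold secret sharing of the data key, so here is an added illustration of my own (not the Vanish project's code). The data is encrypted under a fresh key, the key is split into n Shamir shares of which any k recover it, and DHT churn is modelled by a function that simply drops shares. The stream cipher is a toy for illustration; a real system would use an authenticated cipher. The DHT, its timeouts and the n/k values are all assumptions here.

```python
import hashlib
import random
import secrets

# Field for Shamir sharing. 2**127 - 1 is prime, so a 127-bit key is a field element.
PRIME = 2 ** 127 - 1


def _poly_eval(coeffs, x):
    """Evaluate a polynomial (coefficients low to high) at x, modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key, n, k):
    """Shamir k-of-n sharing: a random degree k-1 polynomial with the key as constant term."""
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares, k):
    """Lagrange interpolation at x=0. With fewer than k shares every key is equally likely,
    so the data is gone rather than merely hard to get at."""
    if len(shares) < k:
        raise ValueError(f"only {len(shares)} shares survive, need {k}: data has vanished")
    shares = shares[:k]
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        key = (key + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return key


def xor_stream(key, data):
    """Toy stream cipher (SHA-256 in counter mode), for illustration only."""
    kb = key.to_bytes(16, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(kb + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(plaintext, n=10, k=7):
    """Encrypt under a fresh key and scatter the key as n shares (in Vanish, into a DHT)."""
    key = secrets.randbelow(PRIME)
    return xor_stream(key, plaintext), split_key(key, n, k)


def unseal(ciphertext, surviving_shares, k=7):
    """Rebuild the key from whatever shares are still retrievable and decrypt."""
    return xor_stream(recover_key(surviving_shares, k), ciphertext)


def churn(shares, survivors, rng=None):
    """Model DHT churn: nodes leave and the shares they held are gone for good."""
    rng = rng or random.Random(0)
    return rng.sample(shares, survivors)


if __name__ == "__main__":
    msg = b"self-destructing note"
    ct, shares = seal(msg)
    print(unseal(ct, churn(shares, 8)))        # enough shares left: readable
    try:
        unseal(ct, churn(shares, 5))           # too few: unrecoverable
    except ValueError as e:
        print(e)
```

The property worth noticing for the corporate discovery question is the last branch: once churn has taken the DHT below the threshold, nobody, including the owner, can produce the plaintext, which is precisely what a records-retention regime is designed to prevent.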

Hmmm… it’s going to be an interesting space – at least until someone can come up with a practical mechanism implementing homomorphic encryption. I’m not holding my breath :0)

(http://www.schneier.com/blog/archives/2009/07/homomorphic_enc.html)

Saturday, 11 July 2009

CloudCamp London 4

I got to attend the latest Cloud Camp in London last Thursday night (there have to be some advantages to working the less civilised parts of the UK :-)...

Highlights for me were the lightning talk from Mark Cusack from Rainstor outlining some very interesting ideas around storing data in the cloud for compliance purposes when retiring database applications and the Microsoft talk on Azure. In particular the .NET Services Service Bus demo was both pretty cool and pretty scary at the same time. I can certainly appreciate the benefits of being able to quickly and easily publish web services securely via the .NET Services Service Bus (c'mon Microsoft, call it Azure Service Bus and save our typing fingers!) however securing the services in transit is not the be all and end all. What scares me is the almost certain eventuality of employees deciding to write their own wrappers around internal services that should never be exposed outside of the organisation and using the Service Bus to make such services available over the Internet. But, hey, the network traffic's encrypted over an authenticated channel so everything's ok... no?

I've previously blogged about the need for organisations to start monitoring for potential unauthorised use of cloud services. I'd like to emphasise that need again - and organisations should also consider blocking access to the .NET Services Service Bus until they have a suitable policy in place regarding use of such services.

Monday, 29 June 2009

UK Government Cloud?

So, it looks like the UK Government really may go for cloud. The Carter Report, "Digital Britain", includes a number of references to cloud computing and particularly the use of cloud computing in Government - the fabled G-Cloud. I've quoted a paragraph from the report below.

"The establishment of a G-Cloud will however require investment in
technical development and physical facilities, and the CIO Council and the
Intellect Public Sector Council are now developing the strategic business
case to justify funding the G-Cloud. Provided that this business case can be
properly developed, the adoption of the G-Cloud will be a priority for
Government investment to secure efficiencies, even within the very
constrained framework for public expenditure, over the next 3 years."

The nice thing about this paragraph is that they've even put some timelines in there - 3 years. I don't know about you, but I always feel that things are more likely to happen once people put numbers in timelines rather than aspirational references to the future.

The Carter Report, coupled with the well-publicised posting by John Suffolk to the Cloud Computing Interoperability Forum (CCIF) (see http://groups.google.com/group/cloudforum/browse_thread/thread/c75cde1d7c519363) is all very positive for the adoption of cloud within HMG. But what really makes me believe this is a serious initiative? Well, according to several reports in the IT press Martin Bellamy (formerly Head of Connecting for Health) has moved to the Cabinet Office primarily to look after the G-Cloud strategy - a significant investment by HMG at this time of budget cuts. Watch this space :-)

[Disclaimer: I am a small part of the CIO Council/Intellect Public Sector Council work referenced above so may well have an interest or two here].

Wednesday, 24 June 2009

Nessus web app tests

Well well well. For years now I've enjoyed laughing at pen test firms who answer the question "So what do you use to do your web app testing?" with "Nessus". But, looking at the blog post linked to below:

http://blog.tenablesecurity.com/2009/06/enhanced-web-application-attacks-added-to-nessus.html

it appears that Tenable have stepped up their game somewhat to deliver some usable web app security tests. I have to state that I haven't had a chance to try out this new functionality but it certainly looks to be an improvement on the old cgi checks. Maybe I'll have to stop laughing now and just chortle a little instead... (it's still not the tool of choice for serious web app testing - as Tenable acknowledge. Horses for courses.)

Friday, 5 June 2009

Cloud proliferation

In some ways I believe that the adoption of cloud computing services within enterprises will take a very similar form to that which we saw for wireless networking a few years back. And for very similar reasons - convenience, cost and the lack of reliance on central, often unresponsive, IT departments.

So what should we do about it? Well, rather than let it get out of control which (let's be honest!) happened to a number of organisations with respect to wireless networking, organisations should be

i) adopting policies governing acceptable cloud usage and
ii) monitoring network traffic to ensure that no unauthorised cloud usage is occurring.

More to the point organisations should be doing this now - regardless of whether they have any organisational desire to embrace cloud services. Just because a central IT function does not fancy the prospect of cloud computing, there is no guarantee that projects and programmes will not strike out independently. Time to get a grip now, don't you think?

Saturday, 30 May 2009

Latest article

No posts for a couple of weeks now - mainly as I was on holiday for one of them :-)

As a gentle way back in to the blogosphere, my latest column was in Computer Weekly this week and it can also be found on-line at:

http://www.computerweekly.com/Articles/2009/05/13/236008/security-zone-penetration-testing-define-your-objectives.htm

My main thrust in the article is that penetration testing should not always be the first option with respect to obtaining a realistic view of the actual implemented and operated security posture of an organisation. I am of course aware that there are situations where nothing other than a full-blooded pen test will be appropriate but there are other times where a simple configuration review will provide more bang per buck. I'm expecting a bit of a bashing over the definition I provided for penetration testing but what's the point of writing articles if you can't have a bit of fun!

Friday, 15 May 2009

Talking to lawyers. For fun :-)

An interesting week.

I was fortunate enough to be invited along to present at the Society for Computers and Law conference on Information Governance which was held last Tuesday. I was part of a panel session discussing the current increased focus on data security - initial indications are that the session was well received. I think it's important that we security types occasionally step outside of our usual haunts and talk to those in related fields.

For example, Lorna Brazell's presentation on how Identity is defined within law was particularly enlightening. I think security professionals tend to view the law as something relatively fixed rather than something that is also evolving and finding its place in the modern information society. The final presentation of the day on the legal requirements related to cloud computing seemed a good example of where lawyers and security professionals could work together to the benefit of both parties. Overall, a good event and one I'm glad I attended - and not only because of the bottle of bubbly generously donated by the SCL to each of the speakers :-)

Thursday, 7 May 2009

Is CC evaluation worthwhile?

I had cause to read through the VMware ESX Server 3.0.2 EAL4+ certification documentation earlier today and it has given me a bit of a problem. Not a real-world work problem, more of a general problem with the evaluation process and its value.

Reading through the Security Target, the following assumption immediately jumped out at me (ok, it's a few pages in so immediately is a bit of an overstatement):

"The threat agents are assumed to:
  • have public knowledge of how the TOE operates
  • possess a low skill level
  • have limited resources to alter TOE configuration settings
  • have no physical access to the TOE
  • possess a low level of motivation
  • have a low attack potential"

Now let's pretend I'm working for a Government client with Foreign Intelligence Services as an attack source - low skill level? Low level of motivation? Low attack potential? I should be so lucky... Oh well, at least the evaluation included some penetration testing - let's take a look at the certification report:

"The evaluator conducted a port scan of the VMware® ESX Server and VirtualCenter. Only the ports required for operation of the TOE were found to be open. The evaluator used a publicly available tool to scan the VMware® ESX Server and VirtualCenter for generic vulnerabilities, and none were found. In addition, the evaluator performed direct attacks on the VMware® ESX Server and VirtualCenter, attempting to bypass or break the TOE’s access control security mechanisms."

Is it me, or is that a little light for a penetration test? I'm not particularly reassured.

Of course, the big problem is this: organisations (private and public sector) looking to deploy EAL4+ certified products are usually those with highly skilled, highly motivated threat actors. If some EAL4+ certifications do not cater for these threat actors what is the real value of those certifications?

(At least here in the UK, HMG organisations can turn to the CTAS process for assurance of specific technical barriers.)

Friday, 24 April 2009

It's getting real now...

Well it's been an extremely interesting couple of weeks with respect to cloud security.

(Yes, I know there've been some other happenings in the wider world - Obama releasing TS documents, Darling admitting the UK will be broke for the next decade etc etc but let's concentrate on the really important stuff :-)

The Open Group's Jericho Forum released its Cloud Cube paper on cloud security which describes possible cloud 'formations' according to four different dimensions - Internal/External, Proprietary/Open, Insourced/Outsourced and Perimeterised/De-Perimeterised. I don't believe that there's anything earth-shatteringly novel contained in the paper however the model itself will, I think, prove extremely valuable as a common reference point when discussing cloud computing.

The other major event has been the release of the first deliverable from the Cloud Security Alliance - a guidance paper on the critical security issues with respect to cloud computing. On first glance it looks like a fairly comprehensive paper that could perhaps be used to populate the framework provided by the Jericho Forum Cloud Cube model. And with names like Chris Hoff and Jeff Forristal (better known to some of you with memories longer than a goldfish as rfp) involved you can be sure that the content is going to be at least sensible and likely very good.

In conjunction, I think these two papers put the industry in a much better place to have sensible and informed discussions using a set of hopefully commonly understood definitions - something that's been sorely lacking in the past.

Tuesday, 14 April 2009

No More Free Bugs?

Charlie Miller (famed in part for his past successes at the CanSecWest pwn2own contests over the last couple of years) has started an email thread over on the DailyDave mailing list regarding the No More Free Bugs initiative. The rationale behind this initiative can be found over here:

http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/

Whilst I have every admiration for the past work of people involved with NMFB such as Miller, Alex Sotirov and Dino Dai Zovi, I can't help feeling that this initiative is either doomed, misguided or both. I can understand why security researchers may feel that they get a rough deal through a lack of financial recompense for the time, effort and frustration they go through when finding and exploiting a vulnerability and then managing a responsible co-ordinated disclosure with vendors. However, there is no real commercial incentive for vendors to want to pay for this service – sure customers may end up with a more secure product due to the work of security researchers but at the same time, customers may not have been aware that they had an insecure product without the work of the security researchers (a much better position for the vendors, if not the customers!).

The NMFB guys are keen to avoid being dragged into a debate about disclosure but I'm not sure how you can avoid the topic when talking about paid-for security research. For example, I really don't see the benefit that vendors would gain from paying for bugs and then advertising the details of the vulnerabilities via full disclosure. Maybe I'm just cynical but I can't avoid believing that such paid-for bugs may be fixed on the quiet with paying customers never finding out about the risks that they had been exposed to... unless a few guys are still happy to publish details of reverse engineered patches for free. There's also a pretty vicious circle out there – if bugs are no longer disclosed, end users will stop worrying about them and any commercial drivers that do exist will start to wither away reducing the value placed on discovered bugs.

It's an imperfect world out there, and the current situation with respect to the handling of security vulnerabilities is certainly far from perfect, but I'm afraid that I don't believe that moving to a paid-for approach to security research will improve matters in the long run.

Tuesday, 7 April 2009

CloudForce

Last week the ExCel centre in London was host to the leaders of the G20 as they continued their attempts to save the global economy. This week, the ExCel centre was host to Marc Benioff on his CloudForce world tour as he attempts to save the global IT economy. Ok, that's maybe a bit tenuous...

On a more serious note, I got a lot more out of the CloudForce event than I was expecting, almost all of it positive. The event started off well (any event being introduced by the music of the Foo Fighters is off to a flyer in my book ;-) with the keynote being delivered by Mr Benioff himself with a few guest spots filled by satisfied customers together with a sprinkling of highly impressive demonstrations of the capabilities of salesforce.com. I was particularly keen on the customer service abilities of what was termed the "Service Cloud" - customer service integrated across a number of different channels from the traditional call centre through to integration with Twitter and Facebook all delivered over the cloud. Impressive.

The afternoon was made up of a series of presentations split into a number of different tracks - I'll have to admit that I spent all of my time in track 3 which was dealing with technology issues rather than the more business and sales-enabling tracks available elsewhere. The first session included an extremely informative presentation from Paul Cheesbrough of the Telegraph describing how his organisation was moving processing into the cloud - and not just with Salesforce.com; they are also using Amazon Web Services for intensive analytics and Google Apps for email and collaboration services. What I found enlightening was how easy it appeared to be for the Telegraph to move data from the salesforce.com cloud into the AWS cloud for analytics work. I find the possibilities opened up by this kind of information technology incredibly exciting.

The second session was around integration of salesforce.com with backend ERP systems - three options were presented:

i) move ERP data to the cloud
ii) copy the data to the cloud and make occasional call-backs to the backend for consistency checks
iii) have the cloud act as a mash-up presenting data hosted on-premises

Very important area, but frankly one that I find a little dull. Of course, with my security hat on, I can see a lot of opportunities for work in this area trying to decide which approach is appropriate for different categories of data and then deciding on appropriate means for transferring, managing and securing data. The latter options also have some interesting implications regarding how you secure access from the cloud into the on-premises systems. Limiting this to web service traffic and implementing something like a Vordel XML gateway may be one approach to making sure that nothing leaks out that shouldn't.

The final session was a salesforce.com presentation on the technologies underlying the force.com platform. Definitely appealed to the geek in me but I would have preferred more detail on the security mechanisms under the hood rather than simple statements around the use of the OrgId to segregate data belonging to different customers.

What were my major takeaways from the event? (Other than the numerous flyers and freebies?)
  • The Force.com infrastructure is ISO 27001 certified as well as SAS70.
  • Salesforce.com appear to be very good at what they do.
  • When they say multi-tenant, they really, really mean it.
  • The promised cost and resource savings can actually be realised.
  • Perhaps the penalty of greater lock-in to PaaS and SaaS providers is worth paying if they can provide (and can continue to provide) excellent facilities and levels of service. Certainly something to consider further.
  • Salesforce.com appear to be very open and accommodating to having their security measures reviewed by clients - something of which I heartily approve.

If they come back next year, try to go along. Not only is it a good gig, it's free!

Friday, 3 April 2009

Open Cloud Manifesto

I'm a little late to the party on this one. Perils of having to actually work for a living. The open cloud manifesto over at

http://opencloudmanifesto.org/

has been getting a fair amount of coverage in the past week, primarily for the politics around the organisations that have not signed up to the manifesto and the way in which the manifesto was drawn up.

Looking at the list of supporting organisations and those that have chosen not to associate themselves with the process at this stage, there's a fairly clear (and fairly obvious) divide between those organisations that will be providing the kit supporting cloud computing (IBM, VMware, Cisco etc) and those organisations that provide services over cloud infrastructures (Microsoft, Google, Amazon etc). Now, if I was being cynical I'd have to ask myself which organisations have the most to lose from open, interoperable clouds? The infrastructure players don't particularly care - the service providers will always need the tin. The service providers? Well, I daresay they don't necessarily see lock-in as all bad... but then, how can I be cynical when it's such a lovely sunny day with hardly a cloud in sight? :-)

Tuesday, 24 March 2009

Database State report - FAIL

Let me start by stating that, in general, I'm a pretty even-tempered chap. It usually takes a lot to make me grumpy, excepting those days when I'm hungover or suffering from a lack of sleep. Today I am neither hungover nor tired however I am more than grumpy. I'm positively angry. The reason? The Rowntree report entitled Database State – available from

http://www.cl.cam.ac.uk/~rja14/Papers/database-state.pdf

I've rarely seen such an unbalanced piece of FUD - and I've been working in IT Security for over a decade! I don't doubt that the intentions of the authors are noble but would it have been too outrageous to ask them to leave their personal agendas behind and take a more mature approach to the subject? (The subject by the way being the legality and justifications underlying a number of UK Government databases. I'll stick up my hand and admit an interest having been working in HMG IT security since 2001 and being employed by a major supplier to HMG since 2002. I must also stress here that the opinions in this blog are my own – this is my blog not theirs :-)).

Wherever a pejorative could be used in the report, it is. Wherever a picture could be painted grey, it's painted as the darkest shade of black. Examples of interpretive liberties include:

“In Scotland, where the SCR project has been completed, there has already been an abuse case in which celebrities had their records accessed by a doctor who is now facing charges.”

I'm sorry but how is this a negative for the system? The guy got caught. That suggests that the system is working to me. What's the alternative – prevent all doctors from accessing data without explicit consent? It may just be me, however if I were taken to a hospital unconscious I would much rather have my records available and accessed rather than have those providing my care debate whether my privacy was more important! The sensible compromise is to provide access to those who need it (subject to role based access control) and audit (and discipline) any violations of the acceptable use policies. Shockingly enough that's what's happening. Besides which, it's not as if privacy violations do not happen when the data is held locally – I could link to a number of stories where local health trusts have inappropriately accessed records of celebrities held locally or displayed other poor practice such as this story today:

http://www.theregister.co.uk/2009/03/24/hospital_data_breach_notice/

Another example of biased picture painting - the following quote from the Deloitte report into the ContactPoint database is used as an indication of bad security:

“It should be noted that risk can only be managed, not eliminated, and therefore there will always be a risk of data security incidents occurring.”

That's more of a statement of the bleeding obvious than a criticism of data sharing. Given the calibre of the authors I'm sure they could have done better than this.

Another tendency of the report that I find objectionable is baseless statements such as:

“For these reasons, the use of SUS in research without an effective opt-out contravenes the European Convention on Human Rights and European data-protection law. It is also considered morally unacceptable by millions of UK citizens.”

Really? I'm surprised the report was ever finished if they've been off polling everyone in the country for their moral perceptions of government IT. Oh. They didn't? And then there's this statement referring to the Police National Database:

“Soft intelligence includes opinion, hearsay, tips from informants and even malicious accusations; letting such things leak from the world of intelligence into that of routine police operations is dangerous, and some intelligence officers think it a mistake.”

Hmmm... I wonder if that 'some' is 10% of intelligence officers? 20%? 90%? 3? That bloke down the pub next to New Scotland Yard? This kind of comment is fine in conversation but surely not in a report that's supposed to be taken seriously.

What is lacking in this report is any discussion of the background to the creation of the databases it criticises. For example, the ContactPoint database was initiated following the tragic death of Victoria Climbie. The Police National Database was initiated following the Bichard enquiry into the deaths of the Soham schoolgirls. Lack of information sharing was a factor (not a cause!) in the deaths of these children. What price privacy vs personal safety? I don't have the answer but it would be a good debate to have rather than the pantomime we currently see between HMG and privacy campaigners.

I find some of the recommendations to be naive. In particular, Recommendation 4,

“By default, sensitive personal information must be kept on local systems and shared only with the subject’s consent or for a specific lawful purpose. Central systems must be simple and minimal, and should hold sensitive data only when both proportionate and necessary.”

Have the authors actually seen the local systems in places like NHS surgeries and trusts or within the police service? If so, are they really comfortable that our data is more secure in such systems than in centrally managed databases? The use of a distributed federated information sharing model is often suggested as an alternative but this is the worst of both worlds – almost unfettered access to information in dribs and drabs controlled by manual procedure with no central ability to monitor misuse. (Apologies, I seem to have slipped into overgeneralisation and hyperbole – must be contagious.) Sigh...

Now, please don't get the idea that I'm an avid supporter of all HMG databases and information sharing schemes. I'm not. There are two in particular that I'm really not convinced have any justifiable business case or overall positive effect for the citizen. What I do believe in is informed debate; unfortunately, any debate on the security of HMG systems is never going to be fully informed – the security requirements for the most sensitive systems will be protectively marked and therefore (rightly) will not be made available to those who do not have a need to know. Commenting on the security of systems when you don't have access to the facts is verging on foolish and leads to mistakes such as referring to a “SECRET” level of clearance in the recommendations when there is no such clearance level. Pedantic I know but a display of basic ignorance of HMG security mechanisms which is worrying.

What can we do? Have debate but have sensible debate. Perhaps if we start by banning the use of overly emotive terms such as “database state” or “big brother” on one hand and the over use of “part of the fight against terrorism” as a justification for intrusion into the lives of citizens on the other we might get to a common position where information can be shared where necessary to protect life and safety whilst maintaining an acceptable degree of privacy. But where's the fun and headlines in that?

Saturday, 14 March 2009

Just like buses...

No posts for a week and then two in one day...

Thought I'd post some more cloudy musings

i) It's not all new – we've been doing computing on shared resources since forever. I remember working at one of the high street banks who were running their production and development environments on the same MVS mainframe.

ii) What is new can be new in subtle and interesting ways, examples:

  • the hypervisor; like it or not the hypervisor is a definite point of failure for security controls
  • network security – you'll find that some of your firewalls and IDS are a little useless when all of the comms take place within a single piece of hardware (caveat, some software firewalls are supported in virtual environments but I'm guessing there are still a few niggles to be ironed out. And you can get IDS that operate inside the hypervisor – simplification - check out http://www.catbird.com/)
  • the potential hypervisor problems mean that your threats have just increased – you now need to worry about the threats facing all the systems processed within the same virtualised infrastructure – how can you do this if you don't know who's sharing the kit?
  • incident management – what happens when a client has an incident on shared hardware? How do you limit the exposure to co-located services?

iii) private and closed community clouds are good, let's not just dismiss them as an edge case

iv) cloud computing is going to drive Jericho-style deperimeterisation at an increased pace; move the protection closer to the data

v) compliance is still going to be a pig. But then what's new?

vi) Organisations need to be honest with themselves with respect to their current physical and technical security controls before scoping out what they expect from a cloud provider – clouds should not necessarily have to be better than the existing controls, simply acceptable from a cost/risk ratio perspective

vii) oldie but goodie – organisations need to decide what they want to do (with whom and with what data) before deciding that cloud is the answer

viii) It's probably the most interesting security problem out there at the moment from policy and technology perspectives.

So that's an unconference....

I attended the CloudCamp event in London last Thursday night. Here are my thoughts:

i) Between 600 and 700 attendees. I think those kinds of numbers show that it's not really correct to view cloud as fringe or up and coming - it's here and it's real. Not everyone was there just for the free beer and pizza ;-)

ii) It was not simply vendors pitching to vendors. The Enterprise Cloud discussion track after the lightning talks clearly included attendees from large organisations either already doing cloud or in the process of considering cloud. One example was that of an investment bank who run their Monte Carlo simulations in the cloud.

iii) Nice thing about the event - vendor pitches are banned. Some of the lightning talks came perilously close but the lack of blatant pitches in the discussion tracks made for a better quality of discussion.

iv) Some interesting topics covered in the cloud talks around federation, particularly regarding http://www.arjuna.com/agility and http://bitbucket.org/dotcloud/dotcloud/wiki/Home (the latter being academic and open sourcey at present but interesting nonetheless).

v) The fate of Coghead - http://www.coghead.com/ - vividly demonstrates the dangers of SaaS vendor lock-in. If you're going to do cloud you're probably better going lower down in the stack to IaaS where there is less lock-in. (It should be easier to migrate your Linux VM plus hosted apps in multiple clouds than moving your Force.com or GoogleApps proprietary assets!).

vi) It's not just vendor lock-in to worry about - you also need to consider data lock-in. What happens when you have so much data in the cloud that you can't get it back out again? For example, you may have insufficient local storage or insufficient bandwidth to extract the data in the required timeframe. Interesting problem, possibly an argument for distributing storage amongst different clouds so that you don't amass too much in one place - but this does cause other issues. This is the kind of problem that makes this cloud stuff so much fun!

Friday, 6 March 2009

CloudCamp!

I came across this post

http://www.doxpara.com/?p=1274

over at Dan Kaminsky's blog earlier this week. It links to an excellent set of slides that Kaminsky gave at CloudCamp in Seattle. It's really enthusing to see guys like Kaminsky getting excited by Cloud Computing - it would be really easy for the 'name' security researchers to give the Cloud concept a good kicking (it's an easy target) but Kaminsky (unsurprisingly) shows a good understanding of the pros and cons of Cloud and comes down firmly on the side of Cloud being a positive way ahead for IT service delivery. I'm hoping that there are going to be some equally good presentations at the upcoming CloudCamp event here in London on the 12th March.

Feel free to get in touch if anyone out there wants to meet up for a beer or two at the event!

Friday, 20 February 2009

Public vs Private Sector security

So, I was looking through the various blogs hosted over at Computer Weekly when I came across a discussion on Stuart King's Risk Management blog. See

http://www.computerweekly.com/blogs/stuart_king/2009/02/public-sector-vs-private-secto-1.html

Stuart and his co-blogger Duncan Hart have started one of those discussions that you should never start. A subject almost as delicate as religion, politics and questioning the choice of allegiance of that big group of blokes in the football shirts. The question? Whether security is better in the public or private sector. Ouch.

It's one of those discussions bound to stir up opinions – often uninformed and vitriolic. It's a good excuse for those in the private sector to dig out the well-worn cliches and condescending attitudes with respect to public sector security whilst those in the public sector can come back with their own traditional ripostes. My own opinion – I have to admit a little bias here having spent the last few years predominantly in the public sector – is that the two areas are so vast as to make such trivial comparisons worthless. You can find good security in the public sector as surely as you can find weak security in the private sector – yes, I'm looking at you utility and manufacturing organisations (amongst others).

I spent the early part of my career doing penetration testing and vulnerability assessments across a wide spread of sectors and I found as many problems in certain private sectors as I did in HMG. Yes, you will tend to find pretty good security in those organisations where a lack of control will tend to result in a monetary hit but there was certainly no guarantee.

HMG have at least taken steps to improve security with the release of the Security Policy Framework and other initiatives aimed at making the (usually) adequate guidance that was previously embodied within the Manual of Protective Security more widely available. Think ISO27001 with extra doses of physical security, personnel security and various other goodies. Together with the public Good Practice Guidance on offer from both CESG and the CPNI, there's a wealth of information available – never mind the stuff that does not make it into the public domain. More importantly still, following the Hannigan Review of Data Handling Procedures in Government, there is an added impetus to making sure that the mandatory minimum requirements within the various HMG standards are enforced. It may take time, but information assurance in the public sector is on the way up.

Can the same be said for the private sector?

Given the length of this posting, I'll leave that topic for another day.

Monday, 9 February 2009

Round-up

So what caught my eye over the last week or so?

A couple of interesting stories concerning the exploitation of a couple of well-known organisations - Kaspersky and phpbb:

http://hackersblog.org/2009/02/07/usakasperskycom-hacked-full-database-acces-sql-injection/
http://hackedphpbb.blogspot.com/

It's good to see the level of detail provided by the attackers of how exploitation took place, and the level of proof provided that the events occurred roughly as described.

I also came across a couple of informative papers, one by Bas Alberts of Immunity providing a useful critique of the Microsoft Exploitability Index and a paper by David Chappell which provides an overview of the Microsoft Azure cloud computing platform. Both available from Microsoft:

http://download.microsoft.com/download/3/E/B/3EBDB81C-DF2F-470B-8A64-981DC8D9265C/A%20Bounds%20Check%20on%20the%20Microsoft%20Exploitability%20Index%20-%20final.pdf
http://download.microsoft.com/download/e/4/3/e43bb484-3b52-4fa8-a9f9-ec60a32954bc/Azure_Services_Platform.pdf

Enjoy...

UPDATED: Kaspersky have now announced that they are bringing Dave Litchfield in to perform an audit of their database - and to publicly share his findings. Now the public sharing of the results of security audits is certainly something I would like to see more of! It's a great way of establishing trust - provided that the auditor is someone well-respected by the community you are seeking to establish trust between.

Sunday, 1 February 2009

Well, here we go then. Time to enter the wild and wacky world of the security blogger. Whilst I search for fresh inspiration, I'll use this first post to link to some of my past writings over at Computer Weekly:

http://www.computerweekly.com/Articles/2007/12/14/228602/virtualisation-is-not-a-theoretical-risk.htm

http://www.computerweekly.com/Articles/2008/04/09/230220/database-administration-security-strategy.htm

http://www.computerweekly.com/Articles/2008/09/03/232119/metrics-programmes-need-right-design-to-justify-security.htm

http://www.computerweekly.com/Articles/2009/01/23/234393/security-zone-cloud-security-pie-in-the-sky.htm

No promises of regular updates or ground-breaking thinking, but hopefully there'll be something of vague interest here every so often. And if you're one of those types who hates blogs that mix business and personal lives, please move along - I really can't be bothered to maintain two of these things!

Until next time...