Friday, 24 April 2009

It's getting real now...

Well it's been an extremely interesting couple of weeks with respect to cloud security.

(Yes, I know there've been some other happenings in the wider world - Obama releasing TS documents, Darling admitting the UK will be broke for the next decade etc etc but let's concentrate on the really important stuff :-)

The Open Group's Jericho Forum released its Cloud Cube paper on cloud security which describes possible cloud 'formations' according to four different dimensions - Internal/External, Proprietary/Open, Insourced/Outsourced and Perimeterised/De-Perimeterised. I don't believe that there's anything earth-shatteringly novel contained in the paper however the model itself will, I think, prove extremely valuable as a common reference point when discussing cloud computing.

The other major event has been the release of the first deliverable from the Cloud Security Alliance - a guidance paper on the critical security issues with respect to cloud computing. On first glance it looks like a fairly comprehensive paper that could perhaps be used to populate the framework provided by the Jericho Forum Cloud Cube model. And with names like Chris Hoff and Jeff Forristal (better known to some of you with memories longer than a goldfish as rfp) involved you can be sure that the content is going to be at least sensible and likely very good.

In conjunction, I think these two papers put the industry in a much better place to have sensible and informed discussions using a set of hopefully commonly understood definitions - something that's been sorely lacking in the past.

Tuesday, 14 April 2009

No More Free Bugs?

Charlie Miller (famed in part for his past successes at the CanSecWest pwn2own contests over the last couple of years) has started an email thread over on the DailyDave mailing list regarding the No More Free Bugs initiative. The rationale behind this initiative can be found over here:

http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/

Whilst I have every admiration for the past work of people involved with NMFB such as Miller, Alex Sotirov and Dino Dai Zovi, I can't help feeling that this initiative is either doomed, misguided or both. I can understand why security researchers may feel that they get a rough deal through a lack of financial recompense for the time, effort and frustration they go through when finding and exploiting a vulnerability and then managing a responsible co-ordinated disclosure with vendors. However, there is no real commercial incentive for vendors to want to pay for this service – sure customers may end up with a more secure product due to the work of security researchers but at the same time, customers may not have been aware that they had an insecure product without the work of the security researchers (a much better position for the vendors, if not the customers!).

The NMFB guys are keen to avoid being dragged into a debate about disclosure but I'm not sure how you can avoid the topic when talking about paid-for security research. For example, I really don't see the benefit that vendors would gain from paying for bugs and then advertising the details of the vulnerabilities via full disclosure. Maybe I'm just cynical but I can't avoid believing that such paid-for bugs may be fixed on the quiet with paying customers never finding out about the risks that they had been exposed to... unless a few guys are still happy to publish details of reverse engineered patches for free. There's also a pretty vicious circle out there – if bugs are no longer disclosed, end users will stop worrying about them and any commercial drivers that do exist will start to wither away reducing the value placed on discovered bugs.

It's an imperfect world out there, and the current situation with respect to the handling of security vulnerabilities is certainly far from perfect, but I'm afraid that I don't believe that moving to a paid-for approach to security research will improve matters in the long run.

Tuesday, 7 April 2009

CloudForce

Last week the ExCel centre in London was host to the leaders of the G20 as they continued their attempts to save the global economy. This week, the ExCel centre was host to Marc Benioff on his CloudForce world tour as he attempts to save the global IT economy. Ok, that's maybe a bit tenuous...

On a more serious note, I got a lot more out of the CloudForce event than I was expecting, almost all of it positive. The event started off well (any event being introduced by the music of the Foo Fighters is off to a flyer in my book ;-) with the keynote being delivered by Mr Benioff himself with a few guest spots filled by satisfied customers together with a sprinkling of highly impressive demonstrations of the capabilities of salesforce.com. I was particularly keen on the customer service abilities of what was termed the "Service Cloud" - customer service integrated across a number of different channels from the traditional call centre through to integration with Twitter and Facebook all delivered over the cloud. Impressive.

The afternoon was made up of a series of presentations split into a number of different tracks - I'll have to admit that I spent all of my time in track 3 which was dealing with technology issues rather than the more business and sales-enabling tracks available elsewhere. The first session included an extremely informative presentation from Paul Cheesebrough of the Telegraph describing how his organisation was moving processing into the cloud - and not just with Salesforce.com; they are also using Amazon Web Services for intensive analytics and Google Apps for email and collaboration services. What I found enlightening was how easy it appeared to be for the Telegraph to move data from the salesforce.com cloud into the AWS cloud for analytics work. I find the possibilities opened up by this kind of information technology incredibly exciting.

The second session was around integration of salesforce.com with backend ERP systems - three options were presented:

i) move ERP data to the cloud
ii) copy the data to the cloud and make occasional call-backs to the backend for consistency checks
iii) have the cloud act as a mash-up presenting data hosted on-premises

Very important area, but frankly one that I find a little dull. Of course, with my security hat on, I can see a lot of opportunities for work in this area trying to decide which approach is appropriate for different categories of data and then deciding on appropriate means for transferring, managing and securing data. The latter options also have some interesting implications regarding how you secure access from the cloud into the on-premises systems. Limiting this to web service traffic and implementing something like a Vordel XML gateway may be one approach to making sure that nothing leaks out that shouldn't.

The final session was a salesforce.com presentation on the technologies underlying the force.com platform. Definitely appealed to the geek in me but I would have preferred more detail on the security mechanisms under the hood rather than simple statements around the use of the OrgId to segregate data belonging to different customers.
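The OrgId-as-tenant-key model that the presentation described in outline can be illustrated with a small shared-schema example. The following is an added example, not salesforce.com's code and not anything shown in the session: the table, the column names (org_id, record_id), the org identifiers and the sample rows are all constructed for illustration. It shows the one property that makes tenant-key segregation work in a shared schema, namely that the tenant key is bound from the authenticated session and applied on every query, alongside the unscoped lookup that breaks it, plus a cheap review-time check for statements that forget the predicate.

```python
"""Shared-schema multi-tenancy keyed on a per-tenant column.

Added illustration only: the schema, column names and rows below are
constructed for this example and do not describe any vendor's implementation.
"""
import re
import sqlite3
from typing import List, Optional

# Tables that hold rows for more than one tenant and therefore must always
# be queried with a tenant predicate (constructed for this example).
SHARED_TABLES = {"account"}


def build_store() -> sqlite3.Connection:
    """Create one shared table holding rows for two tenants (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account ("
        " record_id INTEGER PRIMARY KEY,"   # globally unique record id
        " org_id TEXT NOT NULL,"            # tenant key, one value per customer
        " name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO account VALUES (?, ?, ?)",
        [
            (1001, "org-A", "Acme Ltd"),
            (1002, "org-A", "Acme Holdings"),
            (2001, "org-B", "Bravo plc"),
        ],
    )
    return conn


def get_account_unscoped(conn: sqlite3.Connection, record_id: int) -> Optional[str]:
    """The pitfall: a lookup keyed on record id alone.

    Record ids are unique across the whole shared table, so a caller acting
    for org-A who guesses or is handed 2001 is served org-B's row.
    """
    row = conn.execute(
        "SELECT name FROM account WHERE record_id = ?", (record_id,)
    ).fetchone()
    return row[0] if row else None


class TenantScopedStore:
    """Data-access layer bound to one tenant for its whole lifetime.

    org_id is taken from the authenticated session when the store is built,
    never from the request body or URL, so a caller cannot widen its scope
    by supplying a different tenant's key. Every statement carries the
    predicate; there is no method that can omit it.
    """

    def __init__(self, conn: sqlite3.Connection, org_id: str) -> None:
        self._conn = conn
        self._org_id = org_id

    def get_account(self, record_id: int) -> Optional[str]:
        """Return the record only if it belongs to this tenant, else None."""
        row = self._conn.execute(
            "SELECT name FROM account WHERE org_id = ? AND record_id = ?",
            (self._org_id, record_id),
        ).fetchone()
        return row[0] if row else None

    def list_accounts(self) -> List[str]:
        """List this tenant's records; other tenants' rows are never visible."""
        rows = self._conn.execute(
            "SELECT name FROM account WHERE org_id = ? ORDER BY record_id",
            (self._org_id,),
        ).fetchall()
        return [r[0] for r in rows]


def lacks_tenant_predicate(sql: str) -> bool:
    """Review-time check: flag a statement that touches a shared table
    without binding org_id. Deliberately crude (a text match), meant for a
    code-review or CI grep over the data layer, not as a runtime control."""
    touches_shared = any(
        re.search(rf"\b{table}\b", sql, re.IGNORECASE) for table in SHARED_TABLES
    )
    has_predicate = re.search(r"\borg_id\s*=\s*\?", sql, re.IGNORECASE) is not None
    return touches_shared and not has_predicate


if __name__ == "__main__":
    db = build_store()
    print("unscoped lookup of 2001 by org-A:", get_account_unscoped(db, 2001))
    org_a = TenantScopedStore(db, "org-A")
    print("scoped lookup of 2001 by org-A:  ", org_a.get_account(2001))
    print("org-A sees:", org_a.list_accounts())
```

The point a reviewer of any shared-schema platform wants confirmed is the one this example makes explicit: segregation by a tenant key is only as strong as the guarantee that no code path can reach the shared table without the predicate, and that the key is derived server-side from the session rather than accepted from the client. The `lacks_tenant_predicate` check is the kind of cheap assurance a customer review could ask for in addition to the high-level statement that an OrgId is used.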

What were my major takeaways from the event? (Other than the numerous flyers and freebies?)
  • The Force.com infrastructure is ISO 27001 certified as well as SAS70.
  • Salesforce.com appear to be very good at what they do.
  • When they say multi-tenant, they really, really mean it.
  • The promised cost and resource savings can actually be realised.
  • Perhaps the penalty of greater lock-in to PaaS and SaaS providers is worth paying if they can provide (and can continue to provide) excellent facilities and levels of service. Certainly something to consider further.
  • Salesforce.com appear to be very open and accommodating to having their security measures reviewed by clients - something of which I heartily approve.
If they come back next year, try to go along. Not only is it a good gig, it's free!

Friday, 3 April 2009

Open Cloud Manifesto

I'm a little late to the party on this one. Perils of having to actually work for a living. The open cloud manifesto over at

http://opencloudmanifesto.org/

has been getting a fair amount of coverage in the past week, primarily for the politics around the organisations that have not signed up to the manifesto and the way in which the manifesto was drawn up.

Looking at the list of supporting organisations and those that have chosen not to associate themselves with the process at this stage, there's a fairly clear (and fairly obvious) divide between those organisations that will be providing the kit supporting cloud computing (IBM, VMware, Cisco etc) and those organisations that provide services over cloud infrastructures (Microsoft, Google, Amazon etc). Now, if I was being cynical I'd have to ask myself which organisations have the most to lose from open, interoperable clouds? The infrastructure players don't particularly care - the service providers will always need the tin. The service providers? Well, I daresay they don't necessarily see lock-in as all bad... but then, how can I be cynical when it's such a lovely sunny day with hardly a cloud in sight? :-)