<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://in.sys-con.com"  xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Cloud Security</title>
 <link>http://in.sys-con.com/</link>
 <description>Latest articles from Cloud Security</description>
 <language>en</language>
 <copyright>Copyright 2012 Ulitzer.com</copyright>
 <generator>Ulitzer.com</generator>
 <lastBuildDate>Sat, 18 Feb 2012 11:36:45 EST</lastBuildDate>
 <docs>http://backend.userland.com/rss</docs>
 <ttl>10</ttl>
<item>
 <title>The Resilient Cloud for Defense</title>
 <link>http://in.sys-con.com/node/2170951</link>
 <description>Skill at computing comes naturally to those who are adept at abstraction. The best developers can instantly change focus—one moment they are orchestrating high level connections between abstract entities; the next they are sweating through the side effects of each &amp;#8230; &lt;a href=&quot;http://kscottmorrison.com/2012/02/16/the-resilient-cloud-for-defense-maintaining-service-in-the-face-of-developing-threats/&quot;&gt;Continue reading &lt;span class=&quot;meta-nav&quot;&gt;&amp;#8594;&lt;/span&gt;&lt;/a&gt;&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2170951&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 17 Feb 2012 07:30:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2170951</guid>
</item>
<item>
 <title>Money Thrown at Finding Proof in the Cloud</title>
 <link>http://in.sys-con.com/node/2165633</link>
 <description>Last year marked a 10-year high for venture capitalists in terms of deals and dollars. This year is starting off just as hot. Joyent just announced an $85 million D round, bringing its total to date to about $115 million.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2165633&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 15 Feb 2012 05:15:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2165633</guid>
</item>
<item>
 <title>Cloud Expo New York Speaker Profile: Dave Asprey – Trend Micro</title>
 <link>http://in.sys-con.com/node/1994171</link>
 <description>With Cloud Expo 2012 New York (10th Cloud Expo) just four months away, what better time to start introducing you in greater detail to the distinguished individuals in our incredible Speaker Faculty for the technical and strategy sessions at the conference...

We have technical and strategy sessions for you every day from June 11 through June 14 dealing with every nook and cranny of Cloud Computing and Big Data, but what of those who are presenting? Who are they, where do they work, what else have they written and/or said about the Cloud that is transforming the world of Enterprise IT, side by side with the exploding use of enterprise Big Data – processed in the Cloud – to drive value for businesses...?


&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1994171&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 13 Feb 2012 07:45:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1994171</guid>
</item>
<item>
 <title>The Big Crack in Cloud Security</title>
 <link>http://in.sys-con.com/node/2117379</link>
 <description>With the New Year having rolled in, you’ve probably had your fill of “This is the year of (pick your technology, fill in the blank)” predictions. After all, for how many years now have we heard, “This is the year for cloud computing?”
While there’s no doubt that the wave of cloud computing continues to swell, real-world IT organizations are clearly not as quick to jump aboard as prognosticators. That’s because there are a lot of unknown aspects of the cloud, and security is chief among them.
Deployment of cloud applications is daunting when you consider the risks of having applications, infrastructure, IP and private information in the cloud. While we’re still learning how to harness the powers of the cloud, there are several things we know right off the bat: we must secure cloud servers, including our applications and data; and we must have cloud security that is simple, manageable and scalable – ensuring that our cloud security is as elastic as the infrastructure it protects.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2117379&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 09 Jan 2012 06:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2117379</guid>
</item>
<item>
 <title>The Cyber-Crime Landscape</title>
 <link>http://in.sys-con.com/node/2116303</link>
 <description>Joe Menn explores the current cyber-crime landscape, the underground cyber-gang movement, and the motive behind governments collaborating with organized crime in cyber space.
Maybe you can make your enterprise a little trickier to get into than the other guy’s enterprise, but crime pays very, very well, and in the big picture, their ecosystem is better than ours. They do capitalism better than we do. They specialize to a great extent. They reinvest in R&amp;D.
On our end, on the good guys’ side, it&#039;s hard if you&#039;re a chief information security officer (CISO) or a chief security officer (CSO) to convince the top brass to pay more. You don’t really know what&#039;s working and what isn&#039;t. You don’t know if you&#039;ve really been had by something that we call advanced persistent threat (APT). Even the top security minds in the country can&#039;t be sure whether they’ve been had or not. So it&#039;s hard to know what to spend on.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2116303&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 06 Jan 2012 08:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2116303</guid>
</item>
<item>
 <title>The Alignment of Cloud and Security: 2012 Cloud Predictions</title>
 <link>http://in.sys-con.com/node/2111927</link>
 <description>Here are my thoughts on what we can expect in the cloud space in 2012.
Cloud data will become more insightful for business as a whole 
With companies sitting on zettabytes of data, many organizations are in possession of tremendously powerful knowledge and insight about their employees, customers and the world they live in. Companies are beginning to know they could get lift from this data, but few are harnessing it.
In 2012, the buzz around big data will drive the need to consolidate data storage for real-time access. 
Once data consolidation happens, we’ll open the door to advanced analytics of data. By the end of 2012, we’ll begin to see third parties white label private data for aggregate insights, i.e., ADP jobs numbers.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2111927&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 30 Dec 2011 06:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2111927</guid>
</item>
<item>
 <title>CloudPassage: &quot;Only Security Platform Purpose-Built for Cloud&quot;</title>
 <link>http://in.sys-con.com/node/2107908</link>
 <description>CloudPassage delivers a server security platform that&#039;s been “purpose-built for the cloud,” according to the company. I spoke at Cloud Expo with Joerg Rathenberg, the company&#039;s VP of Marketing. Joerg was with IBM early in his career, “helping to build a new IBM in Eastern Europe as the cold war came to an end,” he says.
Today, he focuses on CloudPassage&#039;s Halo product, which provides automated vulnerability management, compliance monitoring, network access control, server account administration, and security event alerting through REST APIs in all types of cloud environment.
“CloudPassage is securing cloud servers on the IAAS level,” he told me. “Any company that runs its servers in the cloud will need to secure these servers, and CloudPassage will help them do this in an automated and scalable way.”

Me: And delivered as SaaS, right?

Joerg: Yes, being a true cloud player, of course our product is delivered as Software-as-a-Service. Pricing is on a utility model – pay as you go – although as you know, we offer a free version as well.
 
Me: So what sort of customer engages initially with the free version? And how do you convince them to upgrade?

Joerg: The main group of people signing up are the ones responsible for running the cloud servers. In medium and small companies, these can be part of the development team, typically run by DevOps, SysAdmins and others.

In enterprises, often the Business Units go and subscribe to their own cloud servers for development. Here it is often the developers, product managers or product architects who come and sign up for Halo Basic, our freemium product, which is available for up to 25 servers without time limitation. They don&#039;t need a credit card or sign contracts, and they can secure their servers within a few minutes.

The upgrade to Halo Professional happens when companies start running more than 25 servers in the cloud. Other features include a very comprehensive API, and full access to two years&#039; worth of detailed security log data. This is important to those companies with compliance requirements like PCI, HIPAA, and others.

Me: What sorts of security and related technical burdens do you eliminate for your customers? And how do you provide them the control they need?

Joerg: Companies go to the cloud to take advantage of economies of scale and flexibility. So, if an eTailer does not need the 500 additional cloud servers that they used to get through the holiday season, they simply turn them off and don&#039;t have to pay for them any longer.

Any company that subscribes to an Amazon EC2, Rackspace, Terremark, GoGrid or other cloud server solution is sharing the responsibility of securing their cloud servers. The problem is that traditional security systems don&#039;t support the architectural challenges and elastic capabilities of the cloud. CloudPassage Halo is the only cloud infrastructure platform expressly designed for the cloud and delivered as a service.

Me: How flexible is this, really?

Joerg: Using Halo, our customers can move their servers from one provider to another anytime they want – such as, if it&#039;s cheaper for them to do so – and retain their security. They can scale up and down, automatically deploy thousands of servers and be assured that they are secure. It doesn&#039;t matter if these servers are located in the public, private or hybrid cloud.

(Additionally,) a “single pane of glass” allows them to manage their entire cloud infrastructure from one central place. Security functionality includes host-based firewalls, vulnerability scanning, account management, two-factor authentication, and more.

Me: Revisiting an earlier question, then, what sorts of companies - by vertical markets and size - benefit the most from CloudPassage? Put another way, are there any limits to the type of customer that can succeed with your company?

Joerg: Because Halo is delivered as a service hosted in the cloud, it is infinitely scalable. At this stage, a lot of our customers come from business models that are leveraging the cloud. In particular SaaS providers are a perfect match.

Me: Oh, I see...

Joerg: For example, companies like Zappos, Foursquare, Avatar NewYork, ExoIS and others are investing in cloud deployments and rely on Halo for securing their infrastructure.

Three business models are particularly prominent: App Development – Development shops, integrators, but also Enterprise BU&#039;s who need fast, inexpensive and agile environments and need to protect their IP; Permanent App Hosting – these are the SAAS providers, social media and gaming companies that require scalable, elastic computing; Temporary Elastic Workloads – retail, life science, financial services and media companies with seasonal or project-driven spikes who need to protect their IP and their big data deployments.

Me: How do you continue to improve Halo? That is, how much do you learn from your customers? How much additional research are you doing to ensure continuous improvement?

Joerg: We are working closely with a number of Lighthouse customers for different use cases. As an agile development shop we rely on beta programs and are able to react quickly. We also rely on primary research – just in the process of wrapping up a survey administered to several thousand IT professionals, where we are testing for their cloud plans and their preferences.
 
Me: What are the Three Big Reasons a company should engage with CloudPassage?

Joerg: First, to remain competitive, companies have to invest in cloud technology today. CloudPassage has everything they need to secure their cloud servers. 

Second, at this point CloudPassage offers the only security platform available that is purpose-built for the cloud and delivered as a service.

Third, we understand that security is one of the main inhibitors for massive cloud deployment. So CloudPassage makes cloud security fast, simple and automated so that companies can leverage the elasticity and the economics of the cloud.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2107908&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 21 Dec 2011 06:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2107908</guid>
</item>
<item>
 <title>Complex IT Security Risks Can Only Be Treated with Comprehensive Response</title>
 <link>http://in.sys-con.com/node/2016425</link>
 <description>In just the past year, the number of attacks is up, the costs associated with them are higher and more visible, and the risks of not securing systems and processes are therefore much greater. Some people have even called the rate of attacks a pandemic.
The path to reducing these risks, even as the threats escalate, is to confront security at the framework and strategic level, and to harness the point solutions approach into a managed and ongoing security enhancement lifecycle.
As part of the series of recent news announcements from HP, this discussion examines how such a framework process can unfold, from workshops that allow a frank assessment of an organization’s vulnerabilities, to tailored framework-level approaches that can transform a company based on its own specific needs.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2016425&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 02 Dec 2011 06:45:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2016425</guid>
</item>
<item>
 <title>Risk and Its Impact on Security Within the Cloud - Part 2</title>
 <link>http://in.sys-con.com/node/2057836</link>
 <description>In Part 1 we discussed risk, security and cloud computing at a high level. Having been a part of design teams as a contributor as well as project manager to include security and assessment team management over the last few years, I still find the same security concerns and issues directed at the cloud. Here is my take on a few of them with respect to a private cloud environment. Remember a private cloud can be housed within the infrastructure of a service provider (more cost effective for you) or within your own in-house network. Some of these thoughts can be translated into the public cloud environments, although some additional controls may be in order.
It&#039;s a given that security of data is a major concern for any entity considering a move toward a cloud computing environment. How your data will be kept secure from unauthorized access, modification or distribution can be a nagging concern. Data loss, modification, or misplacement will affect the entire organizational structure up to and possibly including shareholder value.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2057836&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 16 Nov 2011 09:30:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2057836</guid>
</item>
<item>
 <title>Cloud Expo Day 4 Keynote Speaker Profile: Jill T. Singer - NRO</title>
 <link>http://in.sys-con.com/node/1994299</link>
 <description>With Cloud Expo Silicon Valley (9th Cloud Expo) now in its final day, Thursday November 10 at the Santa Clara Convention Center, CA, here&#039;s who is rounding off the four-day event in our keynote hall this morning...none other than the CIO of the National Reconnaissance Office, Jill T. Singer.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1994299&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 10 Nov 2011 09:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1994299</guid>
</item>
<item>
 <title>Cloud Expo Speaker Profile: George Gerchow - VMware</title>
 <link>http://in.sys-con.com/node/1995399</link>
 <description>With Cloud Expo Silicon Valley (9th Cloud Expo) starting today Monday November 7 at the Santa Clara Convention Center, CA, let&#039;s introduce you in greater detail to the distinguished individuals in our incredible Speaker Faculty for the technical program at the conference...
 We have technical and strategy sessions for you dealing with every nook and cranny of Cloud Computing, but what of those who are presenting? Who are they, where do they work, what else have they written and/or said about the Cloud that is transforming the world of Enterprise IT?&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1995399&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 07 Nov 2011 06:45:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1995399</guid>
</item>
<item>
 <title>Cloud Expo Speaker Profile: Vikas Jain - Intel</title>
 <link>http://in.sys-con.com/node/2017073</link>
 <description>With Cloud Expo Silicon Valley (9th Cloud Expo) starting today Monday November 7 at the Santa Clara Convention Center, CA, let&#039;s introduce you in greater detail to the distinguished individuals in our incredible Speaker Faculty for the technical program at the conference...
 We have technical and strategy sessions for you dealing with every nook and cranny of Cloud Computing, but what of those who are presenting? Who are they, where do they work, what else have they written and/or said about the Cloud that is transforming the world of Enterprise IT?&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2017073&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 07 Nov 2011 01:15:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2017073</guid>
</item>
<item>
 <title>Cloud Expo Speaker Profile: Anna Claiborne - Open Data Center Alliance</title>
 <link>http://in.sys-con.com/node/2016725</link>
 <description>With Cloud Expo Silicon Valley (9th Cloud Expo) starting today Monday November 7 at the Santa Clara Convention Center, CA, let&#039;s introduce you in greater detail to the distinguished individuals in our incredible Speaker Faculty for the technical program at the conference...


We have technical and strategy sessions for you every day from Nov 7 through Nov 10 dealing with every nook and cranny of Cloud Computing, but what of those who are presenting? Who are they, where do they work, what else have they written and/or said about the Cloud that is transforming the world of Enterprise IT?&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2016725&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 07 Nov 2011 01:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2016725</guid>
</item>
<item>
 <title>Cloud Expo Speaker Profile: Scott Chasin - McAfee</title>
 <link>http://in.sys-con.com/node/2022242</link>
 <description>With Cloud Expo Silicon Valley (9th Cloud Expo) starting today Monday November 7 at the Santa Clara Convention Center, CA, let&#039;s introduce you in greater detail to the distinguished individuals in our incredible Speaker Faculty for the technical program at the conference...


We have technical and strategy sessions for you every day from Nov 7 through Nov 10 dealing with every nook and cranny of Cloud Computing, but what of those who are presenting? Who are they, where do they work, what else have they written and/or said about the Cloud that is transforming the world of Enterprise IT?&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2022242&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 07 Nov 2011 00:30:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2022242</guid>
</item>
<item>
 <title>Stop, Drop, and Roll: Tips for Managing IT When Disaster Strikes</title>
 <link>http://in.sys-con.com/node/2049354</link>
 <description>For many, the word “disaster” conjures up images of gale-force winds ripping rooftops off buildings or post-temblor streets littered with concrete and rebar. IT, however, knows that the disasters most likely to interrupt a company’s ability to operate are not at the hand of Mother Nature – they’re most often the result of hardware failures, faulty software upgrades or man-made errors. 
Regardless of what type of disaster they’re facing, businesses of all sizes should have a plan that keeps them covered. Advanced planning can ensure business continuity even in the most severe situations. By focusing on the following priorities, business leaders can avoid revenue loss and rest at ease knowing their company is prepared for the worst.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2049354&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 04 Nov 2011 06:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2049354</guid>
</item>
<item>
 <title>Cloud Expo Speaker Profile: Terry Woloszyn - PerspecSys</title>
 <link>http://in.sys-con.com/node/2012765</link>
 <description>What better time, with just a few days now to go before Cloud Expo Silicon Valley (9th Cloud Expo), to bring you a series in which we introduce you in greater detail to our incredible Speaker Faculty for the technical program at the conference? We have technical and strategy sessions for you dealing with every nook and cranny of Cloud Computing, but what of those who are presenting? Who are they, where do they work, what else have they written and/or said about the Cloud that is transforming the world of Enterprise IT?&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2012765&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 03 Nov 2011 06:30:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2012765</guid>
</item>
<item>
 <title>Philippine Experts Discuss Data Security &amp; Cloud</title>
 <link>http://in.sys-con.com/node/2007723</link>
 <description>Data security – with a focus on virtualization and cloud computing – was the topic of a CIO Roundtable held in Makati City, Philippines this week, produced by Computerworld Philippines. The conference was staged at the Asian Institute of Management.

The “consumerization” of IT was a prominent topic, in a discussion led by Emiliano “Third” S. Librea, partner and CIO at local consultancy Punongbayan &amp; Araullo. 

Librea noted how the new generations of smartphones and tablets are being purchased by consumers but making their way into corporate offices, where their owners expect them to be integrated into enterprise IT. (This book-ends the trend in the 80s when PCs first found their way into corporate culture in the same manner.)

Not only that, but large numbers of people use cloud-based Google gmail and similar services, providing an unyielding challenge to enterprise IT management to control where potentially proprietary information is flowing, who is seeing it, and to what degree it can be misplaced, lost, or hacked. Librea noted that any form of control will impede productivity to some degree, so the challenge is how to balance what a company&#039;s employees are doing with the need to control and protect data.

Ogie Tabor, a sales engineer with security software company Sophos, pointed out the costs of data breaches, saying the loss or theft of a single record costs in excess of $200US, with the average breach costing companies more than $7 million. He also noted that only 10% of data breaches were criminal hacks; the vast majority are due to employee carelessness or ill will.

The conference featured presentations and exhibits from security vendors Symantec, Sophos, Trend Micro, and Kaspersky Labs, as well as a review by Brother of the weak link encompassed by corporate printing infrastructures. 

There was also a presentation by Arnold C. Carlos from local datacenter company ePLDT, in which he laid out the CAPEX-to-OPEX argument for third-party (public) cloud computing, and went through his company&#039;s security regimen. I&#039;ll be following up with an interview about this datacenter in a few days.

Note: Computerworld Philippines has published some of my initial Tau Index findings, and has invited me to speak on the topic at an upcoming Web 2.0 roundtable in November. The magazine has been published in the Philippines for more than 20 years, and has taken an aggressive editorial stance in covering cloud computing and the enterprise.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2007723&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 04 Oct 2011 22:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2007723</guid>
</item>
<item>
 <title>A Layered Approach to Securing the Cloud: Defense in Depth </title>
 <link>http://in.sys-con.com/node/1996257</link>
 <description>As enterprise networking technology has evolved, so too has enterprise security. What began simply as setting up a perimeter around the network via fairly basic security tools like firewalls and email gateways, has evolved into adding an array of virtual private networks (VPNs), virtual local area network (VLAN) segmentation, authentication, and intrusion detection systems (IDS)—necessary to handle the consistently growing number of threats to the corporate network. The answer lies in the notion of maintaining a layered approach or “defense in depth” when it comes to enterprise-class security.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1996257&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 27 Sep 2011 07:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1996257</guid>
</item>
<item>
 <title>Most Powerful Voices in Security</title>
 <link>http://in.sys-con.com/node/1974029</link>
 <description>The security community has a growing number of influential and important people, especially as the industry rises to meet the need to address more advanced security threats, such as targeted attacks. But how does a company in the security industry truly identify the influential people? And then once identified, how does one use influential voices to help promote their brand? In this study, we answer the first question – how to identify the most powerful voices in your industry (in this case focusing on the security space), and as part of this we provide you a list of people to follow for the best, most up to date information, and who have the loudest voices to help carry some of your key messages. In a future study, we will discuss how to further exploit that knowledge to market your brand. &lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1974029&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 08 Sep 2011 14:50:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1974029</guid>
</item>
<item>
 <title>Risk and Its Impact on Security Within the Cloud - Part 1</title>
 <link>http://in.sys-con.com/node/1919087</link>
 <description>These days when we hear the term &quot;cloud computing&quot; there is an understanding that we are speaking about a flexible, cost-effective, and proven delivery platform that is being utilized or will be utilized to provide IT services over the Internet. As end users or researchers of all things &quot;cloud&quot; we expect to hear about how quickly processes, applications, and services can be provisioned, deployed and scaled, as needed, regardless of users&#039; physical locations.
When we think of the typical traditional IT security environment, we have to be cognizant of the potential for an onslaught of attacks, be they zero day, ever-evolving malware engines or the increase in attacks via social engineering. The challenge for any security professional is to develop and ensure as secure an IT system as possible.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1919087&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 27 Jul 2011 09:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1919087</guid>
</item>
<item>
 <title>Cloud Computing: Abiquo CEO Anticipates FBI Server Seizure</title>
 <link>http://in.sys-con.com/node/1884006</link>
 <description>In the wake of yesterday&#039;s FBI seizure of servers, it is interesting to note that one of the industry&#039;s most seasoned executives, Abiquo CEO Pete Malcolm, has been anticipating just such an eventuality for a while. In a SYS-CON.tv Power Panel recorded on the eve of Cloud Expo New York, he spoke of exactly this scenario.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1884006&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 22 Jun 2011 12:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1884006</guid>
</item>
<item>
 <title>Zenprise Mobile Security Cloud Offers 100% SLA</title>
 <link>http://in.sys-con.com/node/1883143</link>
 <description>Zenprise has got itself a cloud, the ZenCloud that jacks its on-premise mobile device management software on up there. 

CMO Ahmed Datoo says mobiles are the cloud and that Zenprise means to protect the entire mobile enterprise end-to-end.

It’s the first cloud-based security and device management solution with an unusual 100% SLA. That doesn’t mean Zenprise is guaranteeing 100% uptime. It’s merely willing to put its money where its mouth is and reimburse users with service credits for any downtime due to an outage. 

That should comfort CIOs. 

Based on Citrix’ XenServer and its virtualization, the widgetry is designed to protect the corporate perimeter from mobile threats and guard the information, applications and network being accessed from tampering and theft. 

Zenprise calls it its “Triple Defense” and says it goes everywhere the data goes, securing every point in the enterprise’s mobile environment.

Aside from being always-on, Zenprise says it’s massively scalable and can safeguard hundreds of thousands of tablets and phones with a level of resilience and redundancy that hasn’t been available before. 

ZenCloud runs as a public cloud, a private cloud and a hybrid cloud.

Enterprises can do core mobile device management functions, set security policies on devices, and enforce those policies to seal the enterprise perimeter from mobile threats, making it a “closed-loop” solution. 

New user enrollment, device configuration, application provisioning and security policies are handled in the public cloud.

The optional hybrid mode adds more security, leveraging the Zenprise Secure Mobile Gateway, effectively an “enforcer” that pats down any device coming into the corporate network to ensure it ain’t carrying a virus and blocks unmanaged devices, users and blacklisted applications at the perimeter. Customers can set up rules to permit certain device types or operating systems. 

The widgetry is now in closed invite-only beta. Pricing will be posted when the stuff goes GA in July. 

It’ll work with iPads and Android tablets as well as BlackBerries, iPhones, Palms, Windows Mobile and Android phones.

Zenprise reportedly has 500 enterprise customers of its on-premise mobile device management software including Volkswagen, the Bank of England, Comcast, Boeing and Vodafone. One of them uses it for more than 65,000 devices. It claims to cut mobile TCO costs by 25%, increase customer service levels by 75% and ensure corporate compliance rates of 100%. 

An added benefit of the cloud – at least for Zenprise – is the fact that it will make it a lot easier for companies, including SMBs, to evaluate its stuff.

Competition could come from Juniper, McAfee and Symantec but none of them have made it to the cloud yet. 

Zenprise expects to partner with top security vendors. It says it’s also focused on managed and hosted services partners looking to create hosted offerings powered by Zenprise to complement their existing services. It notes that these companies generally have millions of desktops under management.

Around since 2003, Zenprise is backed by Bay Partners, Ignition Partners, Mayfield Fund, Rembrandt Venture Partners and Shasta Ventures that are into it for at least $34.5 million.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1883143&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 22 Jun 2011 07:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1883143</guid>
</item>
<item>
 <title>Kaspersky Says Crooks Using AWS To Steal Financial Data</title>
 <link>http://in.sys-con.com/node/1864670</link>
 <description>Kaspersky Lab believes it’s found evidence that crooks are using Amazon Web Services to spread “financial data stealers.” And that’s after EC2 was implicated in the recent attacks on Sony. 

Dmitry Bestuzhev, one of the Russian security company’s experts, traced the financial malware to Brazil and figures the bad guys “used several previously registered accounts to launch the infection.” 

He says he alerted Amazon over the weekend, but more than 12 hours later the malicious links were still online and active, so he went public on Sunday. 

He finds that “more and more criminals use legitimate cloud services for malicious purposes” and in most cases they’re successful. 

The Trojan on AWS “comes with a bunch of different malicious codes, all of them dropped to the victim’s machines and acting in different ways,” such as acting like a rootkit, “looking for and denying normal execution of four different anti-viruses and a special security application called GBPluggin” common in Brazil in online banking. 

It appears from Bestuzhev’s blog that it’s been used to steal financial data from nine Brazilian banks and two international banks. At least it’s capable of it. It can also steal Microsoft Live Messenger credentials; digital certificates used by eTokens; and customer login data like the CPU, volume hard drive number and PC name used by the banks for authentication. 

The thieves can e-mail the data to their Gmail accounts or use a special PHP to insert the data in a remote database. The malware itself is protected by the anti-piracy software Enigma Protector to make reverse engineering harder for analysts.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1864670&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 07 Jun 2011 18:47:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1864670</guid>
</item>
<item>
 <title>RSA Reportedly Replacing Tokens After Hack</title>
 <link>http://in.sys-con.com/node/1862523</link>
 <description>In the wake of an attempted hack at Lockheed Martin, the Wall Street Journal reported late Monday that EMC unit RSA Security is offering to replace the two-factor SecurID authentication tokens its 40 million users use to log into their computers “securely.” 

Most of its users are major corporations.

It’s unclear exactly what happened at Lockheed but Bloomberg says the company is blaming a data theft at RSA in March for the “significant and tenacious” breach it just suffered. Supposedly no sensitive data was taken because of Lockheed’s monitoring systems. 

The defense contractor, whose codes could be used to hack into other companies, is reportedly replacing all its tokens. It could wind up switching security vendors. Meanwhile, the FBI is investigating.

RSA told customers to double check their servers for rogue programs and beef up their security after a widespread cyber attack in March that apparently singled out defense contractors. It will now provide transaction monitoring and other detection capabilities for customers, particularly financial institutions, the Journal said. 

Lockheed is reportedly the only confirmed hack although L-3 Communications and Northrop Grumman have supposedly had problems too. And wouldn’t you know China is thought to be behind it all. 

Google accused China last Wednesday of breaking into the personal Gmail accounts of human rights activists, journalists, even the White House using Advanced Persistent Threats (APTs) or seemingly innocuous e-mails from colleagues to trick users into opening innocent-looking attachments whose malware will infiltrate their machines, duplicate keystrokes and access passwords, the same way the Lockheed caper was reportedly tried. 

That technique was also used to poach Google’s IP last year and get into other companies’ drawers. It was one of the reasons besides censorship that Google withdrew to Hong Kong and lost hard-won market share in China to Baidu.

China, which of course denies the latest breach, used the front page of the Monday edition of its official mouthpiece, the People’s Daily, to threaten Google with becoming “a target to be sacrificed by politics” and “discarded by the market.” 

The Pentagon, on the other hand, is muttering something about viewing such cyber attacks as acts of war. 

The FBI and the Department of Homeland Security are investigating the Google attack. Washington officialdom isn’t supposed to communicate business via personal accounts but persists in doing so to avoid intrusive oversight.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1862523&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 06 Jun 2011 23:48:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1862523</guid>
</item>
<item>
 <title>Dedicated Server and Cloud Hosting Security in the UK</title>
 <link>http://in.sys-con.com/node/1857661</link>
 <description>I&#039;m afraid to say I spend a lot of time reading and watching programmes about our industry. Call me a bit of a trainspotter but I do find it extremely interesting.
This week a show on the BBC had quite a long item about cloud security; to be fair, it really was around smartphone security and tablet security, but it did really relate to our business.
The main point was the fact that people are much more willing to interact with their phones and their tablets in a way that you would have only considered a few years ago using a desktop PC with a hard-wired connection. Essentially, as time goes by and people get more used to the pervasiveness of these gadgets, their attitude to cloud hosting security and perhaps their paranoia diminishes progressively.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1857661&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 02 Jun 2011 16:45:45 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1857661</guid>
</item>
<item>
 <title>The Patriot Act Threatens Cloud Computing</title>
 <link>http://in.sys-con.com/node/1851707</link>
 <description>&quot;When the clock strikes midnight tomorrow, we will be giving terrorists the opportunity to plot against our country undetected. Now, the Senator from Kentucky is threatening to take away the best tools we have for stopping them.&quot;

And with that, Senate Majority Leader Harry Reid reached a new low-water mark in the modern history of debate in the US Senate. His ad hominem attack on newly elected Sen. Rand Paul was part of this week&#039;s Kabuki theater exercise to extend the major provisions of the Patriot Act; doing so became a done deal behind the scenes in the Senate last week, and President Obama quickly signed them into law.

This is one occasion in which one wishes for the gridlock that has ostensibly characterized Congress for the past two decades. The reality is, when it comes to trampling on civil liberties (and particularly the 4th Amendment), Congress speaks with one voice.

He&#039;s Not Alone
Sen. Reid is hardly a lone wolf among fellow Democrats on this issue. Sen. Dianne Feinstein of California – who last week said that as she&#039;s seen the pictures of a dead Osama bin Laden no one else “needs to see them” - has mastered the Fear Game as well as anyone. “This is a time of heightened threat,” she recently said. “Maybe no specific threat, but certainly heightened threats.” 

And there you have it. The never-ending War on Terror. Launched by George W. Bush, ridiculed by Democrats for eight years, embraced by both parties now that there is a Democrat in the White House. 

Steve Jobs was right in 1984. He proved that 1984 won&#039;t be like 1984. Too bad he can no longer say that. We&#039;ve always been at war with Eastasia. Ignorance is strength. War is peace. Thoughtcrime is death. And if you oppose the Patriot Act, you are double plus ungood; the good folks from the Ministry of Love may wish to have a chat with you.

Without Further Ado, Welcome to Cloud Expo!
I take this sunny, optimistic view as we enter the final countdown for Cloud Expo (June 6-9 at the Javits Center in New York), which promises to be the most dynamic Cloud event ever produced. 

I&#039;ve recently written brief overviews of a few of the sessions, and am genuinely pumped by the breadth and depth of the four-day program. It seems all the major Cloud vendors will be there, so everyone should come away fully informed and ready to remake their world somewhere within the Cloud taxonomy.

Cloud Expo also presents a golden opportunity for buyers and vendors to drill down into their hot-button issues: security, integration with legacy IT, security, enforceable SLAs, true TCO, security, data migration between vendors, security, etc.

The Coming Sturm
But to me, a larger threat looms with errant twaddle such as that found in the Patriot Act. The Obama Administration has shown that the Bush Administration&#039;s jackboots fit well (see Bradley Manning, threats against Julian Assange, the International Cyberspace Strategy, and now the Patriot Act extension). 

Ironic in that Federal CIO Vivek Kundra has put forward the most forward-looking government Cloud strategy on the planet, and the NIST continues to set the global standard for clarifying what Cloud Computing is all about. 

The US government has a golden opportunity to lead the charge for Cloud Computing, but its paranoia about newfangled communications is strangling this effort. It is, in essence, attempting to control the Internet. In doing so, it threatens to undercut Cloud technology providers, most of whom are American companies, which develop the exact type of 21st century business that can lead the country out of its malignant economic woes.

Meanwhile, Facebook, Google, and all the other big data collectors—and there are thousands of them—think they are in a fight against state authorities who wish to institute privacy safeguards. They take the view that we have had no privacy for some time and that we need to get over it. They believe they are being open and upfront with their users in saying what they collect. 

But they&#039;re fighting the wrong battle. They&#039;re fighting their own customers and the laws that would protect them. Meanwhile, a far darker, more onerous situation already exists at the federal level.  Evil in this case doesn&#039;t come through thundering denunciations by charismatic demagogues, but in the small-minded bleatings of the mediocre Harry Reid and his fellow travelers.

Major data collectors have already shown they&#039;ll grab the hook, line, and sinker when the Feds go on fishing expeditions. With the International Cyberfascist Strategy and Patriot Act extension in full sail, expect to see any number of trawling nets. Whether you&#039;re a little fish, a big fish, or a dolphin, you&#039;re going to get swept up.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1851707&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 27 May 2011 06:50:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1851707</guid>
</item>
<item>
 <title>Wading Through the Cloud Security Swamp</title>
 <link>http://in.sys-con.com/node/1847941</link>
 <description>When you&#039;re up to your (neck) in alligators, you forget that you were hired to drain the swamp.

This insight is germane to Steve Riley and his talk, “Wading Through the Cloud Security Swamp,” to be presented at Cloud Expo at the Javits Center in New York. Steve&#039;s presentation is scheduled at 9:55am on Tuesday, June 7.

“How should a company evaluate its own risk profile?,” he asks. “What questions do you need to ask your Cloud services provider? How about the whole idea of transferring risk and indemnity?”
He promises to “survey the swamp, clarify what’s real and what’s hype, and help provide some kind of realistic basis for making risk judgments and deployment decisions.” His session at Cloud Expo in Santa Clara last November was one of the most popular on the program.
Steve Riley is Technical Leader in the Office of the CTO at Riverbed Technology. His role “is to research cutting-edge developments that help customers maximize their infrastructure investments. This includes working with customers to develop and improve technical architectures, incorporating feedback into the product planning and development processes.”&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1847941&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 25 May 2011 05:05:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1847941</guid>
</item>
<item>
 <title>Obama&#039;s Int&#039;l Strategy for Cyberspace: A Really Bad Idea</title>
 <link>http://in.sys-con.com/node/1836432</link>
 <description>The Obama administration has announced something called “The International Strategy For Cyberspace.” It&#039;s being presented as something that&#039;s reasonable and reflective of a technology-savvy administration that understands the big cyber-issues and what to do about them.

We should all be very, very dubious of its claims.

Here are the problems, as I see them:

Use of the word “International.” This at once implies that the United States knows what&#039;s best for the world, and plans to adopt a sort-of Monroe Doctrine for all of cyberspace. This is precisely the sort of overweening obnoxiousness that steals any potential moral high ground from the US.

The bellicose words used by Howard Schmidt, the White House&#039;s “Cyber-Security Coordinator,” who serves at the pleasure of the President. He started by talking about insecure credit cards and finished by noting the US promise to use military force in response to cyber-hostility. Missiles for MasterCards?

A strategy that calls for no fewer than five Cabinet-level departments to get involved—State, Defense, Homeland Security, Commerce, and Justice. Is there any chance of this turning into a big, muddled government goat rope that marks everyone as a potential perp yet is powerless to stop real criminals?

The presumed acquiescence of Congress. The Bush Administration&#039;s war on terror proved, if nothing else, that Republicans and Democrats rise equally to the occasion of intruding on civil liberties if they can spend a lot of money in the process. This new Obama Administration strategy, an ostensible war on cyberterror, will no doubt receive equal support.

Initial reports say that the US is “urging” countries to sign the Cybercrime Convention treaty, something dreamed up by the Council of Europe in Strasbourg 10 years ago. The US has signed it; Russia and China have not. The apparent goal here is to put pressure on China to stop pirating software and on Russia to crack down on its virus-writers. 

The inevitable human rights angle comes into play as well, something I view as a very weak position coming from a country that still holds unclassified prisoners in Gitmo, enforces a Patriot Act that keeps my local library from keeping a record of the books I read, and still considers my 80-year-old mother a security threat when she flies.

The onerous domestic aspect of this strategy is its effort to “invite” utilities and financial services companies to report and rank the cybersecurity threats they face. This is nothing but that damnable Internet kill switch in a different mask. I&#039;m sure companies would be glad to cooperate if they didn&#039;t have this nagging fear that the government&#039;s goal is control, not remedy.

The one useful component of this strategy is the announced efforts to protect the government&#039;s networks. But one would hope that they already have a lot of smart people all over this, right? Why announce a new, bloated, jurisdictional strategy? This thing will have meetings just to determine when to have meetings.

President Obama just proved that even very hard, cancerous problems can be erased with a clear mission, tactical focus, and a team of Navy SEALs. How I wish he would take the same approach with specific cyber-problems.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1836432&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 17 May 2011 06:49:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1836432</guid>
</item>
<item>
 <title>Trail of Sony Hack Leads to Amazon: Bloomberg </title>
 <link>http://in.sys-con.com/node/1835961</link>
 <description>Whoever hacked Sony and compromised the data in 100 million user accounts, reportedly the second-biggest US data theft ever, used Amazon’s EC2 cloud to do it. 

Bloomberg says the culprit or culprits simply rented a server using a fake name. It was quoting an unnamed source, who told the wire service the account has been shut down. 

As Bloomberg explained, all it takes to rent servers from EC2 is a name, an e-mail address, a password, a phone number, a billing address and a verified credit card. Presumably it was a stolen credit card. 

The FBI, which joined the hunt for the perpetrator after Sony discovered the breach last month, is now expected to subpoena Amazon or get a search warrant to trace transactions, access to the specific Internet address and the payment data. 

This kind of news is likely to make enterprise accounts twitchy about using public clouds, according to Abiquo CEO Peter Malcolm. Abiquo sells private clouds.

Meanwhile, Sony started putting its PlayStation Networks back up again over the weekend but only in the Americas, Europe, Australia, New Zealand and the Middle East. Not in Asia. 

The Dow Jones says Japanese officials haven’t sanctioned a return to the domestic market yet. According to the Ministry of Economy, Trade and Industry Sony’s promised security measures haven’t all materialized and it wants more information on what Sony’s gonna do to regain consumers’ trust with their credit cards. 

Reuters reported a US security expert saying Sony still had security holes too. 

If it’s any consolation Sony hasn’t put its storefront back up yet.

Sony took PlayStation and Qriocity down April 20 to assess the damage, improve the security and create an early warning system sensitive to unusual activity. On May 2 Sony Online was determined to have been hacked too and that went offline. 

Customers have to change their passwords with the upgrade. CNET repeated reports that the resuscitated PlayStation Network didn’t stay up long and was turned off for a while because of a “heavy load of password resets.” 

Sony would like to be fully functional by May 31.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1835961&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 16 May 2011 18:43:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1835961</guid>
</item>
<item>
 <title>Sony Clouds Badly Compromised</title>
 <link>http://in.sys-con.com/node/1807909</link>
 <description>Tuesday might not have been the absolutely best time for Sony to divulge
that it, like so many others, is going to go skipping after Apple into the
media tablet business later this year with two Android Honeycomb models
code named S1 and S2.

See, as the last of the top 10 laptop makers to declare its intentions, by fall
when the widgets are due, it’ll be coming from behind and to differentiate
itself in an already overcrowded field it intended to borrow or piggyback on
the cloud-ified media services in its PlayStation franchise.
&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1807909&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 26 Apr 2011 22:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1807909</guid>
</item>
<item>
 <title>Managing Risk and Compliance in the Cloud  </title>
 <link>http://in.sys-con.com/node/1805301</link>
 <description>Cloud computing represents today’s big innovation trend in the information technology (IT) space. Because it allows enterprises to deploy quickly, move swiftly, and share resources, cloud computing is rapidly replacing conventional in-house facilities at enterprises of all sizes. 
Unfortunately, in their eagerness to adopt cloud platforms and applications, enterprises are neglecting to recognize and address the compliance and security risks that come with implementation. Often the ease of getting a business into the cloud – a credit card and a few keystrokes is all that is required – provides a false sense of security.
However, shortcomings in the cloud providers’ security strategy can trickle down to the businesses that leverage their services. In this context, damages can range from pure power outages impacting business performance, data loss, unauthorized disclosure, data destruction, copyright infringement, to brand reputational loss.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1805301&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 26 Apr 2011 11:45:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1805301</guid>
</item>
<item>
 <title>In Cloud We Trust?</title>
 <link>http://in.sys-con.com/node/1786446</link>
 <description>‘In God we trust,’ yet the currency of the Cloud is at odds with trust. Is it possible to trust applications that reside in a Cloud that seems so porous? Cloud Computing Journal sat down with GuardTime CEO Mike Gault, whose keyless signature technology is used to secure cloud hosting provider Joyent, whose customers include LinkedIn, Gilt, and Twitter. &lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1786446&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 08 Apr 2011 12:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1786446</guid>
</item>
<item>
 <title>How to Make Public and Private Clouds Secure</title>
 <link>http://in.sys-con.com/node/1750499</link>
 <description>With Gartner predicting $150 billion in cloud-related revenues by 2013, the march towards “the cloud” is not abating. As the market grows, “Is the cloud secure?” is a very familiar refrain frequently asked by corporate management. While those in IT will certainly tell you no environment will be completely secure, there are measures you can take when moving to the cloud to mitigate security risks to reasonable levels. Transitioning to the cloud can often be more secure than a traditional in-house solution. Cloud providers have collectively invested billions in implementing standards and procedures to safeguard data. They need to compete based on not only price, but the breadth of their security, driving innovation to the benefit of the customer. 
In a public cloud environment the end user has a solution that is highly automated. Customers can put their applications in the cloud and control all of the individual attributes of their services. If you develop products and services in a testing or development environment, the high level of scalability offered by an on-demand computing solution makes it easy to clone server images and make ad-hoc changes to your infrastructure.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1750499&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 14 Mar 2011 08:45:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1750499</guid>
</item>
<item>
 <title>Suspected WikiLeaks Tipster Could Face Death Penalty</title>
 <link>http://in.sys-con.com/node/1739229</link>
 <description>The US Army has charged suspected WikiLeaks tipster Pfc Bradley Manning, 23, with 22 counts of knowingly “aiding the enemy” – a death penalty offense – theft of public property, computer fraud, and downloading classified information that was published on the Internet – obviously by WikiLeaks whose name was not mentioned. 

Manning was charged last year with 12 counts of illegal downloading and transferring the information to an unauthorized person. He’s probably looking at life in prison. 

Meanwhile, Sweden’s version of the Bar Association is investigating WikiLeaks founder Julian Assange’s Swedish lawyer Bjorn Hurtig after the UK court that ordered Assange extradited to Sweden last week said Hurtig misrepresented how many times the Swedish authorities tried to interview Assange on rape charges while he was still in Sweden.

Hurtig, who testified at the three-day extradition hearing, has until March 14 to answer. 

Meanwhile, Assange, who is appealing the extradition decision, is reportedly trying to get his name trademarked in the UK. &lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1739229&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 03 Mar 2011 08:21:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1739229</guid>
</item>
<item>
 <title>Cloud Computing From &quot;Agile Cloud Integration&quot; to &quot;Zero Latency&quot;</title>
 <link>http://in.sys-con.com/node/1713408</link>
 <description>Delegates, speakers, sponsors and exhibitors will be traveling from all over the world to New York this coming June 6-9 to attend the 8th International Cloud Expo in New York City, co-located at the Jacob Javits Convention Center with the 11th Virtualization Conference &amp; Expo.

Here is an early sneak-peek at some of the many Cloud &amp; Virtualization themes and topics due to be discussed in the breakout technical sessions scheduled in the course of the four days.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1713408&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sat, 19 Feb 2011 05:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1713408</guid>
</item>
<item>
 <title>Is Cloud Computing Secure?</title>
 <link>http://in.sys-con.com/node/1718314</link>
 <description>Obviously, the answer is it depends … on your security needs … on what you are comparing it with … on which cloud offering you are looking at.
Therefore, instead of providing a one word “Yes” or “No” answer let me ask you a set of questions that will help you answer the question for yourself. These questions will help you in identifying, for your given context, if the cloud application that you are evaluating is more or less secure compared to status quo or the alternatives that you are considering. The important point is to decide what threats are more significant than others and what can become a show stopper.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1718314&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 17 Feb 2011 07:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1718314</guid>
</item>
<item>
 <title>Single Sign-On to Cloud Services</title>
 <link>http://in.sys-con.com/node/1713332</link>
 <description>As a practitioner in this area, it is striking how service providers such as Google Apps enable access to their service (corporate Gmail inboxes, Google Docs) via API keys. In the case of Google Apps, the key is used to sign a SAML 2.0 assertion sent up to log the user into their email inbox.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1713332&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 14 Feb 2011 07:45:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1713332</guid>
</item>
<item>
 <title>Information Security from a Business Perspective</title>
 <link>http://in.sys-con.com/node/1705790</link>
 <description>As enterprises struggle to remain profitable in an ever-changing risk environment, the current economic crisis has elevated the need for effective business risk management. Information security is a key parameter that affects business risk. The academic definition of information security is the “preservation of confidentiality, integrity and availability of information.”[1] Confidentiality is the preservation of secrecy of information (e.g., business reports, technical designs or financial projections) by ensuring that viewing is conducted solely by authorized people. Integrity is ensuring that information is accurate and consistent and has not been manipulated. Availability ensures that information is accessible to authorized people when needed. &lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1705790&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 09 Feb 2011 06:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1705790</guid>
</item>
<item>
 <title>How to Secure the Cloud?</title>
 <link>http://in.sys-con.com/node/1699393</link>
 <description>I&#039;m in the process of getting the Boston chapter of the Cloud Security Alliance started. I&#039;m just waiting for the &quot;paperwork&quot; to go through, but I&#039;m really excited about what I&#039;m hearing from customers about the cloud. Coming from Oracle, you get a bit of the &quot;Larry Hates the Cloud&quot; mindset, but in my limited time here at Vordel, I can see the deep interest from customers.
Mark O&#039;Neill has published a few articles recently on a few topics within cloud security (SSO to Google Mail and Security Checklist for Cloud Security) but there is single &quot;Cloud Security&quot; solution. Probably the only term less well defined than &quot;Cloud&quot; is &quot;Security&quot;. CSA is starting a whole new focus area on &quot;Security as a Service&quot; - again we could have/and will continue to have a debate over what is a &quot;Service&quot;.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1699393&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 04 Feb 2011 08:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1699393</guid>
</item>
<item>
 <title>Preventive Security Through Behavior Modification</title>
 <link>http://in.sys-con.com/node/1698272</link>
 <description>Over the next few weeks, we&#039;ll investigate how the expression &quot;An ounce of prevention is worth a pound of cure&quot; could also be applied to the IT world, and what are the tools to foster preventive security through behavior modification.
When looking at IT security, it seems that most of the security solutions today are based on Defensive Security. Technologies such as AntiVirus, Firewalls, Intrusion Detection Systems and Intrusion Prevention Systems, Anti-Trojan, Anti-Worms, and Anti-Spyware belong in this category. The primary focus of these technologies is defending against security attacks in progress. Other categories of security exist of course, such as Proactive Security (including Vulnerability Management) and Remediation Security (e.g. Patch Management), but the industry focus these past few years has been on Defensive Security.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1698272&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 01 Feb 2011 19:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1698272</guid>
</item>
</channel>
</rss>

