Archive for December, 2009

The Great Cloud Security Challenge: I Triple-Dog-Dare You…

December 27th, 2009 15 comments


There’s an awful lot of hyperbole being flung back and forth about the general state of security and Cloud-based services.

I’ve spent enough time highlighting both the practical and hypothetical (many of which actually have been realized) security issues created and exacerbated by Cloud up and down the stack, from IaaS to SaaS.

It seems, however, that there are a select few who ignore issues brought to light and seem to suggest that Cloud providers are at a state of maturity wherein they not only offer parity, but offer better security than the “average” IT shop.  What’s interesting is that while I agree that “Cloud Security is not insurmountable,” neither is non-Cloud security — but it’s sure as hell not progressed much in 40 years.

What’s missing is context.  What’s missing is the very risk assessment methodologies they reference in their tales of fancy.  What’s missing is that in the cases they suggest that security is not an obstacle to Cloud, there’s usually not much sensitive data or applications involved.

Ignore the U.S. CIO’s words of wisdom when he discusses the reality of security and moving to the Cloud. Ignore the CIO’s and CISO’s of the Fortune 500. Ignore everything in my Cloudifornication presentation and recent issues related to such. Ignore pragmatism.

Take my challenge instead…Here’s my dare:

  1. I’ll pay for an AWS EC2 instance for a month
  2. You choose the OS and LAMP stack components you’ll deploy in this AMI
  3. You harden it however you see fit, but ensure the web server can be reached via port 80 from the Internet*
  4. You put a .txt file somewhere on a readable filesystem (mounted) or create a row in a DB accessible via the web server
  5. This .txt file or row in the DB contains the following: Your name, (billing) address, social security number, credit card number, mother’s maiden name and your bank’s ABA routing number and checking account number
  6. I’ll invite some people I know to test your hypothesis for you

Let’s see if they want to put their money (literally) where their mouths are?  After all, they claim that Cloud providers will be able to secure their applications and data.

I triple-dog-dare you.

The only diatribes that we ought to be spared from are those that themselves don’t offer a balance of reality, responsibility and maturity as those they accuse of doing the same.

It’s not that Cloud deployments *can’t* be at least as secure as non-Cloud deployments with appropriate adjustments.  My issue with these wanderlust expressions is that the implication today that Cloud providers not only achieve parity but also exceed it — and that Cloud providers have some capability or technology the rest of us do not — given the challenges we have, is incredulous.

I’m all for evangelism, but generalizing about the state of security (in Cloud or otherwise) is a complete waste of electrons.  Yes, Cloud brings us opportunity and acts as a forcing function and we *will* see improvements, but NOT because we put blinders on and pretend that the delivery model (Cloud) will fix 40 years of legacy computing challenges — especially since Cloud is built upon most of them in the first place!

See here.


* Feel free to use SSL if it makes you feel any better.

How Many Open Letters To Howard Schmidt Do We Need? Just One.

December 23rd, 2009 4 comments

My friend Adam at the The New School Information Security Blog wrote An Open Letter to the New Cyber-Security Czar:

Congratulations on the new job! Even as a cynic, I’m surprised at just how fast the knives have come out, declaring that you’ll get nothing done. I suppose that low expectations are easy to exceed. We both know you didn’t take this job because you expected it to be easy or fun, but you know better than most how hard it will be to make a difference without a budget or authority. You know about many of the issues you’ll need to work through, and I’d like to suggest a few less traditional things which you can accomplish that will help transform cyber-security.

Adam’s thoughtful post was chock full of interesting points and guidance associated with what he and others think Howard Schmidt ought to consider in his “new” role as Cyber-Security Coordinator.

My suggestion was a little more simple in nature:

Dear Howard:

I’ll keep it short.

Let me know how we can help you be successful; it’s a two-way street. No preaching here.



In addition, here’s my simple open response to all those who have suggestions for Howard — it’s not an attempt to be self-righteous, critical of others or antagonistic — but I, like Adam, am amazed at how cynical and defeatist people in our community have become.

If Howard called me tomorrow and asked me to quit my job and make sacrifices in order to join up and help achieve the lofty tasks before him for the betterment of all, I would.

Guaranteed.  Would you?

I’m glad you stepped up, Howard. Thank you.


2010 – It’s Time for Security Resolutions Not Predictions…

December 21st, 2009 2 comments

November and December usually signal the onslaught of security predictions for the coming year. They’re usually focused on the negative.

I’ve done these a couple of times and while I find the mental exercise interesting, it really doesn’t result in anything, well, actionable.

So, this year I’m going to state what I am *going* to do rather than what I think others *might.*  I’ve spent the last couple of years talking about the challenges, now it’s time to focus on the solutions.

It’s quite simple.  I resolve to:

  1. Continue my efforts to make the Cloud Security Alliance work products more useful and impactful, focusing on solutions to the challenges we have with Cloud Security
  2. Push the agenda for transparency in Cloud providers with the A6 API working group
  3. Deliver even more interesting and thought-provoking presentations focused on virtualization and Cloud security
  4. Take our local security scene up a notch: focus on making BeanSec more than just a social event and make it the epicenter for security knowledge sharing in the greater Boston area
  5. Spend more time at local events such as ISACA and OWASP and support regional “non-cons”; many folks don’t get to go to the big shows
  6. Blog more and push the envelope on things I know need to improve.  Also publish the podcast and vlogs on a regular basis
  7. Reach out beyond the U.S. and share more/learn more with folks from other countries/backgrounds
  8. Dig my heels in and participate more actively in the standards bodies and organizations that I lurk in (PCI vSig, DMTF, etc.)
  9. Focus on making my contacts into more of a community; I have the most awesome circle of friends and acquaintances and it’s time to put them to use
  10. Publish a couple of the books I’m working on

These are my top 10.

What are yours?


Cloud Security Alliance v2.1 Security Guidance for Critical Areas of Focus in Cloud Computing Available

December 17th, 2009 No comments

CSA-LogoVersion 2.1 of the Cloud Security Alliance “Security Guidance for Critical Areas of Focus in Cloud Computing” is available for download here.

It’s important to note that in this version of the guidance there are some notable changes in structure and content focus:

The guidance provided herein is the second version of the Cloud Security Alliance document, “Security Guidance for Critical Areas of Focus in Cloud Computing”, which was originally released in April 2009.  The permanent archive locations for these documents are:  (this document)  (version 1 guidance)

In a departure from the first version of our guidance, a decision was made to separate the key guidance from the core domain research.  Each domain’s core research is being released as its own white paper.  These white papers and their release schedule are located at:

In another change from the first version, Domain 3: Legal and Domain 4: Electronic Discovery were combined into a single domain.  Additionally, Domain 6: Information Lifecycle Management and Domain 14: Storage were combined into a single domain, renamed Data Lifecycle Management.  This has caused a renumbering of our (now 13) domains.

We have hundreds of pages of edited/compiled content for each of these domains and the working groups will be releasing their schedules for the domain work products shortly.

Thanks to everyone who contributed!  We look forward to delivering even more value in the follow-on releases.

Technical Advisor CSA

Speaking at the 2009 Federal Identity Management & Cybersecurity Conference

December 15th, 2009 4 comments

ISIMCThe (first annual) 2009 Federal Identity Management & Cyber Security Conference is being held in Washington on December 15-16th.  I’m speaking on day two on a panel moderated by Earl Crane of DHS on “Innovation and security in Cloud Computing.”

The Information Security and Identity Management Committee (ISIMC) of the Federal CIO Council is taking steps to deliver  on the President’s pledge for cybersecurity. ISIMC will discuss strategies and tactics for securing and defending federal IT  systems and networks for trusted and reliable global communication.

The objectives of this conference are awareness, education, and alignment toward a common vision for cyber defense  within the federal community.   This conference will focus on protecting the nation against cyber aggression, while preserving and protecting  the personal privacy and civil liberties that are the core of american values.

Hosted by  the Information Security and Identity management committee (ISIMC), which supports the federal CIO Council  in enabling chief Information officers (CIOs) and chief Information Security officers (CISOs) to  collaborate on: (1) identifying high priority cybersecurity and identity management initiatives; and (2) developing  recommendations for policies, procedures, and standards to address those initiatives that enhance the security  posture and protection afforded to federal government networks, information, and information systems.

Topics Include

  • Nation’s top cybersecurity challenges addressed by a
  • Panel of government and Private Sector leaders
  • US-cert and the challenging landscape of
  • Federal cybersecurity
  • Security Performance – What Is next?
  • Innovation, cloud computing and Web 2.0
  • Federal desktop core configuration next Steps
  • Supply chain acquisition best Practices
  • IT Security Policy and legislation
  • Identify, credential and access management

This should be an interesting two days.

Cloud Computing Public Service Announcement – Please Read

December 11th, 2009 1 comment

If your security practices suck in the physical realm, you’ll be delighted by the surprising lack of change when you move to Cloud.

Thank You.


Dear Public Cloud Providers: Please Make Your Networking Capabilities Suck Less. Kthxbye

December 4th, 2009 6 comments

sucklessThere are lots of great discussions these days about how infrastructure and networking need to become more dynamic and intelligent in order to more fully enable the mobility and automation promised by both virtualization and cloud computing.  There are many examples of how that’s taking place in the enterprise.

Incumbent networking vendors and emerging cloud/network startups are coming to terms with the impact of virtualization and cloud as juxtaposed with that of (and you’ll excuse the term) “pure” cloud vendors and those more traditional (Inter)networking service providers who have begun to roll out Cloud services atop or alongside their existing portfolio of offerings.

  • On the one hand we see hardware-based networking vendors adding software-based virtual switching and virtual appliance extensions in order to claw back the networking and security functions which have been abstracted into the virtualization and cloud stacks.  This is a big deal in the enterprise and especially with vendors looking to stake a claim in the private cloud space which is the evolution of traditional datacenter capabilities extended with virtualization and leverages the attributes of Cloud to provide for a more frictionless computing experience.  Here is where we see innovation and evolution with the likes of converged data and storage networking and unified fabric solutions.

  • On the other hand we see massively-scaled public cloud providers and evolving (Inter)networking service providers who have essentially absorbed the networking layers into their cloud operating platforms and rely on the software functionality embedded within to manifest the connectivity required to enable service.  There is certainly networking hardware sitting beneath these offerings, but depending upon their provenance, there are remarkable differences in the capabilities and requirements between them and those mentioned above.  Mostly, these providers are really shouting for multi-terabit layer two switching fabric interconnects to which they interface their software-enabled compute platforms.  The secret sauce is primarily in software.

For the purpose of this post, I’m not going to focus on the private Cloud camp and enterprise cloud plays, or those “Cloud” providers who replicate the same architectures to serve these customers, rather, I want to focus on those service providers/Cloud providers who offer massively scalable Infrastructure and Platform-as-a-Service offerings as in the second example above and highlight two really important points:

  1. From a physical networking perspective, most of these providers rely, in some large part, on giant, flat, layer two physical networks with the actual “intelligence,” segmentation, isolation and logical connectivity provided by the hypervisor and their orchestration/provisioning/automation layers.
  2. Most of the networking implementations in these environments are seriously retarded as it relates to providing flexible and extensible networking topologies which make for n-Tier application mapping nightmares for an enterprise looking to move a reasonable application stack to their service.

I’ve been experimenting with taking several reasonably basic n-Tier app stacks which require mutiple levels of security, load balancing and message bus capabilities and design them using several cloud platform providers offerings today.

The dirty little secret is that there are massive trade-offs with each of them, mostly due to constraints related to the very basic networking and security functionality offered by the hypervisors that power their services today.  The networking is basic.  Just the way they like it. It sucks for me.

This is a problem I demonstrated in enterprise virtualization in my Four Horsemen of the Virtualization Apocalypse presentation two years ago.  It’s much, much worse in Cloud.

Not supporting multiple virtual interfaces, not supporting multiple IP addresses per instance/VM, not supporting multicast or broadcast capabilities for software-based load balancing (and resiliency of the LB engines themselves)…these are nasty issues that in many cases require wholesale re-engineering of app stacks and push things like resiliency and high availability into uncertain waters.

It’s also going to cost me more.

Sure, there are ways of engineering around these inadequacies, but they require additional levels of complexity, more cost, additional providers or instances and still leave me without many introspection options and detective and preventative security controls that I’m used to being able to rely on in traditional networking environments using colocation services or natively within the enterprise.

I’m sure I’ll see comments (public and private) suggesting all sorts of reasons why these are non-issues and how it’s silly to try and replicate the enterprise approach in the cloud.  I have 500 reasons why they’re wrong…the Fortune 500, that is.  You should also know I’m not apologizing for the sorry state of non-dynamic infrastructure, but I am suggesting that forcing me to re-tool app stacks to fit your flat network topologies without giving me better security and flexible connectivity options simply sucks.

In may cases, people just can’t get there from here.

I don’t want to have to re-architect my app stacks to work in the cloud simply because of a lack of maturity from a networking perspective.  I shouldn’t have to. That’s simply backward.  If the power of Cloud is its ability to quickly, flexibly, and easily allow me to provision, orchestrate and deploy services, that must include the network, also!

The networking and security capabilities of  public Cloud providers needs to improve — and quickly.  Applications that are not network topology-dependent and only require a single interface (or more specifically an IP address/socket) to communicate aren’t the problem.  It’s when you need to integrate applications and/or infrastructure solutions that require multiple interfaces, that *are* topology dependent and require insertion between these monolithic applications that things break down. Badly.

The “app on a stick” model doesn’t work when enterprises struggle with taking isolated clusters of applications (tiers) and isolate/protect them with physical or virtual appliances that require multiple interfaces to do so.  ACL’s don’t cut it, not when I need FW, IPS, DLP, WAF, etc. functionality.  Let’s not forget dedicated management, storage or backup interfaces.  These are many of the differences between public and private cloud offerings.

I can’t do many of the things I need to do easily in the Cloud today, not without serious trade-offs that incur substantial cost and given the immaturity of the market as a whole put me at risk.

For the large enterprise, if the fundamental networking and security architectures don’t allow for easy portability that does not require massive re-engineering of app stacks, these enterprises are going to turn to niche or evolving (Inter)networking providers who offer them the capability to do so, even if they’re not as massively scaleable, or they’ll simply build private clouds instead.


Great InformationWeek/Dark Reading/Black Hat Cloud & Virtualization Security Virtual Panel on 12/9

December 3rd, 2009 No comments


I wanted to let you know about about a cool virtual panel I’m moderating as part of the InformationWeek/Dark Reading/Black Hat virtual event titled “IT Security: The Next Decade” on December 9th.

There are numerous awesome speakers throughout the day, but the panel I’m moderating is especially interesting to me because I was able to get an amazing set of people to participate.  Here’s the rundown — check out the panelists:

Virtualization, Cloud Computing, And Next-Generation Security

The concept of cloud computing creates new challenges for security, because sensitive data may no longer reside on dedicated hardware.  How can enterprises protect their most sensitive data in the rapidly-evolving world of shared computing resources? In this panel, Black Hat researchers who have found vulnerabilities in the cloud and software-as-a-service models meet other experts on virtualization and cloud computing to discuss the question of cloud computing’s impact on security and the steps that will be required to protect data in cloud environments.

Panelists: Glenn Brunette, Distinguished Engineer and Chief Security Architect, Sun Microsystems; Edward Haletky, Virtualization Security Expert; Chris Wolf, Virtualization Analyst, Burton Group; Jon Oberheide, Security Researcher; Craig Balding, Cloud Security Expert,

Moderator: Christofer Hoff, Contributing Editor, Black Hat

I wanted the perspective of architects/engineers, practitioners, researchers and analysts — and I couldn’t have asked for a better group.

Our session is 6:15pm – 7:00 EST.

Hope to “see” you there.