Archive for the ‘Cloud Security’ category

When The Cloud Comes Under Attack

February 23rd, 2010

With the growing move to cloud computing, so too grows the interest of the ne’er-do-well hackers. Nothing like a juicy target that spins up resources as required and is billed to someone else.

Here is an account of an attack on a cloud instance. This attack took place over the past weekend.

From Cloud Ave:

Over the weekend, my cloud computing infrastructure survived a major hacking attack. Here is what happened and what it took to recover it.

This weekend my servers out in the cloud space fended off a major hacking attack across two of the systems that I have given the public access to. The attack started simply on Friday night as a simple series of scans to see if there was anything in the IP space that I am using. This is the fairly standard attack pattern that many information security people see every day. Thinking that this was normal, I closed up shop on Friday and went home.

Very interesting article. Read on.

Article Link

(Image used under CC from Dan Barak)

Cloud Security Alliance Threat Survey

February 23rd, 2010

What is the threat landscape for cloud computing? A survey is being conducted by the Cloud Security Alliance.

Want to participate? Join in.

Link: http://www.surveymonkey.com/s/VRPMBRM

On Cloud Security Metrics

February 17th, 2010


Hi, my name is Alex, and I have a tape I’d like to play for you.

About a year ago, I put down my thoughts on cloud security from the CISO’s standpoint in a blog post. In it, I said that for the CISO, the transition to the cloud was the act of gracefully losing control. By that I meant that when computing assets (regardless of OSI layer) are moved, the CISO no longer has control over that aspect of the platform while still retaining responsibility for its security.

I also believe that in the transition to the cloud, the CISO will begin to lose their religion. And that’s a good thing.

METRICS CREATING TRANSPARENCY

I had the pleasure of asking the Security Architect of a really big company with lots of security and cloud computing pressures how much transparency he needed from a cloud provider. His answer was, “I have no idea”.

So when, last week, there was some noise about groups developing sets of security metrics for cloud computing, I was pretty happy, because I think this is a good thing. We need a commonality between vendors and customers about what security information should be shared, when it should be shared, and how it should be shared: an attempt to create the first round of “transparency” intersubjectivity.

CLOUD SECURITY METRICS CAN BE REASONABLE, BUT NEED TO BE INFORMATIVE

That said, I think we need to acknowledge that cloud metrics are going to carry significant uncertainty in them. When you hear phrases in press releases like “completely objective metrics”, any knowledgeable metrician should be raising scores of red flags. Why that is, is another blog post for another blog, but it’s my opinion that it is more accurate to wish for “reasonable” metrics with uncertainty and subjectivity in them, as long as the collection methods and limitations are well understood.

Unfortunately, the “reasonableness” of metrics depends on their ability to create good information for security or impact models, and this is where all these metrics efforts tend to break down. We don’t realize it, but I’ll offer that when you go to conferences and meetings and such and you hear somebody whining about not getting “good” metrics, a good portion of the time what they’re really saying is that they don’t have a good model within which to understand how they can begin to create measurements. Metrics are only as informative as their ability to be understood in the context of a model. Note that for the cloud, your model must not only specify which metrics give you a reasonable notion of security or impact, but must also specify what I’ll (incorrectly) call “entropy” requirements: how often these metrics must be gathered in order to be informative.

AT THE END OF THE DAY, THE CISO WILL HAVE TO HAVE FAITH IN THEIR PROVIDER

The ability to have a good state of wisdom (what I should do) requires a good state of knowledge (what does this mean), which requires a good understanding of the state of nature (that is, the development and communication of reasonable metrics). Unfortunately, the CISO isn’t going to get a full, or maybe even reasonable, state of nature from their XaaS vendor. So what can we do?

With all apologies to thousands of years of theologians, I’ll simply describe the act of faith as operating in the face of significant uncertainty. When we have to act (have wisdom) with a less than reasonable understanding of the state of nature, we’re operating by faith. I’ll offer that with this definition, faith can be optimistic in nature, trusting that the individual will fulfill their promises, or pessimistic in nature, trusting that the individual will fail.

What will be the important outcome of any metrics sharing between vendor and customer for cloud computing is how those “readings” of state of nature move us towards an optimism or pessimism. That optimism or pessimism is generated in the context of a model. Thus, what we can do is have a good model, and create reasonable metrics that feed the model.

GAINING FAITH BUT LOSING RELIGION?

If you’ll let me continue to carry the analogy, if faith is operating based on acknowledged uncertainties in evidence, then religion we might define (with a slight negative connotation) as the performance of actions that attempt to increase faith but have no known real correlation to reducing the uncertainty. In other words, the Shaman attempts to reduce uncertainty about the weather, volcano, outcome of battle, what have you, by performing rituals that have no real ability to, or even logical linkage to, reducing uncertainty about those things.

In this sense, it is my sincere hope that moving assets to the cloud will drive a reduction in the religion we build for ourselves (if I buy this technology, I might get hacked less, I guess) by driving us towards a more certain faith (I have more or less security due to changes in the metrics I’m getting from my provider).

In my little opinion, this would be a very good thing for our industry.

Canada Clears Up Its Cloud Strategy

February 16th, 2010

About time. There was a great deal of resistance to cloud computing from the federal government, hinged largely on security and privacy concerns. Now, faced with escalating costs and an ageing IT staff, the move into the cloud seems inevitable. We’ve already seen this sort of behaviour in different parts of the world. A couple of easy examples are the cities of Los Angeles and Orlando.

From Network World :

There are 325,000 employees in federal government, 140 departments (all with their own CIO), 124 networks and 144 data centres across the country that he knows of. And 120,000 Wintel and Unix servers use less than 10 per cent of their capacity. “To make matters worse, 40 per cent of IT professionals are eligible for retirement in next five years,” he said. “So we have to leverage the private sector a lot more.”

The Treasury Board of Canada has obtained agreement across departments on the language and definitions for cloud computing and received endorsement for the Government of Canada’s cloud computing roadmap — one that can be validated with countries such as the U.S., the U.K., Australia and New Zealand.

Great news to see them move forward. My only hope being that they do not crash forward without proper due care.

:)

Article Link

(Image used under CC from dani-santana)

A6 Rebrands As CloudAudit.org

February 13th, 2010

So what, might you ask, is Cloud Audit? Chris Hoff has a write up on the launch of the new site CloudAudit.org.

From Rational Survivability:

I’m happy to announce that the Automated Audit, Assertion, Assessment, and Assurance API (A6) working group is organizing under the brand of “CloudAudit.” We’re doing so to enable reaching a broader audience, ensure it is easier to find us in searches and generally better reflect the mission of the group. A6 remains our byline.

We’ve refined how we are describing and approaching solving the problems of compliance, audit, and assurance in the cloud space and part of that is reflected in our re-branding.

Here is the preamble from the new site.

From Cloudaudit.org:

The goal of CloudAudit (codename: A6) is to provide a common interface that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology.

CloudAudit is a volunteer cross-industry effort from the best minds and talent in Cloud, networking, security, audit, assurance and architecture backgrounds.

For more read the entire posting over on Hoff’s blog Rational Survivability.

Article Link

(Image used under CC from Florin Mogos)

Websense Unifies Cloud, On-Premises Security Management

February 13th, 2010

The vendor gold rush is underway.

From eWeek:

As security vendors have added cloud-based services to their portfolios, there have been ongoing discussions about how best to combine these services with on-premises security products.

While many vendors offer both delivery models, Websense took it a step further Feb. 9 with a new platform that integrates data loss prevention, secure Web gateway and e-mail security while allowing users to manage the company’s on-premises and cloud security offerings through a single console.

Trend Micro announced something similar back in November. Now, this is an offering that is currently only available to early adopters. It would be interesting to see more information on this offering.

Article Link

(Image used under CC from US Army Korea – IMCOM)

Cloud Providers Shrug Off Liability For Security

February 13th, 2010

The calendar may show a different date, but the argument remains the same. Back in ’99 I had a protracted/heated exchange with my corporate ISP regarding DDoS attacks. Their logic was simple: not our problem. They used the analogy of a cab. We get you there, but that’s it.

Ugh.

From ZDNet:

At a Cloud Law Summit in London on Wednesday, Microsoft’s head of legal, Dervish Tayyip, said the company would not provide financial guarantees against data-protection issues on cloud contracts.

“We’re not an insurance company,” Tayyip told ZDNet UK. “What is important is that customers understand the [cloud] offerings are standardised — they are what they are. If the offering does not meet customer needs, maybe the cloud is not a realistic offering.”

Wow. How not to win the hearts and minds of potential customers.

Article Link

(Image used under CC from Philipp Klinger)
