So, after a four month hiatus, due to illness and life in general, we’re back and ready to roll. I hope to keep a consistent pace going forward.

Fingers crossed and stapled. OW!

(Image used under CC from Seth W)

Intel raised the bar in the processing game when this Tuesday they announced the release of the first 32nm processors. The big selling point here, according to the vendor, is the security aspects.

From The Taiwan Economic Times:

According to world`s No.1 chipmaker, the new processors are the industry`s first 32nm enterprise-grade devices integrating security capabilities that enhance data integrity and server virtualization as well as first six-core embedded computing processors. New structures enable the processors to deliver up to 60% greater performance than the 45nm Intel Xeon 5500 cousins, allowing data centers to replace 15 single-core servers with only one Xeon 5600-driven server and achieve a return on their investment in as little as five months.

The big selling points here being cloud computing and the financial sector. The real rub here will be how it will stand up against Joanna Rutkowska this time. Last time this is what happened (.pdf).

Article Link

(Image used under CC from Josh Bancroft)

Originally posted on Liquidmatrix Security Digest

Made the trip to RSA 2010 in San Francisco last week. I went a day early with the hopes of attending the Cloud Security Alliance meeting.

From Cloud Security Alliance:

If you are attending the RSA Conference 2010 in San Francisco with either a delegate or expo pass, please consider attending the Cloud Security Alliance Summit. The next generation of computing is being delivered as a utility. Cloud Computing is a fundamental shift in information technology utilization, creating a host of security, trust and compliance issues. The Cloud Security Alliance is the world’s leading organization focused on the cloud, and has assembled top experts and industry stakeholders to provide authoritative information about the state of cloud security in the Cloud Security Alliance Summit.

I registered.

Silly me. I figured that would mean that I was going to be permitted entry.

Nope.

When I arrived I discovered that not only were they way over capacity but, the staffers working the door weren’t checking to see if people had registered. So to them I say, bite me.

I had planned a long write up on the summit.

No love.

(Image used under CC from noone)

With the growing move to cloud computing so to grows the interest of the ne’er do well hackers. Nothing like a juicy target that spin up resources as required and be billed to someone else.

Here is an account of an attack on a cloud instance. This attack took place over the past weekend.

From Cloud Ave:

Over the weekend, my cloud computing infrastructure survived a major hacking attack. Here is what happened and what it took to recover it.

This weekend my servers out in the cloud space fended off a major hacking attack across two of the systems that I have given the public access to use them. The attack started simply on Friday night as a simple series of scans to see if there was anything in the IP space that I am using. This is the fairly standard attack pattern that many information security people see every day. Thinking that this was normal I closed up shop on Friday and went home.

Very interesting article. Read on.

Article Link

(Image used under CC from Dan Barak)

What is the threat landscape for cloud computing? A survey is being conducted by the Cloud Security Alliance.

Want to participate? Join in.

Link: http://www.surveymonkey.com/s/VRPMBRM

There are times where I am amazed at what people will put forward to an unsuspecting (or in this case suspecting) public.

This company, Private Planet, headed by Dr Janko Mrsic-Flagel aspires to lead us down the primrose path.

From UK Technology Live:

“Well both are paramount,” explains Dr. Mrsic-Flagel. “One of the great differences between us and the likes of Amazon and Google is that in our model you actually OWN your own cloud computer. This is a big difference. The telecom operator will host it for you. You will be the telecom operator’s customer, but you will own that computer. The privacy issue goes away, because you own the equipment that holds your data and it is not shared with any others. Unless you want it to be.”

In a datacenter that you have no control over and…and…

I have no words.

Read on.

Article Link

(Image used under CC from purplemattfish)

There are times when cloud computing must seem like a pretty sweet option. I would imagine that the folks at WordPress were pondering something to that effect today. Earlier today they had an outage that lasted 110 minutes. Their worst outage in 4 years apparently.

From WordPress.com

What Happened: We are still gathering details, but it appears an unscheduled change to a core router by one of our datacenter providers messed up our network in a way we haven’t experienced before, and broke the site. It also broke all the mechanisms for failover between our locations in San Antonio and Chicago. All of your data was safe and secure, we just couldn’t serve it.

I imagine that a LOT of coffee was downed while they scrambled to fix the outage. Change control is there for a reason. Which can only mean that as soon as the dust settles that someone will be looking for a new job. And that single point of failure will surely haunt them.

Article Link

(Image used under CC from bitzcelt)

About a year ago, I put down my thoughts on cloud security from the CISO’s standpoint in a blog post. In it, I said that for the CISO, the transition to the cloud was the act of gracefully losing control. By that I meant that when computing assets (regardless of OSI layer) are moved – the CISO no longer has control over that aspect of the platform while maintaining the responsibility for it’s security.

I also believe that in the transition to the cloud, the CISO will begin to lose their religion. And that’s a good thing.

METRICS CREATING TRANSPARENCY

I had the pleasure of asking the Security Architect of a really big company with lots of security and cloud computing pressures how much transparency he needed from a cloud provider. His answer was, “I have no idea”.

So last week there was some noise about groups developing sets of security metrics for cloud computing, I was pretty happy because I think this is a good thing. We need a commonality between vendors and customers about what security information should be shared, when it should be shared, and how it should be shared. An attempt to create the first round of “transparency” intersubjectivity.

CLOUD SECURITY METRICS CAN BE REASONABLE, BUT NEED TO BE INFORMATIVE

That said, I think we need to acknowledge that cloud metrics are going to carry significant uncertainty in them. When you hear phrases in press releases like, “completely objective metrics” any knowledgeable metrician should be raising scores of red flags. Why that is, is another blog post for another blog, but it’s my opinion that it is more accurate to wish for “reasonable” metrics with uncertainty and subjectivity in them – as long as the collection methods and limitations are well understood.

Unfortunately, the “reasonableness” of metrics requires their ability to create good information for security or impact models, and this is where all these metrics efforts tend to break down. We don’t realize it, but I’ll offer that when you go to conferences and meetings and such and you hear somebody whining about not getting “good” metrics, a good portion of the time what they’re really saying is that they don’t have a good model within which to understand how they can begin to create measurements. Metrics are only as informative as their ability to be understood in the context of a model. Note that for the cloud, your model must not just require which metrics give you a reasonable notion or security or impact, but the must require what I’ll (incorrectly) call “entropy” requirements – how often these metrics must be gathered in order to be informative.

AT THE END OF THE DAY, THE CISO WILL HAVE TO HAVE FAITH IN THEIR PROVIDER

The ability to have good state of wisdom (what I should do) requires a good state of knowledge (what does this mean) which requires a good understanding of the state of nature (that is, the development and communication of reasonable metrics). Unfortunately, the CISO isn’t going to get a full or maybe even reasonable state of nature from their XaaS vendor. So what can we do?

With all apologies to thousands of years of theologians, I’ll simply describe the act of faith as operating in the face of significant uncertainty. When we have to act (have wisdom) with a less then reasonable understanding of state of nature, we’re operating by faith. I’ll offer that with this definition, faith can be optimistic in nature, trusting that the individual will fulfill their promises, or pessimistic in nature, trusting that the individual will fail.

What will be the important outcome of any metrics sharing between vendor and customer for cloud computing is how those “readings” of state of nature move us towards an optimism or pessimism. That optimism or pessimism is generated in the context of a model. Thus, what we can do is have a good model, and create reasonable metrics that feed the model.

GAINING FAITH BUT LOSING RELIGION?

If you’ll let me continue to carry the analogy, if faith is operating based on acknowledged uncertainties in evidence, then religion we might define (with a slight negative connotation) as the performance of actions that attempt to increase faith but have no known real correlation to reducing the uncertainty. In other words, the Shaman attempts to reduce uncertainty about the weather, volcano, outcome of battle, what have you, by performing rituals that have no real ability to, or even logical linkage to, reducing uncertainty about those things.

In this sense, it is my sincere hope that moving assets to the cloud will drive a reduction in the religion we build for ourselves (if I buy this technology, I might get hacked less, I guess) by driving us towards a more certain faith (I have more or less security due to changes in the metrics I’m getting from my provider.

In my little opinion, this would be a very good thing for our industry.

About time. There was a great deal of resistance to cloud computing from federal government hinged largely on security and privacy concerns. Now, faced with escalating costs and and ageing IT staff the move into the cloud seem inevitable. We’ve already seen this sort of behaviour in different parts of the world. A couple of easy examples are the cities of Los Angeles and Orlando.

From Network World :

There are 325,000 employees in federal government, 140 departments (all with their own CIO), 124 networks and 144 data centres across the country that he knows of. And 120,000 Wintel and Unix servers use less than 10 per cent of their capacity. “To make matters worse, 40 per cent of IT professionals are eligible for retirement in next five years,” he said. “So we have to leverage the private sector a lot more.”

The Treasury Board of Canada has obtained agreement across departments on the language and definitions for cloud computing and received endorsement for the Government of Canada’s cloud computing roadmap — one that can be validated with countries such as the U.S., the U.K., Australia and New Zealand.

Great news to see them move forward. My only hope being that they do not crash forward without proper due care.

Article Link

(Image used under CC from dani-santana)

From ZDNet:

A 24-strong consortium of service providers, vendors, government organisations and consultants has begun work on a set of measurements designed to make it easier for businesses to compare the security features offered by cloud-computing providers.

The Common Assurance Metric or CAM was launched on Monday Feb 7, 2010. So, who is a part of this consortium?

Participants include Amazon, Google, Microsoft, the European Network and Information Security Agency (Enisa), the Cabinet Office, HM Revenue & Customs, KPMG, McAfee and Oracle.

Which is odd when you consider Microsoft’s push for government legislation and their comments on security just recently.

(Image used under CC from Evan Hamilton)

Article Link