My friends over in Belgium at the /dev/random blog had a good post up the other day called “Everything Can Be Outsourced But Not Your Responsibility“. The post was really about a recent incident in which Arcelor Mittal had a website compromised by Anonymous Belgium. The gist of the article was that although Arcelor Mittal had outsourced almost every aspect of the website, from design and creation to hosting and maintenance, at the end of the day, when something went wrong, all of that outsourcing did not absolve Arcelor Mittal of responsibility.

The same thing is true in cloud security. Many organizations think that by outsourcing to the cloud, or by letting someone else deal with it, they are absolved of responsibility. They are mistaken. While they may have someone to blame, they are still responsible. Outsourcing does not include shifting responsibility. If your name is on it, it is yours. If it breaks, you own it.

So does this mean that outsourcing is a mistake? Of course not. The reasons for outsourcing are many: the outsource provider can do it better, cheaper and/or faster. These are not outweighed by the fact that you still bear ultimate responsibility. What it does mean, though, is that you should be careful about who you outsource to. This is doubly important when talking about security.

I have been involved with outsourcing and managed security for over 10 years. I remember back in 1999 when a company I helped get started was one of the largest Checkpoint firewall resellers and we managed hundreds of Checkpoint boxes. The biggest selling point was that we were better prepared to do the job than our customers were. That fundamental fact has not changed. Customers realize they are responsible. Part of that responsibility is picking the right outsourcing partner and doing your due diligence on your choice.

At Alert Logic this basic tenet still holds true. With over 1500 end-user customers, and representing over half of the 30 leading hosting/cloud providers, you can rest assured that the question of responsibility and due diligence comes up again and again. This is why, even though they are a private company, they release financials just about every quarter. It is also why they strive to maintain a high level of transparency for the business. Alert Logic’s customers know that even though they outsource their security, they will ultimately bear responsibility. Having someone to blame is not enough.

So the responsibility issue is not a reason to stop your outsourcing. But it does place the burden on any company that outsources to perform due diligence on any 3rd party they outsource to.


A poll was conducted on LinkedIn, sponsored by Comcast. It asked, “What’s your biggest concern with moving your applications to the cloud?”
Not very scientific, granted, but with over 8000 responses, the results are pretty interesting:

I was surprised that more than half of respondents still listed security as the biggest issue. Again, this is a rather random survey, but it ended December 15, 2011, so it is rather current. Even adding performance and reliability together, they don’t approach security.

If you get a chance, click through and read some of the comments as well (there are over 250 of them). Very interesting indeed!


Simon Crosby knows a thing or two about virtualization and the cloud. He was the driving force behind Xen and then was CTO of Citrix‘s virtualization and cloud business. Crosby left Citrix a few months ago to team up with some other former Xen execs to form Bromium, which promises to deliver new levels of security using the cloud and virtualization.

True security by the cloud, for the cloud, delivered by the cloud wherever IT goes is what Bromium seeks. Crosby says that the isolation inherent in virtualization provides a tremendous opportunity for security advancements. It seems that some folks agree with him, as the company raised 9.2 million dollars while still in stealth mode.

I had a chance to sit down with Simon and discuss cloud, virtualization, security and open source the other day. This podcast will be available on Network World, but I wanted to give Secure Cloud Review readers an early sneak peek.

Have a listen and enjoy!



Recently, over on my Network World blog, I wrote about a new service from the folks at Rackspace Cloud Builders (Rackspace is a partner of Alert Logic). They have released Rackspace Cloud:Private Edition. It is based on the Rackspace Cloud, the 2nd largest public cloud, and on OpenStack, the open source cloud platform that so many companies now support.

To me, the new service represents a new category called Cloud Management as a Service (CMaaS). Cloud Builders will not only help you set up your own cloud wherever you want, they will manage it for you too. In that regard, it is no different from the concept behind Security as a Service (Sec-aaS) at Alert Logic: security that goes wherever IT goes and can be managed for you.

Anyway, I had a chance to sit down with Jim Curry, GM of Cloud Builders, and Jesse Andrews, a key technical person at Cloud Builders. I recorded this for the Open Network on Network World but thought readers of Secure Cloud Review would find it interesting. Below is the podcast of our conversation.

Enjoy!


According to a George Hulme story over on CSOonline.com, a recent Forrester report said that 67% of large enterprises are using cloud-based Infrastructure-as-a-Service (IaaS) to support production applications. This is significant in that previous studies always seemed to indicate, or at least measure, that enterprises were doing testing and development on the cloud but not actually deploying live production apps.

Based on this, it would appear that, whether security concerns are real or not, organizations are forging ahead with their migration to the cloud. Now, it could be that the benefits outweigh the risks, or it could be that the risks themselves have been blown out of proportion to the reality of the situation.

As George points out in his article, though, there have been recent surveys by the Ponemon Institute (sponsored and financed by security vendors with their own axe to grind) showing that half of the respondents don’t think their organization’s ability to secure the cloud is adequate.

While I am not saying the Ponemon Institute survey is wrong, it could certainly be biased. It could be that the majority of the respondents are security admins. Security admins are more likely to say that they are worried about security than IT folks in general, and certainly more likely than non-IT types. Of course, as is common in security, the numbers would seem to indicate that at the end of the day the security concerns are being brushed aside by the non-security types as they move to the cloud.

Another possible take is that cloud providers are doing a better job of showing how security is built into the cloud infrastructure today. While perhaps not satisfying the concerns of the security pros, it would seem to be enough to allay the fears of everyone else.

In any event, it seems the march to the cloud continues to gain momentum, security be damned.


Metrics in security is a topic that can be, and has been, debated until the cows come home. What to measure, how to measure it and what to do about it are questions that can have the brightest security minds spinning like a top. But that didn’t stop this all-star panel from tackling the tough questions.

Our panel consists of Rafal Los of HP Application Security; Will Gragido of HP/TippingPoint’s security research team; Elizabeth Martin, Director of Security Services at Alert Logic partner Red Legg; Alert Logic solutions engineer Eric Irvin; and your host, Alan Shimel.

Of course, going into this discussion we all knew that we were not going to have hard and fast answers that would fit everyone, but it is a topic that every security practitioner needs to think about.

So have a listen to the fast-moving 30 minute conversation and see if you can learn something from a few folks whose experience and knowledge you may find useful.


The other day I saw one of those Facebook question polls asking what was the biggest thing holding you back from moving to the cloud. I forget who actually posted the question, but the choices were availability, security, features and cost. Security was still the biggest inhibitor by a large amount. Now granted, Facebook users may not be the demographic you would rely on for that answer, but it is a data point nonetheless.

But in spite of what the survey on Facebook says, I continue to see cloud security marching on with new offerings and new ways of securing the cloud. I wanted to highlight some of the ones that have caught my eye recently:

Cloud Passage Halo Professional – This company and product have received a lot of attention since coming to market almost a year ago. The recently announced Professional version of Halo brings host-based firewall administration, vulnerability management, account auditing, and security alerting capabilities to protect cloud servers.

“The Professional version adds to Halo’s value through comprehensive APIs that extend and integrate these capabilities into existing environments.  Professional users also benefit from easier compliance management through instant access to historical cloud server security data, critical to achieving compliance with PCI, FISMA, HIPAA and other industry standards.  GhostPorts, another outstanding Professional feature, provides stealth access to network services.”

GhostPorts allow admins to open the firewall to specific IPs for a set time.

Cloud Passage is a company that has built a cloud solution from the ground up instead of taking a traditional security product and trying to make it fit the cloud. Their use of APIs instead of appliances and virtual appliances is, I believe, the model to follow. I think they represent a new breed of pure-play cloud security provider.

Red Lambda MetaGrid™ – Web applications and the cloud have given rise to a whole new class of programs collectively referred to as “Big Data“. Programs like Hadoop and all of the NoSQL databases have allowed for the collection of massive amounts of data distributed in the cloud on commodity hardware.

Analyzing and securing all of this data creates the same challenges that storing and using it does. Traditional appliances and single-server solutions don’t work. Even virtual appliances are not the answer. Instead, Red Lambda is using smart grid technology to tackle this big job. They also do it without signatures or rules, because those don’t scale to this level either. The MetaGrid solution uses another Red Lambda technology they call Neural Foam.

Patent-pending Neural Foam™ uses artificial intelligence to cluster massive amounts of data into its simplest, natural structure without a single rule. Neural Foam’s unique ability to continuously learn all knowledge and anomalies from any data, over any timescale, event by event revolutionizes operations. In one pass, MetaGrid makes it possible to see every aspect of an infrastructure, from the most normal activity, to threats, to things that only happen once or differ by a single unusual bit. Quite simply, it’s the ultimate weapon against the unknown, inside or out.

It is certainly a new approach to the big data security issue, which (no pun intended) is big and getting bigger every day.

Cisco ASA 1000V – Yes, that’s right, Cisco. They just announced the virtual version of their ASA firewall and security appliance, built for multi-tenant cloud environments. ASA 1000V provides firewall capabilities, comprehensive real-time threat defense, always-on remote access and comprehensive network security. Yes, it is a virtual appliance, but it works with the Cisco Virtual Appliance Network Management Center to assign policies and rules across multiple virtual instances. It may not be the same as an enterprise-class Checkpoint or next-gen Palo Alto box, but inexpensive, available virtual firewalls will be commodity items available to every cloud user very soon!

Between the host-based firewalls that many companies are using to protect cloud instances and the virtual firewalls from Cisco and others, we are seeing the firewall once again play a foundational role, this time in cloud security.

Alert Logic fully managed Security-as-a-Service – Just having security available in the cloud is not enough. Security, whether virtual or physical, cloud-based or on-premises, is beyond many organizations today. Taking Alert Logic‘s “in the cloud, for the cloud” security offerings and wrapping them with a world-class security research team and an always-on SOC gives any organization the peace of mind of knowing that security is taken care of.

The recent announcement of a joint Alert Logic/Datapipe managed security solution for the Amazon cloud shows that managed security as a service can go anywhere in the cloud and protect you.

So while some say security is still a hindrance to cloud adoption, the facts show that the industry is responding. Companies big and small, old and new, are bringing new solutions to solve the cloud security issue.


A while back I wrote a blog post called “Brother Can You Spare A Dime: Life Below The Security Poverty Line“. It was in response to a report written by The 451 Group and Tier 1 Research. Since then I have had a chance to see Wendy Nather present on Security Below the Poverty Line (including referencing my article) and have spoken to her at length about it.

I was able to get Wendy to take time out of her crazy busy schedule to sit down over Skype and record a podcast on “security below the poverty line”. We spoke about a great number of things, including open source security helping those on a tight security budget (and who isn’t on a tight security budget?).

Another idea is that by utilizing Security-as-a-Service types of offerings, those organizations that may not be able to afford it otherwise can be protected.

Wendy has some great insight on this topic, and this 17 minute interview is a great listen. So please listen in to Wendy and me discussing security below the poverty line.


Andrew Rose at Forrester Research has a good blog post up on CSO Online. He talks about the distinction, and oftentimes confusion, between accountability and responsibility. In Andrew’s mind the critical distinction is that while you can delegate or transfer responsibility, accountability does not follow to the newly responsible person.

To me this is similar to another dilemma that security managers often face: responsibility (in this case almost synonymous with accountability) without authority. You can’t tell someone it is their job to secure some critical data or perform some other task without giving them the authority to implement what is required to accomplish it.

In the area of compliance and the cloud this distinction is even more clear. No matter where your assets are, no matter the cloud you rely on, if your company has a compliance requirement, you are accountable for being compliant. The fact that you rely on 3rd parties being compliant in order for you to be compliant is your burden. You need to do the due diligence to make sure these 3rd parties are in fact compliant and don’t jeopardize your compliance status. At the end of the day you are accountable, even if it is someone else’s responsibility.

As Rose points out, this is going to be a key factor in cloud adoption and compliance in the near-term future. As the move towards the cloud gathers momentum, due diligence on 3rd parties’ compliance status will become more important. Evolving standards like Cloud Audit seek to help with that. But the bottom line is that you can outsource responsibility for compliance in the cloud, but you remain accountable and suffer the consequences of non-compliance.


Christine Burns over at Network World has been doing a good job of covering the cloud security space. She has been running a series called Public Cloud Security: Mission Impossible. It is a 6 part “comprehensive” series on cloud computing. Before you head over and read it, though, read this first.

Some of you are going to read Burns’s series and say, “come on shimmy, give me a break, can you spell Captain Obvious?” Yes, you’re right, much of what is in Christine’s series is rather elementary. But there are good reasons for this. The first reason is a lesson I learned in writing for almost 2 years at Network World: the readers of Network World tend to be IT generalists, not specialists. For many of them, cloud and cloud security are terms they may have heard but don’t really know all that well. You need to walk before you run, so the fact that Burns’s series has some simple steps is more a case of the IT public not being very cloud security savvy than of Burns’s ability to write a deeper story on cloud security that peels the onion back a few more layers.

Secondly, beyond the Network World readership issue, the whole cloud security space is still finding its way. As a result, we tend to get cloud security coverage that is either highly specific, technical and frankly over the heads of many readers unless they follow the CSA mailing lists, or vanilla, which is a lot of what Burns gives us in this series.

A case in point is where Burns asks some “experts” what they think are the greatest threats to cloud security. I personally know some of these folks and know of the rest of them by reputation. They are on the whole a good bunch of people, though I’m not sure they would all be at the top of my list of cloud security experts. The answers they give are good, even if easily connected to the companies they work for.

But I think the article on 8 ways to become a cloud security expert just crossed over the line. Basically the advice is to attend some smaller conferences like CSA, Cloud Camp and SANS, and then go to RSA and Black Hat. Oh yeah, and follow the blogs of two friends of mine, Chris Hoff and Ed Haletky. Two good blogs, BTW.

Beyond the obvious question of why Secure Cloud Review wasn’t included on the list ;-) , the bigger issue is: is that all it takes? I don’t think so. You might as well add sleeping in a Holiday Inn Express last night to the list. Even playing to a generalist crowd, I think some better advice may be in order. Maybe actually opening a cloud account at a public provider and getting some hands-on experience with what’s available, perhaps?

In any event, overall the series by Burns puts a spotlight on cloud security, and that is a good thing. You should go check it out and, depending on your level, dig out the pearls that are valuable to you.
