I will be leading an upcoming webinar on Identity and Access Management (IAM) in the Cloud titled:
The Perfect Storm: Managing Identity & Access in the Cloud
In this webinar and panel discussion we will talk about the key issues surrounding the people, processes and systems used to manage applications and data in the cloud. Topics covered will include:
Trends complicating secure cloud use;
Risks of unauthorized access, identity theft and insider fraud;
Challenges to IAM in the cloud;
Unique IAM considerations in the cloud;
Cloud features and functionality to improve IAM;
New approaches, including effective policy enforcement and the benefits of single sign-on;
Q and A panel session after the initial presentations.
This webinar is to be hosted by Tom Field of the Information Security Media Group, and we will be joined by thought-leaders from security vendors Ping Identity, McAfee and Aveksa, who will weigh in on how new cloud security solutions can help organizations improve IAM, as well as compliance, provisioning and policy management.
This should be a great presentation and discussion so please do register to view and participate;
Chris Hoff, who is the author of the Rational Survivability blog, gave a great closing keynote covering the last few years via his previous presentation titles and content. I can recommend reading / viewing the mentioned presentations. This was followed by a brief overview of current issues and trends, and then coverage of upcoming / very new areas of focus we all need to be aware of.
2008 – Platforms dictate capabilities (security) and operations – Read ‘The four horsemen of the virtualisation security apocalypse’
– Monolithic security vendor virtual appliances are the virtualisation version of the UTM argument.
– Virtualised security can seriously impact performance, resiliency and scalability
– Replicating many highly-available security applications and network topologies in virtual switches doesn’t work
– Virtualising security will not save you money. It will cost you more.
2009 – Realities of hybrid cloud, interesting attacks, changing security models – Read – ‘The frogs who desired a king – A virtualisation and cloud computing fable set to interpretive dance’
– Cloud is actually something to be really happy about; people who would not ordinarily think about security are doing so
– While we’re scrambling to adapt, we’re turning over rocks and shining lights in dark crevices
– Sure bad things will happen, but really smart people are engaging in meaningful dialogue and starting to work on solutions
– You’ll find that much of what you have works, perhaps just differently; setting expectations is critical
2010 – Turtles all the way down – Read – ‘Cloudifornication – Indiscriminate information intercourse involving internet infrastructure’
– Security becomes a question of scale
– Attacks on and attacks using large-scale public cloud providers are coming and cloud services are already being used for $evil
– Hybrid security solutions (and more of them) are needed
– Service transparency, assurance and auditability is key
– Providers have the chance to make security better. Be transparent.
2010 – Public cloud platform dependencies will liberate or kill you – Read ‘Cloudinomicon – Idempotent infrastructure, survivable systems and the return of information centricity’
– Not all cloud offerings are created equal or for the same reasons
– Differentiation based upon PLATFORM: Networking security, Transparency/visibility and forensics
– Apps in clouds can most definitely be deployed as securely or even more securely than in an enterprise
– However this often requires profound architectural, operational, technology, security and compliance model changes
– What makes cloud platforms tick matters in the long term
2011 – Security Automation FTW – Read ‘Commode computing – from squat pots to cloud bots – better waste management through security automation’
– Don’t just sit there: it won’t automate itself
– Recognise, accept and move on: The DMZ design pattern is dead
– Make use of existing / new services: you don’t have to do it all yourself
– Demand and use programmatic interfaces from security solutions
– Encourage networks / security wonks to use tools / learn to program / use automation
– Squash audit inefficiency and maximise efficacy
– DevOps and security need to make nice
– AppSec and SDLC are huge
– Automate data protection
2012 – Keepin it real with respect to challenges and changing landscape – Read – ‘The 7 dirty words of Cloud Security’
2012 – DevOps, continual deployment, platforms – Read – ‘Sh*t my Cloud evangelist says …Just not to my CSO’
– [Missing] Instrumentation that is inclusive of security
– [Missing] Intelligence and context shared between infrastructure and application layers
– [Missing] Maturity of “Automation Mechanics” and frameworks
– [Missing] Standard interfaces, precise syntactical representation of elemental security constructs
– [Missing] An operational methodology that ensures a common understanding of outcomes, and an ‘agile’ culture in general
– New application architecture and platforms (Azure, Cloud foundry, NoSQL, Cassandra, Hadoop etc.)
– APIs – everything connected by APIs
– DevOps – Need to understand how this works and who owns security
– Programmatic (virtualised) Networking and SDN (Software Defined Network)
– Advanced adversaries and tactics (APTs, organised crime, nation states, using cloud and virtualisation benefits to attack us etc.)
– Security analytics and intelligence – security data is becoming ‘big data’ – Volume. Velocity. Variety. Veracity.
– AppSec Reloaded – APIs. REST. PaaS. DevOps. – On top of all the existing AppSec issues – how long have the OWASP top threats remained largely unchanged??
– Security as a Service 2.0 – “Cloud.” SDN. Virtualised.
– Offensive security – Cyber. Cyber. Cyber. Cyber… Instead of just being purely defensive, do things more proactively – not necessarily actually attacking them; it can mean deceiving them into honeypots / honeynets, fingerprinting the attack, tracking back the connections etc., all the way up to actually striking back.
– Public clouds are marching onward; Platforms are maturing… Getting simpler to deploy and operate at the platform level, but with a heavy impact on application architecture
– Private clouds are getting more complex (as expected) and the use case differences between the two are obvious; more exposed infrastructure-connected knobs and dials
– Hybrid clouds are emerging, hypervisors commoditised and orchestration / provisioning systems differentiate as ecosystem and corporate interests emerge
– Mobility (workload and consuming devices) and APIs are everywhere
– Network models are being abstracted even further (Physical > Virtual > Overlay) and that creates more ‘simplexity’
– Application and information ‘ETL sprawl’ is a force to be reckoned with
– Security is getting much more interesting!
This was a great wrap up highlighting the last few years’ issues (how many of these have we really fixed?), along with where we are now, and a nice wrap up of what’s coming up. Are you up to speed with all the current and outstanding issues you need to be aware of? How prepared are you and your organisation for what’s coming up? Don’t be like the 3 monkeys.. 😉
While the picture is complex and we have loads of work to do, Chris’s last point aptly sums up why I love security and working in the security field!
Trusted cloud initiative – not there to sell product, just to help organisations (possibly everyone?) to be safer and more secure in the cloud.
This tool addresses the 10 key Cloud Security Control Areas from the CSA guidance.
The tool also allows you to select your industry, then maps this back to the regulatory bodies that are likely to regulate your industry. This then maps the specific regulations and controls you will need to meet.
Considerations to aid adoption;
– Consult guidance from organisations such as the CSA
– Require that the provider has obtained third party certifications and audits such as ISO/IEC 27001:2005
– Ensure clear understanding of security and compliance roles and responsibilities for delivered services
– Know the value of your data and the security and compliance obligations you need to meet
This talk was much more about the Microsoft Cloud readiness tool than the CSA STAR (Security, Trust, and Assurance Registry), but was still interesting and I can highly recommend both the STAR registry for CSPs and consumers, and the Microsoft tool.
Advanced Persistent Response – Tim Kellermann – Vice President of Cybersecurity – Trend Micro
How might organisations learn from elite hackers?
– 52% of companies failed to report or remediate a cyber-breach in 2011 (retains plausible deniability, but we all trade with these companies)
– A new piece of malware is created every second
– Trend Micro evaluations find over 90% of enterprise networks contain active malware!
Targeted attacks are becoming increasingly common. Attackers take time to gain intelligence about you and your networks.
Offence Informs Defence: The Kill Chain;
5. Command and Control
Advanced Malware examples include;
– IXESHE – The attackers behind this advanced malware use compromised hosts inside organisations’ networks to control other systems.
– Jacksbot – bot malware that is multi-platform across multiple O/Ss including mobile. (check)
We need to conduct more tests and assessments of our environments, using Zeus, BlackHole exploit kit, Metasploit, Spy Eye etc.
Tactical trends in Hacking;
– Professionalism and Commoditisation of Exploit Kits
– Man in the Browser attacks becoming more common
– Android Framework for exploitation (BYOD = BYOM (Bring Your Own Malware))
– Proximity attacks realised (Microphones turned on in laptops / phones / tablets, Bluetooth attacks)
– Mobile malware proliferation
– Application attacks
– Botnets migrating from IRC to HTTP
– Attacks against Macs
Cloud security issues / considerations;
– Server and VM integrity (virtualisation attacks, Inter VM attacks, Instant on Gaps)
– Network and Intrusion management and monitoring in a cloud / virtual environment
Custom attacks need intelligent and custom defences. We must recognise that APTs are consistent and part of ongoing campaigns.
Risk management in 2012;
– Has the cyber security posture of all third parties been audited?
– Is access to all sensitive systems governed by 2-factor authentication?
– Does a log inspection program exist? How frequently are they reviewed?
– Does file integrity monitoring exist?
– Can vulnerabilities be virtually patched?
– Is MDM and mobile management software utilised?
– Do you utilize DLP?
– Can you migrate layered security into the cloud environment?
– Do you maintain multi level, rule based event correlation?
– Do you have access to global intelligence and information sharing?
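The log inspection and event correlation questions above are easiest to reason about with a concrete rule set. The following is an added example, not code from the talk or from Trend Micro: a small two-level correlator in Python run over constructed sshd-style auth log lines (the host name, addresses and timestamps are made up for the example). Level one fires on a burst of failed logins for one source/user pair; level two escalates when a successful login follows that burst, which is the kind of multi-level, rule-based correlation the checklist asks for.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (not captured from any real system).
SAMPLE_LOG = """\
2012-11-07T10:00:01 web01 sshd[2201]: Failed password for admin from 203.0.113.9 port 51022 ssh2
2012-11-07T10:00:03 web01 sshd[2202]: Failed password for admin from 203.0.113.9 port 51023 ssh2
2012-11-07T10:00:05 web01 sshd[2203]: Failed password for admin from 203.0.113.9 port 51024 ssh2
2012-11-07T10:00:06 web01 CRON[2204]: pam_unix(cron:session): session opened for user root
2012-11-07T10:00:07 web01 sshd[2205]: Failed password for admin from 203.0.113.9 port 51025 ssh2
2012-11-07T10:00:09 web01 sshd[2206]: Failed password for admin from 203.0.113.9 port 51026 ssh2
2012-11-07T10:00:12 web01 sshd[2210]: Accepted password for admin from 203.0.113.9 port 51030 ssh2
2012-11-07T10:05:00 web01 sshd[2300]: Accepted password for deploy from 198.51.100.4 port 40000 ssh2
2012-11-07T10:06:00 web01 sshd[2301]: Failed password for deploy from 198.51.100.4 port 40001 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(line):
    """Return a dict for sshd password events, None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Two-level rule-based correlation.

    Level 1: `threshold` failed logins for the same (source, user) inside
             `window` raises a password-guessing alert (once per burst).
    Level 2: an accepted login for that same pair while the level-1
             condition still holds escalates to a likely compromise.
    """
    recent_failures = defaultdict(deque)  # (src, user) -> failure timestamps in window
    raised_level1 = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in raised_level1:
                raised_level1.add(key)
                alerts.append({"level": 1, "rule": "password_guessing",
                               "src": ev["src"], "user": ev["user"],
                               "count": len(q), "at": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"level": 2, "rule": "success_after_guessing",
                           "src": ev["src"], "user": ev["user"],
                           "count": len(q), "at": ev["ts"]})
            q.clear()
            raised_level1.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failed login for `deploy` never reaches the threshold, so it produces nothing; that is the point of correlating rather than alerting on every failure line. Tuning `threshold` and `window` per environment is the part that needs the regular review the checklist asks about.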
There was a lot to think about in this presentation from Trend Micro, and it nicely builds on / reinforces the points made both here and at RSA – the attackers are getting increasingly sophisticated and we need to work hard not just to keep up but to try and get ahead of them. The closing points under the heading ‘Risk management in 2012’ are well worth bearing in mind when thinking about your risk management process / strategy.
Aligning Your Cloud Security with the Business: A 12-Step Framework
This talk was actually very light, but I thought I would share the 12 points they covered as the points around creating business cases and defining value in business not IT terms are worthwhile;
Implementing data centric security in the cloud;
Key ingredients – Data, Users, Business Processes, Clouds, Controls, Compliance
1. Define the business relevance of each data set being moved to the cloud.
2. Classify each data set based on business impact; this must be business driven, not IT driven.
3. Inventory data, both technically and consultatively. DLP was mentioned as one of the best ways to discover and maintain data inventories.
4. Destroy (or archive offline) any unnecessary data.
5. Inventory users into user roles / role types (you can also segment by other attributes, such as geography).
6. Associate data access with business processes, users and roles.
7. Determine standard control requirements for each data set.
8. Determine feasible controls for each cloud environment, e.g. you can implement far fewer of your own controls in a SaaS environment than in IaaS.
9. For each data set, identify the acceptable platform(s) based on the required controls and the security level of the data.
10. Ensure only users that need access to data have access to it, and that this access is at the appropriate level.
11. Identify and implement appropriate controls across each cloud environment.
12. Validate and monitor control effectiveness.
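To make steps 7 to 10 concrete, here is an added example (not from the presentation) in Python that expresses the framework’s decisions as data: standard controls per impact class, the controls each cloud delivery model lets you implement, and the roles allowed to touch each data set. All platform names, control names, data sets and users are constructed for illustration. It answers two of the framework’s questions: which platforms are acceptable for a data set given its required controls, and which users currently hold access their role does not justify.

```python
# Constructed catalogue of the controls a customer can implement or verify on
# each platform. Real matrices (e.g. the CSA Cloud Controls Matrix) are far larger;
# the SaaS entry is deliberately the shortest, matching step 8.
PLATFORMS = {
    "public-saas-crm": {"model": "SaaS",
                        "controls": {"mfa", "audit_logging", "encryption_at_rest"}},
    "public-paas-app": {"model": "PaaS",
                        "controls": {"mfa", "audit_logging", "encryption_at_rest",
                                     "customer_managed_keys"}},
    "private-iaas":    {"model": "IaaS",
                        "controls": {"mfa", "audit_logging", "encryption_at_rest",
                                     "customer_managed_keys", "network_segmentation",
                                     "host_ids"}},
}

# Step 7: standard control requirements per business-impact class (constructed).
STANDARD_CONTROLS = {
    "low":    {"audit_logging"},
    "medium": {"audit_logging", "mfa", "encryption_at_rest"},
    "high":   {"audit_logging", "mfa", "encryption_at_rest",
               "customer_managed_keys", "network_segmentation"},
}

# Steps 2 and 6: constructed data sets with their impact class and allowed roles.
DATASETS = {
    "marketing-brochures": {"impact": "low",    "allowed_roles": {"marketing", "sales"}},
    "customer-contacts":   {"impact": "medium", "allowed_roles": {"sales", "support"}},
    "card-transactions":   {"impact": "high",   "allowed_roles": {"finance"}},
}

# Step 5: constructed user inventory and the access each user holds today.
USERS = {"alice": {"role": "finance"}, "bob": {"role": "sales"}, "carol": {"role": "marketing"}}
CURRENT_ACCESS = {
    "card-transactions":   {"alice", "bob"},
    "customer-contacts":   {"bob"},
    "marketing-brochures": {"carol", "bob"},
}


def required_controls(dataset_name):
    """Step 7: the standard control set for the data set's impact class."""
    return STANDARD_CONTROLS[DATASETS[dataset_name]["impact"]]


def control_gaps(dataset_name, platform_name):
    """Step 8: required controls the platform cannot give you."""
    return required_controls(dataset_name) - PLATFORMS[platform_name]["controls"]


def acceptable_platforms(dataset_name):
    """Step 9: platforms with no control gaps for this data set."""
    return sorted(p for p in PLATFORMS if not control_gaps(dataset_name, p))


def access_violations(dataset_name):
    """Step 10: users holding access whose role is not on the allowed list."""
    allowed = DATASETS[dataset_name]["allowed_roles"]
    return sorted(u for u in CURRENT_ACCESS.get(dataset_name, ())
                  if USERS[u]["role"] not in allowed)


if __name__ == "__main__":
    for name in DATASETS:
        print(name, "->", acceptable_platforms(name), "violations:", access_violations(name))
```

Because the evaluation is driven by data, re-running it after a reclassification or a change to a platform’s control set is the monitoring step 12 calls for, rather than a one-off design exercise.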
So to summarise the presentation;
Start with the business context, not the security controls
Classify based on the business value, not the IT value!
This week I am at the Cloud Security Alliance (CSA) congress in Orlando. The week has been pretty hectic with meeting people and receiving an award etc. I have made some notes from a few of the talks so will share those here, although they are not as comprehensive as the notes I made at the RSA conference a few weeks ago.
Regarding the conference itself, this has been a bit of a busman’s holiday as I have had to take this week as annual leave due to it not being directly linked to my current day job and the fact it’s my third conference in a couple of months.. On a brighter note the CSA actually paid for me to come out here to receive my award, which was an extremely cool gesture.
In terms of organisation and content this one falls somewhere between the service technology symposium and the RSA conference, but much nearer the RSA end of the scale. The conference is obviously a lot smaller than RSA, but was surprisingly well organised. Content was also pretty good, a few too many vendor product focussed talks for my liking, but this is a new conference that has to be financially viable as well as interesting. Overall I would definitely recommend coming to this next year if you have any interest in cloud security.
As with the previous conferences I’ll split the day’s notes into a couple of posts, in order to get these up now rather than waiting until I get home and find time to write things up, so please be understanding if some of them are not perfectly formatted or as fully explained as they could be. I will be creating more detailed follow up posts for some of the key issues that have been discussed.
Opening Keynote 1 – The world is changing; we must change with it!
– What do you do if you have a security incident in a faraway country? Your Law enforcement / government has no jurisdiction.. eBay has directly indicted over 3000 people globally due to the security / incident response and investigation teams.
– Have to create capabilities to share vital information globally
– Computation is changing
Exponential data growth and big data
– Adversary is professional, Global and Collaborative
We are all fighting alone
– Threat continues to increase
– Business environment is changing
– Change the way you think!
Can we make attack data anonymous enough that it can be shared in a meaningful way to help others and improve overall understanding and security?
– Look at things like CloudCert
Computing is changing;
– Cloud computing is just the beginning
Shared datacentres, networks, computers etc..
– Driven by cost savings and need to be competitive in a global marketplace
– Virtualisation – Mobile – BYOD (explosion of devices)
– Increasing reliance on Browser
Secure Browser ‘App’ vs. URL (Apps vs. things like HTML5)
Do we start building Apps / Browsers dedicated to specific tasks for critical / risky tasks such as banking, online shopping with card details etc. This would stop XSS.
Exponential data growth – Big data
– In 2010 humanity’s data passed 1 zettabyte (1 with 21 zeros after it).
– Estimated volume in 2015 – 7.9ZB
– Number of servers expected to grow by 10x over the next 10 years.
Malware 26M in 2011 – 2.166M/mo. – 71,233/day. 73% Trojans.
Application lifecycle – how long will the legacy apps you use be around?
First attacks on O/S
First mobile drive by downloads
Malicious programs in App stores
First mass Android worm
– Attacks built in the Cloud are invisible, and inexpensive
Role of cloud providers in detecting attack development – what are the implications of this – to prevent attacks CSPs would need some visibility around what you are doing.. Would you want this?
Business Environment Changes
– Drive to innovate
Scrums, agile computing initiatives change the way we work
Security needs to work in a more agile way
– Rapid delivery of features and functions
Build securely – not build and test
– Impact of Intense, Global competition
– SMBs are the foundation of US recovery but need help
– Blurring of home/personal and work
Six Irrefutable Laws of information Security;
Information wants to be free
Code wants to be wrong
Services want to be on
Users want to click
Even a security feature can be used for harm
The efficacy of a control deteriorates with time
The implications for Cloud Security, shared infrastructures and platforms, virtualisation, the proliferation of mobile devices etc. are clear.
Even small or seemingly less interesting companies are now targets – criminals want as much information as they can get. Again this highlights the point that you will be hacked.
What do we need to do? – We need intelligence!
Director of Georgia Tech Information Security Centre, 2011 –
“We continue to witness cyber-attacks of unprecedented sophistication and reach, demonstrating that malicious actors have the ability to compromise and control millions of computers that belong to governments, private enterprises and ordinary citizens.”
We have limited resources so what should we spend our time and money on – malware defence? Mobile? Big Data?
What is needed to get where we need to be?
– Global perspective
– Global Information Sharing
– Intelligence based security
Strategy and Budget
– We MUST eliminate the obstacles!
Global Information Sharing
– We have been trying for decades
– How do we establish trust
Methods to make data anonymous
Attack data sharing
– Who shares?
Needs of SMBs
– Role of Governments (pass treaties around data sharing and cross boundary working)
– Benefits go far beyond incident response
Incident response in the Cloud;
– Where is your data (does it ever get moved due to problems, bursting within the CSPs infrastructure etc. – need very clear contracts)
– Consider model you use – IaaS / PaaS / SaaS and what this means
– Network control
– Log correlation and analysis – where are these, who owns them, who can access them..
– Roles and responsibilities
– Access to event data, images etc. When will you find out about issues and breaches?
– Application functioning in the cloud – consider the impacts of applications running in shared and / or very horizontally scalable environments.
– Virtualisation benefits and issues
– Capabilities and limitations of your provider
– CSA and Cloud CERT
– Government initiatives
– Private initiatives
Breaches can impact all of us, finding ways to work together and share data is critical. Cloud is relatively new – we can make a difference and improve this moving forwards.
Recommendation to read the upcoming book from the CISO of Intel (Malcolm) around security that covers various areas including – understanding the world and providing a reasonable level of protection (inc. BYOD, need to be agile etc.)
– Remove Obstacles
– Build subject matter expertise
– Global sharing is critical to success
Who will attack you, using what methods in 2013?
Where should you spend your time / money?
Intelligence based security
– Security sophistication must keep pace with attack sophistication!
The Security as a Service working group implementation guidance papers have now all been published and are available for free download from the Cloud Security Alliance website.
These provide a great overview of, and guidance around the 10 categories of security as a service that we identified last year. The 10 documents have all been created using a standard template to ensure they are easy to use and understand.
Each document contains the following sections:
1. Introduction; Brief overview of the service, along with intended audience and the scope of the document.
2. Requirements Addressed; An overview of the business / security requirements that the service can address.
3. Considerations and Concerns; Details of areas to consider and potential risks / concerns when implementing the cloud based service.
4. Implementation Guidance; This section is the meat of the document providing guidance for anyone looking to implement the service usually including diagrams of example architectures or architecture components.
5. References and Useful Links; References used in the creation of the document and useful links for further research.
The documents and their download links are shown below;
Category 1 // Identity and Access Management Implementation Guidance;
If you are planning on implementing any of the Security as a Service categories, need to evaluate them, or just want to know more, please feel free to download these documents. I hope you find them interesting and useful.
If you have any feedback for the documents don’t hesitate to provide it either via the comment section of this blog, or directly via the CSA website. If you are interested in getting involved and contributing to the next steps of this research we are always looking for more volunteers!
This talk demonstrates some live tools and hacking demos, so starts with the standard disclaimer;
ALWAYS GET PERMISSION IN WRITING!
Performing scans, password cracking etc. against systems without permission is illegal.
Use any mentioned tools and URLs at your own peril!
CIA – Confidentiality, Integrity, Availability / Accountability / Auditability – while still important, has gone out of the window in terms of being the core mantra for many security professionals and managers.
Evolution of the environment and hacking;
1st Age: Servers – FTP, Telnet, Mail, Web – the hack left a footprint
3rd Age: Virtual Hacking – Gaining someone’s password is the skeleton key to their life and your business. Accessing data from the virtual world can be simple – Simplest and getting easier!
Virtual World – with virtual back doors. This is the same for cloud computing and local virtual environments. What do you do to prevent your virtual environment administrators copying VMs and even taking these copies home? You need to prove both ownership and control of your data.
The question is posed – how much have we really learnt over the last 15 years or so? We need to go back to basics and re-visit the CIA model. Think of the concept of a ‘secure breach’, if our important data is protected and secure, being breached will still not gain access to this.
Demo against VMware 4.1 update 1. Using a simple scan, you can find multiple VMware servers and consoles exposed directly to the internet; remember though that these attacks can easily be launched from within your environment.
Outside of this talk, this raises the question – how segregated are your networks? Do you have separate management, server, database etc. networks with strong ACL policies between them? If not I’d recommend re-visiting your network architecture. Now.
Once you find a vCenter server, the admin / password file is easily accessible and only hashed in MD5. This can be broken with rainbow tables very quickly. You can then easily gain access to the console and thus control of the whole environment.
To make things even easier, tools like Metasploit make this sort of attack as simple as a series of mouse clicks. I’d recommend checking out Metasploit, it’s a great tool.
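As an added illustration of why the MD5 point matters (this is example code written for this post, not anything from the talk or from VMware, and the accounts and password list are constructed), the Python below builds an unsalted MD5 store next to a salted PBKDF2 store. The defender’s check, comparing stored hashes against the hashes of a list of common passwords, is the same single-table lookup that makes rainbow tables effective against unsalted hashes; against the salted, iterated store the same two users no longer share a hash and each guess costs far more.

```python
import hashlib
import hmac
import os

# Constructed sample account store (illustrative, not from any real product).
# Two accounts share a password, which unsalted hashing makes visible.
SAMPLE_ACCOUNTS = {
    "admin": "Winter2012",
    "backup": "Winter2012",
    "ops": "v-Center!7q",
}

# Constructed "common password" list standing in for the precomputed
# tables the talk mentions; real lists are orders of magnitude larger.
COMMON_PASSWORDS = ["password", "123456", "Winter2012", "letmein", "qwerty"]


def md5_hex(password):
    """Unsalted MD5 of the password, the weak scheme described in the talk."""
    return hashlib.md5(password.encode()).hexdigest()


def unsalted_md5_store(accounts):
    """Build a user -> MD5 hex map, i.e. the weak store layout."""
    return {user: md5_hex(pw) for user, pw in accounts.items()}


def audit_against_common(store, common_passwords):
    """Defender's check: which users' stored hashes equal the hash of a
    common password? With unsalted MD5 one precomputed table answers this
    for every user at once, which is exactly why rainbow tables work."""
    table = {md5_hex(pw): pw for pw in common_passwords}
    return {user for user, h in store.items() if h in table}


def pbkdf2_store(accounts, iterations=100_000):
    """Hardened store: per-user random salt plus an iterated KDF. The same
    password no longer gives the same hash, and each guess costs
    `iterations` HMAC-SHA256 computations instead of one MD5."""
    out = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        out[user] = (salt, iterations, dk)
    return out


def verify(store, user, password):
    """Constant-time comparison of a login attempt against the hardened store."""
    if user not in store:
        return False
    salt, iterations, dk = store[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, candidate)


if __name__ == "__main__":
    weak = unsalted_md5_store(SAMPLE_ACCOUNTS)
    print("identical hashes for identical passwords:", weak["admin"] == weak["backup"])
    print("users matched by a common-password table:",
          sorted(audit_against_common(weak, COMMON_PASSWORDS)))
    strong = pbkdf2_store(SAMPLE_ACCOUNTS)
    print("hardened hashes differ for identical passwords:",
          strong["admin"][2] != strong["backup"][2])
    print("login check:", verify(strong, "admin", "Winter2012"), verify(strong, "admin", "wrong"))
```

The audit function is the useful takeaway for a defender: if a product you run stores credentials this way, you can measure the exposure on your own copy of the file before an attacker does, and the salted store shows what to ask the vendor for instead.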
Look at www.cvedetails.com for details on just how many vulnerabilities there are, this site also classifies the vulnerabilities in terms of criticality and whether they impact CIA. This is a great input into any risk assessment process.
This is described as a password recovery tool, but can do so much more. A prime example of the abilities of this tool is ARP poisoning such that you can see all the traffic on a given subnet / VLAN. I have personally used this to record (with approval of course!) VoIP calls in order to demonstrate the need to encrypt VoIP traffic. Cain even nicely reconstructs individual call conversations for you!
This is another personal favourite of mine – if your VoIP is not encrypted, why not? Does your board know it is trivially easy to record their calls, or those of finance and HR etc., on your network?
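On the defensive side of the ARP poisoning point, the following added example (not from the talk and not part of Cain) shows the two signals a monitoring script can watch for on a VLAN: an IP address whose MAC changes, and one MAC answering for several IP addresses. The ARP replies and addresses are constructed; in practice you would feed the function from periodic ARP table snapshots or a packet capture, and encrypting the VoIP traffic remains the fix rather than detection alone.

```python
from collections import defaultdict, namedtuple

ArpReply = namedtuple("ArpReply", "ts ip mac")

# Constructed: the known gateway binding and a sequence of ARP replies observed
# on one VLAN. Addresses are illustrative only.
KNOWN_GATEWAY = {"10.0.0.1": "00:11:22:33:44:01"}
SAMPLE_REPLIES = [
    ArpReply(1, "10.0.0.1", "00:11:22:33:44:01"),   # gateway answers as expected
    ArpReply(2, "10.0.0.50", "00:11:22:33:44:50"),  # a desk phone
    ArpReply(3, "10.0.0.77", "de:ad:be:ef:00:77"),  # a workstation
    ArpReply(4, "10.0.0.1", "de:ad:be:ef:00:77"),   # gateway IP now claimed by the workstation's MAC
    ArpReply(5, "10.0.0.50", "de:ad:be:ef:00:77"),  # and the phone's IP too
    ArpReply(6, "10.0.0.50", "00:11:22:33:44:50"),  # real phone answers again (flapping)
]


def detect_arp_anomalies(replies, known=None):
    """Return alerts for (a) an IP whose MAC binding changes and (b) a single
    MAC that answers for more than one IP, the pattern a poisoner produces
    when it inserts itself between hosts and the gateway."""
    table = dict(known or {})          # ip -> last MAC seen (seeded with trusted bindings)
    ips_by_mac = defaultdict(set)      # mac -> every IP it has claimed
    alerts = []
    for r in replies:
        ips_by_mac[r.mac].add(r.ip)
        prev = table.get(r.ip)
        if prev is not None and prev != r.mac:
            alerts.append({"rule": "mac_changed", "ip": r.ip,
                           "old": prev, "new": r.mac, "ts": r.ts})
        table[r.ip] = r.mac
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append({"rule": "mac_claims_many_ips", "mac": mac, "ips": sorted(ips)})
    return alerts


def gateway_alerts(alerts, known):
    """Filter to the alerts that touch a trusted binding, e.g. the gateway;
    these are the ones worth paging on."""
    return [a for a in alerts if a.get("ip") in known or set(known) & set(a.get("ips", []))]


if __name__ == "__main__":
    found = detect_arp_anomalies(SAMPLE_REPLIES, KNOWN_GATEWAY)
    for a in found:
        print(a)
    print("touching the gateway:", len(gateway_alerts(found, KNOWN_GATEWAY)))
```

Seeding the table with trusted bindings matters: without it the first reply for the gateway IP is simply learned, so a poisoner who is already active when monitoring starts would not trigger the change rule, only the many-IPs rule.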
Talk went on to cover some further easy attacks such as those using the power of Google search syntax to gain information such as from Dropbox, Skydrive, Google Docs etc. An example was finding Cisco passwords in Google docs files. This leads onto another question, are you aware of just how much data your organisation has exposed in the wild to people who merely know how to search intelligently and leverage the powerful searching capabilities of engines such as Google?
To make things even easier, Stach and Liu have a project called the ‘Google Hacking Diggity Project’ that has created a freely downloadable tool for creating complex Google / Bing searches with specific tasks in mind, such as hacking cloud storage etc.
This and various other attack and defence tools can be downloaded here;
I’d recommend you work with your organisation to use these constructively in order to understand your exposure and then plan to remediate any unacceptable risks you discover. The live demonstration actually found files online with company usernames and passwords in, so this exposure is demonstrably real for many organisations.
Talk ended with a brief comment on social networking and how the data available here such as where you are from, which schools you went to etc. can give hackers easy access to the answers to all your ‘secret’ questions.
Remember the term ‘secure breach’ – our important data is all encrypted with strong, robust processes. We were hacked, but it doesn’t matter. The CI part of CIA is critical!
I loved this talk, some great demos and reminders of useful tools!
As mentioned at the start, please be sensible with the use of any of these tools and gain permission before using them against any systems.
Keynote 3 – Francis deSouza – Group president, Symantec – The art of cyber war, know thy enemy, know thyself
For many years IT was standardising on systems from the client to the server room. Now we have BYOD, cloud etc. IT is becoming more diverse with many more devices and data stored across multiple locations and hosting environments.
What does this mean for IT security? What model do we need?
Historically IT security has been defence only and point / issue based. – you get viruses so install AV etc.
We need to look more holistically and look at how we defend against multi flanked attacks and advanced persistent threats. Also consider how we can use the attack against the attacker or to catch the attacker (think Aikido).
What do we mean by multi flanked? Attacks are now increasingly using multiple, seemingly independent attacks, many of which are just diversions so we miss the real attack. When we are busy or focusing on a specific task we often miss obvious things. Look up ‘how many times did the white team pass the ball’ for an example of this!
Phishing attacks are also getting much more advanced and sophisticated, these are now one of the primary ways attackers use to gain a foothold.
An example of this was a recent attack on a bank that used a phishing email to gain access to a bank. The gang then launched a DDoS attack on the bank, while the bank was rushing around trying to keep their site up and prevent the attack being successful. The gang then used the malware installed via the phishing email to steal bank and ATM details. They then passed these to their monetising team who created ATM cards, distributed these to hired people who all went to ATMs, and withdrew cash. This attack walked away with $9M in a couple of hours.
The attackers also do things like ensure they use cards in ways that look legitimate and at times customers (the legitimate card holders) are less likely to spot the use quickly.
How do these gangs create these massive data centres of compute power yet remain invisible to legal organisations such as Interpol, the FBI etc. Sophisticated organisations sell ‘bulletproof’ solutions hosted in one country, managed in another, sold in yet another etc. This is a real market where actual marketing is used, and there is great competition and price pressure – it is a lot cheaper than you think!
There is also the ‘democratisation’ of cyber warfare tools – this follows neatly from the previous talk – increasingly complex and advanced tools are available more and more readily.
On the other side of this is the huge increase in what we are trying to protect – we have more and more complex systems and ever growing data volumes. The volume of data stored is likely to increase by 40 times from today’s levels by 2020!
What does this mean for the security industry?
We need to improve our intelligence;
– What do they want?
– What are our key information assets?
– Out of all of our data which is critical, and which is ‘garbage’?
– What is happening in your organisation?
– How are the criminals working and what attacks are they using?
– Look holistically – what is the campaign they are using, and what are the weaknesses of their campaign?
– Who are the actors in the campaign?
Our intelligence and security need to be more agile – we need to improve our understanding of what is happening and the unknowns and unexpected things we discover. Is our security agile enough to change to deal with these new and unexpected things?
Brief comment on having powerful defences and AV (well this is Symantec..) Good point on reputation based computing – if we have never seen this file before should we trust it?
Keynote 4 – Adrienne Hall – General Manager, trustworthy computing, Microsoft – Risks and Rewards in cloud adoption
Microsoft Security Intelligence Report release 13 is available for download as of today, and is available here;
Microsoft recently commissioned a cloud computing survey. This was carried out by an independent survey company so vendor neutral around current barriers and benefits. The full results can be found here;
Unsurprisingly, perceived security risks are still the top barrier; however, of those who have adopted the cloud, 54% stated they have improved security, along with 47% who managed to make cost savings on their overall security spend. The perception and reality currently do not appear to align. How do we address these barriers?
– Collaborate to share information and guidance e.g. Cloud Security Alliance (CSA)
– Drive and support industry standards
– Commit to transparency in cloud offerings
Microsoft has just released a cloud security readiness tool that can be found here;
This is a survey tool that will allow you to assess both the security of your current environment and your readiness for cloud adoption / migration. This is a free tool that will help you plan a cloud migration regardless of the technologies or cloud providers you intend to use. To ensure vendor neutrality this links in with and is based on the CSA Cloud Controls Matrix.
The output of this survey is a report for your organisation which understands controls relevant to your industry and regional location.
Talk summary – Stay informed; Embrace standards, best practices and transparency; Weigh the risks and rewards.
Overall this talk was lighter than the others and fairly Microsoft focused, but had some good points and highlighted some useful tools.
Note, at the time of writing the ‘aka.’ links are giving 404 errors; I have emailed Microsoft and asked for this to be resolved.
Keynote 5 – Herbert Thompson – Program committee chairman, RSA conference – Securing the human: Our industry’s greatest challenge
In security we create situations where people are set up to fail, especially if they are not security savvy or paranoid.
– Links in emails – how do we know which are real and which are malicious?
– What do we do about site certificate errors?
– What do we do when a site wants us to download a file?
Security currently treats everyone the same regardless of knowledge or talent. One size does not fit all. Think of car insurance; you have to answer many questions, and the outcome is an insurance quote tailored to your risk profile.
We need to be the people that help the business understand the risk; enable them to make decisions and embrace change with a full understanding of the risks of doing so.
Very light talk, but great point around understanding and managing risk appropriately.
Cloud computing’s impact on future enterprise architectures
This talk was fairly light and I didn’t make a huge amount of notes, but thought there were a few points worth noting;
Definitions and boundaries are changing. Instead of the defined boundaries we are used to around traditional architectures, whether hosted locally or at a data centre, we are moving to much more fluid and interconnected architectures. Consider personal cloud, private cloud, hybrid cloud, extended virtual data centres, consumerisation, BYOD etc. The cloud creates different, co-existing architectural environments based on combinations of these models.
Consider why you should move to the cloud, which characteristics are important for your organisation such as;
– Elastically scalable
– Self service
– Measured services
– Virtualised and dynamic
– Reliability (SLAs, what happens when there are issues etc.)
– Economic benefits (cost reduction – TCO, and / or better resiliency)
Do you understand any potential risks;
– What are the security roles and responsibilities?
IaaS – you
BPaaS (business process as a service) – them
Sliding scale from IaaS – PaaS – SaaS – BPaaS
– Where is your data?
Your business and regulatory requirements
Jurisdictional rules – who can access your data
Legal / jurisdictional issues amplified
For me some of this talk was outdated, with a lot of focus on ‘where is your data’. While ‘where is my data’ is a key question, there was too much focus on the fact that your data could be anywhere in the world with global CSPs, when most big players now offer guarantees that your data will stay within defined regions if you want it to.
So, what does this mean for your ‘future’ cloud based enterprise architecture principles, concepts etc.?
– Must standardise on ‘shared nothing’ concept
– Standardise on loosely coupled services
– Standardise on ‘separation of concerns’
– No single points of failures
– Multiple levels of protection / security
– Ease of <secure> access to data
– Security standards to protect data
– Centralise security policy
– Delegate or federate access controls
– Security and wider design patterns that are easy to adopt and work with the cloud
Combining these different architectural styles is a huge challenge.
Summary – Dealing with multiple architectures, multiple dimensions and multiple risks is a key challenge to integrating cloud into your environment / architecture!
The slides from this talk can be downloaded here;
SOA (Service Orientated Architecture) environments are a big data problem / Big data and its impact on SOA
Outside of some product marketing for Splunk, the premise of these two talks was basically the same, that large SOA environments are complex, need a lot of monitoring and create a lot of data.
Splunk is incidentally a great open source product for log monitoring / data collection, aggregation and analysis / correlation. Find out more about it here; http://www.splunk.com/
SOA – great for agility, but can be complex – BPEL, ebXML, WSDL, SOAP, ESB, XML, BPM, UDDI, composition, loose coupling, orchestration, data services, business processes, XML Schema, registry etc. This can generate a huge amount of disparate data that needs to be analysed in order to understand the system. Both machine data and application-generated data may need to be aggregated.
SOA based systems can themselves generate big data!
We all know large web based enterprises such as Google and Facebook etc. have to deal with big data, but should you care? Many enterprises are now having to understand and deal with big data for example;
Retail and web transaction data
GPS in phones
Log file monitoring and analysis
The talks had the following conclusions;
– Big data has reached the enterprise
– SOA platforms are evolving to leverage big data
– Service developers need to understand how to insert and access data in Hadoop
– Time-critical conditions can be detected as data is inserted into Hadoop, using event processing techniques – Fast Data
– Expect big data and fast data to become ubiquitous in SOA environments – much like RDBMS are already.
So I’d suggest you become familiar with what big data is, and with the tools that can be used to handle and manage it such as Hadoop, MapReduce and Pig (these are relatively big topics in themselves and may be covered at a later date).
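To make the ‘fast data’ point concrete, here is an added example (not code from either talk, nor from Splunk or Hadoop) that evaluates each SOA service log record as it arrives, rather than in a later batch job, and raises an alert the moment a service’s error rate crosses a threshold inside a sliding window. The log format, the sample lines, the 60-second window and the 50% error-rate threshold are all constructed for the illustration; a real deployment would read the stream from Hadoop, a message bus or a log collector instead of a Python list.

```python
"""Streaming detection of time-critical conditions in SOA service logs.

Added example, not from the talks. It simulates the 'fast data' idea: each
record is evaluated as it is inserted, using a sliding window per service.
The log format and thresholds are assumptions chosen for this illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumed log format (constructed for this example):
# <ISO timestamp> service=<name> op=<operation> status=<http code> ms=<latency>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) service=(?P<service>\S+) op=(?P<op>\S+) "
    r"status=(?P<status>\d{3}) ms=(?P<ms>\d+)$"
)


@dataclass
class Event:
    ts: datetime
    service: str
    op: str
    status: int
    ms: int


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["service"], m["op"],
                 int(m["status"]), int(m["ms"]))


class SlidingWindowDetector:
    """Keeps the last `window` seconds of events per service and alerts as soon
    as the share of 5xx responses exceeds `max_error_rate`, provided at least
    `min_events` are in the window (so one failed call is not 100% failure)."""

    def __init__(self, window=60, max_error_rate=0.5, min_events=4):
        self.window = timedelta(seconds=window)
        self.max_error_rate = max_error_rate
        self.min_events = min_events
        self.buffers = defaultdict(deque)   # service -> events in window
        self.alerted = set()                # services currently in alert state

    def ingest(self, event):
        """Insert one event; return an alert string or None."""
        buf = self.buffers[event.service]
        buf.append(event)
        # Evict events that have fallen out of the window (buffer is time ordered).
        while buf and event.ts - buf[0].ts > self.window:
            buf.popleft()
        errors = sum(1 for e in buf if e.status >= 500)
        rate = errors / len(buf)
        if (len(buf) >= self.min_events and rate > self.max_error_rate
                and event.service not in self.alerted):
            self.alerted.add(event.service)
            return (f"{event.ts.isoformat()} ALERT {event.service}: "
                    f"{errors}/{len(buf)} errors in last {self.window.seconds}s")
        if rate <= self.max_error_rate:
            self.alerted.discard(event.service)  # condition cleared; re-arm
        return None


def process_stream(lines):
    """Feed lines through the detector in arrival order; return (alerts, skipped)."""
    det = SlidingWindowDetector()
    alerts, skipped = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        alert = det.ingest(ev)
        if alert:
            alerts.append(alert)
    return alerts, skipped


# Constructed sample stream: 'orders' degrades; 'billing' has a single failure.
SAMPLE_LOG = """\
2012-10-10T10:00:00 service=orders op=create status=200 ms=120
2012-10-10T10:00:02 service=billing op=charge status=500 ms=900
2012-10-10T10:00:05 service=orders op=create status=200 ms=110
2012-10-10T10:00:10 service=orders op=create status=503 ms=3000
this line is garbage and is skipped by the parser
2012-10-10T10:00:15 service=orders op=create status=503 ms=3000
2012-10-10T10:00:20 service=orders op=lookup status=503 ms=3100
2012-10-10T10:00:25 service=orders op=create status=500 ms=2800
2012-10-10T10:02:00 service=orders op=create status=200 ms=100
""".splitlines()

if __name__ == "__main__":
    found, skipped = process_stream(SAMPLE_LOG)
    for a in found:
        print(a)
    print(f"skipped {skipped} unparseable line(s)")
```

The single ‘billing’ failure never alerts because the `min_events` guard stops a 1-of-1 failure counting as a 100% error rate, and the alert fires once per outage rather than on every subsequent record, re-arming only after the rate drops back under the threshold. Those two details are what separate a usable fast-data rule from one that pages on noise.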
The slides from these talks can be downloaded from the below locations;
Time for delivery; Developing successful business plans for cloud computing projects
This talk covered some great points around areas to consider when planning cloud based projects. I’ll capture as much as I managed to make notes on, as there was a lot of content for this one. I’d definitely recommend checking out the slides!
Initial things to consider include;
– Defining the link between your business ecosystem and the available types of cloud-enabled technologies
– Identifying the right criteria for a ‘cloud fit’ in your organisation. (operating model and business model fit)
– Strategies and techniques for developing a successful roadmap for the delivery of cloud related cost savings and growth.
– Mobility – any connection, any device, any service
– Social Tools – any community, any media, any person
– Cloud – computing resources, apps and services, on demand
– Big Data – real time information and intelligence
In a nice link with the talk on HPC in the cloud, this one also highlighted the competitive step change that cloud potentially is; small companies can have big company levels of infrastructure, scalability, growth etc. Anyone can access enterprise levels of computational power.
Cloud computing can be used to drive a cost cutting / management strategy and a growth / agility strategy.
Consider your portfolio and plans – what do you want to achieve in the next 6 months, next 12 months etc.
When looking at the cloud and moving to it, what are the benefit cases and success measures for your business? These should be clearly defined and agreed in order for you to both plan correctly, and clearly understand if the project / migration has been a success.
What is your business model, and which cloud service business models will best fit with it? What is the monetization strategy for your cloud migration project; operational, growth, channel etc.? Initially cloud based projects are often driven by cost saving aspirations; however, the longer-term benefits will likely be greater if the drivers are ‘better and faster’, and cost benefits (or at least higher profits!) will follow. To be successful, you must decide on and be clear about your strategy!
As with all projects, consider your buy vs. build options.
Is IT a commodity or something you can instil with IP? Depending on your business you will be at different places on the continuum. Most businesses can and should derive competitive advantage by putting their skills and knowledge into their IT systems rather than using purely SaaS or COTS solutions without at least some customisation. This of course may only be true for systems relating to your key business, not necessarily supporting and administrative systems.
Cloud computing touches many strategies – you need a complete life-cycle 360 approach.
– Storage strategy
– Compute strategy
– Next gen network strategy
– Data centre strategy
– Collaboration strategy
– Security strategy
– Presence strategy
– Application / development strategy
Consider the maturity of your services and their roadmap to the cloud;
Service Management – Service integration – Service Aggregation – Service Orchestration
This talk highlights just how much there is to think about when planning to migrate to, or make use of, the cloud and cloud based services.
The talk also highlighted a couple of interesting things to consider;
Look up ‘The Eight Fallacies of Distributed Computing’ from 1993, and ‘Brewer’s Theorem’ from 2000 (published in 2002) to understand how much things have stayed the same just as much as how much they have changed!
This talk focused on the changes to security and security mindsets required by the move to cloud hosted or hybrid architectures. The title was mainly an attention grabber, but the talk overall was interesting and made some good points about what is changing, and also about the many concerns that are still basically the same.
– Fat guy with keys; IT focused; “You can’t do that”; Does not understand software development.
– Processes and gates; Tools and people; Good for Building; Not as good for acquiring / mashing
Traditional security wants certainty –
– Where is the data? – in transit, at rest, and in use.
– Who is the user?
– Where are our threats?
What happens to the data on the hard drives of commodity nodes when a node crashes, or when the container is shipped back to the manufacturer from the CSP (data at rest etc.)? The new world is more about flexible controls and policies than the traditional absolute certainties.
Security guys want to manage and understand change;
– Change control process
– Risk Management
– Alerts when things change that affect the risk profile
Whole lifecycle – security considered from requirements onwards, not tacked onto the end of the process. This for me is a key point for all security functions and all businesses. If you want security to be ingrained in the business, effective, and seen as an enabler of doing things right rather than a blocker at the end, it must always be incorporated into the whole lifecycle.
Doing it right – Business – Development – Security – working together.
– Render the Implicit Explicit
– Include security in design
Even in acquisition
Even in mash ups
– Include security in requirements / use cases
– Identify technical risks
– Map technical risks to business risks (quantify in money where possible)
– Trace test cases
Not just to features
But also to risks (non functional requirements!)
– Provide fodder (think differently, black hat / hacker thinking)
– Provide alternative reasoning
– Provide black hat mentality
– Learn to say “yes”
– Provide solutions, not limitations!
Goal – Risk management
Identify how the business is affected.
What can techies bring to the table?
– Estimates of technical impact
– Plausible scenarios
– Black Hat thinking
Compliance – does not equal – Security!
– Ticking boxes – does not equal – Security!
So the key take away points from this are that regardless of the changes to what is being deployed –
– Work together
– Involve security early
– Security must get better at saying ‘yes, here’s how to do it securely’ rather than ‘no’
No PDF of this presentation is currently available.
Moving applications to the cloud
This was another Gartner presentation that covered some thoughts and considerations when looking at moving existing applications / services to the cloud.
– What are our options?
– Can we port as is, or do we have to tune for the cloud (how much work involved?)
– Which applications / functions do we move to the cloud?
– Which vendor?
– IaaS, PaaS, SaaS…?
– How – rehost – refactor – revise – rebuild – replace – which one?
Rehost or replace are the most common, quickest and likely cheapest / easiest options.
You need to have a structured approach to cloud migrations, likely incorporating the following 3 stages;
– Identify candidate apps and data
Application and data-portfolio management
Apps and data rationalisation
– Assess suitability
Based on cloud strategy goals
Define an assessment framework
Risk, business case, constraints, principles
– Select migration option
rehost – refactor – revise – rebuild – replace
This should all be in the context of;
– What is the organisation’s cloud adoption strategy?
– What is the application worth? What does it cost?
– Do we need to modernise the application? How much are we willing to spend?
In order to make decisions around what to move to the cloud and how to move it you should define both your migration goals and priorities which should include areas such as;
– Gain Agility
Rapid time to market
Deliver new capabilities
Support new channels (e.g. Mobile)
– Manage costs
Avoid operational expenses
Leverage existing investments
– Manage resources
Free up data centre space
Gain operational efficiencies
Some examples of what we mean by rehost / refactor / revise / rebuild / replace;
Rehost – Migrating application – rehost on IaaS
Refactor – onto PaaS – make changes to work with the PaaS platform and leverage PaaS platform features
Revise – onto IaaS or PaaS – at least make more cloud aware for IaaS, make more cloud and platform aware for PaaS
Rebuild – Rebuild on PaaS – start from scratch to create new, optimised application.
Note – some of these (rebuild definitely, refactor sometimes) will require data to be migrated to new format.
Replace – with SaaS – easy in terms of code, data migration, business process and applications will change (large resistance from users is possible).
The presentation ended with the following recommendations;
– Define a cloud migration strategy
– Establish goals and priorities
– Identify candidates based on portfolio management
– Develop assessment framework
– Select migration options using a structured decision approach
– Be cognizant of technical debt (time to market more important than quality / elegant code!)
Do organisations ever plan to pay back ‘technical debt’? (Technical debt refers to corner cutting / substandard development that is initially accepted in order to meet cost / time constraints.)
A pdf of this presentation can be downloaded from here;
The main premise of this talk was that you need to understand the cloud paradigm when designing services that you plan to run in the cloud. Everything you do in the cloud costs, so minimise unnecessary actions and transactions.
Why is the cloud an attractive solution? – Cloud computing characteristics..
– Uses shared and dynamic infrastructure
– Elastic and scalable (horizontally NOT vertically!)
– On demand as a service (self-service)
– Meters consumption
– Available across common networks
Features you should consider for any services that will be hosted in the cloud; where + indicates patterns / beneficial designs, and – indicates anti-patterns / designs that will be more challenging to run successfully in the cloud;
– Motivation – Hardware will fail, software will fail, people will make mistakes
This talk was one of my favourites, and something I find very interesting. Traditionally High Performance Computing (HPC) has been the preserve of large corporations, research departments or governments, due to the size and complexity of the computing environments required in order to perform HPC. With the advent of HPC in the cloud, access to this level of compute resource is becoming much more widespread. Both the cost of entry and the expertise required to set up this type of environment are dropping dramatically. Cloud service providers are setting up both traditional CPU based HPC offerings and the newer, potentially vastly more powerful, GPU (Graphics Processor) based HPC offerings.
Onto the talk;
Cloud HPC can bring HPC levels of computational power to normal businesses for things like month / year level processing, risk calculation etc.
In order to think about how you can use HPC, look to nature for inspiration – longest chain – how small are the pieces a process can be broken down into in order to parallelise it?
– Traditional HPC – message passing (MPI), head node and multiple compute nodes, backed by shared storage. Scale issues – storage performance (use expensive bits)
– Newer HPC, more ‘Hadoop’ type model, data stored on compute (worker) nodes – they then just send back their results to the master node(s).
Look at things like Hive and Pig that sit atop Hadoop. More difficult to set up than MPI.
– Newest HPC – GPU – simpler cores, but many of them.
CPU – ~10 cores maximum. GPU – hundreds of cores (maybe thousands).
Some supercomputers are looking at thousands of GPUs in a single computer.
4.5 teraflop graphics card < $2000!!
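As an added example of the two models described above (it is not code from the talk, and it is neither MPI nor Hadoop code), the following Python simulates the data-local approach: each ‘worker’ already holds its shard and sends back only a five-number summary that the master merges, compared with the traditional approach of gathering every value on the head node first. Worker nodes are stood in for by threads, and the transaction amounts are constructed pseudo-random data; the byte counts are an assumed approximation (8 bytes per value) to show why the newer model scales past the storage bottleneck.

```python
"""Data-local ('Hadoop-style') aggregation versus shipping data to a head node.

Added example, not from the talk. Worker nodes are simulated with threads; in a
real cluster `local_summary` would run on the node that stores the shard.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
import math
import random


@dataclass(frozen=True)
class Partial:
    """Mergeable summary a worker returns instead of its raw data.

    Only computations expressible as mergeable partials fit this model; an
    exact median, for example, cannot be merged this way and needs a
    different decomposition (the 'how small a piece' question).
    """
    n: int
    total: float
    sum_sq: float
    lo: float
    hi: float

    def merge(self, other):
        return Partial(self.n + other.n, self.total + other.total,
                       self.sum_sq + other.sum_sq,
                       min(self.lo, other.lo), max(self.hi, other.hi))


def local_summary(shard):
    """Runs where the data lives; touches only the local shard."""
    return Partial(len(shard), sum(shard), sum(x * x for x in shard),
                   min(shard), max(shard))


def finish(p):
    """Master-side step: turn the merged partial into the final statistics.

    Uses the naive E[x^2] - E[x]^2 variance, adequate for these values; for
    data whose mean is huge relative to its spread, carry (mean, M2) per shard
    and merge with Chan's parallel formula to avoid cancellation.
    """
    mean = p.total / p.n
    var = p.sum_sq / p.n - mean * mean
    return {"n": p.n, "mean": mean, "stdev": math.sqrt(max(var, 0.0)),
            "min": p.lo, "max": p.hi}


def make_shards(n_workers=8, per_worker=10_000, seed=1):
    """Constructed sample data: each worker 'owns' one shard of amounts."""
    rng = random.Random(seed)
    return [[rng.gauss(100.0, 15.0) for _ in range(per_worker)]
            for _ in range(n_workers)]


def data_local_stats(shards):
    """Newer model: compute on the workers, send back only the partials."""
    with ThreadPoolExecutor(max_workers=len(shards)) as pool:
        partials = list(pool.map(local_summary, shards))
    merged = partials[0]
    for p in partials[1:]:
        merged = merged.merge(p)
    return finish(merged)


def head_node_stats(shards):
    """Traditional model: every value is first gathered on the head node."""
    return finish(local_summary([x for s in shards for x in s]))


def bytes_moved(shards, value_bytes=8, partial_bytes=5 * 8):
    """Approximate bytes crossing the network in each model (assumes 8-byte floats)."""
    return {"head_node": sum(len(s) for s in shards) * value_bytes,
            "data_local": len(shards) * partial_bytes}


if __name__ == "__main__":
    shards = make_shards()
    print("data-local:", data_local_stats(shards))
    print("head-node: ", head_node_stats(shards))
    print("bytes moved:", bytes_moved(shards))
```

Both paths produce the same mean, standard deviation, minimum and maximum, but the data-local path moves a few hundred bytes instead of the whole data set, which is the point of keeping data on the compute nodes. The design constraint this exposes is that the per-node work has to be expressible as a mergeable partial result; where it is not, the job has to be split differently or a second pass added.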
Cloud scale vs. on premise –
– On premise = measured by rack at a time.
– Cloud = lorry trailers added by simply plugging in network, cooling and power then turning on, left until enough bits fail, then returned to the manufacturer.
Cloud = focused effort! – Cloud power is managed by the CSP, researchers work. No need for a huge amount of local infrastructure.
How to move to the cloud, largely as with other stuff –
– Go all in – pure cloud.
MPI cluster – just have images of head and compute nodes and scale out. A 10 node cluster hosted on Amazon made the Top 500 computer list with minimal effort in setup / config.
Platform as a service – e.g. Apache Hadoop based services for Windows Azure – just choose how big you want the cluster through the web interface. It already has an Excel interface, so Excel can directly use this cluster for complex calculations!
– Go hybrid – add compute nodes from the cloud to existing HPC solution (consider – latency issues, and security issues (e.g. VPN to the cloud)).
You really don’t care about how the technology works. Only how it helps you work!
Final note – GPU development is currently mostly proprietary and platform specific. Microsoft is pushing their proposed open standard that treats CPU and GPU as ‘accelerators’; it does the abstraction at run time rather than compile time. This would allow much greater standardisation of HPC development as it abstracts the code from the underlying processing architecture.
These are exciting times in the HPC world and I’d expect to see a lot more people / companies / research groups making use of this type of computing in the near future!