When Encryption Doesn’t Mean More Secure

By Ken Smith

I have had a number of clients reach out to me about how to implement whole disk encryption, SQL transparent data encryption, and encryption of VMware VMDK files in order to satisfy “data at rest” security requirements. My response is usually something like “Say that again?”

These types of encryption approaches are designed to better protect data at rest on media that may be accessible to individuals who are not authorized to access such data. This is usually some form of portable media such as a hard drive in the notebook computer, a portable USB hard drive, a USB stick, a backup tape, etc. And by “at rest” we are talking about files that have been saved to media and are not currently open or active. So to summarize, these types of encryption solutions are intended to protect data at rest on some form of portable media or media that is generally accessible to individuals that should not have access to sensitive data stored on that media. What I’m seeing, however, is that this type of encryption is being adopted to address “encrypt sensitive data” compliance requirements such as PCI DSS.

The intent of such “encryption of data at rest” requirements is to protect specific data from unauthorized access whether it be via application access, network file system access, or physical access. If the sensitive information is on storage media that is physically secured in a data center and this data is protected with appropriate network file system access controls, then the only thing remaining is to render the data unreadable to any unauthorized party at the application access level. This is where column or field level encryption comes in. Only authorized individuals or processes have access to the sensitive information in unencrypted form, and only authorized individuals or processes have access to the decryption keys that allow such access.

Let’s switch back to whole disk encryption and SQL transparent data encryption. When a system that’s running either of these is brought online, all users of the system have access to unencrypted data. Not just specific users who have been authorized to access specific sensitive information, but all users. When a server running BitLocker has finished booting, every process and user running on that host has access to data that BitLocker is decrypting for them on the fly every time it’s read from disk. A SQL database server running TDE makes all of its data accessible to all processes and users that have access to the database. While the database is running, the encrypted data is decrypted on-the-fly for all to see. The decryption keys are automatically presented regardless of who is requesting them. This isn’t really “protecting specific data from unauthorized access with encryption” is it?

With the proliferation of virtualization and cloud-based systems, we are now seeing this same thinking applied to protecting sensitive virtual systems. For a VMware environment, VMDK files can be encrypted to protect them from unauthorized access and use, but this is also a method that’s identical to solutions like whole disk encryption and SQL TDE. The data is only protected after it’s been written to disk, the VM is not actually running, and the decryption keys are only accessible to specific services and users that require access to the sensitive data. In most environments, this is not the case.

This type of encryption does have its place. For example, in multi-tenant or public cloud environments, it may be desirable to only allow specific authorized hypervisors to use certain virtual instances. It may make sense for SQL TDE to encrypt every database write to disk if you are using a public cloud providers’ storage and backup solutions. It might be a good idea to use whole disk encryption on a system that is physically at risk of being stolen. But just throwing these types of solutions at a system because they have the word encryption in them and they are easy doesn’t always mean that you’re actually doing a better job protecting sensitive information.

 

MapR Goes to Europe

MapR Technologies, the Hadoop outfit, is launching European operations in
support of its growing community of customers and partners there.

Its new headquarters in London will provide MapR with a base for sales to
accelerate the adoption of its high-performance enterprise-grade Hadoop
distribution.

MapR CEO John Schroeder says, “There has been phenomenal Hadoop
demand across Europe.”

The new office will help support existing strategic agreements between
MapR and EMC, Google, Cisco and Amazon as well as system integration
partners across the region.

read more

Cloud Bridges Gap Between Your Mobile’s SIM Card and Your Money

What happens when you cross a SIM Card and a Credit Card? You get SmartPass the new cloud based NFC-based payment system that allows cashless payments via the users smartphone.

Developed as as a joint venture of both Visa and Vodafone and recently unveiled in Australia, SmartPass is essentially an app. It is available to all smartphones on the Vodafone network that are equipped with Near Field Communication (NFC) capability. Most mid to high end smartphones purchased over the past year would have NFC.
You get SmartPass the new cloud based NFC-based payment system that allows cashless payments via the users smartphone.

Developed as a joint venture of both Visa and Vodafone and recently unveiled in Australia, SmartPass is essentially an app. It is available to all smartphones on the Vodafone network that are equipped with Near Field Communication (NFC) capability. Most mid to high end smartphones purchased over the past year would have NFC.
In addition to downloading the app you would need to order an NFC SIM card from Vodafone. The SIM card and the App work together with a cloud based user account that tops itself up from the users Visa or MasterCard before a payment.

read more

Headed to Foggy London To Talk Cloud

I’m headed to London this week, to talk to people about the future of cloud computing. Although innovation and progress today spread more uniformly throughout the world more quickly than in the past, there are still some severe discrepancies in technology adoption.

For example, the United States will be the site of more than half of all global cloud budgets in 2013, according to different reports I’ve read, even though it has less than 5% of the world’s population and about 25% of the world’s IT budget.

Our research at the Tau Institute over these past few months has shown differences of 10X among how nations score on a logarithmic scale – a difference of 1,000 times on an unadjusted numerica scale. Broadband connectivity ranges from close to zero percent to more than 40 percent. The highest average speeds are more than 30X the slowest. And the difference in the number of dataservers per capita has a range of several-thousand-X.

Open for Business
Yet the world is your technology marketplace today. It’s not uncommon for large enterprises have sources, contractors, and locations in 100+ countries. I knew an open-source software entrpreneur who had developers in Pakistan several years ago. Today, I’m working with a small developer who has a small team in the fifth-largest tech area in the Philippines – not the primary area in Metro Manile, or even in the country’s “second city” in Cebu, but in an emerging area in the south of the country.

I’ve met several entrepreneurs who are now working in Tanzania, others who are focusing on Ghana.

Our own research shows strong potential in such far-flung areas as Ukraine, Jordan, Uganda, and Mongolia.

As I’ve written before, the United States does not score especially well in our research. Rising income equality, a worsening primary and secondary educational system, and a lack of commitment to customer service by the major telcos are all conspiring to make the US a laggard compared to Canada in its own region, and to a few dozen other countries throughout the world. Cloud technology is being pioneered in the US, and being adopted here more quickly on an absolute basis.

But I’m looking forward to returning to Southeast Asia next year, and traveling to other parts of the world in search of true dynamism within the world of ICT. I’ll report back on what my colleagues in London have to say. London is among the most global of cities, and still in the absolute top tier of economic influence in the world. The UK, by the way, does well in our research, especially in comparison to its Western European neighbors. It will be fun to hear what people think when I meet up with them.

read more

Move to Cloud Accelerates

Many organizations say they rely on real-time processing of big data to fuel their business, and many of them say they are thinking about taking their big data to the cloud.
It’s no surprise that most enterprises are now taking big data more seriously. But what might raise an eyebrow is how many organizations say they rely on real-time processing of big data to fuel their business, as well as the number of companies who say they’re thinking about taking their big data to the cloud.
These findings come from a recent survey conducted by GigaSpaces, which asked 243 IT executives in various industries about their big data perceptions and plans. GigaSpaces, a provider of end-to-end scaling solutions for distributed application environments and an open platform-as-a-service (PaaS) stack for cloud deployment, conducted the survey online during the fall of 2012.

read more

SYS-CON.tv Interview: Service Virtualization Technology

“One of the last things always addressed on every wave of technology is quality and testing and this is where service virtualization, a type of virtualization that resides in the API level, comes in really handy,” explained Wayne Ariola, VP of Strategy & Corporate Development at Parasoft, talks to SYS-CON.tv at Cloud Expo Silicon Valley, in this SYS-CON.tv interview with Cloud Expo Conference Chair Jeremy Geelan at the 11th International Cloud Expo, held November 5-8, 2012, at the Santa Clara Convention Center in Santa Clara, CA.

read more

Security Posture Management Enters the Cloud

When eGestalt of Santa Clara, CA, announced in November they were launching a cloud-based security and compliance solution, it set the stage to change the way enterprise businesses could cope with complex compliance and security issues.
The solution, powered by Rapid7 scanning technology, was to deliver a “pure” cloud-based IT security monitoring and compliance management product that worked in real time without requiring any hardware, “a first of its kind solution,” say the vendors.
Called Aegify, the technology delivers Security Posture Management (SPM), which first measures the security status of all assets within a network, then delivers a report that can be used to remediate problems, strengthen security, and create and manage compliance policies. It leverages the compliance and security engine of eGestalt’s SecureGRC (governance, risk management and compliance) product with Rapid7’s Nexpose vulnerability management technology.

read more

Citrix Buys Zenprise

Citrix is buying mobile device management (MDM) house Zenprise.
Terms weren’t disclosed but Fortune says it’s paying $355 million.
The company, founded in 2003, raised $64.5 million from Bay Partners, Greylock Partners, Ignition Partners, Mayfield Fund, Rembrandt Venture Partners and Shasta Ventures.
When the deal closes in Q1, Citrix means to integrate Zenprise’s solution with its CloudGateway and Me@Work widgetry.
CloudGateway offers a single control point to manage and securely deliver native mobile apps, as well as Windows, web and SaaS apps to any corporate or personal device.

read more

Crittercism, UserVoice Partner for Customer Communication Platform for Mobile App Developers

Crittercism announced that it has partnered with UserVoice to deliver a customer communication platform for mobile app developers. As a result, developers can now monitor and manage app performance, as well as communicate directly with customers in real-time through a single, easy-to-use dashboard on upcoming upgrades, support issues and more via the cloud.

App crashes and user support are the top two issues affecting user retention and in-app purchases. As such, customer support is critical and has a direct impact on app store ratings, reviews, customer engagement and revenues.

With UserVoice for iOS, mobile app developers using Crittercism’s robust Mobile APM solution can now easily insert a customer support contact form into iOS mobile applications, giving users the ability to provide direct feedback from an iPhone or iPad.

Furthermore, mobile app developers can now access hosted feedback forums that allow users to create, discuss and vote on ideas to help prioritize order of importance, giving developers an easy way to collect critical feedback and improve their apps in a timely manner. As a result, developers are able to benefit from a complete customer communication and support service that not only increases customer satisfaction as well as retention.

“Crittercism’s mobile APM solution is extremely flexible and we are able to easily integrate new technologies into our system that make developers’ lives easier,” said Andrew Levy, Crittercism’s co-founder and CEO. “We are pleased to expand on our platform to offer our developers new, unique ways to reach their customers to offer the best user experience possible and provide actionable ideas on how to improve their products.”

“Consumers today expect a seamless mobile app experience, and will often abandon an app based on continued crashes or other issues, especially if they aren’t able to quickly report and resolve them,” said Richard White, CEO of UserVoice. “With Crittercism, we are extending our customer communication, support and feedback capabilities to mobile app developers, giving them the most comprehensive, flexible and intuitive support solution for mobile applications.”

SYS-CON.tv Interview: Accessing the Power of the Cloud

“Green Button is a multi-cloud management environment. It makes it very simple for users to access the power of the cloud,” explained Scott Houston, CEO of Green Button, in this SYS-CON.tv interview with Cloud Expo Conference Chair Jeremy Geelan at the 11th International Cloud Expo, held November 5-8, 2012, at the Santa Clara Convention Center in Santa Clara, CA.
Cloud Expo 2013 New York, June 10–13, at the Javits Center in New York City, New York, will feature technical sessions from a rock star conference faculty and the leading Cloud industry players in the world.

read more

The cloud news categorized.