Tag Archives: security

A More Practical View of Cloud Brokers

The conventional view of cloud brokers misses the need to enforce policies and ensure compliance.

During a dinner at VMworld organized by Lilac Schoenbeck of BMC, we had the chance to chat about cloud and related issues with Kia Behnia, CTO at BMC. Discussion turned, naturally I think, to process. That could be because BMC is heavily invested in automating and orchestrating processes. Despite the nomenclature used (business process management), for IT this is a focus on operational process automation, though eventually IT will have to raise the bar and focus on the more businessy aspects of IT and operations.

Alex Williams postulated the decreasing need for IT in an increasingly cloudy world. On the surface this generally seems to be an accurate observation. After all, when business users can provision applications a la SaaS to serve their needs do you really need IT? Even in cases where you’re deploying a fairly simple web site, the process has become so abstracted as to comprise the push of a button, dragging some components after specifying a template, and voila! Web site deployed, no IT necessary.

While from a technical difficulty perspective this may be true (and if we say it is, it is for only the smallest of organizations) there are many responsibilities of IT that are simply overlooked and, as we all know, underappreciated for what they provide, not the least of which is being able to understand the technical implications of regulations and requirements like HIPAA, PCI-DSS, and SOX – all of which have some technical aspect to them and need to be enforced, well, with technology.

See, choosing a cloud deployment environment is not just about “will this workload run in cloud X”. It’s far more complex than that, with many more variables that are often hidden from the end-user, a.k.a. the business peoples. Yes, cost is important. Yes, performance is important. And these are characteristics we may be able to gather with a cloud broker. But what we can’t know is whether or not a particular cloud will be able to enforce other policies – those handed down by governments around the globe and those put into writing by the organization itself.

Imagine the horror of a CxO upon discovering an errant employee with a credit card has just violated a regulation that will result in Severe Financial Penalties or worse – jail. These are serious issues that conventional views of cloud brokers simply do not take into account. It’s one thing to violate an organizational policy regarding e-mailing confidential data to your Gmail account, it’s quite another to violate some of the government regulations that govern not only data at rest but in flight.

A PRACTICAL VIEW of CLOUD BROKERS

Thus, it seems a more practical view of cloud brokers is necessary: a view that enables such solutions to consider not only performance and price, but also the ability to adhere to and enforce corporate and regulatory policies. Such a data center hosted cloud broker would be able to take these very important factors into consideration when deciding on the optimal deployment environment for a given application. That may be a public cloud, it may be a private cloud, it may be a dynamic data center. The resulting decision (and options) are not nearly as important as the ability for IT to ensure that the technical aspects of policies are included in the decision making process.

And it must be IT that codifies those requirements into a policy that can be leveraged by the broker and ultimately the end-user to help make deployment decisions. Business users, when faced with requirements for web application firewalls in PCI-DSS, for example, or for ensuring a default “deny all” policy on firewalls and routers, are unlikely to be able to evaluate public cloud offerings for their ability to meet such requirements. That’s the role of IT, and even wearing rainbow-colored cloud glasses can’t eliminate the very real and important role IT has to play here.

The role of IT may be changing, transforming, but it is in no way being eliminated or decreasing in importance. In fact, given the nature of today’s environments and threat landscape, the importance of IT in helping to determine deployment locations that at a minimum meet organizational and regulatory requirements is paramount to enabling business users to have more control over their own destiny, as it were.

So while cloud brokers currently appear to be external services, often provided by SIs with a vested interest in cloud migration and the services they bring to the table, ultimately these beasts will become enterprise-deployed services capable of making policy-based decisions that include the technical details and requirements of application deployment along with the more businessy details such as costs.

The role of IT will never really be eliminated. It will morph, it will transform, it will expand and contract over time. But business and operational regulations cannot be encapsulated into policies without IT. And for those applications that cannot be deployed into public environments without violating those policies, there needs to be a controlled, local environment into which they can be deployed.
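
The policy-aware placement decision this post argues for, as an added example (not code from the original post, nor from F5 or BMC): IT codifies each regulation as a set of technical controls, the broker filters candidate environments on whether they can enforce those controls, and only then ranks the survivors on cost. The environments, costs, latencies and the regulation-to-control mapping are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Environment:
    name: str
    hourly_cost: float      # constructed sample figure
    p95_latency_ms: int     # constructed sample figure
    controls: frozenset     # technical controls this environment can enforce


# Regulation -> technical controls IT derives from it. Illustrative mapping
# built around the post's own PCI-DSS examples (WAF, default-deny firewall);
# not an authoritative reading of any standard.
POLICY_CONTROLS = {
    "PCI-DSS": {"waf", "default_deny_firewall", "encrypt_in_flight"},
    "HIPAA": {"encrypt_at_rest", "encrypt_in_flight", "audit_logging"},
    "CORP-DATA-RESIDENCY": {"region_pinning"},   # hypothetical internal policy
}

# Constructed candidate environments the broker may choose between.
CANDIDATES = [
    Environment("public-cheap", 0.05, 40, frozenset({"encrypt_in_flight"})),
    Environment("public-enterprise", 0.12, 45, frozenset({
        "waf", "default_deny_firewall", "encrypt_in_flight",
        "encrypt_at_rest", "audit_logging"})),
    Environment("private-dc", 0.30, 10, frozenset({
        "waf", "default_deny_firewall", "encrypt_in_flight",
        "encrypt_at_rest", "audit_logging", "region_pinning"})),
]


def required_controls(regulations):
    """Union of the controls implied by every regulation the app falls under."""
    return set().union(*(POLICY_CONTROLS[r] for r in regulations))


def choose_environment(regulations, candidates, max_latency_ms=None):
    """Filter on enforceable controls first, rank on cost second.

    Returns (chosen, rejected): chosen is the cheapest compliant candidate, or
    None when no candidate can enforce the policy; rejected maps each excluded
    environment's name to the reasons it was excluded.
    """
    need = required_controls(regulations)
    eligible, rejected = [], {}
    for env in candidates:
        missing = need - env.controls
        if missing:
            rejected[env.name] = sorted(missing)
        elif max_latency_ms is not None and env.p95_latency_ms > max_latency_ms:
            rejected[env.name] = ["latency"]
        else:
            eligible.append(env)
    chosen = min(eligible, key=lambda e: e.hourly_cost, default=None)
    return chosen, rejected


if __name__ == "__main__":
    for regs in ([], ["PCI-DSS"], ["PCI-DSS", "CORP-DATA-RESIDENCY"]):
        chosen, rejected = choose_environment(regs, CANDIDATES)
        where = chosen.name if chosen else "nowhere (needs a controlled local environment)"
        print(f"{regs or 'no regulations'}: deploy to {where}; rejected {rejected}")
```

A `None` result is the case the post closes on: an application whose policy no public candidate can enforce needs a controlled local environment rather than the cheapest one on offer.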

Lori MacVittie is a Senior Technical Marketing Manager, responsible for education and evangelism across F5’s entire product suite.

Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

She is the author of XAML in a Nutshell and a co-author of The Cloud Security Rules.


Aujas Launches Phishnix for Cloud Services

Aujas Information Risk Services today announced the launch of Phishnix for cloud services, a new product that will help clients protect their sensitive information on the cloud by strengthening their weakest link in the security chain, their own employees. The product is targeted for major cloud services such as Salesforce, Google Apps, Netsuite etc.

Salesforce.com is the most popular cloud CRM company in the world with more than 75,000 companies who trust their customer data on Salesforce. The Salesforce security guideline specifically warns against the threat and says, “As the Salesforce.com community grows, it has become an increasingly appealing target for phishers. Phishers often direct users to enter details at a fake website whose URL and look-and-feel are almost identical to the legitimate one.”

One example is a recent scam that involved an email luring receivers to participate in the beta test of ‘Dreamforce,’ promising discounts and requesting receivers to fill a form, in a fake web link. In such a case, employees who are unaware of it being a phishing attack may easily fall prey to it. Any company is likely to face heavy business loss, when employees become victims of phishing attacks. According to the RSA Fraud report 2011, global loss from phishing is estimated to be about $1 billion.

Phishnix does a behavioral analysis of employees when faced with a phishing attack. It is integrated with Salesforce and has ready Salesforce scenarios which the client can select. They can start the assessment in a matter of hours and analyze how their employees react to a phishing attack. That data is then used to create awareness and train the employees on how to respond to a phishing attack.

Speaking on the occasion Mr. Karl Kispert, Vice President at Phishnix said, “A single assessment and training cycle of Phishnix reduces the phishing fall rate by almost 35%. That is a huge reduction in the phishing risk for any organization.”

The product will be showcased by our partner Exafort at Dreamforce 2012, booth number 326 at the Moscone Center, San Francisco, on 18–21 September 2012. Stop by Exafort’s booth and ask for a demo and additional information about Phishnix. Dreamforce 2012 is the cloud computing industry event of the year with more than 50,000 attendees and 350 cloud computing companies showcasing more than 1000 solutions.

“Data security and confidentiality on the cloud is one of the biggest concerns for all our clients using cloud based services to run their business. Cloud service providers are addressing this concern to a large extent by building robust and secure applications and platforms. By adding Aujas’ Phishnix to our tool belt we can now gain valuable insights of our clients’ employees’ behavior with respect to information security and act upon them,” said Arun Kanchi, CEO of Exafort Inc.

As cloud adoption increases within organizations, more sensitive data will be stored in the cloud. “We will see more focused phishing attacks targeting popular cloud applications. The road-map is to enable Phishnix for all popular cloud platforms, and help clients reduce phishing risk for all their cloud applications. It would become an integral part of their cloud security program,” said Sameer Shelke, CTO at Phishnix.


Next Level Security Systems Cloud Services Releases Cloud Security Management

Next Level Security Systems, a provider of unified, networked security solutions, today announced the availability of NLSS Cloud Services, which offers users remote access and multi-site security management from anywhere in the world.

NLSS Cloud Services are available for use with the entire suite of NLSS Gateway technologies. Powered by NextConnect™, a patent-pending peer-to-peer technology that efficiently streams live video to an unlimited number of users from a single site, NLSS Cloud Services delivers access to the NLSS Gateway’s features through any Web browser or mobile device. Users can access camera settings, live surveillance video and door controls, and even view video streams from up to four different sites simultaneously on a single screen. In addition, software can be updated remotely, eliminating the need for on-site support.

“NLSS Cloud Services provides our customers with peace of mind that their security systems are operating and updated from anywhere in the world,” said Peter Jankowski, Chairman and CEO, Next Level Security Systems. “Our managed services used in conjunction with the NLSS Gateway truly delivers a comprehensive view of an entire security infrastructure to simplify system administration and management.”

NLSS Cloud Services improves upon traditional models of hosted video and access control by eliminating the need to route video and other data through a host computer for each update. NextConnect establishes a direct connection between the remote user and the NLSS Gateway, allowing video to stream faster and smoother with reduced bandwidth consumption. In addition, video quality is not degraded as more users log in to view the same video stream.


Securadyne Systems Acquires Surveillance Specialties

Securadyne Systems, LLC and Pamlico Capital announced today that they have completed the acquisition of Surveillance Specialties, Ltd., a New England-based security systems integrator. The SURV acquisition is the second for Securadyne, which was founded in February 2012 in partnership with Pamlico.

“The acquisition of SURV, which enjoys a commanding market presence in New England, ideally complements our build-up strategy focusing on best-in-breed operating platforms,” explained Carey Boethel, President and CEO of Securadyne Systems. “The addition of SURV considerably expands our geographic reach and our ability to deliver high-end, fully integrated solutions in a number of key vertical markets,” Boethel added.

SURV was founded in 1986 as a covert surveillance company by Arthur and Joan Bourque. The company changed its business model to a full-service systems integrator in 1999. Since then, the company has achieved considerable and consistent growth, and has emerged as the top independently-owned and operated security systems integrator in New England. SURV currently has branch offices in Wilmington, MA and Portland, ME.

Arthur Bourque, President and CEO of SURV, stated “We were fortunate to have a number of viable strategic alternatives for our business, but it was clear that Securadyne represents the future of our industry and is the best possible fit for SURV’s employees, customers and shareholders. We’re very excited about joining the Securadyne team and the opportunities for growth that will be created by this partnership.”

Mr. Bourque will join Securadyne’s Board of Directors and be active in setting the business’s strategic direction and helping with future M&A activities. Justin Davis, Chief Operating Officer for SURV, will join the Securadyne Systems executive team and will be responsible for leading the company’s Northeast Region.

Stuart Christhilf, Principal at Pamlico, noted “We are excited to be partnering with Arthur, Justin and the SURV team, as their passion for integrity, quality service, and industry-leading technologies represent exactly what we are trying to build with Securadyne. We expect them to be valuable contributors as we look to expand the combined business going forward.”


Tenable Network Security Gets $50 Million for Vulnerability Management

Tenable Network Security, Inc., whose software identifies network security gaps before they are exploited by attackers, today announced $50 million in first-round funding from Accel Partners.

Tenable will use the funds to expand its innovative security offerings and accelerate global growth – while deepening its research into evolving threats that are becoming a critical trust issue for CEOs, regulators and customers worldwide.

“Security is a mainstream issue – especially with the explosion of mobile, cloud and virtual computing,” said Ron Gula, CEO of Tenable. “Serious network attacks are far more common than anyone wants to publicly admit – and our customers count on us to keep their networks safe.”

Tenable is the top choice for businesses of all sizes, governments and universities to manage network threats. The company’s flagship vulnerability management products, Nessus and SecurityCenter, are used by the most demanding security professionals and compliance auditors at 15,000 organizations worldwide, including:

  • The entire U.S. Department of Defense, where Tenable has become the vulnerability management standard
  • 12 of the 14 U.S. Federal Civilian Departments
  • Top Financial Services Companies: Barclays, Deloitte, RBS, Morgan Stanley, T. Rowe Price, Visa
  • Technology Leaders: Spotify, Dell, Etsy, Google, Intel, Microsoft, Skype, Apple, Yahoo
  • Top Universities: Brown, Dartmouth, Michigan, Ohio State, Purdue
  • Healthcare Leaders: Coventry, HealthSouth, Johnson & Johnson, Merck, Scripps, Sutter Health
  • Key Energy Players: Chevron, Chesapeake Energy, ConocoPhillips, ConEdison, Duke Energy, TXU
  • Retailer Innovators: Chipotle, GSI, Meijer, Diapers.com, Zappos.com
  • Media Visionaries: British Sky Broadcasting, CBS, Comcast, Time Warner, 20th Century Fox
  • Telecom Providers: Alcatel Lucent, Bell Canada, British Telecom, Softbank Mobile, Verizon

Tenable’s user community has 1 million people who have learned the benefits of automated vulnerability scanning through their viral adoption of Nessus.

“Tenable is the thought leader in the rapidly growing and critical area of vulnerability assessment,” said Ping Li, General Partner at Accel, who will join Tenable’s board of directors. “IT security practitioners fight the constant battle to stay ahead of network attacks, and it’s only getting harder. Many of these practitioners globally rely on Tenable for their vulnerability management platform.”

Tenable’s SecurityCenter is the only security platform combining essential active and innovative passive vulnerability scanning, real-time network monitoring, and configuration and compliance management. Tenable’s Nessus, the industry’s most widely deployed vulnerability scanner, provides the deepest database of known vulnerabilities and compliance risks on the market today.

 


Four Things You Need to Know About PCI Compliance in the Cloud

By Andrew Hay, Chief Evangelist, CloudPassage

Andrew Hay is the Chief Evangelist at CloudPassage, Inc., where he is lead advocate for its SaaS server security product portfolio. Prior to joining CloudPassage, Andrew was a Senior Security Analyst for 451 Research, where he provided technology vendors, private equity firms, venture capitalists and end users with strategic advisory services.

Anyone who’s done it will tell you that implementing controls that will pass a PCI audit is challenging enough in a traditional data center where everything is under your complete control. Cloud-based application and server hosting makes this even more complex. Cloud teams often hit a wall when it’s time to select and deploy PCI security controls for cloud server environments. Quite simply, the approaches we’ve come to rely on just don’t work in highly dynamic, less-controlled cloud environments. Things were much easier when all computing resources were behind the firewall with layers of network-deployed security controls between critical internal resources and the bad guys on the outside.

Addressing the challenges of PCI DSS in cloud environments is not insurmountable. There are ways to meet the key ones when operating a PCI-DSS in-scope server in a cloud environment. The first step towards embracing cloud computing, however, is admitting (or in some cases learning) that your existing tools might not be capable of getting the job done.

Traditional security strategies were created at a time when cloud infrastructures did not exist and the only use of public, multi-tenant infrastructure was data communications over the Internet. Multi-tenant (and even some single-tenant) cloud hosting environments introduce many nuances, such as dynamic IP addressing of servers, cloud bursting, rapid deployment and equally rapid server decommissioning, that the vast majority of security tools cannot handle.

First Takeaway: The tools that you have relied upon for addressing PCI related concerns might not be built to handle the nuances of cloud environments.

The technical nature of cloud-hosting environments makes them more difficult to secure. A technique sometimes called “cloud-bursting” can be used to increase available compute power extremely rapidly by cloning virtual servers, typically within seconds to minutes. That’s certainly not enough time for manual security configuration or review.

Second Takeaway: Ensure that your chosen tools can be built into your cloud instance images to ensure security is part of the provisioning process.

While highly beneficial, high-speed scalability also means high-speed growth of vulnerabilities and attackable surface area. Using poorly secured images for cloud-bursting or failing to automate security in the stack means a growing threat of server compromise and nasty compliance problems during audits.

Third Takeaway: Vulnerabilities should be addressed prior to bursting or cloning your cloud servers and changes should be closely monitored to limit the expansion of your attackable surface area.

Traditional firewall technologies present another challenge in cloud environments. Network address assignment is far more dynamic in clouds, especially in public clouds. There is rarely a guarantee that your server will spin up with the same IP address every time. Current host-based firewalls can usually handle changes of this nature but what about firewall policies defined with specific source and destination IP addresses? How will you accurately keep track of cloud server assets or administer network access controls when IP addresses can change to an arbitrary address within a massive IP address space?

Fourth Takeaway: Ensure that your chosen tools can handle the dynamic nature of cloud environments without disrupting operations or administrative access.

The auditing and assessment of deployed servers is an addressable challenge presented by cloud architectures. Deploying tools purpose-built for dynamic public, private and hybrid cloud environments will also ensure that your security scales alongside your cloud server deployments. Also, if you think of cloud servers as semi-static entities deployed on a dynamic architecture, you will be better prepared to help educate internal stakeholders, partners and assessors on the aforementioned cloud nuances – and how your organization has implemented safeguards to ensure adherence to PCI-DSS.
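
The fourth takeaway's failure mode, as an added example that is not part of Andrew Hay's post or CloudPassage's product: a firewall rule written against literal source and destination addresses silently changes meaning when a server is re-provisioned with a new IP and its old address is handed to an unrelated host, whereas the same intent keyed on the server's semi-static role (resolved against current inventory) survives the change. The fleet, roles, addresses and the `stale_ip_rules` audit check are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    instance_id: str
    role: str   # semi-static identity: what the server is for
    ip: str     # dynamic in cloud environments; changes on re-provisioning


# Constructed fleet before a cloud-burst / re-provisioning event.
FLEET_BEFORE = [
    Server("i-web-1", "web", "10.0.1.10"),
    Server("i-db-1", "db", "10.0.2.20"),
]
# Afterwards: the database server was recreated at a new address, and an
# unrelated batch worker was assigned the address the old database server had.
FLEET_AFTER = [
    Server("i-web-1", "web", "10.0.1.10"),
    Server("i-db-2", "db", "10.0.2.21"),
    Server("i-batch-1", "batch", "10.0.2.20"),
]

# Traditional rule keyed on literal addresses, recorded with the intent it was
# written for: (src_ip, dst_ip, port) -> (src_role, dst_role).
IP_RULES = {("10.0.1.10", "10.0.2.20", 5432): ("web", "db")}
# The same intent keyed on roles; addresses are resolved at evaluation time.
ROLE_RULES = {("web", "db", 5432)}


def allowed_by_ip(src, dst, port):
    return (src.ip, dst.ip, port) in IP_RULES


def allowed_by_role(src, dst, port):
    return (src.role, dst.role, port) in ROLE_RULES


def find(fleet, instance_id):
    return next(s for s in fleet if s.instance_id == instance_id)


def stale_ip_rules(fleet):
    """Audit check: an IP rule is stale when either address no longer belongs
    to a server of the role the rule was written for. Returns {rule: reasons}."""
    role_of = {s.ip: s.role for s in fleet}
    findings = {}
    for rule, (want_src, want_dst) in IP_RULES.items():
        src_ip, dst_ip, _ = rule
        reasons = []
        for label, ip, want in (("src", src_ip, want_src), ("dst", dst_ip, want_dst)):
            have = role_of.get(ip)
            if have != want:
                reasons.append(f"{label} {ip} is now {have or 'unassigned'}, expected {want}")
        if reasons:
            findings[rule] = reasons
    return findings


if __name__ == "__main__":
    web, db, batch = (find(FLEET_AFTER, i) for i in ("i-web-1", "i-db-2", "i-batch-1"))
    print("IP rules:   web->db", allowed_by_ip(web, db, 5432),
          " web->batch", allowed_by_ip(web, batch, 5432))
    print("Role rules: web->db", allowed_by_role(web, db, 5432),
          " web->batch", allowed_by_role(web, batch, 5432))
    print("Stale IP rules:", stale_ip_rules(FLEET_AFTER))
```

Running `stale_ip_rules` against current inventory after every provisioning event is the kind of change monitoring the third takeaway asks for: it flags the rule that now blocks the legitimate database and exposes the batch worker before an assessor does.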

 


Woz on Cloud Dangers Started a Useful Conversation

When Apple co-founder and all-around tech icon Steve Wozniak was quoted as saying he expected horror stories from the cloud, and in the wake of a cautionary tale of total cloud hack horror from xxxxxx, it set off a useful round of comment.

Yesterday we had a guest post on the topic.

Today you might read the I, Cringely take, which, as can be expected, is full of his usual cobbled-together, but pretty effective, roll-your-own solutions.