Posts Tagged 'cloud security'

Microsoft Publishes Cloud Security Assessment

The biggest inhibitor to Cloud Computing adoption is, without doubt, security. The Cloud Security Alliance (CSA) has been working to alleviate these concerns, or at least to bring transparency to the security procedures and processes of cloud providers. Its mission statement reads as follows: “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

The CSA have put together a group of initiatives known as the Governance, Risk Management and Compliance (GRC) stack. This provides details and guidelines for all cloud users, from auditors and end users to implementors, to instrument and assess both private and public clouds against industry-established best practices, standards and critical compliance requirements. Part of the GRC stack is a questionnaire known as the Consensus Assessments Initiative Questionnaire (CAIQ). This questionnaire is provided in spreadsheet format and covers the security procedures and processes undertaken by a cloud provider and how they comply with the CSA best practices. It is a form of self-assessment, as an organisation completes it themselves.

Any organisation that wishes to publish their assessment can do so at the CSA Security, Trust & Assurance Registry (STAR). This central resource could evolve to be the go-to resource on cloud security best practices. As a start, Microsoft is the first cloud provider to publish their CAIQ response to the STAR. They have done so for the following products:

  • Office 365
  • Windows Azure
  • Microsoft Dynamics CRM

A major benefit the STAR registry provides cloud consumers is transparency on the security of the cloud services of registered organisations, in a way that is based on standards (ISO 27001) and best practices, and that is easily accessible at no charge. The information provided by the CAIQ questionnaire details what procedures are in place without disclosing how they are undertaken, thus protecting the provider from exposing both commercially and technically sensitive information.

With Microsoft leading the way in providing this information, it will be interesting to see if other major providers will follow suit. Amazon, for instance, have for a long time now published many of their processes and procedures at their Security and Compliance Centre. Will they complete the CAIQ questionnaire too? What about Google, Salesforce.com and the other major vendors? Over the next few months it will be interesting to see how these, and other vendors, react to what Microsoft has done. One thing is for sure: the more information on security and best practices that vendors release, the better informed the cloud adoption decision makers will be to make better choices.

Chris Czarnecki

Learn more about cloud computing security with Learning Tree’s course Cloud Security Essentials: Best Practices for Secure Cloud Computing.

Compare Cloud Security to Your Security

There’s an assumption people make that if they put their data in the cloud it is less secure. There are three aspects to security: confidentiality, integrity, and availability. They are known as the CIA security model.

Confidentiality

Private data is kept confidential using encryption. This might require encrypting the data in the database. When transporting data across the internet, it requires using the HTTPS protocol. Whether using the cloud or local servers, this does not change. It is our responsibility to secure our data no matter where it is physically stored.

Integrity

Integrity is maintained in distributed systems by verifying that messages sent between computers have not been tampered with. This is also achieved by using the HTTPS protocol. Again, this does not change when using the cloud.
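The tamper check described above, as an added example that is not part of the original post: HTTPS does this inside the TLS record layer, but the principle is easiest to see with a keyed hash (HMAC-SHA256) over an application message. The shared key and the message are constructed for the example; a receiver that holds the key recomputes the tag and rejects anything whose tag no longer matches.

```python
import hashlib
import hmac
import os

# Constructed 256-bit shared secret so the example runs offline. In a real
# deployment the key comes from a key-management service or, for HTTPS, is
# negotiated during the TLS handshake; it is never hard-coded like this.
SHARED_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)


def tag_message(key: bytes, message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag over the message with the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Return True only if the tag matches; compare_digest avoids timing leaks."""
    expected = tag_message(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Tag one constructed message, then try the cases a receiver must reject."""
    original = b'{"account":"12345","transfer":"100.00"}'
    tag = tag_message(SHARED_KEY, original)

    # 1. Message body altered in transit: the stored tag no longer matches.
    altered = original.replace(b"100.00", b"900.00")
    # 2. Tag corrupted by a single bit flip in its last byte.
    corrupted_tag = tag[:-1] + bytes([tag[-1] ^ 0x01])
    # 3. Sender without the real key tags the altered body with a key of its own.
    forged_tag = tag_message(os.urandom(32), altered)

    return {
        "genuine": verify_message(SHARED_KEY, original, tag),
        "altered_body": verify_message(SHARED_KEY, altered, tag),
        "corrupted_tag": verify_message(SHARED_KEY, original, corrupted_tag),
        "wrong_key": verify_message(SHARED_KEY, altered, forged_tag),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:14s} -> {'accepted' if accepted else 'rejected'}")
```

Only the genuine message is accepted; the three tampered variants are rejected because the receiver never trusts a tag it cannot reproduce with its own copy of the key.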

Availability

Data should only be made available to those who are allowed to see it. This is done through some sort of authentication process, along with rules that govern access to the data. Authentication can be done using passwords, digital certificates, biometrics, passcodes, keys etc.

Securing the Infrastructure

Without a secure infrastructure, you can’t achieve the CIA properties. Servers must be patched, firewalls need to be configured, access to physical hardware needs to be limited, intrusion-detection systems need to be put in place, etc. Securing the infrastructure is very expensive and requires a great deal of administration.

This is where we can take advantage of a cloud provider’s economies of scale and expertise, to make our systems more secure! The fact is, very few people can afford to do what Microsoft and Amazon do to secure their data centers. And even if you can afford it, do you have the people who know how to do it?

To better understand why this is so, read the links below, which describe what Microsoft and Amazon do to secure their data centers. Then compare what they do to what your organization does. You will likely realize that your data would be considerably MORE secure in the cloud than it is in your computer room.

Links

Windows Azure Security Overview – Microsoft

AWS Security and Compliance Center – Amazon Web Services

If you want to learn more about cloud computing and how it can benefit your organization, come to one of the courses in Learning Tree’s Cloud Computing curriculum

Doug Rehnstrom


Amazon EC2 Security Groups for Elastic Beanstalk

Amazon’s Elastic Beanstalk is an elegant Platform as a Service (PaaS) for Java application deployment. Anybody who has provisioned servers with the Elastic Compute Cloud (EC2) will be familiar with configuring security groups. A security group is like a firewall, and defines a set of permissions for accessing Amazon Web Services (AWS) resources. More details can be found here.

When deploying an application using Elastic Beanstalk, a security group is automatically created for you, and it allows access from all IP addresses on port 80. In many cases applications will use a database that is hosted on Amazon’s Relational Database Service (RDS). When a database instance is configured, this also requires a security group to be configured. To enable access from the Beanstalk-hosted application, an extra rule allowing access from the Beanstalk application’s security group must be added. For administering the database, a rule for your local machine based on your IP address is also added. This process is straightforward; it just requires an awareness of what needs to be done.
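The two security groups described above, modelled as an added example that is not Amazon’s code or part of the original post. The evaluator reproduces the rule semantics a practitioner relies on: groups are deny-by-default, a rule’s source can be a CIDR range or another security group, and the admin rule should be a single /32 address. The group names, the admin address (a documentation range), and the database port (3306, assuming MySQL) are all assumptions constructed for the example; the script also shows a world-open variant of the database group and a check that flags it.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class IngressRule:
    """One inbound rule: a port plus either a CIDR source or another group as source."""
    protocol: str
    port: int
    cidr: Optional[str] = None
    source_group: Optional[str] = None


@dataclass
class SecurityGroup:
    name: str
    ingress: List[IngressRule] = field(default_factory=list)


def allows(group: SecurityGroup, protocol: str, port: int,
           src_ip: Optional[str] = None, src_group: Optional[str] = None) -> bool:
    """Security groups are deny-by-default: traffic passes only if some rule matches."""
    for rule in group.ingress:
        if rule.protocol != protocol or rule.port != port:
            continue
        if rule.cidr is not None and src_ip is not None:
            # ip_network membership handles prefix lengths from /0 to /32.
            if ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr):
                return True
        if rule.source_group is not None and src_group == rule.source_group:
            return True
    return False


def world_open_rules(group: SecurityGroup,
                     public_ports=(80, 443)) -> List[IngressRule]:
    """Flag rules that admit the whole Internet on a port that should not be public."""
    return [r for r in group.ingress
            if r.cidr in ("0.0.0.0/0", "::/0") and r.port not in public_ports]


# The group Elastic Beanstalk creates for the web tier: HTTP from anywhere.
WEB_SG = SecurityGroup("beanstalk-web", [IngressRule("tcp", 80, cidr="0.0.0.0/0")])

# Constructed RDS group: DB port open to the web tier by group reference, plus
# one admin workstation by exact address (constructed, from the 203.0.113.0/24
# documentation range).
ADMIN_IP = "203.0.113.25"
DB_SG = SecurityGroup("rds-db", [
    IngressRule("tcp", 3306, source_group="beanstalk-web"),
    IngressRule("tcp", 3306, cidr=f"{ADMIN_IP}/32"),
])

# The weak variant: the admin rule written as 0.0.0.0/0 instead of a /32.
DB_SG_TOO_OPEN = SecurityGroup("rds-db-too-open", [
    IngressRule("tcp", 3306, source_group="beanstalk-web"),
    IngressRule("tcp", 3306, cidr="0.0.0.0/0"),
])


def evaluate() -> dict:
    """Constructed connection attempts against both groups, plus the audit check."""
    return {
        "browser_to_web": allows(WEB_SG, "tcp", 80, src_ip="198.51.100.7"),
        "browser_to_db_port_on_web": allows(WEB_SG, "tcp", 3306, src_ip="198.51.100.7"),
        "web_tier_to_db": allows(DB_SG, "tcp", 3306, src_ip="10.0.1.12",
                                 src_group="beanstalk-web"),
        "admin_to_db": allows(DB_SG, "tcp", 3306, src_ip=ADMIN_IP),
        "stranger_to_db": allows(DB_SG, "tcp", 3306, src_ip="198.51.100.7"),
        "stranger_to_open_db": allows(DB_SG_TOO_OPEN, "tcp", 3306, src_ip="198.51.100.7"),
        "findings_on_db": len(world_open_rules(DB_SG)),
        "findings_on_open_db": len(world_open_rules(DB_SG_TOO_OPEN)),
    }


if __name__ == "__main__":
    for case, result in evaluate().items():
        print(f"{case:28s} {result}")
```

Referencing the web tier by security group rather than by address is what keeps the database rule correct when Elastic Beanstalk scales instances up and down, and the /32 admin rule is the part worth re-checking whenever a laptop changes networks.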

Amazon provide an incredible set of Infrastructure services with AWS. To use these services effectively and integrate them into a coherent whole requires a good knowledge of how they work individually and the role they should play in your systems. Acquiring this knowledge is not a trivial task, so to fast track this process Learning Tree have developed a four day course that provides hands-on experience of what is available, how it works and how you can best use it for your systems. If you are interested in, or considering using Amazon AWS, I think you will find the course invaluable. You can even attend from your office using the Anyware system. Details and a schedule can be found here.

Chris Czarnecki

What’s Different about Security in the Cloud?

Well, in many ways, nothing, really.

Since the advent of “cloud computing” we are certainly considering “security” under a microscope and in a new light. The truth is, though, that security is still just security. Maybe the cloud model has changed the specifics of “who does what” but all the stuff we’ve learned before still applies.

There are some who would have us believe that there is some mystical element to security now that there is the “Cloud”. What about “Hypervisor Security” they say? Yes, I suppose there may be an example or two of a rogue VM jumping into another’s space, but these are almost surely Type II Hypervisors. The reality is that this is extremely unlikely (i.e. probability ~= 0) with Type I Hypervisors used by Cloud Providers. Anyway, what are you going to do? Write your own Hypervisor? I don’t think so.

So where does that leave us?

If you are doing a self-hosted, on-premises Private Cloud then the responsibility is all yours. These are the same responsibilities that you have always had, by the way, as a data center administrator. If you are out-sourcing some or all of your cloud then you are into a shared-responsibility model. By definition “shared” means that you trust someone else to some degree.

So, why should you trust your cloud provider? Surely you could do a better job by yourself, right? Well, maybe, maybe not.

Today most Cloud Providers are certified. That means that they have been able to comply with various standards which are meant to assure us that they can do what they say. If you are a SMB then there is a good chance that your provider will have way more certifications than you would ever care to achieve. If you are an Enterprise then maybe you have this all taken care of on your own.

So, what? Is there a magical formula to security in the cloud? No. When talking about security in the cloud we have to consider all the usual topics: Authentication/Authorization, Encryption, Digital Certificates, etc. These apply equally in or out of the cloud.

Learning Tree International has a number of security courses. Enroll now for an upcoming course at an Ed Center near you! Alternatively you may like to attend the course remotely using our proprietary AnyWare technology.

Either way, I hope to see you soon!

Kevin Kell

Could Cloud Have Prevented Security Concerns of Home Secretary?

Today I awoke to the news that UK Home Secretary Teresa May had left her engagement book in an auditorium last Sunday. There were concerns that the lapse put the home secretary and her colleagues at risk because of the details it contained. The book was left by her personal protection secretary.

So what has this got to do with Cloud Computing, you may be asking? During my consulting activities and when teaching Learning Tree’s Cloud Computing course, the comment I hear most is that people and organisations will not store their data in the cloud because of security concerns. They often make these comments without any consideration of the current safety and security of their data. How secure are their servers, networks and software today? Who in their organisation has access to the data, and is it stored or copied in multiple places? What happens to their data if they delete it? These, plus many more, are valid questions that should be asked about on-premise as well as cloud computing based solutions.

In the case of Theresa May, would it have been safer if her appointment book had been stored in the cloud? Not only would she have had anywhere access, but the above incident would not have occurred. I therefore used this incident as an example of where data held in paper form, or even locally on PCs, is often more vulnerable than when located in the cloud, where, encrypted and protected by world-class security experts, it can also be anonymous.

Evaluating Cloud Computing and in particular its security risks is not a trivial task. To help people make informed decisions Learning Tree have developed a three day Cloud Security course. Find out how this course can help you gain practical, in-depth knowledge of Cloud Computing security.

Chris Czarnecki

Missile Defence Agency Adopts Cloud Computing

Today, whilst on a consulting assignment related to mobile development, we discussed the integration of mobile and Cloud Computing. My client immediately said “the big problem with cloud computing is security, applications co-hosted with other organisations’ applications is dangerous …”. As you know, this is something that I have written about before. Having then begun to discuss the merits of Cloud Computing to provide a more balanced view to my client, an email arrived that did the job for me, in fact in a much better way than I was doing. The email contained an article by Jim Armstrong, CIO of the Missile Defence Agency. In the article he explained how the agency had deployed the cloud to better serve their customers. Key aims in achieving this were to provide:

  • Optimal service
  • Fewer failure points
  • A more maintainable environment
  • Lower operating costs

Given the data integrity and information assurance compliance requirements the Missile Defence Agency has, a private cloud was deployed to meet the demanding requirements. The cloud has been extended to a hybrid cloud for integrating with defence service providers.

The agency has been very careful and considered in what has been moved to the cloud, but for those services that are appropriate many benefits have been achieved, not only those listed above but also:

  • Speed of provisioning
  • The ability to move or duplicate workloads across different regions

By utilising cloud computing as they have, the agency has acknowledged that it simplifies access for their mobile workforce. Its resources are accessed in a seamless manner regardless of the device type or location. The reason that Jim Armstrong’s article motivated me to write this post is that the experiences he has reported are something I have seen many times on consultancy assignments for organisations that have embraced Cloud Computing. Equally, I hear so many people dismiss Cloud Computing, listing concerns that can mostly be addressed, and in fact improved upon, by using Cloud Computing rather than traditional data centres.

If you are not sure about Cloud Computing, why not consider attending Learning Tree’s Cloud Computing course. It will provide you with a thorough introduction to all the technologies and products from vendors and how these can be used effectively by business. The risks and concerns are also addressed. We have just added a private cloud hands-on exercise too, so you will get a true feel for private clouds as well. It may not convince you to adopt Cloud Computing for your organisation, but at least you will have a more balanced view and, having been taught by an expert, will be able to make a more informed decision for your organisation.

Chris Czarnecki

Improved Amazon Private Cloud Security: EC2 Dedicated Instances

Back in October last year I posted an article titled ‘How Dedicated is Your Private Cloud?’. The main theme was that whilst organisations like Amazon offer private clouds on Amazon infrastructure, your virtual machines may actually be co-hosted on the same physical hardware as other organisations’ virtual machines. What is private in such scenarios is the virtual network your instances are connected to.

To those without a good understanding of cloud computing and the underlying technologies that make it possible, private cloud means one thing, yet those with a good understanding of cloud computing will know that there are different levels of ‘private’ cloud when that cloud is hosted by a third party. Amazon, as part of AWS, have offered a virtual private cloud (VPC) for some time now. With the Amazon VPC, instances are co-hosted with instances from other organisations. Until today, that is. Today, Amazon have announced EC2 dedicated instances, which ensure that all EC2 compute instances will be isolated at the hardware level. It is possible to create a VPC in EC2 that has a mixture of dedicated and non-dedicated machine instances all on the same network, based on application requirements.

In addition, earlier this month Amazon made some changes to the way VPCs can be accessed. Originally, the only way of accessing an Amazon VPC was from an IPsec Virtual Private Network (VPN). This required extra on-site resources for many organisations. The VPN restriction has now been relaxed, and an Amazon VPC can now be accessed from the Internet. Amazon are certainly making the private cloud something that is now comfortably within reach of all organisations.

For anybody who would like to gain an understanding of what cloud computing is, the underlying technologies and how it can benefit their organisation, Learning Tree have developed a Cloud Computing course that provides hands-on exposure to a variety of cloud computing tools and services. In addition, currently under development is a course dedicated specifically to Amazon AWS. If you are interested, more details are provided here.

Chris

