Posts Tagged 'security'

EC2 Security Revisited

A couple of weeks ago I was teaching Learning Tree’s Amazon Web Services course at our lovely Chicago area Education Center in Schaumburg, IL. In that class we provision a lot of AWS resources, including several machine instances on EC2 for each attendee. Usually everything goes pretty smoothly. That week, however, we received an email from Amazon. They had received a complaint. It seemed that one of the instances we launched was launching Denial of Service (DoS) attacks against other hosts on the Internet. This is specifically forbidden in the user agreement.

I was doubtful that any of the course attendees were intentionally doing this so I suspected that the machine had been hacked. The machine was based on an AMI from Bitnami and uses public key authentication, though, so it was puzzling how someone could have obtained the private key. Anyway, we immediately terminated the instance and launched a new one to take its place for the rest of the course.

In Learning Tree’s Cloud Security Essentials course we teach that the only way to truly know what is on an AMI is to launch an instance and do an inventory of it. I was pretty sure we had done that for this AMI but we might have missed something. I decided that I would do some further investigation this week when I got a break from teaching.

Serendipitously when I sat down this morning there was another email from Amazon:

>>

Dear AWS Customer,

Your security is important to us.  Bitrock, the creator of the Bitnami AMIs published in the EC2 Public AMI catalog, has made us aware of a security issue in several of their AMIs.  EC2 instances launched from these AMIs are at increased risk of access by unauthorized parties.  Specifically, AMIs containing PHP versions 5.3.x before 5.3.12 and 5.4.x before 5.4.2 are vulnerable and susceptible to attacks via remote code execution.   It appears you are running instances launched from some of the affected AMIs so we are making you aware of this security issue. This email will help you quickly and easily address this issue.

This security issue is described in detail at the following link, including information on how to correct the issue, how to detect signs of unauthorized access to an instance, and how to remove some types of malicious code:

http://wiki.bitnami.com/security/2013-11_PHP_security_issue

Instance IDs associated with your account that were launched with the affected AMIs include:

(… details omitted …)

Bitrock has provided updated AMIs to address this security issue which you can use to launch new EC2 instances.  These updated AMIs can be found at the following link:

http://bitnami.com/stack/roller/cloud/amazon

If you do not wish to continue using the affected instances you can terminate them and launch new instances with the updated AMIs.

Note that Bitnami has removed the insecure AMIs and you will no longer be able to launch them, so you must update any CloudFormation templates or Autoscaling groups that refer to the older insecure AMIs to use the updated AMIs instead.

(… additional details omitted …)

<<

So it seems there was a security issue in the AMI that had gone undetected. This is not uncommon as new exploits are continually discovered. That is why software must be continually patched and updated with the latest service releases. Since Amazon EC2 is an Infrastructure as a Service offering (IaaS) this is the user’s responsibility.

It was nice to have a resolution to the issue since it had been bothering me since it occurred. It was also nice that Amazon sent out this email and specifically identified instances that could have a problem. They also gave links to some specific instructions I could follow to harden each instance or a new AMI I could use to replace them.

In the end I think we will be replacing the AMI we use in the course. This situation was an example of the shared responsibility for security that exists between the cloud provider and the cloud consumer. You don’t always know exactly if you have a potential security issue until you look for it. Even then you may not be totally sure until something actually happens. In this case once the threat was identified the cloud provider moved quickly to mitigate damage.

Kevin Kell

Security, Privacy and Compliance in the Cloud

I have been teaching Learning Tree’s Introduction to Cloud Computing Technologies course for almost two years now. I also teach the Cloud Security Essentials course. Each time I have taught these courses spirited discussions have arisen concerning the separate but related topics of Security, Privacy and Compliance.

For example, students who come from a healthcare background have expressed interest in the HIPAA compliance of various cloud providers. In addition, people have expressed concern about things like SAS 70, ISO 27001 and PCI.

As of June 24th, 2012, it appears that Microsoft Azure core services have established HIPAA compliance. This should come as welcome news to anyone considering cloud computing for healthcare applications. It seems that Microsoft have been upping the ante recently with regard to various certifications and compliance. It was not too long ago that Microsoft published their Cloud Security Assessment. Now with this latest announcement they have even taken it a step further. At a minimum these moves by Microsoft will force other cloud providers to step up their games. I expect this trend to continue as cloud providers respond to these concerns to achieve competitive advantage. This will definitely be a benefit to consumers of cloud services.

Fundamentally the issues of Security, Privacy and Compliance in the public cloud come down to trust. Do you, as a consumer, have confidence that the vendor will do what they say they will do to achieve the desired goals on your behalf? In many cases a cloud provider can actually do a much better job of securing your data and complying with regulatory standards than you can. This is particularly true if you are in an organization whose first priority is not IT. It is not always easy to convince people of this, however!

My esteemed colleague, Bob Cromwell, has made what I think is a very poignant illustration of this concept:

Figure 1 Cloud Security Concerns

Twenty years ago many people did not accept the idea that online banking would ever evolve to what it has now become. Ten years (or less!) from now people will wonder what the big deal was with regard to security in the cloud. It will just become accepted as a way in which things are done.

Are there risks? Of course! Have cloud providers ever been breached? Yes. Will hackers become more sophisticated and will there be more breaches in the future? Yes, almost certainly. Does this mean you should ignore what is happening on the public cloud? No!

Cloud computing is here to stay. In a few years, perhaps, people won’t talk about cloud computing as a separate concept in IT. It will just have become an accepted way of doing things to get the job done for the lowest cost. IT resources will have become a commodity. This was best said way-back-when by Nicholas Carr in The Big Switch. It continues to be true today and it will ultimately be proven in the days to come.

Kevin Kell

The Bad Guys Use the Cloud Too

In the aftermath of the recent Sony PlayStation data breach, which is considered to be in the top 5 data breaches ever, the cloud is once again at the forefront of discussion. What is becoming clear is that hackers used servers provisioned on Amazon EC2 to launch the attack against Sony. Some are taking this opportunity to criticize security in the cloud.

While I am all in favor of proceeding cautiously and for continually re-examining and improving security implementation, if you really look at it the Sony incident has almost nothing to do with “security in the cloud”. The fact of the matter is that Sony’s own private network was hacked. The tie-in to cloud is that the hackers were able to provision servers anonymously and utilize Amazon’s public cloud to leverage their attack with very little up-front investment.

But, isn’t this exactly what the public cloud offers as a benefit? The answer, of course, is yes. Although this attack against Sony was, from the hacker’s viewpoint, particularly successful, using cloud technology in a malicious manner is not new. There have been several reported incidents of Denial of Service attacks launched from EC2 servers. Why not? If you are inclined that way anyway it is very cost effective.

Should Amazon be held responsible for this? That is an interesting question. Amazon has been criticized, in some cases, for being slow to respond. In my opinion, though, it is not necessarily their job to respond. Why should Amazon be placed in a position of deciding what is a “good” and what is a “bad” use of their service? Those are ethical, not technological, questions. To be fair, though, Amazon actually does respond to these types of incidents in a reasonable manner.

What is clear is that whether or not your organization chooses to adopt cloud computing, the ante has been raised as far as security is concerned. Attackers now have at their disposal a seemingly infinite pool of computing resources for pennies per hour. This, by the way, is the same pool that the good guys have access to as well. What this means is that cloud-based hackers can attack your non-cloud datacenter for the cost of just a few dollars. It matters little that you have carefully chosen to avoid using cloud computing in your organization. Security provisions at all sites, be they public or private, will have to up their game. This is the new reality.

For a comprehensive treatment of security fundamentals and in particular how they relate to cloud computing, you may want to consider attending Learning Tree’s Course 1220, Securing the Cloud: Hands-On. This course discusses security in a cloud-based environment. It is a security course that happens to be set in a cloud environment; it is not a cloud course that happens to address security issues.

I hope to see you at a Learning Tree Education Center soon!

Kevin

Cloud Computing Security Course

Some great news for technology professionals working with Cloud Computing. Learning Tree is developing a new course titled Securing the Cloud: Hands-On. This welcome addition to the Cloud Computing curriculum covers all those difficult aspects cloud computing raises from a security and disaster recovery perspective.

Questions I am repeatedly asked when teaching the Cloud Computing course include:

  • Is the cloud secure?
  • How do I ensure my data can always be accessed in the cloud?
  • How do I secure my server instances in the cloud?
  • Can I restrict access to my cloud computing accounts on Amazon EC2 to members of my organisation?

These are just a sample of the types of questions I get asked. Another is “Is cloud security different from standard IT security?”. The new course being developed by Learning Tree aims to answer these questions. The focus of the course is very specifically on Cloud Computing security – that is, those aspects of security that are new or specific to cloud computing, as opposed to traditional computing security. Traditional computing security is already covered by the existing security curriculum. The security requirements of SaaS, PaaS and IaaS are considered and analysed, and best-of-breed solutions provided.

Anybody who is working with Cloud Computing must consider the security requirements and implications. This course will provide those professionals with the skills they require to secure their environments. The first run is on December 8th in Washington DC (Reston, VA). You can sign up here if you are interested.

Chris

AWS Security: Identity and Access Management

For an organisation adopting Cloud Computing, one of the benefits is the self-service nature of the cloud. If a developer requires a test machine for a short period of time, using an Amazon EC2 instance or Azure server instance is an obvious cheap solution. Not only is the machine paid for only while it is being used, there is no capital investment required.

A question organisations must ask when working with a cloud provider such as Amazon is who will have responsibility for provisioning and releasing resources. One account with a credit card is created, but ideally this would not be shared with all personnel who require cloud access.

The solution for Amazon EC2 is Amazon Identity and Access Management (IAM). This welcome addition to the Amazon toolset allows the creation of multiple users on a single Amazon account. Each user can be assigned permissions on the main account, eliminating the need to share passwords or access keys. This enables fine-grained security to be configured per user. For example, an individual user could be allowed permission to start EC2 instances but not terminate them.
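As an added illustration of that last point (not a policy from the original post or from Amazon's own documentation), here is an IAM policy in the current JSON policy syntax that lets a user list and start EC2 instances but explicitly denies terminating them; the statement IDs are assumed names:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListAndStartInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyTerminateInstances",
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "*"
    }
  ]
}
```

Because IAM evaluates an explicit Deny ahead of any Allow, the second statement still blocks termination even if another policy attached to the same user grants broader EC2 permissions.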

Currently IAM is available from the command line tools and the API interface. Plans for incorporating the toolset into the management console have also been announced. No new or extra work is required to use IAM with existing AWS APIs – the security is incorporated seamlessly.

In summary, Amazon have provided a cloud-specific, transparent security solution that is a simple yet elegant way to enable controlled access for multiple users to AWS resources. Even better, there is no charge for this service – you just pay for the resources utilised as before.

Chris

More Than A Million Reasons the Cloud May Be Safe

I am back on the theme of cloud security. Why cloud security again? Because cloud security raised its head again last week on a consultancy assignment I undertook. My client requires a new business application. This is available as Software as a Service (SaaS), but can also be purchased as a self-hosted application. On the analysis I provided, my client could see many business advantages that a cloud solution could provide them – significant cost savings, transparent scalability, an ability to improve business process efficiency, more effective use of staff time... the list continued. On the downside, security of the cloud was the factor that was pulling the company away from the cloud.

When I questioned which aspects of security were the primary concerns, they listed data privacy and access control and then added availability and reliability. OK, I know these are not all strictly security issues, but they were perceived as security issues by my client. I know from other consulting assignments and also from teaching the Learning Tree Cloud Computing course that many people have exactly these concerns and see them as a barrier to cloud adoption.

As an example of SaaS that works in a secure, highly available and reliable manner, I gave the example of SalesForce.com. Here is an organisation that has been providing SaaS for over 10 years. This company has over a million users, all of whom have data that is stored securely and accessed with high availability and reliability. They have major customers such as Starbucks and Cisco. SalesForce.com show their availability, reliability and performance statistics to all users in real time – an approach that builds confidence based on transparency. The reason I use SalesForce.com as an example is that they prove that Cloud Computing works – over a million users cannot be wrong, surely?

Now, just because SalesForce.com works does not mean everything cloud related will work too. However, they are an example of a company doing things incredibly well and providing major benefits to their customers. There are many other cloud providers who do similar great things. The key in selecting a Cloud Computing provider is understanding the cloud and knowing what questions to ask of a provider. It’s this kind of knowledge that is gained in Learning Tree’s Cloud Computing course, which provides a vendor-neutral technical and business view of Cloud Computing.

Chris

Cloud Computing Security and Audit Moves Forward

A key concern for many organisations adopting cloud computing is security. Moving to the cloud means many aspects of security are handled by the cloud provider, especially when using Platform as a Service (PaaS). In addition to security, the operational, policy and regulatory procedures of cloud providers are a concern.

Businesses that require information on security policies, audit and compliance from a cloud provider have many problems gathering that information. Firstly, public cloud providers cannot spend all their time providing this information for their customers. Secondly, it is easy to misunderstand what customers are actually asking of the provider, resulting in the incorrect information being provided.

To help solve this problem for both cloud providers and cloud consumers, a welcome development is the formation of the Cloud Audit Organisation. The goal of this organisation is to provide a common interface and namespace that enables cloud computing providers to automate the audit, assertion, assessment and assurance of their Infrastructure (IaaS), Platform (PaaS) and Application (SaaS) environments. The result will be the ability of authorised cloud consumers to automatically gather the required security and audit information in a standard manner without any misunderstanding or ambiguity and with no burden on the cloud provider. This follows a key benefit of the cloud – self service.

The Cloud Audit Organisation is a cross-industry effort that currently has over 250 participants, comprising members of all the leading Cloud Computing providers including Google, Amazon, Microsoft, VMware, Cisco and many others. As anybody who has attended Learning Tree’s Cloud Computing course and participated in the course workshops knows, this organisation is a welcome and vital development in removing one of the perceived barriers to Cloud Computing adoption.

Chris
