Chris Hoff wrote a good post today on his blog about how security folks are pulling out the same-old DMZ models to “secure” the cloud that they used in their datacenters 15 years ago.  While this may seem like the right thing to do, it’s not very cloudy, really not very effective, and not the way it should be done if “cloud” is ever going to be what we all hope it will be in the enterprise world.

What stood out for me in that post is that most enterprises are still neglecting their auditors.  Organizations that are interested in cloud computing must educate not just their security teams about how cloud is different, they must educate the auditors.  Don’t just think about your internal auditors, even go as far as to pay for a few days of training for your key external auditors if you have the budget.  Teach them that although this is a new model of computing, security levels can be maintained even though they may look different.  Help them to help you.

A key reason that many enterprise security folks fall back on the old architectures in a cloud environment is (perhaps without even thinking about it) because they know it will pass muster with the auditors who will always trail technology by a couple of years.
 

Improving Enterprise Acceptance of Cloud Storage

Cloud storage (IaaS) services like Amazon Simple Storage Service (S3) or Rackspace CloudFiles have become part of the IT vocabulary these days, with S3 now storing over 124 billion objects as of the second quarter of 2010.  Paying 15 cents per gig per month, with no up-front capex investment required, practically unlimited ability to scale and amazing reliability (AWS claims it designs for 99.999999999% durability), is obviously attractive.

Despite the benefits, there are a number of concerns that I hear from enterprises that are considering or dabbling with cloud storage:

  1. Security: The ‘trust us’ model continues to be the norm from providers.  This leaves a lot to be desired and will make it very difficult, if not impossible to pass an audit – especially a regulatory audit.
  2. Location: Nice that you copy my data to different places to make it more reliable.  Would be nicer if you would tell me where that is, how it happens, and exactly what is stored where.  Oh, you can’t do that?  Well guess what, that’s a show stopper that’s going to prevent me from moving most of my data to the cloud.
  3. Integration: It still isn’t seamless and easy to integrate and migrate enterprise applications to use cloud storage.  There are a bunch of kludgey things that need to be done to make cloud storage appear local, keep things in sync, cache, buffer, etc.  Even if there are some enterprise software packages starting to implement S3 as an option for data storage, then they need to integrate a satisfactory method of encryption, key management, etc (takes us back to concern #1 – security).  The high cost of integration and the added risks you need to take while kludging up your enterprise apps really hurts the business case.

Here are my suggestions for cloud storage providers that want to increase enterprise business:

  1. Be more transparent: both with security and location, give customers the ability to see WHAT you are doing, HOW it is being done, and WHERE it is being done.
  2. Make integration easier: partner with integrators, ISVs and cloud companies beyond just giving them access to your APIs.  Provide tools and methodologies that reduce the time it takes enterprises to figure all of this out.  I’m not talking about 10 lines of sample code; that might be fine for a guy in his basement hacking together another “web 2.0” site, but it is not what an enterprise needs.

If you can help enterprises overcome their security, compliance, integration and risk concerns about cloud storage… the flood of data moving to the cloud will be unstoppable.

Follow Scott Sanchez on twitter for more ramblings: http://twitter.com/scottsanchez

Notice: This article was originally posted at http://www.CloudNod.com by Scott Sanchez and is his personal opinion.  Copyright 2010 Scott Sanchez, All Rights Reserved.

 

Cloud Computing Security – Resource List

This is a living blog post where you will find pointers to cloud security resources that I find valuable.  Reference material, standards efforts, articles, blogs, tweets… whatever I think might help someone else will get shared here.  Essentially, a place where I can (eventually) point people interested in learning something about cloud security.  For now, you’ll get a few random links off the top of my head.

Follow Scott Sanchez on twitter: @scottsanchez

 

Cloud Isn’t Secure Because It Is Multi-Tenant

Cloud isn’t secure because it is multi-tenant.  This is a weak argument that I’m tired of hearing.

Here’s my short and sweet rebuttal to that position.

Your internal data centers are multi-tenant today, and you aren’t managing them as well as a public cloud is managed.

I can hear you going “Huh?”.

Yeah.  Unless you are a three letter agency or one of a handful of super paranoid (or regulated) commercial organizations, your data center is multi-tenant today.  You have gaping holes opened so business partners can come in and help you make money, employees coming in from ‘dirty’ networks like their house, the airport, Starbucks, etc., vendors that service your applications and systems come in (physically and virtually), and who knows what else goes on.

How well do you control, isolate and manage each one of those additional tenants?  Do you think it is 1/2 as good as what any of the top public cloud providers are doing?

Follow Scott on twitter for more ramblings: @scottsanchez

 

IaaS is the Snuggie of the Cloud

What enterprises WANT, and their first choice when thinking about the benefits of cloud, is PaaS and SaaS.  Just like what you WANT to be warm in front of the TV is a crackling fire and a thick down blanket.  Since nobody has the time to make and tend a fire, and a blanket requires you to lose access to those things you call hands, we buy a snuggie.  And they’ve sold millions of snuggies not because it’s a sexy first choice, but because it works, it’s cheap, easy, etc.  Same as SaaS/PaaS (the warm, crackling fire and thick cozy blanket) vs IaaS (the snuggie).

[Let’s exclude the people doing Hadoop, Monte Carlo simulations, and people that really need a grid but are using the cloud from this thought.]  When enterprises pick PaaS/SaaS to migrate existing business functionality or apps to the cloud, it usually comes with considerable cost and time to migrate their legacy spaghetti to get there.  Since they don’t have the time, budget or business commitment for a project like that, they start with IaaS, but it wasn’t their first pick.  They don’t want to start with IaaS, because that’s really exactly what they have now: a bunch of VMs, but now in exchange for better scale/agility/price they get higher latency and more security threats to worry about.

Bottom line: although it is not the first choice, IaaS has an obviously huge market in the enterprise because there are countless servers sitting in datacenters that are prime candidates to move out to IaaS clouds, and countless more that will be needed in the coming years.  As it becomes easier to take the mess of apps and business functionality in your enterprise and move them to PaaS and SaaS replacements (my guess: 2013), enterprise IaaS demand for migration projects will take a big hit.

Follow Scott on twitter for more ramblings: @scottsanchez

 

Top Threat For Cloud Computing: Security Cluelessness

In a previous post I discussed my opinion on why SaaS is the most secure option right now, better than PaaS and IaaS.  The short version is that security is forced on you at all layers, and super smart security people are responsible for that security, so the security you get with SaaS is “best” right now.

So why is cluelessness the biggest threat for cloud?  Because the tens of thousands of IT workers who bear some kind of security responsibility inside of IT shops around the world are now fiddling with cloud computing.  If not already, then “soon”, many of these orgs will start asking those IT workers to move data, applications and systems out to the cloud.  Bottom line is that these people are clueless about what it takes to secure IaaS or PaaS environments.  Sure, you can do a lot of reading and follow excellent guidance like what the CSA put out… but best case is that you do a decent job.  Most likely you do a less than decent job, and that is the problem.

That problem for your organization is really a much larger problem for the cloud industry.  The media jumps any time there is even a tiny problem or issue that involves cloud computing right now, and the C-level folks that are writing checks for cloud migration projects jump even higher.

My advice?  If you don’t feel good about your cloud security “skillz”, stick with SaaS or hire someone that knows what they are doing to help you.  There is too much benefit from cloud to let a few bad headlines slow us down.  Don’t be a statistic, mannnnn…..  :)

Follow Scott Sanchez on twitter for more ramblings: @scottsanchez

 

This came off the top of my head recently when trying to convince a large enterprise that they should at least fiddle around with cloud, and although this is like cloud 101 for most people, I thought it was worth sharing.  This post was almost called “Getting Started With Cloud”, but that was too cheesy. So what would be an easy first cloud project for an enterprise (or any kind and size of organization, really) ?

Image hosting, of course.  Take the static images from an internal (intranet) website and copy them up to the cloud provider of your choice… S3, EC2 with a web server, Rackspace Cloud, ScaleUp, it doesn’t really matter for this test.

Redirect the web browsers looking for those images to the new location… on many web servers, you can use a .htaccess file with mod_rewrite to do something like this:

    RewriteRule ^images/(.*)$ http://cloudproviderurl.com/mystuff/images/$1 [L]

This tells the server to give the browser an alternate address (a redirect) for each of the images requested from the page or site, and the browser will magically (and transparently to the user) go fetch the image from the big bad cloud.  The harder way would be to change your HTML, CSS or code to point to a new /images/ location…
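A complete .htaccess for that experiment, as an added example that is not from the original post: it enables the rewrite engine (required in a .htaccess file), limits the redirect to plain GET requests for image files, and makes the external redirect explicit. The hostname and path are placeholders, and because the browser fetches directly from the cloud URL, the copied images must be ones you are comfortable making reachable from the internet.

```apache
# Added example (not the original post's config): place in the intranet
# site's document root. Hostname and path below are placeholders.
RewriteEngine On

# Only redirect plain GET requests for image files under /images/;
# everything else keeps being served locally.
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{REQUEST_URI} \.(png|jpe?g|gif)$ [NC]

# Send the browser to the copy hosted at the cloud provider. An absolute
# URL on another host already makes mod_rewrite issue an external
# redirect; R=302 states that explicitly (switch to R=301 once the move
# is permanent and caches should remember it).
RewriteRule ^images/(.*)$ http://cloudproviderurl.com/mystuff/images/$1 [R=302,L]
```

After deploying, request one image URL from the intranet site and confirm the response is a 302 whose Location header points at the cloud copy.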

In picture form, that flow looks something like this:

    [Figure: first cloud project]
 


Clients frequently like to ask me the “which one is more secure” question about Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).  My answer usually starts with something like “Well, let’s define ‘secure’ for the purpose of your question” and goes into some high level points about how a cloud computing environment could be considered secure if it:

  • Meets your internal policies and/or external regulations across the many domains of security [CISSP domains or Cloud Security Alliance domains are good examples]
  • Has enough transparency and control points to feel confident that you are compliant with those policies and regulations (aka point in time and real-time auditability)
  • Gives you the ability to know when something goes wrong (from simply being out of policy up through an actual data breach)
  • Has the 500 other things that you could add to this list…

Until recently my opinion has been that IaaS gives you more ability to fiddle with and tweak the system, and as such it is more secure as per the above criteria.  As a user of IaaS and PaaS services, I spend a lot of time making sure that my resources are ‘secure’ before doing anything with them, and perhaps naively assumed that was the norm.

I say until recently because the more I talk to people working on IaaS and PaaS the more I hear them say the phrase “we leave that up to the customer”, and that made a light go off in my head.

The general (enterprise IT) public has at least a few smart security people with a good idea of what it takes to secure things inside their datacenters today; unfortunately they don’t always have the time, budget or business support to actually get the job done.  When it comes to cloud computing, there are really very few people with a clue right now of how all the pieces come together, what the real threats are, and how you can tie things up to be “secure” (see above definition if you’ve been skimming).

So the end result is that very few IaaS or PaaS customers go much further than installing an image, adding some simple firewall rules and hopefully setting a strong password.  They think the provider is keeping them secure, and the provider thinks the customer is responsible.  This is obviously less than ideal.  The end result is that SaaS, where all you need to do is log in and everything is taken care of for you, gives you an environment that is more secure.  Of course, every SaaS, PaaS and IaaS provider is different; this is an opinion about the concepts, not a particular implementation.

Scott’s Top 5 Reasons SaaS is more Secure than PaaS or IaaS (sorry for the corny quotes)

5.  Born to be wild – SaaS apps and platforms were designed to be exposed, shared and used over dirty networks.  Every i has been dotted and t has been crossed.

4. I’m sorry, Dave. I’m afraid I can’t do that. – One of the great things about IaaS is that you can make it do virtually anything you want, even if it exposes all of your data.  Not on SaaS!

3. Another Brick in the Wall – The thicker the SaaS wall is, the less of the infrastructure can be accessed.  Security by obscurity, isn’t – but security by unavailability, is.

2. I am Iron Man – Having super smart security nerds focused on every layer of the solution in SaaS environments is very different from the collection of random components that you jumble together to get your enterprise apps running on an IaaS platform.

1. Leave the driving to us – The bottom line is that SaaS providers force you to use a secured, well thought out implementation of a shared software platform.  The lack of control, which is what bothers most security people, is what actually makes SaaS more secure.  The analogy that flying is safer than driving, yet freaks many more people out, really holds true here.  Could you bring your car to a safe stop after blowing a tire on the highway while being distracted by a cell phone, crying baby, the radio, etc?  Capt. Sully landed a jet on the Hudson River!  There’s something to be said about people with the right focus and experience working every button and lever for you, and it is something to keep in mind as you plan out how and where you will take advantage of cloud computing.

Follow Scott’s ramblings on twitter: @scottsanchez

 

VMForce – Smells Like Cloud Spirit

I posted an off-the-cuff comment on Twitter earlier that VMforce was attractive to enterprise Java shops because it smelled like “easy” cloud. Shortly thereafter, Pandora was nice enough to play Nirvana’s Smells Like Teen Spirit, and a blog post was born.

The more I considered my response, the more I really liked the VMforce approach.  At first glance it was “eh, another place to host apps in the cloud”, but I think the real story here is how it will be perceived by people with real IT budgets (enterprises).  They will, without a doubt, see VMforce as a trusted (look at the two brands involved), “drag and drop” (regardless of the realities of implementation) way to take their legacy Java apps and get them to the cloud.

This is a huge step in the right direction for enterprise cloud adoption – the fact that IT leaders will see VMforce as a viable “easy” option to move to cloud means that 2011 could start to see real enterprise adoption of public cloud.

Follow @scottsanchez on twitter.

 

10 Observations from CloudExpo NYC

This week I attended the cloud computing expo in New York City.  It was pretty well attended and I gave my “how cloud computing improves security” talk on both Tuesday and Wednesday to a total audience of probably 150 people.  Here is a top ten list of observations made and things that I learned during the conference, in no particular order.  Disclaimer: This is my personal opinion, as is everything on this blog and on my twitter, and does not necessarily reflect the opinion or position of anyone else, especially that of my employer.

1) There were far more “customers” at this show than there were in November in Santa Clara.  While I do attribute some of that to location, it is a good sign for the future of enterprise cloud adoption.

2) In general, attendees have moved from being there to learn what cloud is to learning how they can use it in their business.  Again, a good sign.

3) There was still a VERY high percentage of vendors at this show – my guess from talking to people at the booth and asking questions during my talks is 80% ISVs/integrators/software/IT services companies/providers/etc.  A suggestion for the conference organizers for upcoming shows would be to give real “customers” a different colored badge lanyard so we can quickly determine who is who.  Sometimes you want to talk to only vendors, sometimes you want to talk to enterprise-type customers – help us figure out who is who.

4) “Cloud Security” is still an oxymoron.  No big surprise here.  Customers know they want it, vendors and software companies say they have it, and few are getting or delivering anything close.  I pointed so many people to the Cloud Security Alliance and CloudAudit projects that I’m actually tired of talking about them.  There were a number of booths that said something like “We are the cloud security experts” – and from talking to them, there wasn’t a single person at the booth that could tell me why they were ‘experts’.

5) If you’re going to have a conference about cloud computing, you’d better have GREAT wifi connectivity in the breakout and general session rooms as well as on the expo floor.  The wifi covered about 5 booths on the expo floor and none of the session rooms.  And when you could find that magic spot to stand to get a signal, you got 2400 baud modem speed to the net. #fail

6) There was way, way, way too much vendor pitchiness in the sessions.  I heard this from people over and over, the same way I heard it in Santa Clara last year.  I spent no more than 60 seconds in my 45 minute presentation saying anything about my company – unfortunately, most of the other sessions were flipped the other way.  See #8.

7) There were no real ‘announcements’ or newsworthy talking points at the event other than the crazy Microsoft cloud in a box that was forklifted in 1 hour before the floor opened on day 1.  I’d love to see a little more of the type of news and coverage that comes out of events like Black Hat or RSA where interesting things are said.  Hard to do that when the speakers are all from the sponsors, which leads me to #8.

8) What people say in their sessions is what they say at their booths (see #6).  I suggest opening at least 25% of the speaker slots to the public via a traditional call for papers, and letting people vote on which sessions to approve.  This will help ensure that attendees want to come back to a future event because they left feeling like they learned something.

9) There was a noticeable absence of big media and analyst coverage.  I wish SYS-CON would make nice with the blogger community already, because really both sides have a lot to gain by being friends.  The more time I spend with Jeremy and Fuat the more I like them, and I hope they do the right (and necessary) thing.

10) There are a growing number of super smart, very cool people in the cloud industry right now and I’m glad to have met and spent some time with even more of them.  I finally got a chance to really learn how 3Tera works (and it is way better/different than I originally thought – more to come in a future blog post), saw my friends at Adaptivity blueprinting their way to success in cloud and data center transformations, watched Zenoss help customers make sense of spaghetti infrastructure, saw RightScale crush it (as usual) for deploying and managing AWS instances, and spent way too much time eating and drinking with my new and old cloudy friends.  Thanks for a great week!

Follow the author on twitter: @scottsanchez.
