Cloud security: Try these techniques now

For Logiq³ Inc., the decision to go with a cloud-based provider of IT infrastructure as a service (IaaS) was a matter of cost and flexibility. A start-up that began operations in 2006, the Toronto-based life reinsurance management firm could not afford to build and staff a data center from scratch, according to David Westgate, Logiq³'s vice president of technology. So Logiq³ instead chose cloud computing and managed IT services provider BlueLock LLC to handle its data needs in the cloud.

BlueLock's virtualized environment allowed data and volumes to move between systems in a dynamic, low-cost way that would be impossible with a traditional, hosted environment, Westgate says. There were, however, security concerns to be addressed before Logiq³ would entrust its critical systems to BlueLock's cloud. The life reinsurance company handles death records, which include personal information like social security numbers, as well as financial data and information about major assets that its large financial customers have on their books. Although Logiq³ isn't regulated by the U.S. government's Sarbanes-Oxley Act, its customers in the financial sector are, "so they'll be auditing us," says Westgate. As a result, Logiq³ needed potential cloud vendors to demonstrate that they were in compliance with applicable regulations and could provide high levels of security. Logiq³ is far from alone.

While security and compliance issues crop up in any Web-based outsourcing arrangement, businesses are justifiably concerned about putting everything in a virtualized cloud. It's a comparatively new service area where risks are unknown - "which in itself is a risk," says Jay Heiser, an analyst at Gartner Inc. "If I can't figure out how risky something is, I have to assume it isn't secure." So far, there have been few instances of a successful, large-scale data breach on a public cloud.

5 tips for effective cloud security

* Find out as much as you can about a software-as-a-service provider's security measures and infrastructure. If you are going with an infrastructure-as-a-service provider, ask what tools it can provide you to protect your virtual environment.
* Encrypt data at rest and in transit; otherwise, don't put sensitive information in the cloud.
* Divvy up responsibilities between your administrators and the service provider's administrators, so no one has free access across all security layers.
* Check whether a vendor is certified to ISO 27001 and can produce a SAS 70 Type 2 audit report. If you are an international company, check for U.S.-EU Safe Harbor certification as well.
* Go with a high-end service provider with an established security record. "You get what you pay for," says Gartner analyst Jay Heiser.

The extent to which hackers can take advantage of unique cloud vulnerabilities is being hotly debated at Web sites like LinkedIn.com's Cloud Computing Alliance. Just recently, however, someone managed to set up the Zeus password-stealing botnet inside Amazon.com Inc.'s EC2 cloud computing infrastructure by first hacking into a Web site that was hosted on Amazon servers. Cloud vendors are, in some instances, playing catch-up on the security front, and IT managers are trying to figure out just exactly what the risks are and how to counter them. It is, in other words, early days yet in the cloud computing industry.

Divvy up responsibility

A crucial first step is for cloud-based service providers and their potential clients to sit down and determine who has responsibility for securing and protecting what components of the IT infrastructure, which often spans both companies' systems. How much responsibility lies with the cloud-based service provider largely depends on the type of service. With an IaaS setup, for example, the customer is usually responsible for protecting everything above the middleware and APIs, including the applications and operating system, says Todd Thiemann, senior director of security vendor Trend Micro Inc.'s Data Protection group. The terms of service for Amazon's IaaS offering, for example, state that the customer is responsible for protecting the data it puts into the public cloud, he adds. In contrast to IaaS arrangements, a software-as-a-service provider is usually responsible for protecting whatever customer applications and data reside on its cloud.

Sometimes, particularly with an IaaS provider, the division of labor is negotiable. For example, at Logiq³, Westgate decided to let BlueLock handle patching and configuration management because he was familiar with the software BlueLock was using, a tool from Shavlik Technologies LLC. The division of labor between Logiq³ and BlueLock actually strengthened security, because "no one person, or company, has all the keys to the kingdom," says Westgate. Because BlueLock manages the firewall, for example, "none of my admins can go in and decide to sell or move the data," he notes. "And BlueLock admins can't do it either, because they don't control the systems."

IBM's LotusLive SaaS offering, for example, which was launched in January 2009, utilizes "the same standards, security, compliance and governance we use to run major business systems for some very large and important companies," says Sean Poulley, IBM's vice president of online collaboration services. LotusLive data centers are protected by environmental and biometric controls, including closed-circuit TV, and access control is handled by IBM's enterprise-scale Tivoli software. That setup often works well for budget-challenged businesses, because it gives them access to advanced security technologies and resources that they might not be able to afford in-house.

However, many cloud-based service providers - and SaaS providers in particular - feel that their security practices and technologies give them a competitive advantage, so they don't like to reveal details about how they approach security. This means companies have to take the vendor's word that its systems are indeed secure and compliant. "Vendors have done little to accommodate security risk evaluation," says Gartner's Heiser. "They may have incredibly secure and robust systems, but there's no sensible way to ensure this." Security accreditation standards such as ISO 27001 and SAS 70 Type 2 provide some assurance, he adds, noting that "27001 is more relevant to cloud security issues, but weak when applied to new forms of technology."

Playing nicely with the cloud

Many SaaS vendors are understandably reluctant to have a customer insert third-party security products into their proprietary platforms, even if it's just an agent that would permit a customer's security system to interact with theirs. For example, Pfizer Inc. had outsourced some security services to D3 Security Management Systems Inc. and was interested in using Oracle Corp.'s Access Manager in D3's incident management applications. But D3 expressed concerns about installing Oracle agents on its systems, says Kurt Anderson, the pharmaceutical company's manager of global operations business technology. Anderson solved the problem by using Symplified Inc.'s SinglePoint Cloud Access Manager, which does not use an agent, but rather interacts with D3's published APIs, he says.

Since IaaS customers control the virtualized slice of a vendor's infrastructure that they rent, they can install security software and controls on it. One such product is Trend Micro's Deep Security 7. Once its agent is installed in a private or public cloud infrastructure, it can perform deep packet inspection, monitor event logs and monitor system activity such as file changes for unauthorized activities, Thiemann says. However, only a few vendors provide products that can protect both private and public cloud-based environments.

Shavlik, a cloud-based vendor that provides systems management for private cloud installations, tackles public cloud security from a different angle. It licenses its patch and configuration management and compliance-monitoring software to cloud-based service providers - including its own IaaS provider, says Mark Shavlik, the company's CEO. Cloud-based service providers are catching on to the fact that using an established commercial security product can attract customers. For Logiq³'s Westgate, BlueLock's use of Shavlik's software was a definite selling point. "I am very familiar with Shavlik: I've been using it for patch and configuration management for years," he says.

Access control in the cloud

The dynamic, flexible resource provisioning that makes virtualization and cloud services so attractive to cost-challenged IT executives also makes it difficult to track where data is located at any given time, and who is accessing it. This is true in private clouds, and even more so in public cloud-based systems, where access control has to be correlated between the customer and the service provider - and often several service providers. Symplified and Ping Identity Corp. are two vendors that currently provide single sign-on (SSO) systems for both internal and SaaS cloud-based applications, using federated identity technology that coordinates user identity and access management across multiple systems. Pfizer uses Symplified's SinglePoint Cloud Access Manager to provide SSO functionality across different SaaS providers and applications. When the end user moves between an Oracle- and a Symplified-managed domain, for example, he still has to log on again but he can use the same set of credentials, Anderson says. However, Anderson feels that it's up to the SaaS vendors to adopt a more holistic and standardized form of access management, so the customer would no longer have to bear that burden.

Another access management concern when dealing with a cloud-based service - or any outsourced service for that matter - is how to ensure that the service provider's system administrators don't abuse their access privileges. IaaS providers, in contrast to SaaS providers, will often allow a customer to install event log monitoring software on their virtualized portion of the infrastructure.
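The alert Westgate describes for Logiq³ (a provider administrator logging on without an assigned job) is the kind of check a customer can run itself on logs collected from its own virtual machines. Below is an added example of that correlation in Python; it is not code from the article, from Sentry Metrics or from BlueLock. The log line format, the account names (bluelock-ops1, bluelock-ops2), the ticket records and the sample log lines are all constructed for the example.

```python
"""Flag provider-side administrator logons that no approved work ticket covers.

Added example, not code from the article or from any vendor it names.  The log
format, ticket layout and account names below are assumptions made for the demo.
"""
import re
from datetime import datetime

# Constructed sample log lines (not real data), one successful or failed SSH
# logon per line: "<ISO-8601 UTC timestamp> <host> sshd: Accepted|Failed ... for <user> from <ip>"
SAMPLE_LOG = """\
2009-11-12T09:02:11Z db01 sshd: Accepted publickey for bluelock-ops1 from 10.0.0.5
2009-11-12T10:40:57Z db01 sshd: Accepted publickey for bluelock-ops1 from 10.0.0.5
2009-11-12T23:17:03Z app02 sshd: Accepted publickey for bluelock-ops2 from 10.0.0.9
2009-11-13T02:05:44Z db01 sshd: Accepted password for jsmith from 192.168.4.20
2009-11-13T02:06:10Z db01 sshd: Failed password for bluelock-ops2 from 10.0.0.9
"""

# Accounts that belong to the provider's administrators (assumed naming scheme).
PROVIDER_ADMINS = {"bluelock-ops1", "bluelock-ops2"}

# Approved work tickets (constructed): which provider admin may log on, to which
# hosts, and during which window.  A logon outside every ticket is an anomaly.
TICKETS = [
    {"id": "CHG-1042", "user": "bluelock-ops1", "hosts": {"db01"},
     "start": "2009-11-12T09:00:00Z", "end": "2009-11-12T10:00:00Z"},
    {"id": "CHG-1043", "user": "bluelock-ops2", "hosts": {"app01"},
     "start": "2009-11-12T22:00:00Z", "end": "2009-11-13T00:00:00Z"},
]

# Only successful logons matter here; failed attempts are a separate alert class.
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_ts(value):
    """Parse the timestamp format used in the sample lines (UTC, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_logons(text):
    """Return each successful logon as a dict; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if m:
            events.append({"ts": parse_ts(m["ts"]), "host": m["host"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def covering_ticket(event, tickets):
    """Return the id of the first ticket that authorises this logon, else None.

    A ticket covers a logon only if user, host and time window all match; a
    valid window on the wrong host is still unauthorised.
    """
    for t in tickets:
        if (t["user"] == event["user"] and event["host"] in t["hosts"]
                and parse_ts(t["start"]) <= event["ts"] <= parse_ts(t["end"])):
            return t["id"]
    return None


def unauthorized_provider_logons(text, tickets, provider_admins):
    """Provider-admin logons with no covering ticket; customer accounts are ignored."""
    return [ev for ev in parse_logons(text)
            if ev["user"] in provider_admins and covering_ticket(ev, tickets) is None]


if __name__ == "__main__":
    for ev in unauthorized_provider_logons(SAMPLE_LOG, TICKETS, PROVIDER_ADMINS):
        print(f"ALERT {ev['ts']:%Y-%m-%d %H:%M}Z {ev['user']} on {ev['host']} "
              f"from {ev['ip']}: no approved ticket")
```

Run as-is it reports two of the four successful logons: the second bluelock-ops1 logon falls after its ticket window closed, and the bluelock-ops2 logon is inside its window but on a host the ticket does not list. The customer's own jsmith logon is out of scope for this rule. For the check to mean anything in practice, the logs have to be shipped off the guest to a store the provider's administrators cannot write to; a provider admin who controls the host can otherwise erase the very line that would trigger the alert.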

SaaS customers, again, don't have a lot of control or oversight of how the service provider addresses that issue. An IaaS customer can do more: Logiq³, for instance, uses Sentry Metrics Inc.'s security event management service, which monitors event logs, does trend analysis and reports on anomalies. The Sentry Metrics system could, for example, alert Logiq³ when a BlueLock administrator logs on without being given a specific job to do, Westgate says. Customer control and monitoring of a carrier's cloud can only go so far, however, no matter what the type of service.

Checking bona fides

So how do you ensure that sensitive data is adequately secured and protected? Due diligence is critical, Anderson says.

Service level agreements with monetary penalties don't cut it, says Pfizer's Anderson, especially for a Fortune 50 company, since "the small amount they get back is a pittance" compared to the cost of a major security breach. Pfizer relies on SAS 70 Type 2 audits, in which an independent third party examines the service provider's internal and data security controls; a Type 2 report covers whether the controls actually operated over a review period, not just how they were designed. Another standard by which to evaluate a service provider is ISO 27001, which specifies the requirements for an information security management system and can be certified by an accredited auditor. Anderson also verifies the vendor's level of Safe Harbor compliance and checks Dun & Bradstreet research to make sure it's legitimate, he adds. While such standards provide a useful starting point, their criteria tend to be generic, says Gartner's Heiser. Companies still need to match a service provider's specific controls to their specific requirements, he adds.

For example, after checking out BlueLock's SAS 70 Type 2 report, Logiq³'s IT staff did a further evaluation to "make sure the controls we require are supported by the controls they have in place," Westgate says. His team then followed up on discrepancies, identifying missing controls and working with the vendor on solutions. The company plans to repeat the process at least once a year, he says.

Cautioning users doesn't work

Many companies that want the cost benefits of cloud-based services but still have security concerns tell their end users not to put sensitive data on the cloud. But this is generally an exercise in futility, according to Heiser. "The problem is that users often don't know what's sensitive, and probably won't follow the rules anyway," he says. "You can assume that any application or data service end users can pump with data will get sensitive data eventually." Pfizer is in the process of establishing a SaaS center of excellence to educate users about the correct way to deal with SaaS activities, Anderson says. In addition, his group is establishing best practices for procurement of SaaS services. Among other things, those best practices forbid applications that involve competitive or personally identifiable information from being included in a SaaS setup.

Basic security tasks such as access control and rights management become even more complicated when, as often happens, a SaaS provider outsources its infrastructure or development platform to another cloud-based service provider - adding yet another party to the equation. Take the case of Cloud Compliance Inc., which provides access-control monitoring services for private cloud environments. The company entrusted its infrastructure to Amazon because it's the most proven service provider, according to founder Robbie Forkish. However, he acknowledges that the arrangement introduces potential security problems. "There are certain areas where we, as a consumer of their services, need to fill in security capabilities they lack" in order to meet Cloud Compliance's internal security requirements and to reassure its customers. For example, Cloud Compliance encrypts data in transit and gives customers the option of either encrypting data at rest - on Cloud Compliance's Amazon-hosted servers - or not putting any data in the cloud. The latter option involves a performance hit, since customers have to re-upload data into the cloud every time an application is run, but some customers accept that trade-off in return for a higher level of security, Forkish notes.

Cloud Compliance's external customers do ask about Amazon's security, Forkish says. Cloud Compliance will either address their concerns or, if it can't, pass them on to Amazon. "In some cases, we don't get a response, and we figure this is a real issue, but they're working on it," Forkish says. The concerns they raise change from month to month, depending on what vulnerabilities the press has been writing about, he adds. But the recent Zeus botnet incident on Amazon, he says, "as far as we can tell, was not a threat over and above what we would expect for an Internet service, cloud-based or not."

IBM adding data centers, cloud computing lab in Asia

IBM opened a new data center in South Korea on Thursday and said it is building another one in Auckland, New Zealand, to address a surge in demand for cloud computing and IT services in the Asia-Pacific region. The company also announced the opening of a cloud computing lab in Hong Kong. The total investment by IBM in these three facilities is about US$100 million, said James M. Larkin, a spokesman for IBM Global Services.

The company, which already has over 400 data centers worldwide, will continue to invest in new data centers that offer cloud computing capabilities, while upgrading existing data centers to support cloud computing, Larkin said. IBM is planning to announce by February next year a new data center in Raleigh, North Carolina, he added. The data center at Auckland will be in operation by 2010, with IBM investing about US$57 million in that center over the next ten years. IBM will locate the data center at Highbrook Business Park in East Tamaki. The 56,000 square-foot facility will include a 16,000 square-foot data center, IBM said. The company can add more stages to expand the data center as demand rises, it added.

The center will support IBM's clients in New Zealand and neighboring countries in the Asia-Pacific region, Larkin said. The center was built using green technology, according to the company. The data center in Seoul will provide IT services including strategic outsourcing, e-business hosting and disaster recovery to more than 20 clients which have entered into outsourcing agreements with the company, IBM said. The Cloud Computing Laboratory in Hong Kong is a development and services center, focusing on LotusLive messaging development, testing, technical support and services delivery, IBM said. LotusLive is IBM's collection of integrated, online collaboration solutions and social networking services for businesses. The lab, which is IBM's tenth cloud computing lab worldwide, builds on the email technology and expertise of Outblaze, a company in Hong Kong, whose messaging assets were acquired by IBM earlier this year and included in the Lotus brand of collaboration services.

The lab is part of the IBM China Development Laboratory which has over 5,000 developers.

Profile of an IT forensics professional

A snapshot look at the IT forensics profession from the perspective of Rob Lee, an IT forensics expert at Mandiant. He is a graduate of the U.S. Air Force Academy and a founding member of the USAF's Information Warfare Squadron, the first U.S. military operational unit focused on information operations.

Name: Rob Lee
Title: Director and IT forensics expert at Mandiant, a Washington-based information security software and services firm
Related work: Curriculum lead for digital forensics training at the SANS Institute
30-second résumé: Before joining Mandiant, Lee served as the technical lead for a vulnerability discovery and exploit development team that worked for a variety of law enforcement, government and intelligence agencies.
Skills boost: To stay current, Lee does hands-on work in the field and is an avid reader of and contributor to information security journals and blogs.

A passion to learn and to continue learning - rather than a formal computer science degree or security certification - is the top requirement for an IT forensics expert, says Lee, who also teaches SANS certification classes. "If you're just beginning, classes are the way to go," he advises. "After that, you can continue to learn online. The best thing you can do once you attain a certain level [of expertise] is give of yourself back to the community. Always do research and publish it." He also recommends specializing in a particular area of computer forensics. "If you're choosing forensics, be a specialist in firewalls or hacking or mobile devices," Lee says. "Mobile devices alone are extremely complex and constantly changing. Choose something you don't think anyone else has [expertise in] and research that."

Wall St.: HP-3Com union a real Cisco threat

Financial analysts see HP's pending purchase of 3Com as a threat to Cisco because it means 3Com Ethernet switches that are inexpensive and very popular in China will have better access to U.S. businesses via well-established HP sales channels. "We see HP's acquisition as primarily a response to Cisco's converged network/CPU strategy," writes Catharine Trebnick, an analyst with Avian Securities. "With Cisco owning the bulk of the enterprise Ethernet market, they have the most to lose if HP is successful in integrating the 3Com portfolio." Trebnick says HP's 3Com acquisition is filling a gap in its high-end networking to better compete with Cisco, and that 3Com's success in China will be a boon to HP. "Our conversations indicate that HP is well on its way to successfully maintaining [3Com's] China presence," she writes in a memo reacting to news of the deal. Trebnick is also optimistic that HP can use its established sales channels to expand 3Com's market share in North America, where "success has been limited."

"This acquisition has negative implications for every other provider of networking equipment," Trebnick says, spelling out some specifics, with Cisco being the main target with the most to lose by the new HP. The deal is bad news for Brocade, she says, because HP sells Brocade storage gear under the name StorageWorks and might have hoped to make inroads with its Ethernet gear as well. But she writes that 3Com has been doing R&D on fibre channel over Ethernet, "raising the possibility that HP may build that functionality organically." Juniper is not affected as directly, she says, but if HP becomes stronger with corporate customers, it could blunt Juniper's momentum in enterprise sales. She says it seems logical that if HP wants to compete with Cisco on all fronts, it needs to make more purchases, possibly Avaya for unified communications and Polycom for telepresence and videoconferencing gear.

Ittai Kidron and Joseph Park of Oppenheimer write that it is now unlikely that HP will try to buy Brocade, and also call into doubt possible OEM relationships with Brocade and Juniper for data center switching and fibre channel over Ethernet products, because HP will probably try to develop this equipment in-house. Near-term, though, the deal could be good for Cisco as well as Juniper and Brocade because integrating 3Com into HP will be disruptive, Kidron and Park write.

Nikos Theodosopoulos and Jack Monti of UBS Warburg write that Cisco faces a long-term threat from the beefed-up HP because it could come at Cisco with aggressive pricing. 3Com's plan has been to sell its low-cost H-3C gear that is popular in China in countries around the world, they say. Still, if HP wants to offer a complete array of network offerings it will have to make other purchases, strike OEM deals or develop its own technology, Theodosopoulos and Monti write in their bulletin about the deal. Analysts were impressed with 3Com's success in China, with Trebnick noting the Chinese government and corporate customers represent 30% of 3Com revenue, and Theodosopoulos and Monti noting its claim to 300 of the top 500 enterprises in China and a low-cost R&D center in that country.

In general, the purchase reduces the probability of other large networking mergers and acquisitions in the near term, they write, and that is likely to put pressure on the price of stocks of other companies they think might be acquisition targets, naming Brocade and F5. They also think that IBM is unlikely to buy networking vendors in the near term because it has OEM deals in the works with Juniper and Brocade that aren't fully up and running yet.

Analysis: Real ID program on life support

A decision by lawmakers to slash funding for the unpopular Real ID national driver's license program has put an already struggling program on life support. Earlier this week, the U.S. Senate approved a $43 billion budget for the U.S. Department of Homeland Security (DHS) for fiscal year 2010, which began Oct. 1. The measure included substantial increases in DHS spending in several key technology areas, but slashed Real ID funding by 40%, from $100 million to $60 million in 2010. That reduction all but ensures that Real ID is going nowhere, said Jim Harper, director of information policy studies at the Cato Institute. But continuing hesitation by Congress to kill the program entirely highlights the somewhat touchy political nature of the program, he said. "A straightforward repeal of Real ID is too much for our Congress to handle at this point," Harper said. "There isn't any love for Real ID in Capitol Hill. Most in the Senate and the House don't want it." At the same time, many lawmakers are reluctant to openly reject it for fear of being seen as being too soft on national security issues, he said.

The Real ID Act was approved by Congress and signed into law by President Bush in 2005 as part of the government's effort to combat terrorism. The law requires states to follow a single national standard for identifying and authenticating people who apply for a driver's license. It spells out specific technical and process requirements, including the use of biometric identifiers, for issuing licenses. But the law has evoked widespread criticism from privacy advocates and civil rights groups who say it would create a de facto national identity card system that would be hard to manage and even harder to secure. Several have expressed particular concern over a Real ID requirement that all state driver's license databases be linked via a central hub for easier information sharing.

States, too, have railed against Real ID, largely because it requires them to pay for the program themselves. Many see it as an attempt by the federal government to force costly and unwanted ID standards on them. A majority of states have formally expressed their refusal to participate in the program, including Arkansas, Idaho, Maine, Montana, New Hampshire, Washington and South Carolina. Even the DHS itself, which is responsible for implementing the Act, has expressed reservations about Real ID security, privacy and logistics. DHS Secretary Janet Napolitano, in fact, was one of the first to reject Real ID when she was the governor of Arizona - a fact that many have said makes it especially hard for her to now try and push it on other states. The DHS has also pushed back implementation schedules on numerous occasions in what is seen by some as an attempt to push the issue down the road until someone kills it.

In a bid to make the idea of a national identity standard more palatable to states, several U.S. senators earlier this year introduced a bill proposing some revisions to Real ID. That "Providing for Additional Security in States' Identification Act of 2009," or Pass ID Act, has the same goal as Real ID, minus some of its more controversial provisions. Pam Dixon, executive director of the World Privacy Forum, said that the proposed budget cuts make it impossible for Real ID to move forward in its present incarnation. "Congress is looking at this realistically and saying that states simply do not have the money to implement Real ID," she said. "For all intents and purposes, Real ID has been put on the back-burner. But it isn't dead, yet."

Rogue Amoeba quits iPhone development

Stories about App Store submission woes have become standard fare in the tech media of late, which has understandably led to some readers groaning "not another App Store sob story" whenever they come across one. But, as Dan Moren so ably put it, iPhone developers are entitled "to a little respect," and constantly being on Apple's case with regard to the App Store approval process is the only way to get them to do something substantial about it. Adding its name to a rapidly growing list of disgruntled iPhone developers is Rogue Amoeba, makers of fine audio utilities for the Mac, such as Airfoil, Audio Hijack Pro, and Fission. The company has also entered the iPhone app market with Radioshift Touch and Airfoil Speakers Touch.

Having shipped version 1.0.0 of Airfoil for the iPhone earlier this year, the folks at Rogue Amoeba quickly went to work on a 1.0.1 update to fix some bugs relating to audio sync when outputting to multiple sources. Having submitted the updated version in July, they'd expected the app to be available on the store within a week or two, given that it was almost identical to the version already in the store, with merely minor bug fixes. If you've read this far, you already know what's coming next: after being rejected three times, Airfoil Speakers Touch 1.0.1 was made available on the App Store on Friday, after floating in App Store submission limbo for three-and-a-half months. I recommend checking out this post on the Rogue Amoeba Website by CEO Paul Kafasis to read about the events in detail, but here's the gist: Apple rejected the update on grounds of trademark infringement because the application displayed a picture of the Mac streaming the audio and an icon of the application whose audio is being streamed. This, despite the fact that the first version of Airfoil for the iPhone, which was approved by Apple, had the exact same feature and that the feature uses Mac OS X code provided by Apple expressly for this purpose. As Kafasis notes in his missive, it's no worse than Apple displaying third-party app icons in the Dock and Finder.

After having unsuccessfully re-submitted an unchanged binary to Apple for reconsideration, they took the only available recourse and removed the feature from the app, in accordance with Apple's demands. Instead, there's a graphic that you can tap on to visit a Web page about why the icons are missing. That page also suggests that you consider donating to the Electronic Frontier Foundation (EFF), an organization that lobbies for Internet freedom. Perhaps the most important part of Kafasis's post comes at the end, where he states that Rogue Amoeba will be scrapping any plans to develop new iPhone applications for the foreseeable future and that updates to existing applications will also be few and far between. And, just like that, yet another passionate Mac developer walks out of the App Store, frustrated by its inane and inconsistent policies and their heavy-handed implementation. It's been more than a year since the App Store opened its doors; there are currently more than 100,000 applications that have cumulatively been downloaded more than two billion times. The argument that Apple is still new to this just doesn't fly anymore.

It's hard to believe that the company that produced the Mac, Mac OS X, the iPod, iPhone, Apple Online Store, and the iTunes Store is incapable of making the App Store work the way it should. Apple's attempts to fix the App Store in the past year have been lukewarm at best.

2009 geek gift guide: Toys and books for techies

Finding the perfect gift for techies is no easy matter. After all, by definition, geeks are steeped in the latest and greatest of tech gadgets, and it's just as difficult to find a tech-based subject they don't already think they know everything about. To help you find the perfect gift for the techie in your life - or to steer a loved one toward something you'd really like - InfoWorld.com has looked beyond the obvious to uncover 10 seriously cool new gadgets and 24 must-read tech books that will appeal to the geek in all of us.

You won't find the iPhone or Droid here, nor will you light upon the latest external network drive; more likely than not, your geek already has those. Instead, you'll find items aimed at satisfying every geek's innermost desire: to explore. Because if there's one thing we geeks all love to do, no matter what type of science, engineering, or tech discipline floats our boat, it's to play with technology that is both cool and useful. Sometimes that means toying around with a somewhat esoteric gadget. Other times that means soaking up new tech know-how we can apply at home or at work. [ Discover the 10 best gifts for techies in the InfoWorld.com's "2009 geek gadget gift guide" slideshow. | Discover the 24 best new books for techies in the InfoWorld.com's "2009 geek book gift guide" slideshow. ] This year's geek book gift guide has recommendations in seven categories: "something different" explorations, personal tech guides, hands-on deep technology how-tos, cloud and architecture expositions, business management primers for IT people, IT management how-tos, and tech best-practices "rethink" books.

This year's geek gadget gift guide ranges from the 55-cent Animal Clips for budding young geeks to the seriously useful and cool personal Pogoplug cloud storage device to a touch-based laptop that could show the way for real tablet computing. This article, "2009 geek gift guide: The best toys and books for techies," was originally published at InfoWorld.com.