Sep 3 2010

Announcing AWS Identity and Access Management (IAM) – Preview Beta

We’re pleased to release today a Preview Beta of a new AWS feature: AWS Identity and Access Management (IAM). IAM enables you to create multiple Users and manage the permissions for each of these Users within your AWS Account. A User is an identity (within your AWS Account) with unique security credentials that can be used to access AWS Services. IAM eliminates the need to share passwords or access keys, and makes it easy to enable or disable a User’s access as appropriate. IAM offers you greater flexibility, control and security when using AWS.

We are excited to offer you early access to this new functionality. As part of this Preview Beta, we are enabling you to programmatically add Users to your AWS Account, set groups and permissions for these Users, and enable your Users to call AWS Service APIs.

In the near future, we plan on adding support for your Users to log in to the AWS Management Console. We also plan to extend the AWS Management Console to support IAM, providing a web-based interface to manage your Users, groups, and permissions.
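The announcement above describes per-User credentials, groups that carry permissions, and the ability to disable a User. The following is an added example (not AWS code or the IAM API) that models those concepts in plain Python; the evaluation order it uses (an explicit Deny beats any Allow, everything else is implicitly denied) follows IAM's documented policy evaluation, while the class names, the sample account and the generated keys are constructed for the example.

```python
"""Simplified model of IAM Users, Groups and permission policies.
Not the AWS API: the structures and names are this example's own."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import secrets


@dataclass
class Statement:
    effect: str          # "Allow" or "Deny"
    actions: list        # e.g. ["s3:GetObject", "ec2:Describe*"]
    resources: list      # e.g. ["arn:aws:s3:::reports/*"] or ["*"]

    def matches(self, action: str, resource: str) -> bool:
        # Wildcards in actions and resources, as in IAM policies.
        return any(fnmatchcase(action, a) for a in self.actions) and \
               any(fnmatchcase(resource, r) for r in self.resources)


@dataclass
class Group:
    name: str
    statements: list = field(default_factory=list)


@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    enabled: bool = True
    # Each User gets its own key pair, so no credential is shared between people.
    access_key_id: str = field(
        default_factory=lambda: "AKIA" + secrets.token_hex(8).upper())
    secret_key: str = field(default_factory=lambda: secrets.token_urlsafe(30))


def is_allowed(user: User, action: str, resource: str) -> bool:
    """Default deny; an explicit Deny in any group policy overrides Allow."""
    if not user.enabled:          # disabled Users lose all access at once
        return False
    allowed = False
    for group in user.groups:
        for st in group.statements:
            if st.matches(action, resource):
                if st.effect == "Deny":
                    return False
                allowed = True
    return allowed


def build_account():
    """Constructed sample account: a Developers group that may read S3
    objects but is explicitly denied the payroll bucket, and an Admins group."""
    developers = Group("Developers", [
        Statement("Allow", ["ec2:Describe*", "s3:GetObject"], ["*"]),
        Statement("Deny", ["s3:GetObject"], ["arn:aws:s3:::payroll/*"]),
    ])
    admins = Group("Admins", [Statement("Allow", ["*"], ["*"])])
    return {"alice": User("alice", [developers]),
            "bob": User("bob", [admins])}


if __name__ == "__main__":
    acct = build_account()
    for who, action, res in [("alice", "ec2:DescribeInstances", "*"),
                             ("alice", "s3:GetObject", "arn:aws:s3:::payroll/aug.csv"),
                             ("bob", "ec2:TerminateInstances", "*")]:
        print(who, action, res, "->", is_allowed(acct[who], action, res))
```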

Learn more about AWS Identity and Access Management Preview Beta at: http://aws.amazon.com/iam

Source


Sep 2 2010

Amazon EC2 Price Reduction

We’re always looking for ways to make AWS an even better value for our customers. If you’ve been reading this blog for an extended period of time you know that we reduce prices on our services from time to time.

Effective September 1, 2010, we’ve reduced the On-Demand and Reserved Instance prices on the m2.2xlarge (High-Memory Double Extra Large) and the m2.4xlarge (High-Memory Quadruple Extra Large) by up to 19%. If you have existing Reserved Instances, your hourly usage rate will automatically be lowered to the new usage rate and your estimated bill will reflect these changes later this month. As an example, the hourly cost for an m2.4xlarge instance running Linux/Unix in the us-east Region has been reduced from $2.40 to $2.00. This price reduction means you can now run database, memcached, and other memory-intensive workloads at substantial savings. Here’s the full EC2 price list.

As a reminder, there are many different ways to optimize your costs. When compared to On-Demand instances, Reserved Instances enable you to reduce your overall instance costs by up to 56%. You pay a low, one-time fee to reserve an instance for a one or three year period. You can then run that instance whenever you want, at a greatly reduced hourly rate.

For background processing and other jobs where you have flexibility in when they run, you can also use Spot Instances by placing a bid for unused capacity. Your job will run as long as your bid is higher than the current spot price.

Source


Sep 1 2010

Cloud security certification from the Cloud Security Alliance

The Cloud Security Alliance’s Certificate of Cloud Security Knowledge (CCSK) is now open for testing.

The industry’s first user certification program for secure cloud computing, the CCSK is designed to ensure that a broad range of professionals with responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud.

“Critical services are being provided via the cloud, creating an urgent need for cloud security skills among IT professionals,” said Jim Reavis, CSA executive director. “The CCSK is a low cost certification that establishes a robust baseline of cloud security knowledge. Combined with existing professional certifications, it helps provide necessary assurance of user competency in this important area of growth.”

The CSA’s CCSK already has broad industry support from numerous organizations that plan to certify employees, including eBay, ING, Lockheed Martin, Sallie Mae, Zynga, CA, CaseCentral, HCL Technologies, Hubspan, LogLogic, Fiberlink, McAfee, Novell, Ping Identity, Qualys, Solutionary, Symantec, Trend Micro, Veracode, VeriSign, Vordel, WhiteHat Security and Zscaler.

“We have already been leveraging the CSA’s ‘Security Guidance for Critical Areas in Cloud Computing’ as a best practices manual for our information security staff,” said Dave Cullinane, CISO and VP for eBay. “We plan to make this certification a requirement for our staff, to ensure they have a solid baseline of understanding of the best practices for securing data and applications in the cloud.”

Discounted pricing of $195 for the CCSK exam is available through Dec 31st; regular pricing at $295 begins January 1st.

Source


Aug 31 2010

Trend Micro brings encryption to the cloud

Trend Micro is blazing a new trail with a service called SecureCloud intended to give enterprises a way to encrypt data in cloud-computing environments.

SecureCloud allows you to maintain control over the encryption key used to secure data stored in the Amazon EC2, Eucalyptus or VMware vCloud cloud infrastructures. Other cloud-computing variants could be added in the future.

“IT operations may be firing up [a remote virtual machine] image but we have security validating the integrity, and it’s encrypted until it hits the cloud, and it’s encrypting data at rest,” according to Todd Thiemann, senior director of data center security and marketing at Trend Micro.

He notes that SecureCloud allows the IT department using either public or private cloud-computing services to answer the basic questions, “Is this image OK? And is it mine?”

Now in beta with general availability expected by year end, SecureCloud is provided through a Web site portal and makes use of policy-based encryption to allow access to a virtual-machine image as well as storing related activity logs.

In addition to offering the security service, Trend Micro is looking at making comparable software available to companies for on-premises use.

In a separate announcement, Trend Micro also unveiled an antimalware protection module for its VMware server security software, Deep Security 7.5. It includes integrity monitoring, log inspection and stateful firewall capabilities, and leverages the most recent VMware vShield Endpoint APIs. Trend Micro Deep Security 7.5 is expected to ship in October.

Source


Aug 30 2010

Organizing sensitive data in the cloud

There’s a tremendous buzz today about cloud computing, but before outsourcing your critical business systems to the cloud let’s review some security concerns.

The most critical business applications deal with corporate HR, finance, credit card, and other sensitive data. If any of this information is compromised, lawsuits may ensue and your corporate brand is tarnished. This is a nightmare that could lead to customers avoiding purchasing your products or services. How can cloud computing effectively protect sensitive data?

There are three areas that need to be addressed to effectively push your applications into the cloud: defense in depth, analysis of the application and its communications, and collection of system and application metadata.

Let’s start with defense in depth.

First, put sensitive data in a second tier of firewall segments behind the main corporate firewalls. This second-tier firewall and corresponding network shields sensitive applications and their data from being easily accessed if the Web-facing firewalls are breached. For example, let’s look at grocery stores. It would be wise to deploy at least four firewall/network segments: one for HR data, one for financial data, one for credit card PCI (Payment Card Industry) data, and one for services that the other segments share. The segment containing services that are shared could contain common support services such as network and systems management, encryption and PKI functions, access control services, and security event management functions.

Another architectural implementation that protects corporations from internal data theft is the creation of a Tunneling Access Protocol. The Tunneling Access Protocol is an access control function that forces all administrators to log information before they perform administration on segment systems. Hence, all administrative access is tracked, discouraging internal theft of information.

The second area that needs addressing is the analysis needed to determine whether the application can be successfully migrated behind the cloud’s second-tier firewalls. I recommend starting with the application design document. It gives you a big-picture understanding of which business need the application serves, what middleware is used, what databases are used, and what protocols it uses. It also often contains the logical architecture.

It is important to focus on all the systems the application interacts with. Your security team will have a variety of information collected about the application: what data is sensitive, how and what tools are used to encrypt the data, and penetration testing results if it is a Web-facing application. Also, I recommend creating a protocol diagram showing all servers and their IP addresses, the protocols being used, and the protocol (TCP or UDP) ports being used. This network view specifically shows which servers need to talk to each other and what protocols (ports) they will use to do it. It is not necessary to include switches, routers and other network infrastructure components because the protocols/ports just ride over them. If the protocol diagram is thorough, it should be a simple step to create the firewall rules. Firewall rules are made up of source and destination IP (Internet Protocol) addresses, protocol used, and ports that ride on top of those protocols.
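The segmentation in the first area and the protocol diagram in the second come together when the firewall rules are written. The following is an added example (not the author’s own tooling) that takes a constructed protocol diagram, checks each flow against the segment layout from the grocery-store example, and emits the source/destination/protocol/port rules the text describes. The segment addresses, the hosts and the rule that sensitive segments may only talk to themselves or to the shared-services segment are assumptions made for the example.

```python
"""Derive firewall rules from a protocol diagram for a segmented design.
Segment networks, hosts and flows below are constructed for this example;
the rule format is a generic 5-tuple, not any vendor's syntax."""
from ipaddress import ip_address, ip_network

# Four segments, as in the grocery-store example: three sensitive segments
# plus one shared-services segment (LDAP, logging, PKI, ...). Addresses are
# constructed.
SEGMENTS = {
    "hr":      ip_network("10.10.0.0/24"),
    "finance": ip_network("10.20.0.0/24"),
    "pci":     ip_network("10.30.0.0/24"),
    "shared":  ip_network("10.40.0.0/24"),
}

# Protocol diagram entries: (source host, destination host, protocol, port).
# Switches and routers are left out, as the text recommends; the flows just
# ride over them.
FLOWS = [
    ("10.30.0.5",  "10.30.0.20", "tcp", 5432),  # PCI web tier -> PCI database
    ("10.30.0.5",  "10.40.0.10", "tcp", 389),   # PCI web tier -> shared LDAP
    ("10.30.0.20", "10.40.0.11", "udp", 514),   # PCI database -> shared syslog
    ("10.10.0.7",  "10.40.0.10", "tcp", 389),   # HR app -> shared LDAP
    ("10.10.0.7",  "10.30.0.20", "tcp", 5432),  # HR app -> PCI database: violates segmentation
]


def segment_of(host: str) -> str:
    """Map a host address to the segment whose network contains it."""
    addr = ip_address(host)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    raise ValueError(f"{host} is not in any known segment")


def flow_is_permitted(src_seg: str, dst_seg: str) -> bool:
    """Assumed segmentation policy: traffic stays inside its own segment or
    goes to the shared-services segment; sensitive segments never talk to
    each other directly."""
    return src_seg == dst_seg or dst_seg == "shared"


def build_rules(flows):
    """Return (rules, rejected). Each rule carries the fields the text names:
    source, destination, protocol and port. A default-deny rule closes the set,
    so anything not in the diagram is blocked."""
    rules, rejected = [], []
    for src, dst, proto, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if not flow_is_permitted(s, d):
            rejected.append((src, dst, proto, port, f"{s}->{d} crosses segments"))
            continue
        rules.append({"src": src, "dst": dst, "proto": proto,
                      "dport": port, "action": "allow"})
    rules.append({"src": "any", "dst": "any", "proto": "any",
                  "dport": "any", "action": "deny"})
    return rules, rejected


if __name__ == "__main__":
    accepted, bad = build_rules(FLOWS)
    for r in accepted:
        print(f"{r['action']:5} {r['src']:>11} -> {r['dst']:<11} {r['proto']}/{r['dport']}")
    for f in bad:
        print("REJECTED:", f)
```

A flow the diagram lists but the policy rejects is the signal to go back to the design document before touching the firewall, rather than to widen the rule.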

Lastly, I recommend a thorough collection of system and application metadata. Porting your application well requires this work. Plus, if you have a disaster or business interruption, or want to pull your application from the cloud, you need this data. System information exists per firewall/network segment. All applications in a segment share the same system data, such as the same firewall, routers, switches, encryption algorithm (if used for all applications in a segment), and storage subsystem. System metadata includes vendor, model, software release and version, and other system-wide configuration data. Application data is similar, but it addresses load balancers, encryption method, middleware, database, server hardware and operating system, and the services, protocols, and ports that ride on top of those systems. Application metadata includes vendor, model, software release and version, and other application configuration data.

The next debate is where this metadata should be contained. I recommend containing this information in a hierarchy in an LDAP repository. I would create two tiers in the directory: one called Segment System for each of the four segments in the example above, and one called Application for all applications within a given segment. This ordering enables a systematic collection of all metadata so that sensitive cloud applications can quickly be deployed. And, most importantly, it enables a quick deployment of the application and/or segment into a cloud.

In summary, migrating critical cloud applications involves putting data behind a second tier of firewalls. Common services exist in one of the segments that can be shared by all segmented applications. Applications should be in separate segments based upon the type of data that is being protected such as credit card data, finance data and HR data, and services that are shared. A variety of documentation should be created and/or reviewed to make sure that the porting of applications behind the second-tier ‘deep theater’ defense firewalls goes well. This collected metadata is from a hierarchy of two layers: common system per segment and different applications within each segment. I recommend the metadata be saved in a directory where it can be easily retrieved.

Source


Aug 27 2010

Eucalyptus Builds Scalability Into Private Clouds

Eucalyptus Systems, supplier of Amazon EC2-compatible software for building the private cloud, has brought out version 2.0 of its Eucalyptus open source system.

The Santa Barbara, Calif., company was founded to support the output of the Eucalyptus open source project, founded at the University of California at Santa Barbara’s computer science department. Prof. Rich Wolski and associates produced interfaces compatible with Amazon Web Services’ EC2 APIs and packaged them together as a way to start building out an enterprise cloud.

Eucalyptus 2.0 is the second major release of the open source code. In it, “we have improved scalability all over the product,” said Marten Mickos, CEO, in an interview. The firm provides technical support for Eucalyptus open source code. The open source version is not to be confused with the Eucalyptus commercial Enterprise edition, also labeled 2.0, although based on a pre-2.0 version of the open source code.

The Eucalyptus open source code is issued under the GPL, contains features and functions ahead of the Enterprise edition, and can be freely downloaded. The firm is seeing 12,000 downloads in peak months and Eucalyptus is included in Canonical’s Ubuntu Linux distribution, he said.

Eucalyptus scales across a larger server cluster more easily because the 2.0 version “has been clearer about the segregation of tasks. We no longer locate the cluster controller and the node controller on the same node,” where they sometimes ended up in contention over resources, Mickos noted. The former CEO of MySQL, now part of Oracle, joined Eucalyptus Systems in March.

Version 2.0 supports iSCSI disks as elastic block store volumes and allows the cloud builder to place an iSCSI storage controller on any server in a cluster, including outside the cloud domain of the cluster, if he chooses, Mickos said.

Version 2.0 also supports the open source virtio, an API for virtualizing I/O that is used by the open source KVM hypervisor. KVM is included in distributions of Red Hat Enterprise Linux and Novell’s SUSE Linux Enterprise System. Virtio uses a common set of I/O virtualization drivers that are both efficient and potentially adaptable for use by other hypervisor suppliers, Mickos said. Virtual I/O consists of a virtual machine sending both its communications traffic and storage traffic through the hypervisor to a virtual device, rather than through a server’s network interface card or host bus adapter. From the virtual device, it can be moved off the virtualized server into the network fabric and handled more efficiently there.

Eucalyptus 2.0 also supports retrieval of specific versions of objects stored in Walrus, the Eucalyptus storage system that is compatible with Amazon’s S3 storage service. Users may perform version control on objects as they are stored in Walrus and retrieve a specific version, as needed.

Eucalyptus to some extent now mimics the slogan of the OpenStack project, started recently by Rackspace, which claims it’s building governance software for a million-node cloud, a prospect that even the largest service providers have yet to attain.

“Sure Eucalyptus can support a million-node cloud, but the more important question is how large an application can you run on your cloud” and how effectively can you manage it there with your cloud software. Eucalyptus is concentrating on effective management for private clouds, not massive public infrastructure providers, Mickos said.

Source


Aug 27 2010

Cloud storage lives up to the hype

In our continuing series of groundbreaking tests of cloud computing services, we take a look at what enterprises can expect if they decide to entrust data to a cloud storage provider.

We found that cloud storage lives up to its advance billing in two key areas: cloud storage can be fast and the pay-as-you-go model can be a real cost saver. We also found that security could be an issue for enterprise shops, and the formulas for trying to predict overall costs can be complex.

The services that we tested were Amazon S3, Rackspace’s CloudFiles, Egnyte’s On Demand File Server, Nasuni Cloud Storage, and Nirvanix’s Storage Delivery Network.

Amazon, Rackspace and Nirvanix represent the containerized/object-oriented model. Egnyte embodies the file/folder metaphor, while Nasuni offers a different twist – it’s a front-end that simplifies cloud storage for enterprise customers and connects to other cloud storage vendors on the back end.

To test cloud-based storage, we accessed the cloud vendor’s site through their supplied APIs, where applicable. We moved data either from virtual machines in our cabinet at n|Frame in Indianapolis at 100Mbps, or from our lab connected via standard Comcast broadband.

We pounded each site with a variety of file sizes ranging from 500KB to 1GB. We also tested in two periods, daytime and nighttime, to see if Internet congestion played a role in cloud storage performance.

Overall, performance was strong, although it was also somewhat random and unpredictable. Generally speaking we did get faster uploads and downloads at night, when Internet congestion is lower. And we found that download speeds were considerably slower than upload speeds for all the vendors tested.

Rackspace delivered the best overall performance, with an average speed 2.57Mbps for uploads and roughly 650Kbps for downloads. But all of the vendors delivered impressive performance.

Nirvanix delivered an average upload speed of 1.3Mbps and Egnyte topped 1Mbps. Amazon had the lowest average upload speed at 835Kbps, but also the highest download speed at 773Kbps, giving it the best balance between upload and download speeds.

Security concerns

Those desiring comfortable high security may be disappointed. While all of the vendors we tested provided link encryption, data encryption was glossed over by the container providers. We wanted to see port scrambling, and IP address access control lists, but these were missing across the board. Admittance control would, for some thinkers, break the cloud model by creating an extranet relationship between a subscriber and the cloud storage area, but we’d feel happier if there were greater admittance control by IP address. At press time, Amazon announced such IP address admittance control, along with HTTP_Referrer control (URL-based admittance), but we were unable to examine it at deadline.

Source


Aug 27 2010

Dell and Hewlett-Packard’s tug-of-war over 3Par intensifies

A tug-of-war intensified yesterday between America’s top two computer makers, Dell and Hewlett-Packard, as the pair of hardware titans outbid each other in a billion dollar takeover fight for a hitherto obscure data storage firm, 3Par.

Early on Thursday, Texas-based Dell slapped down an improved offer of $1.52bn for 3Par, topping a $1.5bn proposal tabled by HP three days earlier. But HP struck back after the close of markets on Wall Street, raising its bid to $1.6bn.

The unusually aggressive head-to-head confrontation comes as the computer manufacturers jostle for position in the potentially lucrative market for so-called “cloud computing”.

3Par, which is based near San Francisco, offers flexible data storage solutions to companies that do not want to invest capital in owning their own servers. It is considered well placed to benefit from higher information technology spending when the corporate world eventually stages a recovery from the recession.

HP’s latest offer for 3Par is pitched at $27 per share, a significant premium on Dell’s bid of $24.30. The auction began last week when Dell offered $18 in a deal initially accepted by 3Par’s board. Financiers expressed surprise at the rapid upward march of the price.

“It’s a very rich valuation,” said Jeffrey Fidacaro, an analyst at Susquehanna Financial Group. “At what point does someone cry uncle? It’s difficult because valuations don’t seem to be making a whole lot of sense here. But then again, we don’t know the revenue synergies they expect out of this.”

3Par has 670 staff but has lost money for much of its 11-year history. Admirers say it could cash in from a trend where organisations shift away from spending money on their own server hardware to having technology resources delivered over the internet by third-party suppliers according to need – known as “cloud computing”.

Toan Tran, a technology analyst at research firm Morningstar, said HP, the bigger of the two bidders, could be the hungrier: “At the end of the day, 3Par is worth more to HP than it is to Dell, given HP’s existing enterprise hardware and services business.”

HP splashed out $13.9bn two years ago on Electronic Data Systems, bolstering its presence in business IT services. But it is hobbled by a lack of a permanent chief executive: its boss, Mark Hurd, was forced out earlier this month in a scandal over allegations of sexual harassment and improper expense claims.

Source


Aug 25 2010

Novell releases Cloud Security Service

Novell announced the general availability of their Cloud Security Service which gives cloud providers the ability to deliver secure access and compliance in the cloud for their customers.

Novell Cloud Security Service is hosted in the cloud, either where the provider hosts its application or via a Novell hosting partner. A user can log on directly or via the enterprise identity system. The service first verifies the identity and, if successful, will generate an identity token in the format needed by the SaaS provider.

The user is now authenticated to the SaaS service. Once inside the application, the application connectors that are provided with the service capture deep page-level user activity and provide the audit stream for compliance purposes.

With this service, enterprises can extend their identity infrastructure to any public cloud. Any changes that are made to their users or permissions are immediately replicated in the cloud environment, thus ensuring one consistent identity and security framework for the enterprise, regardless of where the computing is actually taking place.

The Novell Cloud Security Service currently has several beta deployments globally. With today’s announcement of general availability, Novell’s cloud services team will target more than 200 IaaS, and 1,300 SaaS and PaaS vendors to get them started with this ground-breaking technology that is supported by more than 60 patents.

Source


Aug 23 2010

CloudAudit Gets Real

For enterprises, one of the biggest challenges with cloud computing is transparency into the operational, policy and regulatory, and security controls of cloud providers. For cloud providers, one of their pressing challenges is answering all of the audit and information gathering requests from customers and prospects. CloudAudit aims to change that.

Not being able to assess and validate compliance and security efforts within various cloud computing models is one of the biggest challenges cloud computing now faces. First, when a business tries to query a cloud provider, there may be lots of misunderstanding about what is really being asked for. For instance, when a business asks if the provider conducts periodic vulnerability assessments, and the provider responds affirmative they could be acknowledging an annual review, a quarterly review, or a daily vulnerability assessment. Perhaps they check yes when really all they perform is an annual penetration test. Too much ambiguity.

Additionally, cloud providers can’t spend all of their time fielding questions about how they manage their infrastructure. And, regrettably, not many public cloud providers offer much transparency into their controls. And no, SAS 70 audits don’t really account for much of anything when it comes to security.

To help clear the fog, an organization that just formed this year and is moving fast in the area of cloud management, CloudAudit.org, has emerged with what it hopes will be part of the solution. The group is developing a common way for cloud computing providers to automate how their services can be audited and assessed and assertions provided on their environment for Infrastructure-, Platform-, and Software-as-a-Service providers. Consumers of these services would also have an open, secure, and extensible way to use CloudAudit with their service providers.

The group currently boasts about 250 involved in the effort, from end users, auditors, system integrators, and cloud providers representing companies such as Akamai, Amazon Web Services, enStratus, Google, Microsoft, Rackspace, VMware, and many others.

Last week the group released its first specification to the IETF as a draft, as well as CompliancePacks that map control objectives to common regulatory mandates, such as HIPAA, PCI DSS, and ISO27002 and COBIT compliance frameworks.

As (if) CloudAudit is embraced by cloud providers, businesses should be able to shop and compare services much more intelligently. Also, it could help some cloud business users feel more comfortable moving regulated data (where it’s permitted) to a public provider. For cloud service providers, CloudAudit can help them to more cost-effectively handle the number of audit requests each year. And, who knows, such transparency may even be a boost to business.

Building a standard is one thing; getting it adopted, working, and embraced by industry is quite another. In my next post I’ll bring you a discussion with a cloud management provider who has already begun putting CloudAudit to use.

Source