Thursday, August 23, 2012

Podcast: Cloud Security with Ellen Newlands

Ellen Newlands is the product manager for Red Hat's cloud security productds. This dicussion covers some of the ways that the "cloud"--large-scale network-connected computing really--introduce new challenges for IT security. Topics include:
  • What makes the cloud secure or not?
  • What new challenges the cloud brings
  • Social engineering and security
  • Two factor authentication
  • Why open source and hybrid clouds are important
Listen to MP3 (0:18:20)
Listen to OGG (0:18:20)

------------------
[TRANSCRIPT]


Gordon Haff:  Hello everyone. This is Gordon Hat, Cloud Evangelist with Red Hat, and I'm sitting here with Ellen Newlands who is the product manager for our Cloud security offerings. Welcome, Ellen.
Ellen Newlands:  Welcome, Gordon.
Gordon:  Although there are still headlines every now and then about the Cloud being insecure as some macro thing, most observers at this point realize that these blanket statements really don't have any meat to them.
Ellen:  Gordon, I completely agree with you on that score. Whether the Cloud is secure or insecure depends on a number of things. It depends on what kind of Cloud computing you choose, whether you go with public or private or a combination of the two, hybrid Cloud, who you choose for your Cloud provider, what kind of technology you pick, what is your use case, and how carefully you have set up and thought out what information you are putting in the Cloud and how best to secure that as you move to Cloud computing. There are a number of factors to consider with what you call or we call Cloud secure computing. One of the first things I think that we really ought to think about is going into the Cloud, public Cloud, for example, can actually make you more secure depending on the level of expertise and the kind of programs you had for security on premise in your enterprise or your agency.
You can find that there are public Cloud providers who can give you a more holistic view of security and provide you with even better security than you might previously have had. And, of course, as we see from the number of break‑ins, the opposite can also be true.
Gordon:  One of the things that I think is often overlooked is that people raise various types of issues related to public cloud providers, whether it's security or really more commonly it's outages of various types. Obviously, we conflate things like social networks into there. There's lots of questions and issues around privacy and so forth, also. I think often that discussion takes place in a way that ignores the fact that particularly when you're talking smaller businesses, in many cases businesses that don't have full time IT staff. Those types of businesses haven't historically had very good security backup or really IT practices in general.
Ellen:  I think that that is actually true, especially now, IT security expertise is scarce and expensive and in great demand. Setting up your own internal secure software network, bringing in those people, can be expensive and that's very, very hard to judge. I think that security as provided by a knowledgeable public cloud provider can, in many cases, up your security rather than reduce it.
Another thing that I think I've found very interesting is you still read about security breaches in the public cloud. It is interesting to me that many of the breaches that you read about in the public cloud have nothing to do with public cloud computing and are the same old scams that we have always seen on premise and now just move, perhaps, to cloud providers.
One of the ones I think is very interesting recently was a fellow who writes for many of the security journals. He had his account hacked and lost information at Google and Amazon, et cetera because somebody called up the support services and talked them into giving out the password. Same old same old, same old wetware.
Gordon:  Social engineering plays a huge part in those break‑ins. I think this does reveal, though, some of the tension that you have here because, in the case that you mentioned involving Apple and Amazon, social engineering a password. Of course, one approach that those types of companies can take is to simply say, "Well, if you have lost the key, so to speak, to your account, that's just too bad because...So that we don't risk exposing someone else's through social engineering."
It is somewhat of a trade‑off that the easier you make it for someone to recover an account of theirs, for example, the harder you make it for somebody who has a legitimate need to recover an account, which is frankly probably the more common instance, at least with consumer services.
Ellen:  As you know, one of the things that we're seeing used in public cloud or even in enterprise security is identity management. Two of the areas that are very common now are what we call two factor authentication, sometimes known as something you have and something you know.
Gordon:  If you haven't turned on two factor authentication for your Google account, finish listening to this podcast but then go off and do that right away.
Ellen:  Let's say it's something you have and something you know, traditionally. It's something that you have like a token, et cetera and something that you know like your own PIN. If you lose one, you still know the other. Both are "secrets," and the combination is what unlocks your account. You find the two factor authentication is far more secure and you can recover one without the other without jeopardizing the private account.
The other thing that we see a lot of now, as you may know, are the security questions where you fill out the forms in advance with information theoretically known only to you, although, I personally believe everybody's first pet was named "Sam." This set of what I'm going to call "20 questions" is also a way to identify you.
Gordon:  So many of those questions are terrible, though, because so many of them are either things that someone who has any appreciable information about you they do know or can easily find out, or they're questions like, "What's your favorite color?" which may vary from one day to the next.
Ellen:  Absolutely. And remembering your own information sometimes can be a little bit difficult.
Gordon:  Let's switch gears here maybe a little bit. I think, hopefully, we've made the case that security in some macro sense isn't worse in the cloud than anything else, even in the public cloud. But I think we can still say that some security concerns are somewhat different in the cloud, especially with public cloud, but even in private cloud resources. What are some of those that security's different?
Ellen:  Well, security is different when you move from your traditional way of managing IT into the cloud. Again, as you point out, whether that is a public or a private cloud. One of the things that's different is, on average, you'll have more servers on the Internet when you're in a cloud architecture. The more servers you have on the Internet, the more exposed, frankly, you are. When you have moved from using VPN technology to allowing access to all users with certain credentials, the more entry points you have given to malicious users to hack into your larger network.
A second area where cloud computing is quite different, especially with public cloud computers, is the concept of what we call "multi‑tenancy." A public cloud offers space‑‑think of it like the apartments in a large apartment building. Each area that the public cloud provides, each container, is assigned to one account, one company, whatever.
In a multi‑tenancy area, you don't want one "tenant" to get out of their container and start wreaking havoc in the others, either by design or by accident.
One of the things to really consider is making sure that the containers in a multi‑tenant environment have fairly secure walls. Again, an analogy would be you don't want to make it real easy for malicious neighbors to just wander into your own apartment in an apartment complex.
Gordon:  Yes, I think I'd probably take a couple of things away there. The first is that you assume that everything is on the network, and that there are bad people out there who are constantly probing everything that is on the network. So, it's really important to have security.
If you have a PC‑‑by way of analogy‑‑sitting at home 15, 20 years ago, not connected to a network or dialup modem, if you weren't 100 percent up to date with everything, maybe you'd get a virus or something, but by and large, it really wasn't that big a deal if you hadn't updated your security stuff in a while.
If you're in a computer that's constantly connected to a public network, whether we're talking about client or a server device, bad stuff can happen very quickly.
Ellen:  I think, of course, that's absolutely true. When you say you must assume that there are bad people out there probing, increasingly, of course, bad people are frankly bad corporations. There are businesses run nine to five whose sole purpose is to find and exploit any weaknesses in security and take whatever can make them a profit. As such, that's one of the reasons why in theory moving into a public cloud can be safer because public clouds from reputable vendors are updated. They are patched consistently on time and quite thoroughly.
Gordon:  You also mention multi‑tenancy, and, obviously, you get multi‑tenancy on premise or multi‑tenancy in a public cloud. But multi‑tenancy is pretty fundamental to how and what public clouds operate. So, I think it's fair to say that a reputable public cloud is using technology such as Security‑Enhanced Linux, for example, that has some really good mechanisms to provide that additional level at process level for security for multi‑tenant environments. Now configuring SELinux isn't necessarily the easiest thing in the world. So, again, going back to how secure is a public cloud versus a SMB. Well, it's quite fair to say that most SMBs aren’t properly exploiting SELinux whereas that, along with other techniques and other technologies, large reputable Cloud providers certainly are.
Ellen:  That's a very good point, Gordon. The Red Hat Enterprise operating system is foundational and is used in the largest number of available public Clouds and SaaS offerings today. It's very well installed. Part of the reason for that is because it does have the security features that allow for more secure multi‑tenancy, more secure virtualization. For example, the SE Linux that you mentioned, the fact that the operating system itself is common criteria certified.
One of the things I think to bring into focus, too, is that open source software means that it's been peer group reviewed. It's transparent. It's open to the sunshine. Errors are found. Bugs are found and patched relatively rapidly.
You do find that these fundamental, base level layers that underpin a public Cloud can be very useful in providing security.
Gordon:  It's actually a little ironic when you go back to early days of open source becoming really mainstream. By way of analogy, [a lot of people back then thought] even if you thought you had a good alarm system, you wouldn't put the schematics on your door for a potential burglar to see. For a lot of people, who weren't necessarily in the security industry, didn't understand how exploits happen. They just assumed open source must be less secure because that the people could see the code. Write exploits because they can see the code. Of course, that's not how most exploits happen.
Ellen:  No, as a matter of fact, it's not at all. The fact that you can see the code, that it is transparent, that there is a large international group that uses the code, that inspects the code, means that it becomes more secure rather than less so.
Gordon:  Thanks for spending some time with me today. I think, hopefully, doing a little bit more on our part to show there's nothing inherently insecure about the cloud, whether we're talking public clouds or private clouds. At the same time, educating people about things that they need to think about. I'm not sure it's so much the cloud, but simply a world in which increasingly everything is network connected, and there are bad actors trying to take advantage of that fact.
Ellen:  I agree. I think that the one thing to always bear in mind is that your data, your information can be lost, can be stolen, can be compromised, whether you're using public cloud, private cloud or a hybrid, is to take whatever steps are necessary to layer on the security that gives you the protection at the level of the value of the information you're protecting.
Gordon:  That's a good point. Everything, at the end of the day, is about mitigation. There's no such thing as a 100 percent elimination of risk, 100 percent security. If you're talking nuclear launch codes, that is probably a little different from pictures of your cat. Basically, as you say, the backup procedures, encryption, whatever, the cost in both dollar cost and time and effort on your part, shouldn't be out of whack with the value of the data and the privacy associated with that data.
Ellen:  It does seem that a lot of companies now, things that they choose to run in the public Cloud are the things that are, perhaps, consumer based where the security capabilities match the value of the information. Some things that are extremely proprietary are kept in the private Cloud. The combination makes for great flexibility, faster deployments, and very reasonable economics.
Gordon:  That also speaks to why hybrid is a big deal and why Red Hat is making a lot of noise around opening hybrid because it really is a mixed world.
Ellen:  As you say, just as Cloud computing is neither secure nor insecure, public and private Clouds are neither the right choice nor the wrong choice. It's nice to have a little of both.
Gordon:  Great. Thank you very much.

Wednesday, August 22, 2012

Links for 08-22-2012

Monday, August 20, 2012

Links for 08-20-2012

Friday, August 17, 2012

Beyond Open Source in the Cloud

I'm wrapping up the week putting the final touches on my Beyond Open Source in the Cloud presentation for CloudOpen week after next. The next week is going to be crazy;  I need to get everything ready for VMworld and CloudOpen and then vacation in the Sierras the week after that.

As for the topic at hand, through, here's the description from the program:

Openness doesn’t stop and end with the submission of some format to a standards body or with the announcement of partners endorsing some specific technology platform. It doesn’t stop and end with open source either. An open cloud isn’t about having some singular feature. It’s about maximizing a wide range of characteristics that push the needle from closed to truly open. These include open source and open standards for sure. But they also include portability of applications and data, viable and independent communities, freedom from IP encumbrances, and APIs that are independent of specific implementations.

I've previously given a "lightning" version of this presentation at CloudCamp and some of the material is touched on during my broader cloud presentations. However, for this event, I've fleshed out my discussion of the various aspects of openness. The whole topic is very timely.

One need only look to Twitter API Apocalypse version 2,654 this past week to see just how timely. (And the fact that there's a story about APIs on CBS says something about just how important APIs--and, by extension other aspects of openness--to the modern computing world even for those who have never written a line of code in their lives. 

My paper: Why the Future of the Cloud is Open

I'm on Wednesday, August 29 right after the keynotes. Come to San Diego and join us!

I'll be Speaking at CloudOpen 2012! Join me!

Thursday, August 16, 2012

Links for 08-16-2012

Halema'uma'u Crater at Night


Halema'uma'u Crater at Night
Originally uploaded by ghaff

My Hawaii pix are up on Flickr: http://www.flickr.com/photos/bitmason/tags/hawaii/

Wednesday, August 15, 2012

Links for 08-15-2012

Tuesday, August 14, 2012

Links for 08-14-2012

Monday, August 13, 2012

How Red Hat's Cloud Portfolio Fits Together

As part of Red Hat's announcement of an OpenStack technology preview today, I wrote a blog that provides some additional background. Here, I'm going to delve a bit more deeply into one of the topics that I cover in that blog--namely, how do the different pieces of Red Hat's open hybrid cloud portfolio fit together? I'll be referring to the below diagram throughout this discussion.

From Blog

First, there is the infrastructure layer. This typically [1] consists of a hypervisor, its associated infrastructure management stack, and APIs providing the ability to control that management stack programmatically.

This is where OpenStack plays. OpenStack is an IaaS solution that manages a hypervisor and provides cloud services to users through self-service. (The OpenStack project supports a variety of hypervisors to various degrees; Red Hat is focused on KVM--the hypervisor used by Red Hat Enterprise Virtualization--which is part of Linux and has become pretty much the default open source hypervisor.) Perhaps the easier way to think of OpenStack, however, is that it lets an IT organization stand up a cloud that looks and acts like a cloud at a service provider. That OpenStack is focused on this public cloud-like use case shouldn't be surprising; service provider Rackspace has been an important member of OpenStack and uses code from the project for its own public cloud offering.

This IaaS approach differs from the virtualization management offered by Red Hat Enterprise Virtualization, which is more focused on what you can think of as an enterprise use case. In other words, Red Hat Enterprise Virtualization supports typical enterprise hardware such as storage area networks and handles common enterprise virtualization feature requirements such as live migration. Both OpenStack and Red Hat Enterprise Virtualization may manage hypervisors and offer self-service—among other features—but they're doing so in service of different models of IT architecture and service provisioning.

Alternatively, the self-service infrastructure may be at a public cloud provider such as Amazon Web Services or Rackspace. Ultimately the goal is to make the underlying infrastructure decisions largely transparent to the consumer of the resources, such as a developer. Of course, where the resources are located, how they are managed, and what types of hardware functions they expose make a big different to the ops team. But they're deliberately abstracted from those developing and using applications.

Then there is open, hybrid cloud management of those “cloud providers.” These providers can consist of the various types of infrastructure just described:  on-premise IaaS like OpenStack, public IaaS clouds, and virtualization platforms (not just a hypervisor) like Red Hat Enterprise Virtualization or VMware vSphere. This is where Red Hat CloudForms comes in. CloudForms allows you to build a hybrid cloud that spans those disparate resources. It lets you build a "cloud of clouds" in a sense. 

However, equally important, is that CloudForms provides the lifecycle management of the content and images that will run across the hybrid cloud infrastructure. For example, CloudForms lets you specify content repositories which feed the construction and ongoing management of single- and multi-tier applications through Application Blueprints created by IT administrators. These Application Blueprints also embed policy. When a user chooses an available application environment through the self-service interface, it can only be deployed to a location enabled by policy. For example, development environments may be deployed to a public cloud while production applications may be deployed to an on-premise virtualization platform.

Platform-as-a-Service (PaaS) is delivered by Red Hat OpenShift PaaS. PaaS is perhaps best thought of as an abstraction focused on the typical concerns of developers. Thus, instead of an operating system image-centric view (as an IaaS provides), PaaS is more oriented to a view that revolves around pushing and pulling code into and from repositories;  the operation of the software needed to run that code is largely kept in the background. 

Unlike a PaaS that is limited to a specific provider, OpenShift PaaS can run on top of any appropriately provisioned infrastructure whether in a hosted or on-premise environment. It then provides application multi-tenancy within the operating system images that make up the infrastructure. It does so using a combination of Linux Containers, SELinux for security isolation, and other Linux features. Red Hat's Matt Hicks spoke with me about some of these technologies in an interview a while back (podcast and transcript).

This approach allows organizations to not only choose to develop using the languages and frameworks of their choice but to also select the IT operational model that is most appropriate to their needs. The provisioning and ongoing management of the underlying infrastructure on which OpenShift PaaS runs is where virtualization, IaaS, and cloud management solutions come in. (After all, someone needs to operate the PaaS infrastructure whether it's on-premise or at a cloud provider.)

Nor does Red Hat Cloud end with "cloud products." For example, Red Hat Enterprise Linux--in addition to providing features used by offerings such as OpenShift--also provides a consistent and reliable runtime for applications as they move across different environments such as on-premise and public clouds. Red Hat Storage (from our Gluster acquisition) provides a distributed, scalable, software-only filesystem that will be an important part of data portability across clouds.

Sound complicated? It is a bit, I guess. But when you're talking about such a big change in the way that IT systems are operated and applications are consumed, some complexity is unavoidable. (Which is one reason we're so focused on solutions. But that's a topic for another day and another blog post.)

 -------------------

[1] In a future version, CloudForms will be able to provision "bare metal" physical servers using Foreman/Puppet components. In this respect, CloudForms includes the ability to build an IaaS. However, for our purposes here, I'm going to focus on how CloudForms builds hybrid cloud resource pools on top of IaaS and virtualization management products and manages the applications running in those pools.

Friday, August 10, 2012

Links for 08-10-2012

Thursday, August 09, 2012

Links for 08-09-2012

A mostly positive take on OpenStack from GigaOm

Derrick Harris at GigaOm has a piece up about the "IT world's love-hate relationship" with OpenStack. It seems a balanced piece overall even if a lot of "Why the hate" either boils down to pre-foundation governance issues or generalized "concerns." The cynical might be inclined to label some of this as FUD coming from those with commercial interests opposed to OpenStack. If you attended GigaOm's Structure 2012 conference, you saw some of this dynamic in play in the debate over APIs. In a nutshell, does a popular de facto API like AWS trump APIs that are actually open? Contrary to the fervent denials one hears, from where I sit, there is very much an anti-OpenStack camp. 

On the "love" side described by Harris, I'd add that, in addition to the "mega-vendor" and large end-user backers, there's also huge breadth of participation; April's OpenStack Conference in San Francisco had over 1,000 people registered. It's hard to argue against the proposition that OpenStack has a lot of momentum going for it.

Leaving aside the pro/con snippets though, Harris' overall conclusion strikes me as fair. Whether or not you agree that all the knocks on OpenStack that Harris details are truly newsworthy, his overall conclusion is pretty positive.

Perhaps it’s just par for the course that any project with so much hype, representing such a lucrative opportunity, and comprised of big egos all around is going to be a hotbed of in-fighting and allegations. But if the companies involved can hold OpenStack together enough to keep everyone headed in the same direction, it’s hard to see how it won’t be a major factor in the cloud space for a long time to come.

My employer, Red Hat, is a platinum member of the OpenStack Foundation.

Wednesday, August 08, 2012

Links for 08-08-2012

Friday, August 03, 2012

Mobile ticketing. Good news but better have good IT.

From Mobile Commerce Daily:

Following a successful test on five routes, Amtrak is expanding a digital ticketing program to all trains, enabling passengers to use their smartphones to present tickets to the conductor...

Passengers using a smartphone or other mobile device can present the eTicket to the conductor by opening the document from the email.

ETickets can also be printed from any printer, including at Amtrak ticket offices and Quik-Trak kiosks.

Additionally, passengers can also buy tickets and display eTicket bar codes with the Amtrak mobile application.

With the eTicket program, passengers can also easily change reservations and lost or misplaced tickets can be easily reprinted.

Following a successful test on five routes, Amtrak is expanding a digital ticketing program to all trains, enabling passengers to use their smartphones to present tickets to the conductor.

Nice. I actually don't find mobile tickets all that big a win with the airlines most of the time; it's just not usually that big a deal to get a boarding pass from an airport kiosk. (Although I typically print out my outbound boarding pass at home when I remember.)

But I use Amtrak, most often from Boston to New York, differently than I use planes. The timing of my outbound leg is pretty set--way too early in the morning. But, for my return, I'm usually in the position of guessing how an event or set of meetings is going to play out and taking a stab at a return time that may or may not turn out to make a lot of sense. 

The problem is that, although you can change train ticket times without penalties, in practice dealing with lines at Penn Station and dealing with call queues with reservations can make changing a ticket more hassle than it's worth. If mobile tickets make the process a lot more streamlines, that's a big win.

Another mentioned advantage is that current Amtrak tickets, once issued, are essentially just like cash--as I know from experience--and are very hard to get refunded/replaced just as airline tickets once were.

For most purposes, this shift away from significant value being embedded in arbitrary bits of paper is a welcome one--but it does raise the stakes on back-end infrastructure. It has to be resilient and scalable. The network pipes going in and out have to be solid. It also potentially creates complications if always-connected mobile devices aren't, in fact, always connected (although mobile apps that store past transactions can help). 

Because, increasingly, there just won't be a good manual fall-back if the digital systems don't work.

Thursday, August 02, 2012

Links for 08-02-2012