Welcome to CloudCentrics Technology Blog

CloudCentrics is a blog dedicated to cloud computing architectures and Cybersecurity technologies. The posts will be a discussion of concepts and technologies that make up emerging threats and techniques related to Cyber Defense. Sometimes we get a little off-topic.

Securing Your Data In The Cloud: an insider’s perspective

Cloud Centrics would like to thank Kate Craig-Wood at Memset for their guest blog. The PDF version of their whitepaper can be downloaded here:  Securing Your Data In the Cloud: an insider’s perspective

INTRODUCTION

As the increasing use of cloud computing and other technologies changes the world of data management, keeping your data private and secure is an ongoing concern for everyone. Memset, a cloud computing Infrastructure as a Service (IaaS) provider, gives an insider’s perspective on what you should be doing to keep your data safe.

IS THERE A SECURITY THREAT?

As you move data to the cloud there are many different challenges. Applications have to be designed differently. Security gets pushed further and further away from perimeter-based approaches. Security threats change when data moves to the cloud, with threats from the network or from the provider’s personnel being more pertinent than concerns over physical attack.

However, it need not be a big concern; you just need to apply the same common sense you would to sourcing any other service. Ask questions about your prospective cloud supplier: Are they financially sound? Do they have good security procedures in place? Is the infrastructure your data will be on shared with lots of other users, or will it be in its own virtual or dedicated environment?

WHO TO TRUST?

Up until the existence of cloud computing the norm was to trust the IT department internally. Now that the IT department is outsourced people are asking the right questions about IT security. The focus must be on the security processes and procedures rather than the physical perimeter around the data storage devices. In many ways using the cloud can be much safer than hosting data on your own systems in your own building since a putative attacker no longer knows where to look. Even if, somehow, an individual were able to breach the heavy physical security of our data centres, they would be faced with thousands of identical-looking machines and no way of identifying their target.

The most likely source of data theft is always from within an organisation; therefore, when your data is not on your own systems, data management comes down to trust. Just as you need to trust everyone who has access to a machine hosted in your office, when outsourcing to the cloud you need to trust the organisation that has access to the underlying infrastructure. Look for companies that have appropriate certifications like ISO27001 (as a minimum), and ask them about how they regulate and monitor their systems administrators’ access to servers holding client data.

THREATS FROM THE NETWORK

The other increasingly common source of attacks on cloud-based services is via the network itself. This can be greatly mitigated with good firewall systems, and if your services only need be accessed from a small number of office locations then the firewall should restrict access to only those IP addresses. That can prevent the helpful feature of universal access, however, so it may not be practical, but even then firewalling is important. Talk to the provider and they should be able to advise you.

For public-facing services there is also the danger of a Distributed Denial of Service (DDoS) attack, where servers are flooded with millions of bogus requests from hacked computers (a “bot-net”). Most providers should have a system for automatically detecting and blocking the source of such attacks, so ask them, but in cases where the attack is massively distributed the only defence is to have more bandwidth than the attackers, which means you need to be using an operator with large scale.

CONFIDENTIALITY

Confidentiality is a major question to ask your cloud hosting provider. Having the right tools in place to ensure that confidentiality is also being maintained is critical. So, some questions would be:

• What mechanism do you have to protect and securely deliver logs?

• What are you actually able to log?

• What activity are you recording within your cloud?

• Can the integrity of those logs be proven regardless of when and where they are sent?

 

BACKUPS & DATA RESILIENCE

When entrusting a cloud provider to look after your data it is essential to ensure that there is adequate resilience in their storage systems. At a minimum they should be using RAID (Redundant Array of Independent Disks) systems, but most cloud storage providers will store multiple copies of your data across many independent machines.

Memset’s cloud storage solution stores all data in triplicate, for example. Most providers will offer additional backup services, and these should certainly be considered when operating cloud-based applications so that in the event of a serious hardware failure you can roll back to an earlier state. Also ask the provider what their normal restore times are. Finally, as we have seen with the recent failure of Amazon’s Simple Storage Service, which included irrecoverable loss of some customer data, sometimes it is not enough to trust one provider. To help overcome this problem there are tools that allow you to use one cloud storage provider to back up another, as with Memset’s cloud backup service.

 

WHERE IS YOUR DATA BEING STORED?

Although pushing data into the cloud is proving increasingly attractive for many organisations, there’s a growing realisation that geographic considerations remain important. While the overriding concept of cloud involves the decoupling of data and applications from the underlying hardware on which they reside, knowing where that hardware is located can be vitally important. For reasons of security, legal jurisdiction and privacy, many organisations are obliged to be aware where sensitive data is stored. For British companies, data may need to be stored within UK borders for data protection purposes. For the majority of UK public sector IT requirements the data absolutely must remain within national boundaries.

THE PATRIOT ACT

Any data which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by U.S. authorities. Microsoft has recently admitted that any EU-stored data, held in their EU-data centres, is subject to the US Patriot Act as Microsoft is a US headquartered company.

If you don’t want your data subject to the PATRIOT Act, then you have to use a non-US based company, in addition to a non-US data centre, for storing your data.

WHO CONTROLS YOUR DATA?

 

One risk with Software as a Service (SaaS) is that all your eggs are effectively in one basket, and if something goes wrong with that one provider you could face serious challenges. Memset’s approach is to disintegrate the stack enabling you to be able to move your software from one place to another. A typical example of this is using third party open source solutions to deliver hosted software services on their infrastructure. That way if the software provider fails you can still get to the data, and if the hosting company fails (assuming you have good backups) the software company can help you transfer to a new host.

 

DATA SEGREGATION

Many SaaS providers are essentially running one application for thousands (or many more) client organisations, with their data commingling on the same infrastructure and in the same databases separated only by the software itself. This presents a potential security risk, since if there is a flaw in the provider’s code it could be exploited to allow access to other customers’ data. For some services this may not be a problem, but for critical company or personal data it may be advisable to obtain additional segregation.

Memset’s stack disintegration approach also solves this problem. By using open source solutions (e.g. Zimbra for Web email or Trac for integrated project management and Wiki), each hosted on virtual or dedicated servers dedicated to just one client, there are additional layers of segregation between the software instances, thus providing greater security. While many SaaS solutions’ code bases are not heavily tested, network and virtual machine segregation is very robust.

DATA PORTABILITY

You also need to think about data portability: the ability to reuse your data across interoperable applications. When weighing up SaaS suppliers, see if they have a “portability policy”. Where a privacy policy discloses what a company can do with your data, a portability policy discloses how a user can access and transfer their own data once it’s stored with that company. For IaaS providers this is normally a given, since they are just providing the infrastructure and you are able to extract the data as and when you wish at a root level.

MIGRATING OUT

Once you’re clear on who has your data, where that data is held, what they are doing with it and how they are protecting it, you also need to establish what procedures are in place to allow you to migrate your data out. Key characteristics to look for include:

• a clearly defined and established procedure for data migration

• low or no cost for migration

• data can be extracted in a meaningful, useful form for immediate re-use

For SaaS providers, look for an API or tools to download your data in a meaningful context. This could be as simple as a widget to download a CSV file (like with Google Contacts), or it might be a fully-fledged XML API. Failing that, and if taking the stack disintegration approach, ensure that the database in which the information is stored is transparent and well-documented. It is frequently not in a SaaS provider’s interest to make data portability easy though, so this can be a difficult item.

 

MITIGATE RISK WITH CLEAR SLAs

As with any service provider contract, you should negotiate clear SLAs for your cloud provider. These should include, but not be limited to, clear metrics around performance (both networking and computing), provisioning, change management, patching and vulnerability remediation.

To ensure your data is safe in the cloud at all times, make sure you think about the following:

• Who has your data

• Where that data is held

• What they are doing with it

• How they are protecting it

CONCLUSION

In summary, the cloud is, and will continue to be, a critical part of many companies’ IT strategy, so it must therefore be considered in their security policies. This role is likely to grow as a raft of new services are developed and commercialised and users’ level of familiarity and comfort with this approach to service delivery develops and grows. But it is also likely that the most effective network security strategies will be a hybrid model that takes the best that the cloud has to offer and combines it with the skills and focus of experts working on the ground.

Tips to Set Up a Full Development and Staging Environment for a Cloud Application


By Jennifer Marsh

Jennifer Marsh is a software developer, programmer and technology writer and occasionally blogs for Rackspace Hosting.

Before promoting any code, the software developer tests the code in a development environment. In some companies, the business skips out on a quality analysis environment (also called “staging”) to test the code on a mirrored production environment. The money saved is not worth the increased chance for promoting bugs into the production cloud environment. To improve the quality of the business cloud application, a proper development and staging environment should be set up. Here are some tips for proper staging and development environments for cloud application testing.

Create a Complete Mirror of Production

The staging environment is where the quality analysis is performed on the new code. Take a complete snapshot of production and copy it to a staging cloud server. The complete copy of the production cloud server lets the business accurately test new code in an environment that directly emulates the current production environment.  The mirrored copy opens up any issues and bugs that were not found in the development environment. Test the code in staging before promoting the code to the production cloud server. The tests can be done by the departments within the business, or the IT manager can hire quality analysis staff to fully test the code.

Give Developers Full Control of the Development Environment

Developers need to understand how the code runs in the development environment, so they should have full control of the data and cloud servers in the development environment. The development environment should not be locked down, so developers can read the data, manipulate the code and fully debug the application. This also helps the developer understand the code, so bugs can be quickly identified.

Keep Staging and Development Separated

Because staging and development are two separate environments, they should be on different servers and databases. Mixing the two environments leads to bugs and unintended consequences. Developers can have complete control of the development servers, but separating the staging environment stops them from accidentally introducing bugs into the staging environment, which should always mirror production instead of mixing development and production.

Schedule Promotions and Keep a Rollback Plan

With scheduled promotions, changes made can be documented. If the IT manager promotes code at a scheduled time, the business can expect the changes and knows to notify the manager if bugs are found after a rollout. With a rollback plan, the manager can remove the code changes in case the bug adversely impacts the business sales and income.

A rollback plan includes a list of application pages uploaded, any database changes, and any extra files uploaded to the system. Create a full backup of the files and database tables before uploading changes to production, so the rollback is quick and accurate. With the right rollback plan, the changes can be made within a few minutes, and the business does not suffer from a prolonged outage.

With the right staging and development setup, the business can properly promote new code, even if the promotions are weekly. The best time to promote code is during off-hours, but with the staging environment set up, the number of bugs and coding issues is reduced.

 

Cocoon sheathes iOS browsing in privacy layer

CNET has posted a story on Cocoon Secure iOS Web browser. Cocoon has expanded its privacy-enhancement browsing tools to iPhones and iPads today with a new iOS browser called GetCocoon. The Safari alternative, which like the iOS default browser is based on WebKit, creates a buffer around your browsing habits.

GetCocoon uses Cocoon’s privacy tech from its desktop browser plug-in to anonymize your browsing. In GetCocoon, as with Cocoon’s add-ons, your site requests are run through Cocoon’s secure servers, stripped of your identifying details.

The browser supports desktop Cocoon features such as anonymous e-mail address creation, history syncing through your Cocoon account, and single-PIN sign-on. It also lets more

 

 

Secure erase your mobile phone data

Mobile devices have more information than most people give them credit for. In some cases your mobile phone may contain more personal information than any other computing platform you own.

Many mobile phones contain your location information (based on GPS, WiFi hotspots, and tower locations), text and picture messages, other pictures, web history, voicemails, and much more.

What is the best way to delete sensitive information from your phone? In most cases it is the factory default reset feature that will purge your data in the most secure and reliable way.

Before you reset your phone to factory default, make sure you have all your important data backed up to a computer. Apple iOS allows users to back up to iCloud and restore to a new device. This makes it very simple to switch devices and restore your settings.

The location of the factory reset option is different on each type of device. It is also important to note that if you have any type of removable media (such as an SD card), the factory default reset does not always purge the data from the removable media. You should remove the media, or format it first, before you do a factory reset. Many Android phones come with removable media such as an SD card that is hard for users to access. Apple devices have no removable media.

For Apple iOS Devices:

1) Go to Settings

2) General

3) Reset

4) Erase All Content and Settings

For Blackberry Devices:

1) Go to Options

2) Security Options

3) Security Wipe

4) (in some cases you will need to hit the menu button again to see the security wipe option)

For Android Devices:

1) Go to Settings

2) Privacy

3) Factory Data

4) Select Reset

5) If the option presents itself select erase all data (documents and apps). In some cases it will ask you if you want to format the SD card as well. Select yes.

TechWiseTV 110: Embracing the Bring-Your-Own-Device Trend

Hats off to the team at Cisco for putting this together. It was one of the best discussions on BYOD I have seen. Check it out!

The TechWiseTV team invites you to “BYOD” or Bring Your Own Device as they hit CiscoLive in London to track down the strategies and technologies to address this wireless multi-device phenomenon, and how to adapt to the ever-changing landscape. This is one show you will NOT want to miss! For a deeper dive on this topic, click here: http://bit.ly/HkR1Rr

Dilbert and his iPad

Dilbert is at it again. Poor fellow is just trying to be more productive with his BYOD iPad.

 

Dilbert tries BYOD and fails

I have said before BYOD is really about users demanding and finding ways to increase their productivity.

Did you really expect Dilbert not to get pulled into the BYOD mania?

 

 

 

BYOD Survey Results

Last week we ran a survey. First of all, thank you! Over 6,000 unique responses! Interesting mix of responses to two different questions.

BYOD Survey


Do you use a personal device to connect to a corporate network?



Does your corporation have an official BYOD policy?





Tactical Network Solutions Reaver WPS – WPA/WPA2 cracking tool

Tactical Network Solutions showed off their WPS WiFi cracking tool at ShmooCon earlier in the year. It was quickly sold out. Fear not, now you can get your own WiFi cracking tool.

Reaver is a WPA attack tool developed by Tactical Network Solutions that exploits a protocol design flaw in WiFi Protected Setup (WPS). This vulnerability exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2 allowing the extraction of the Pre-Shared Key (PSK) used to secure the network. With a well-chosen PSK, the WPA and WPA2 security protocols are assumed to be secure by a majority of the 802.11 security community.

WPS allows users to enter an 8 digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN the access point essentially gives the user the WPA/WPA2 PSK that is needed to connect to the network. Reaver will determine an access point’s PIN and then extract the PSK and give it to the attacker.

Current attacks against WPA networks involve the computation of rainbow tables based on a dictionary of potential keys and the name (SSID) of the network being attacked. Rainbow tables must be re-generated for each network encountered and are only successful if the PSK is a dictionary word. However, Reaver is not restricted by the limitations of traditional dictionary-based attacks. Reaver is able to extract the WPA PSK from the access point within 4 – 10 hours and roughly 95% of modern consumer-grade access points ship with WPS enabled by default.

Go to Tactical Network Solutions website to learn more
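Because the attack described above depends on WPS being enabled, an administrator can audit their own access points by checking whether the beacon advertises the WPS information element. The following is an added example, not code from the original post or from Tactical Network Solutions; the function names are hypothetical and the sample byte strings are constructed stand-ins for the tagged parameters of a captured beacon.

```python
import struct

# WSC (Wi-Fi Simple Configuration) attribute IDs carried inside the WPS element
ATTR_VERSION, ATTR_WPS_STATE, ATTR_AP_SETUP_LOCKED = 0x104A, 0x1044, 0x1057
WPS_OUI_TYPE = bytes.fromhex("0050f204")  # vendor OUI 00:50:F2, type 4 = WPS
WPS_STATES = {1: "not configured", 2: "configured"}

def iter_elements(blob):
    """Yield (element_id, payload) for each 802.11 information element."""
    pos = 0
    while pos + 2 <= len(blob):
        eid, length = blob[pos], blob[pos + 1]
        payload = blob[pos + 2:pos + 2 + length]
        if len(payload) < length:
            raise ValueError("truncated information element at offset %d" % pos)
        yield eid, payload
        pos += 2 + length

def parse_wsc_attributes(data):
    """Decode the big-endian type/length/value attributes inside a WPS element."""
    attrs, pos = {}, 0
    while pos + 4 <= len(data):
        atype, alen = struct.unpack_from(">HH", data, pos)
        value = data[pos + 4:pos + 4 + alen]
        if len(value) < alen:
            raise ValueError("truncated WSC attribute 0x%04x" % atype)
        attrs[atype] = value
        pos += 4 + alen
    return attrs

def wps_status(ie_blob):
    """Return None if no WPS element is advertised, else a summary dict."""
    for eid, payload in iter_elements(ie_blob):
        if eid == 221 and payload[:4] == WPS_OUI_TYPE:  # 221 = vendor specific
            attrs = parse_wsc_attributes(payload[4:])
            state = (attrs.get(ATTR_WPS_STATE) or b"\x00")[0]
            locked = (attrs.get(ATTR_AP_SETUP_LOCKED) or b"\x00")[0]
            return {"state": WPS_STATES.get(state, "unknown"),
                    "setup_locked": bool(locked)}
    return None

def _ie(eid, payload):        # helper to build constructed sample elements
    return bytes([eid, len(payload)]) + payload

def _attr(atype, value):      # helper to build constructed WSC attributes
    return struct.pack(">HH", atype, len(value)) + value

# Constructed samples: SSID element followed by vendor-specific elements.
_WPS_BODY = WPS_OUI_TYPE + _attr(ATTR_VERSION, b"\x10") + _attr(ATTR_WPS_STATE, b"\x02")
SAMPLE_WPS_ON = _ie(0, b"HomeNet") + _ie(221, _WPS_BODY)
SAMPLE_WPS_LOCKED = _ie(0, b"HomeNet") + _ie(221, _WPS_BODY + _attr(ATTR_AP_SETUP_LOCKED, b"\x01"))
SAMPLE_NO_WPS = (_ie(0, b"Office") + _ie(48, bytes.fromhex("0100000fac04"))
                 + _ie(221, bytes.fromhex("0050f2020101")))  # WMM, not WPS

if __name__ == "__main__":
    for name, blob in [("wps on", SAMPLE_WPS_ON), ("wps locked", SAMPLE_WPS_LOCKED),
                       ("no wps", SAMPLE_NO_WPS)]:
        print(name, wps_status(blob))
```

An access point that returns a summary rather than `None` is still advertising WPS and is a candidate for having the feature turned off in its settings.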