Technology Trends & Management Consulting

Changing the Dynamics of IT Planning

Daniel Ruggles — Fri, 27 Jan 2012 17:25:06 +0000

Most organizations spend a large portion of their IT budget “keeping the lights on” and maintaining the status quo, save for a couple of major initiatives. Each of those initiatives undergoes a business analysis and total cost of ownership review and with great fanfare begins the journey to completion.

The fallacy of this planning approach is that it typically involves:

Using technology with planned built-in obsolescence from the vendor
Package software that has a whole other set of upgrades and patches complicating schedules and support costs to the organization
Vagaries of customizing software or creating add-ons through some development life-cycle (read: it always takes longer than expected)

The business usually wants to know “how much is it going to cost to create this solution?” and “will it work consistently?” and they want a predictable annual cost to maintain. Using a service model associated with adoption of Cloud computing gets everyone closer to creating a more consistent cost model, with a fairly predictable solution model that meets business objectives.

Actively reviewing and considering Software as a Service (SaaS) solutions or Platform as a Service (PaaS) will begin to drive more organizations towards a more predicable model that better aligns solutions to business objects. If more custom software solutions are really required, building and managing solutions using a virtualized cloud computing infrastructure focuses everyone on using scalable Infrastructure as a Service (IaaS) and will ultimately begin to change the dynamics of IT planning.

Barriers to Cloud Adoption

Let Daniel L. Ruggles and the team at PM Kinetics, LLC help you navigate the complexities of IT Governance, Cloud Computing, Sourcing & Capital Planning, Vendor Management, IT Security, and Infrastructure planning & execution.

Is a Private Cloud Solution to PCI?

Daniel Ruggles — Thu, 14 Oct 2010 17:28:52 +0000

Enterprises at the early stages of cloud adoption are deploying private clouds and internal cloudlets, which can be thought of as local access points and logical divisions of their own larger infrastructure. Private clouds are characterized by scalability through virtualization but the actual physical infrastructure is kept local to the Enterprise. This provides scalability and capital cost reduction but does not incur lack of control normally associated with moving data and processing to the cloud.

In this architecture, a gateway can be used to create an internal virtual application perimeter from the existing Enterprise information systems to the Enterprises’ own internal cloud. This type of architecture also works as a precursor and testing ground for a hybrid cloud deployment when the actual physical resources live off-site to the Enterprise. In this environment, the gateway can be used to enforce attribute based access control, authentication and data protection policies required for PCI DSS and other compliance standards.

Gateways could be firewalls, but they lack the sophistication of logging, identity management, accounting and reporting that will be required to meet the demands of PCI DSS and other standards. This gateway “product” is quickly evolving from several major vendors and may become the stepping stone for large and more pervasive cloud deployments in the future. As PCI compliance becomes more complex and as those standards evolve, the “gateway” appliance approach seems to have credible merit.

Who is responsible for risk mitigation in the Cloud?

Daniel Ruggles — Wed, 06 Oct 2010 17:05:41 +0000

*RISK*	*THREAT*	*MITIGATING PARTY*
Insecure, Porous APIs	Man in the middle, content threats, code injection, DoS attacks	§ Enterprise and Cloud Provider
Logical Multi-Tenancy	Virtual machine attacks, malicious code execution, comingled tenant data	§ Cloud Provider
Data Protection and Confidentiality	Reduced confidentiality and privacy for private data stored in the clear at the cloud provider	§ Enterprise and Cloud Provider
Data Loss and Reliability	Unavailability or permanent loss of critical Enterprise data	§ Cloud Provider
Audit and Monitoring	Increased risk due to rogue uses of cloud services within the Enterprise	§ Enterprise
Cloud Provider Insider Threats	Mismatched security practices at the cloud service provider creates a weak link for a determined attacker	§ Cloud Provider
Account Hacking, Access Control, and Authorization	Coarse account access control at the cloud provider increases the value of a stolen account	§ Enterprise and Cloud Provider

A number of posts and comments on these type of risks would lead many readers to believe that cloud computing (private or public) might never really get off the ground. A couple of counter-points to that impression is that many businesses will explore this option as yet another means of reducing their IT costs, the U.S. government is a big proponent of this concept, as are local and state governments. Time will tell whether the latter point is good or bad for this concept.

What remains as the final argument to these risks is that aside from greater use of virtual technology, which does in fact have more inherent risks in shared environment, these threats are the same in most outsourcing agreements. Due diligence, sensible contract terms and market pressure will improve security and economics will pull the adoption along.

Security Risks in the Cloud

Daniel Ruggles — Thu, 30 Sep 2010 17:26:45 +0000

Security risks are concrete negative expressions businesses face when considering moving critical business systems to the cloud. Enterprises should make “demands” and ensure compliance of the cloud provider through the use of contracts or third party audits, but in reality the market will determine the amount of security provided to Enterprises by cloud service providers and the level of acceptable risk.

It may turn out that the cheaper price of cloud computing comes with necessarily increased risk, which may be a self-limiting factor in itself to the pervasive use of cloud computing by Enterprises.

Insecure, Porous APIs: Most cloud services offer two categories of web accessible APIs: Those based on web services (called SOAP) and those based on pure HTTP (called REST). REST style APIs lack robust “Enterprise class” message level security and authentication mechanisms and should be avoided.

Logical Multi-Tenancy: With shared cloud computing infrastructure, the division of Enterprise data is now logical rather than physical. This logical separation is typically achieved through the use of virtualized infrastructure which is a cheap and easy way to support a multi-tenant architecture at the cloud service provider. The perceived risk in this scenario is for an attacker to subvert the logical division provided by the guest virtual machine and gain access to the data of another tenant. A number of attacks on virtual machines, from detecting the presence of a hypervisor to running arbitrary code on the host have been documented. These attacks highlight the uncertain security of multitenant, shared environments for critical data. Technology and virtualization software will improve his security uncertainty.

Data Protection and Confidentiality: Data stored, processed or indexed in a remote cloud service defines the extent of the new perimeter for the Enterprise. This new boundary changes and moves with the data itself. The Enterprise may have to give up encryption and data privacy requirements for some of its data but should also recognize the option of applying selective field or message level protection mechanisms for data before it reaches the cloud. The point is that the Enterprise can control security characteristics on data before it reaches the cloud service provider.

Data Loss and Reliability: When critical business data is moved to a cloud service, there is some inherent risk of data loss. It may be argued that this is a false risk because the Enterprise has a similar risk of catastrophic data loss inside its own datacenter and simply moving the data to the cloud doesn’t change the equation. Quantifying this risk over time may very well turn out that this may the lowest risk.

Audit and Monitoring: The first step in managing the security of any system to know when specific events occur. Enterprises need to audit when these services are accessed to evaluate risk and to know when data flows to and from the cloud. Enterprises need to know who is making the service request, when the request is happening, how much data is sent or received and how the data is used. Methods of audits will likely need to improve, because none of these points are new.

Cloud Provider Insider Threats: A potential weak spot with cloud services is the mismatch between the security requirements inside the Enterprise as compared to those employed by the cloud service provider. This applies to any outsourced service provider and is not new.

Account Hacking, Tiered Access Control and Authorization: Hacking an account through a stolen password or compromised credential is not new. This is a benefit of the somewhat localized security inherent in individual operating systems and the uses of role based (RBAC) and attribute based access control (ABAC) within the Enterprise. If an attacker gains root access to a networked system or database they may have access to other assets, but the breach of a single system is more often than not directly localized to the breached system.

There will always be reasons to outsource to external service provider and reasons that do not justify the risk. Enterprises need to logically weigh the risk and benefits and have an approach that examines these risks with some degree of rigor.

Barriers to Cloud Adoption

Daniel Ruggles — Thu, 23 Sep 2010 15:59:41 +0000

Many businesses are reluctant to deploy cloud-based services for their core mission-critical applications. Large and medium sized companies that have supporting IT organizations, have striven to increase vertical backward integration of core business processes. Businesses believe that they inherently gain more certainty, control and competitive advantage by directly owning the data critical to their line of business or supply chain.

Undermining this control for cost savings and time-to-market advantages is a fraught with a challenging cost-benefit analysis, IT insecurity and job wariness, internal business politics, and fear and uncertainty associated with any major change. The wholesale adoption of cloud-based services may reduce resource costs for businesses, but cuts down operational effectiveness by bludgeoning control of business data and introducing new security, privacy, legal and in some cases, performance challenges.

Even with both the quantifiable and more subjective constraints, businesses cannot ignore the fact that significant time to market advantages and capital cost savings can be achieved through the selective use of cloud-based services. To use a concrete PaaS type of example, all it takes is an IT person with a credit card to get a farm of servers up and running and available for use. The setup, physical datacenter costs, maintenance and patching for the servers are all rolled into the monthly bill. In this sense we can talk about businesses being conservative with existing systems but aggressive in selecting cloud services that will provide some competitive cost and cycle advantages, either for partnership, new technology R&D or some new service their existing infrastructure cannot provide.

Security in the Cloud and Elsewhere

Daniel Ruggles — Tue, 21 Sep 2010 13:17:46 +0000

Security, in the cloud or elsewhere, is a crucial topic that could fill many pages. There are however a smaller number of summary requirements that should be examined by IT architects.

As companies move or build solutions in the cloud, having a consistent security model is vital to simplify development and to avoid vendor lock-in and preserve their IT investments. However, the same applies to internal private cloud configurations or just plain IT systems in general.

With a cloud-based application, access control is just as important, but the infrastructure, platform and application of security is under the direct control of the cloud provider. The Cloud Security Alliance (CSA) published the second edition of its guidelines for secure cloud computing, delivering a document that sets out an architectural framework and makes a host of recommendations around cloud security.

The following section describes the relevant security controls as discussed by CSA.

Security Control	Description
Asset Management	It must be possible to manage all of the hardware, network and software assets (physical or virtual) that make up the cloud infrastructure. This includes being able to account for any physical-or network-based access of an asset for audit and compliance purposes.
Cryptography: Key and Certificate Management	Any secure system needs an infrastructure for employing and managing cryptographic keys and certificates. This includes employing standards-based cryptographic functions and services to support information security at rest and in motion.
Data / Storage Security	It must be possible to store data in an encrypted format. In addition, some consumers will need their data to be stored separately from other consumers’ data.
Endpoint Security	Consumers must be able to secure the endpoints to their cloud resources. This includes the ability to restrict endpoints by network protocol and device type.
Event Auditing and Reporting	Consumers must be able to access data about events that happen in the cloud, especially system failures and security breaches. Access to events includes the ability to learn about past events and reporting of new events as they occur. Cloud providers cause significant damage to their reputations when they fail to report events in a timely manner.
Identity, Roles, Access Control and Attributes	It must be possible to define the identity, roles, entitlements and any other attributes of individuals and services in a consistent, machine-readable way in order to effectively implement access control and enforce security policy against cloud-based resources.
Network Security	It must be possible to secure network traffic at the switch, router and packet level. The IP stack itself should be secure as well.
Security Policies	It must be possible to define policies, resolve, and enforce security policies in support of access control, resource allocation and any other decisions in a consistent, machine readable way. The method for defining policies should be robust enough that SLAs and licenses can be enforced automatically.
Service Automation	There must be an automated way to manage and analyze security control flows and processes in support of security compliance audits. This also includes reporting any events that violate any security policies or customer licensing agreements.
Workload and Service Management	It must be possible to configure, deploy and monitor services in accordance with defined security policies and customer licensing agreements.

Security Certifications and Promoting Cloud Computing

Daniel Ruggles — Mon, 13 Sep 2010 15:05:58 +0000

There is an abundance of certifications in the IT industry covering application development, project management, security, and vendor tool specific. An interesting spin to all of this is a security framework tied specifically to cloud computing.

The Cloud Security Alliance (CSA) published the second edition of its guidelines for secure cloud computing, delivering a document that sets out an architectural framework and makes a host of recommendations around cloud security.

NIST created a notional definition of Cloud Computing in October 2009 and CSA has provided a more elaborate definition on cloud computing, which has been the subject of much hype in recent years. According to the CSA, cloud computing environments feature on-demand, self-service consumption; allow broad access via networks; draw from a pool of shared computing resources; can be quickly scaled up or down depending on demand; and involve some type of metering to track usage.

The CSA’s report tackles cloud security on 13 different domains, from governance issues like e-discovery, compliance and audits to operational concerns such as disaster recovery, application security and identity management.

Domain Title

Clouding Computing Architecture Framework
Governance and enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Traditional Security, Business Continuity, and Disaster Recovery
Data Center Operations
Incident Response, Notification, and Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization

This new security certification is called the Certificate of Cloud Security Knowledge, the designation is earned by studying “Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1″ and “Cloud Computing: Benefits, Risks and Recommendations for Information Security” and passing an online test.

Cloud Computing Definitions and Use Cases

Daniel Ruggles — Thu, 09 Sep 2010 16:19:29 +0000

An active discussion on cloud computing use cases brings a somewhat more practical approach to what this service might offer to a company and how it might evolve over time. Not everyone can use salesforce.com or Google mail services, which are the most frequently cited examples of cloud computing.

The NIST definition describes five essential characteristics of cloud computing:

Rapid Elasticity: Elasticity is defined as the ability to scale resources both up and down as needed. To the consumer, the cloud appears to be infinite, and the consumer can purchase as much or as little computing power as they need. This is one of the essential characteristics of cloud computing in the NIST definition.
Measured Service: In a measured service, aspects of the cloud service are controlled and monitored by the cloud provider. This is crucial for billing, access control, resource optimization, capacity planning and other tasks.
On-Demand Self-Service: The on-demand and self-service aspects of cloud computing mean that a consumer can use cloud services as needed without any human interaction with the cloud provider.
Ubiquitous Network Access: Ubiquitous network access means that the cloud provider’s capabilities are available over the network and can be accessed through standard mechanisms by both thick and thin clients. This does not necessarily mean Internet access. By definition, a private cloud is accessible only behind a firewall. Regardless of the type of network.
Resource Pooling: Resource pooling allows a cloud provider to serve its consumers via a multi-tenant model. Physical and virtual resources are assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). In many cases privacy laws and other regulations require the cloud provider’s resources to be in a particular location. The cloud provider and cloud consumer must work together to adhere to those regulations.

Starter set of use cases include:

	Customer Problem Solved	Requirements & Capabilities	Applicable Use Case
Payroll Processing	Processing time reduced Hardware requirements reduced Elasticity enabled for future expansion	IaaS (VMs), cloud storage	Enterprise to Cloud
Logistics & Project Management	Processing time reduced Manual tasks eliminated Development environment updated and streamlined	PaaS (app framework), cloud storage	Enterprise to Cloud to End User
Central Government	IT expertise consolidated Hardware requirements reduced	IaaS, PaaS	Private Cloud
Local Government	IT expertise consolidated Hardware requirements reduced	IaaS, PaaS	Hybrid Cloud
Astronomic Data Processing	Hardware expense greatly reduced (processing power and storage) Energy costs greatly reduced Administration simplified	IaaS (VMs), cloud storage	Enterprise to Cloud to End User

Building Super Secure Security

Daniel Ruggles — Tue, 07 Sep 2010 17:51:37 +0000

Can a resilient and fail-safe security system be created? Given time and money can the ultimate secure network technology be developed? Defense Advanced Research Projects Agency (DARPA) intends to fund an initiative to find out and in June 2010 announced the Clean‐Slate Design of Resilient, Adaptive Secure Hosts (CRASH). It relies on human biology to develop super-smart, highly adaptive, supremely secure networks.

CRASH program looks to translate human immune system strategies into computational terms. In the human immune system multiple independent mechanisms constantly monitor the body for pathogens. Even at the cellular level, multiple redundant mechanisms monitor and repair the structure of the DNA. These mechanisms consume tons of resources, but let the body continue functioning and to repair the damage caused by malfunctions and infectious agents, DARPA stated.

“The analog of the innate immune system will include combinations of hardware and software elements that constantly enforce basic semantic properties such as type safety, memory integrity, code/data distinctions, information flow, and access control constraints. The innate subsystem will render impossible attacks based on vulnerabilities stemming from violations of these basic properties. As with biological systems, significant resources should be dedicated to this task. Since hardware resources are now plentiful, it would be reasonable to use hardware mechanisms where this will lead to more complete enforcement or to better runtime performance,” DARPA stated.

Seems a bit far-fetched and will likely take a number of years before any commercial products roll out as a result of this government study, but the intent and objectives are intriguing and might actually make headway in building a more secure computing environment.

Security in the New Data Center

Daniel Ruggles — Tue, 31 Aug 2010 15:43:08 +0000

Information security in data centers has historically relied on perimeter firewalls, pattern matching “after the fact” with intrusion detection, and at the server level by installing host-based intrusion detection, identity enforcement, antivirus, and other software agents. Internal LANs can be segmented and boundary controls implemented using the same firewall technology.

Virtualization adds a layer of complexity in that applications on the same host can communicate without accessing the physical network and will then circumvent all those embedded traditional firewalls and associated security processes. Server-based security isn’t scalable, doesn’t encompass the range of network-attached devices in the data center, and presents major operational challenges.

As with any new technology (e.g., virtualization) and new adoption concepts (e.g., cloud computing) security planning and execution will lag. Companies need a more comprehensive view of layered security across data center infrastructure. If you have a mixed environment using some stand-alone servers and some virtual instances isolate and segregate what you run on these environments. Running your financial systems on the same LAN segment that hosts your virtualized development instances is just asking for problems.

The National Institute of Standards and Technology (NIST) has issued draft recommendations for securely configuring and using full virtualization technologies. Full virtualization is considered a key technology for cloud computing, but it introduces new issues for IT security.

The proposed security recommendations are contained in the draft document, NIST Special Publication 800-125, Guide to Security for Full Virtualization Technologies.