Securosis

Research

New Paper Available: The Executive Guide to Pragmatic Network Security Management

This should be no surprise because I just pounded through all the posts and put the paper up on GitHub for open review. As of today I am happy to launch the official exec-friendly white paper version of the Executive Guide to Pragmatic Network Security Management. There is a landing page, or you can go directly to the PDF. As a reminder, this paper focuses on managing your network security program – not a particular appliance or tool. It targets those of you with larger or more complex networks – or, really, anyone struggling to manage network security from a big picture perspective. I would like to thank RedSeal Networks for licensing the paper, which is how we get to publish these things for free. Share:

Share:
Read Post

Digging into the Underground

  Dell SecureWorks CTU published a cool research report published today. Joe Stewart and David Shear dug into the marketplace of attackers and found that the market for attack products, tools, and services is thriving. Here are a couple of their more interesting findings: Bank account number with online credentials ($70-130K in account): $300 or less 15,000 infected computer botnet: $250 DDoS attacks: $3-5 per hour; $90-100 per day Exploit kit subscription: $1,500 per year That’s pretty short money for those kinds of services, no? We are dealing with market forces, which means there is plenty of inventory. Yup, lots of credit cards, bank accounts, and bots out there waiting to be used. You know, supply and demand for the win. At least the computer crime folks haven’t screwed with the laws of economics. Not yet, anyway. Photo credit: “Dig for Victory 33” originally uploaded by Aidan “Trig” Brooks Share:

Share:
Read Post

Summary: Stay away from the Light

Ah, the holidays. That wonderful time of year when I struggle to attempt to explain to my children why the Christmas decorations are up before Thanksgiving. They are very adamant that Thanksgiving is first, and there really shouldn’t be Xmas decorations yet. Because I agree, and struggle to keep “Burn their houses down!” in my head rather than out loud when I drive past certain neighbors, I really can’t explain. Which is somewhat, well, odd, because I am a bit of a Jewish atheist. I mean really, of all the people on this planet, I am fairly low on the list of ones who should be obsessing about putting up colored lights and fake trees. But the thing is, we American Jews friggin’ love Christmas. Oh, not the religious pieces, those are quite confusing to us, but the general holiday spirit. And by “holiday spirit” I mean TV episodes, reruns of Christmas Vacation, the decorations and music, the endless catalogs that make Sky Mall look like one of those corporate 15-year anniversary gift brochures (you know, filled with demeaning lucite blocks and trashy fake jewelry to reward your many years of slavish dedication to the corporate overlords). But back to the decorations. My wife’s parents’ have neighbors who spent two days putting up their decorations. Actually, I need to correct myself: they spent two days watching the people they paid put up the decorations. Not two hours. Two. Full. Days. I will be the first to admit I have experienced a passing mental dalliance with the concept of paying someone with a much nicer ladder than me to spend an hour or two giving my home a colored LED bodyslam, but it just seems wrong. The whole idea of the holidays is to outdo your neighbors with your own sweat and blood, Clark Griswald style. To relish how your ability to run an extension cord to the second story makes you a better person. Paying someone? That’s the Lance Armstrong of Christmas. Actually, Lance had to cheat because everyone else was – he was just better and meaner at it. Paying someone to put up your lights before Thanksgiving makes you lower than a meth cooker with an ice cream truck. There’s no excuse for it, and I, for one, plan on complaining to my HOA. Which probably won’t help because I live in a different town, but someone needs to know. Sorry. I was going to talk about how awesome the Amazon Web Services concert conference was, but the lights got under my skin. For the record, I can’t remember a more exciting time to be in technology, and thanks to Amazon and other innovators, a truly awesome future is becoming reality. But did I mention those lights? &$%ers. On to the Summary: Favorite Securosis Posts Mike Rothman: CISO’s Guide to the Cloud: Real World Examples. Rich just killed it in this series. Really great research from top to bottom. And stuff not many others are thinking about. Yet. They will. Adrian Lane: Compliance for the Sake of Compliance. If a company can’t implement a security program, there is no security program. Rich: Mike’s You Cannot Outsource Accountability. Ever. Other Securosis Posts Digging into the Underground. Incite 11/20/2013 – Live Right Now. Black Hat Cloud Security Training (Beta) in Seattle Next Month. Defending Against Application Denial of Service: Building Protections in. The CISO’s Guide to the Cloud: Adapting Security for Cloud Computing, Part 2. The CISO’s Guide to the Cloud: Adapting Security for Cloud Computing (part 1). Favorite Outside Posts Mike Rothman: 20 Things You Need to Let Go to Be Happy. Ah, the elusive happiness. For me, happy is a place I visit a couple times a day. Then it passes. But these little tips remind me about why I get unhappy. Mostly because I’m not following this advice. Adrian Lane: 2014 to be an eventful year for SSL. Most people forget that SHA-1 is basic infrastructure, used by just about every single HTTPS/SSL/TLS connection in existence. The deprecation of SHA-1 is not just because it was an NSA contribution via NIST, but it has overstayed its welcome. Larry does a nice job of covering the issues. Mort: What’s my name? No, really, what is it? In other words: a user forgetting their username and/or password is orders of magnitude more likely than user enumeration… Mort (2): Boring Is Good. Rich: AWS vs. CSPs: Hardware Infrastructure. I was at these sessions. It is hard to express the enormity of cloud computing in general, and AWS in particular. They can’t even buy routers big enough to handle the traffic so they have to build their own networking stack and rearchitect everything. Research Reports and Presentations Executive Guide to Pragmatic Network Security Management. Security Awareness Training Evolution. Firewall Management Essentials. A Practical Example of Software Defined Security. Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Dealing with Database Denial of Service. The 2014 Endpoint Security Buyer’s Guide. The CISO’s Guide to Advanced Attackers. Top News and Posts Senators back lawsuit against NSA: ‘no evidence’ that bulk phone spying helps national security. Feds Arrest 5 More Suspects in $45 Million Global Bank Heist. The second operating system hiding in every mobile phone. Blog Comment of the Week This week’s best comment goes to Andrew, in response to The CISO’s Guide to the Cloud: Adapting Security for Cloud Computing. ‘We cannot overstate the importance of hardening the management plane. It literally provides absolute control over your cloud deployment – often including all disaster recovery.’ Great point. Information assurance is vital. Managing all the risks related to the usage, processing, storage, and transmission of data needs to be at the core of cloud services. Share:

Share:
Read Post

Compliance for the Sake of Compliance

  Adrian put up an insightful (as opposed to inciteful) column on Dark Reading, pointing out that that Simple Security Is A Better Bet. Though I quibble a bit with the subhead: “Complex security programs are little better than no security”. Of course any subhead taken out of context creates opportunity for misinterpretation. I would reword to say, “Complex security programs done poorly are little better than no security”. But that’s just me. The fact is that any set of security controls chosen needs to be achievable by the organization. Even if that means attack surface remains unaddressed. What choice do you have? Even if it’s the low bar that most compliance mandates prescribe. Adrian does make that point effectively. …it was going to address most of the issues the company had – it was not even fully aware of the issues it needed to address – and it was within its capability to implement. I hate to do this because sometimes it feels like compliance for the sake of compliance. Obviously that’s suboptimal. Just like anyone else, I like to actually solve the problem, rather than just putting band-aid after band-aid on the wound. But pragmatism needs to win the day. Any organization pushing beyond its capabilities (and budget) will have problems because it won’t be able to execute – even worse, it might get a false sense of security. Photo credit: “failure-to-comply” originally uploaded by Brendan Riley Share:

Share:
Read Post

Incite 11/20/2013—Live Right Now

As I mentioned a few weeks ago, XX1 had her Bat Mitzvah recently. It was great to be surrounded for a weekend by almost all the people we care about. And XX1 really stepped up and made us very proud. There are few things more gratifying than seeing your child excel – especially on a big stage in front of a lot of people. Part of the ceremony is a blessing from the parents. Some parents provide an actual blessing. Others tell entertaining stories about the child. I chose to give her some life perspective by distilling what I have learned over the past four decades down into a fairly simple concept. I understand she probably won’t get it for a while, but I’m okay with that. So here goes: I have no doubt you will move with grace to adulthood. In preparation for that transformation, let me share with you what I’ve discovered over the past 45 years. In fact, I believe it’s the secret to life. The secret to life? Wow. I know, it seems kind of deep. So here goes. The secret to life is to LIVE RIGHT NOW. I know it seems kind of underwhelming, but hear me out. Once I explain it a bit, maybe LIVE RIGHT NOW will make sense. You can choose to live in the future. Chasing dreams and aspirations and goals and life plans. You are so busy striving for what you don’t have, you never get around to appreciating what you do have. You’ll need to trust me on that. That doesn’t mean you can’t think to the future… but think to the future not in fear and worry, but in hope and grace. Realize you make the vision of your life a reality based on how you live right now. You could choose to live in the past. We need to be respectful of history, and learn the lessons of those that came before us. But don’t be limited by the past. Learn from your own experiences, especially the challenging ones – then let them go. You have the power to create your own future. A future where you can achieve whatever you set your mind to and become absolutely anything you choose. Never forget that who you ARE doesn’t depend on who you WERE. You can and should be reinventing yourself as you move through life. Don’t let anything or anyone define you. Let your actions right now, in this moment, represent who you are and who you will become. Steve Jobs said it much more elegantly in his awesome Stanford Commencement address, “Your time is limited, so don’t waste it living someone else’s life. Don’t let the noise of others’ opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition. They somehow already know what you truly want to become.” Understanding this secret doesn’t make it easy. Being yourself, loving yourself, and surrounding yourself with people who appreciate and love YOU for who YOU ARE is very difficult. You’ll face many challenges, make countless tough decisions and you’ll screw things up. That’s all part of this game we call life. Just be true to yourself and everything will be OK. I promise. Always remember your Mom and I will be there to support you – celebrating your accomplishments and helping you rebound from your setbacks. Most of all know that we love you, unconditionally and without bounds. I wanted to finish the speech with a Seinfeld quote, but “NO SOUP FOR YOU!” didn’t seem to fit. Instead I chose a passage from Seinfeld’s book that my father sent to me many years ago when I lost sight of what was important. “Life is truly a ride. We’re all strapped in and no one can stop it. As you make each passage from youth to adulthood to maturity, sometimes you put your arms up and scream, sometimes you just hang on to that bar in front of you. But the ride is the thing. I think the most you can hope for at the end of life is that your hair’s messed, you’re out of breath, and you didn’t throw up.” Strap in girlfriend, it’s a wild ride. –Mike Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. What CISOs Need to Know about Cloud Computing Adapting Security for Cloud Computing How the Cloud is Different for Security Introduction Defending Against Application Denial of Service Building Protections In Abusing Application Logic Attacking the Application Stack Newly Published Papers Security Awareness Training Evolution Firewall Management Essentials Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U Sustainable security change: As we come up to the end of the year, countless folks will fall again into the trap of New Year’s resolutions. Something they are going to change for perhaps a few days in January, then it’s right back to the same old habits. Dave Elfering (whose blog is good – you should read it) talks a bit about Leading vs. Managing in the context of creating change. The process he references (from some work by John Kotter), involves the hard work of lining up support, creating a vision, communicating that vision, empowering action, generating short term wins, and consistency of enforcement to ensure the change sticks. This is hard stuff because everyone is constantly dealing with other shiny objects diverting their attention. Dave’s point is that managers can get things done. But it takes a leader to drive lasting change. I think he’s right. – MR Perverse security

Share:
Read Post

The CISO’s Guide to the Cloud: Real World Examples and Where to Go from Here

This is part five of a series. You can read part one, part two, part three, or part four; or track the project on GitHub. Real World Examples Cloud computing covers such a wide range of different technologies that there are no shortage of examples to draw from. Here are a few generic examples from real-world deployments. These get slightly technical because we want to highlight practical, tactical techniques to prove we aren’t just making all this up: Embedding and Validating a Security Agent Automatically In a traditional environment we embed security agents by building them into standard images or requiring server administrators to install and register them. Both options are very prone to error and omission, and hard to validate because you often need to rely on manual scanning. Both issues become much easier to manage in cloud computing. To embed the agent: The first option is to build the agent into images. Instead of using generic operating system images you build your own, then require users to only launch approved images. In a private cloud you can enforce this with absolute control of what they run. In public clouds it is a bit tougher to enforce, but you can quickly catch exceptions using our validation process. The second option, and our favorite, is to inject the agent when instances launch. Some operating systems support initialization scripts which are passed to the launching instance by the cloud controller. Depending again on your cloud platform, you can inject these scrips automatically when autoscaling, via a management portal, or manually at other times. The scripts install and configure software in the instance before it is accessible on the network. Either way you need an agent that understands how to work within cloud infrastructure and is capable of self-registering to the management server. The agent pulls system information and cloud metadata, then connects with its management server, which pushes configuration policies back to the agent so it can self-configure. This process is entirely automated the first time the agent runs. Configuration may be based on detected services running on the instance, metadata tags applied to the instance (in the cloud management plane), or other characteristics such as where it is on the network. We provide a detailed technical example of agent injection and self-configuration in our Software Defined Security paper. The process is simple. Build the agent into images or inject it into launching instances, then have it connect to a management server to configure itself. The capabilities of these agents vary widely. Some replicate standard endpoint protection but others handle system configuration, administrative user management, log collection, network security, host hardening, and more. Validating that all your instances are protected can be quite easy, especially if your tool supports API: Obtain a list of all running instances from the cloud controller. This is a simple API call. Obtain a list of all instances with the security agent. This should be an API call to your security management platform, but might require pulling a report if that isn’t supported. Compare the lists. You cannot hide in the cloud, so you know every single instance. Compare active instances against managed instances, and find the exceptions. We also show how to do this in the paper linked above. Controlling SaaS with SAML Pretty much everyone uses some form of Software as a Service, but controlling access and managing users can be a headache. Unless you link up using federated identity, you need to manage user accounts on the SaaS platform manually. Adding, configuring, and removing users on yet another system, and one that is always Internet accessible, is daunting. Federated identity solves this problem: Enable federated identity extensions on your directory server. This is an option for Active Directory and most LDAP servers. Contact your cloud provider to obtain their SAML configuration and management requirements. SAML (Security Assertion Markup Language) is a semi-standard way for a relying party to allow access and activities based on approval from an identity provider. Configure SAML yourself or use a third-party tool compatible with your cloud provider(s) which does this for you. If you use several SaaS providers a tool will save a lot of effort. With SAML users don’t have a username and password with the cloud provider. The only way to log in is to first authenticate to your directory server, which then provides (invisible to the user) a token to allow access to the cloud provider. Users need to be in the office or on a VPN. If you want to enable remote users without VPN you can set up a cloud proxy and issue them a special URL to use instead of the SaaS provider’s standard address. This address redirects to your proxy, which then handles connecting back to your directory server for authentication and authorization. This is something you typically buy rather than build. Why do this? Instead of creating users on the SaaS platform it enables you to use existing user accounts in your directory server and authorize access using standard roles and groups, just like you do for internal servers. You also now get to track logins, disable accounts from a single source (your directory server), and otherwise maintain control. It also means people can’t steal a user’s password and then access Salesforce from anywhere on the Internet Compartmentalizing Cloud Management with IAM One of the largest new risks in cloud computing is Internet-accessible management of your entire infrastructure. Most cloud administrators use cloud APIs and command line interfaces to manage the infrastructure (or PaaS, and even sometimes SaaS). This means access credentials are accessed through environment variables or even the registry. If they use a web interface that opens up browser-based attacks. Either way, without capability compartmentalization an attacker could take complete control over their infrastructure by merely hacking a laptop. With a few API calls or a script they could copy or destroy everything in minutes. All cloud platforms support internal identity and access management to varying degrees –

Share:
Read Post

The CISO’s Guide to the Cloud: Adapting Security for Cloud Computing, Part 2

This is part four of a series. You can read part one, part two, or part three; or track the project on GitHub. As a reminder, this is the second half of our section on examples for adapting security to cloud computing. As before this isn’t an exhaustive list – just ideas to get you started. Intelligently Encrypt There are three reasons to encrypt data in the cloud, in order of their importance: Compliance. To protect data in backups, snapshots, and other portable copies or extracts. To protect data from cloud administrators. How you encrypt varies greatly, depending on where the data resides and which particular risks most concern you. For example many cloud providers encrypt object file storage or SaaS by default, but they manage the keys. This is often acceptable for compliance but doesn’t protect against a management plane breach. We wrote a paper on infrastructure encryption for cloud, from which we extracted some requirements which apply across encryption scenarios: If you are encrypting for security (as opposed to a compliance checkbox) you need to manage your own keys. If the vendor manages your keys your data may still be exposed in the event of a management plane compromise. Separate key management from cloud administration. Sure, we are all into DevOps and flattening management, but this is one situation where security should manage outside the cloud management plane. Use key managers that are as agile and elastic as the cloud. Like host security agents, your key manager needs to operate in an environment where servers appear and disappear automatically, and networks are virtual. Minimize SaaS encryption. The only way to encrypt data going to a SaaS provider is with a proxy, and encryption breaks the processing of data at the cloud provider. This reduces the utility of the service, so minimize which fields you need to encrypt. Or, better yet, trust your provider. Use secure cryptography agents and libraries when embedding encryption in hosts or IaaS and PaaS applications. The defaults for most crypto libraries used by developers are not secure. Either understand how to make them secure or use libraries designed from the ground up for security. Federate and Automate Identity Management Managing users and access in the cloud introduces two major headaches: Controlling access to external services without having to manage a separate set of users for each. Managing access to potentially thousands or tens of thousands of ephemeral virtual machines, some of which may only exist for a few hours. In the first case, and often the second, federated identity is the way to go: For external cloud services, especially SaaS, rely on SAML-based federated identity linked to your existing directory server. If you deal with many services this can become messy to manage and program yourself, so consider one of the identity management proxies or services designed specifically to tackle this problem. For access to your actual virtual servers, consider managing users with a dynamic privilege management agent designed for the cloud. Normally you embed SSH keys (or known Windows admin passwords) as part of instance initialization (the cloud controller handles this for you). This is highly problematic for privileged users at scale, and even straight directory server integration is often quite difficult. Specialized agents designed for cloud computing dynamically update users, privileges, and credentials at cloud speeds and scale. Adapt Network Security Networks are completely virtualized in cloud computing, although different platforms use different architectures and implementation mechanisms, complicating the situation. Despite that diversity there are consistent traits to focus on. The key issues come down to loss of visibility using normal techniques, and adapting to the dynamic nature of cloud computing. All public cloud providers disable networking sniffing, and that is an option on all private cloud platforms. A bad guy can’t hack a box and sniff the entire network, but you also can’t implement IDS and other network security like in traditional infrastructure. Even when you can place a physical box on the network hosting the cloud, you will miss traffic between instances on the same physical server, and highly dynamic network changes and instances appear and disappear too quickly to be treated like regular servers. You can sometimes use a virtual appliance instead, but unless the tool is designed to cloud specifications, even one that works in a virtual environment will crack in a cloud due to performance and functional limitations. While you can embed more host network security in the images your virtual machines are based on, the standard tools typically won’t work because they don’t know exactly where on the network they will pop up, nor what addresses they need to talk to. On a positive note, all cloud platforms include basic network security. Set your defaults properly, and every single server effectively comes with its own firewall. We recommend: Design a good baseline of Security Groups (the basic firewalls that secure the networking of each instance), and use tags or other mechanisms to automatically apply them based on server characteristics. A Security Group is essentially a firewall around every instance, offering compartmentalization that is extremely difficult to get in a traditional network. Use a host firewall, or host firewall management tool, designed for your cloud platform or provider. These connect to the cloud itself to pull metadata and configure themselves more dynamically than standard host firewalls. Also consider pushing more network security, including IDS and logging, into your instances. Prefer virtual network security appliances that support cloud APIs and are designed for the cloud platform or provider. For example, instead of forcing you to route all your virtual traffic through it as if you were on a physical network, the tool could distribute its own workload – perhaps even integrating with hypervisors. Take advantage of cloud APIs. It is very easy to pull every Security Group rule and then locate every instance. Combined with some additional basic tools you could then automate finding errors and omissions. Many cloud deployments do this today as a matter of course.

Share:
Read Post

Black Hat Cloud Security Training (Beta) in Seattle Next Month

I am teaching another cloud security class for Black Hat. There are two classes, one on December 9-10, and the other December 11-12. This class covers the CCSK certificate requirements and includes a test token to sit the exam (online). But we maintain the CCSK courseware, and it is time to try out some updated material. Specifically: We are streamlining the lecture day to reduce cruft and generally clean up the slides. We have even more real-world examples of how to get things done, based on our ongoing research. The labs are being updated for changes at Amazon Web Services. We are bringing more advanced material, as we did in Black Hat Vegas. The advanced material is not part of the core course, and we only get to it after the normal training requirements. It is an extension of the material I wrote about in the Software Defined Security paper. This class also qualifies as a Train the Trainer course, with some additional online training we offer for free after the class proper. If you want to become an instructor and sign up for this class, please email me and let me know ahead of time. Thanks, and hope to see you in Seattle! Share:

Share:
Read Post

You Cannot Outsource Accountability

  Given our severe skills gap in security, managed services and other security outsourcing tactics continue to be very interesting to end users. Either that, or non-security senior management gets frustrated by the inability of the internal team to get anything done, so they look at having someone else take a crack. As the NSS folks ask in their blog post, To Outsource or Not to Outsource, That is the Question!, but I don’t think that’s the right question. It’s really more about what they can outsource, not whether to outsource at all. Although their first sentence does irk me: Is it a good thing that one of the fastest growing segments in the field of information security revolves around surrendering control of your security to another party? Surrendering control? Really? That kind of attitude will get you killed. If there is one thing I have learned over the years, it was from cleaning up roadkill from security folks who bought the hype, and believed that a service provider would solve all their problems. But you can’t outsource accountability. Then NSS went on to categorize some decision points for selecting a provider. And depending on what you are asking the provider to do, there are various nuances to making that selection. That’s fine. But ultimately there must be someone inside the organization responsible for the security program. Really responsible, and empowered to make decisions. That person is responsible for allocating resources to get the job done. That could mean using internal staff, deploying technology, leveraging managed services, or deeper outsourcing. I am not religious about any specific mix, but I am about the need for someone on internal to make those decisions. Share:

Share:
Read Post

The CISO’s Guide to the Cloud: Adapting Security for Cloud Computing

This is part three of a series. You can read part one or part two, or track the project on GitHub. This part is split into two posts – here is the first half: Adapting Security for Cloud Computing If you didn’t already, you should now have a decent understanding of how cloud computing differs from traditional infrastructure. Now it’s time to switch gears to how to evolve security to address shifting risks. These examples are far from comprehensive, but offer a good start and sample of how to think differently about cloud security. General Principles As we keep emphasizing, taking advantage of the cloud poses new risks, as well as both increasing and decreasing existing risks. The goal is to leverage the security advantages, freeing up resources to cover the gaps. There are a few general principles for approaching the problem that help put you in the proper state of mind: You cannot rely on boxes and wires. Quite a bit of classical security relies on knowing the physical locations of systems, as well as the network cables connecting them. Network traffic in cloud computing is virtualized, which completely breaks this model. Network routing and security are instead defined by software rules. There are some advantages here, which are beyond the scope of this paper but which we will detail with future research. Security should be as agile and elastic as the cloud itself. Your security tools need to account for the highly dynamic nature of the cloud, where servers might pop up automatically and run for only an hour before disappearing forever. Rely more on policy-based automation. Wherever possible design your security to use the same automation as the cloud itself. For example there are techniques to automate (virtual) firewall rules based on tags associated with a server, rather than applying them manually. Understand and adjust for the characteristics of the cloud. Most virtual network adapters in cloud platforms disable network sniffing, so that risk drops off the list. Security groups are essentially virtual firewalls that on individual instance, meaning you get full internal firewalls and compartmentalization by default. Security tools can be embedded in images or installation scripts to ensure they are always installed, and cloud-aware ones can self configure. SAML can be used to provide absolute device and user authentication control to external SaaS applications. All these and more are enabled by the cloud, once you understand its characteristics. Integrate with DevOps. Not all organizations are using DevOps, but DevOps principles are pervasive in cloud computing. Security teams can integrate with this approach and leverage it themselves for security benefits, such as automating security configuration policy enforcement. Defining DevOps DevOps is an IT model that blurs the lines between development and IT operations. Developers play a stronger role in managing their own infrastructure through heavy use of programming and automation. Since cloud enables management of infrastructure using APIs, it is a major enabler of DevOps. While it is incredibly agile and powerful, lacking proper governance and policies it can also be disastrous since it condenses many of the usual application development and operations check points. These principles will get you thinking in cloud terms, but let’s look at some specifics. Control the Management Plane The management plane is the administrative interfaces, web and API, used to manage your cloud. It exists in all types of cloud computing service models: IaaS, PaaS, and SaaS. Someone who compromises a cloud administrator’s credentials has the equivalent of unmonitored physical access to your entire data center, with enough spare hard drives, fork lifts, and trucks to copy the entire thing and drive away. Or blow the entire thing up. We cannot overstate the importance of hardening the management plane. It literally provides absolute control over your cloud deployment – often including all disaster recovery.* We have five recommendations for securing the management plane: If you manage a private cloud, ensure you harden the web and API servers, keeping all components up to date and protecting them with the highest levels of web application security. This is no different than protecting any other critical web server. Leverage the Identity and Access Management features offered by the management plane. Some providers offer very fine-grained controls. Most also integrate with your existing IAM using federated identity. Give preference to your platform/provider’s controls and… Compartmentalize with IAM. No administrator should have full rights to all aspects of the cloud. Many providers and platforms support granular controls, including roles and groups, which you can leverage to restrict the damage potential of a compromised developer or workstation. For example, you can have a separate administrator for assigning IAM rights, only allow administrators to manage certain segments of your cloud, and further restrict them from terminating instances. Add auditing, logging, and alerting where possible. This is one of the more difficult problems in cloud security because few cloud providers audit administrator activity – such as who launched or stopped a server using the API. For now you will likely need a third-party tool or to work with particular providers for necessary auditing. Consider using security or cloud management proxies. These tools and services proxy the connection between a cloud administrator and the public or private cloud management plane. They can apply additional security rules and fill logging and auditing gaps. Automate Host (Instance) Security An instance is a virtual machine, which is based on a stored template called an image. When you ask the cloud for a server you specify the image to base it on, which includes an operating system and might bring a complete single-server application stack. The cloud then configures it using scripts which can embed administrator credentials, provide an IP address, attach and format storage, etc. Instances may exist for years or minutes, are configured dynamically, and can be launched nearly anywhere in your infrastructure – public or private. You cannot rely on manually assessing and adjusting their security. This is very different than building a server in a test environment, performing a

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.