This document provides an overview of cloud security and how it differs from traditional security models. Some key points:
- Cloud computing introduces new security challenges due to its reliance on sharing resources over the internet, like computing power and storage.
- There are different cloud computing models including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
- Cloud computing is defined by traits like internet accessibility, scalability, multitenancy, broad authentication, usage-based pricing, and lack of location specificity. These traits increase security risks.
- Multitenancy, where multiple users share the same cloud resources, introduces the risk of unint
Cloud Computing Deep Dive (INFOWORLD.COM DEEP DIVE SERIES, JANUARY 2011)

Cloud security changes everything

The scalability of cloud computing depends on sharing resources that were never shared before, demanding a new set of security best practices

MANY COMPUTER SECURITY PRACTITIONERS blow off cloud computing as just a semantic exercise describing conventional applications running across a wide area network.

They are wrong. Cloud computing is a new paradigm that challenges traditional security dogma. Old assumptions are gone forever and the ones that replace them will make the security expert’s job harder than ever.

This paper will cover how cloud computing differs from the past and discuss characteristics of the new threat model.

CLOUD COMPUTING MODELS

Before delving into cloud computing exploits and defenses, it helps to get a basic understanding of cloud computing models. Although new models appear to be emerging every day, here are the basic ones nearly everyone agrees on:

• Infrastructure as a Service (IaaS). IaaS provides massively scalable, elastic computing resources via the Internet. Some providers offer just a single resource, such as storage space, but most now focus on providing complete computing platforms for customers’ VMs, including operating system, memory, storage, and processing power. Clients often pay for only what they use, which fits nicely into any company’s computing budget.

• Software as a Service (SaaS). SaaS providers deliver software functionality through the browser, without the end-user having to install software locally. Typically, SaaS offerings are multitenanted: Customers establish accounts on one huge instance of the software running on a virtualized infrastructure. Common examples include Google’s Gmail, Microsoft’s Business Online Productivity Suite, and Salesforce.com.

• Platform as a Service (PaaS). PaaS providers give developers complete development environments in which to code, host, and deliver applications. The development environment typically includes the underlying infrastructure, development tools, APIs, and other related services. Examples include Google’s App Engine, Microsoft’s Windows Azure, and Salesforce’s Force.com.

Naturally, many cloud service providers mix two or more of these cloud service models or cannot be neatly placed into one type. Additionally, the type of user who can access the cloud further defines each model, as well as what type of cloud is at issue:

• The public cloud. Public clouds are created by one vendor and offered to the general public. Public clouds are almost always Internet-accessible and multitenanted.

• The private cloud. Private clouds are hosted by the same organization that utilizes the service (which in general does not support multitenancy). The primary value proposition is data accessibility and fault tolerance.

• The hybrid cloud. This term typically applies to organizations that have set up private cloud services in combination with external public cloud services. It also refers to service offerings used exclusively by an invited group of private customers (also called a “community cloud”).
For more information, see the National Institute for Standards and Technology (NIST) document detailing common cloud terminology.

HOW CLOUD COMPUTING IS DIFFERENT

Cloud computing is a major departure from traditional networks and applications. In general, a service or offering is considered cloud computing if it has at least four of these seven traits:

• Internet (or intranet) accessible
• A massively scalable, user-configurable pool of elastic computing resources (such as network bandwidth, compute power, memory, etc.)
• Multitenancy (one large software instance shared by many customer accounts)
• A broad authentication scheme
• Subscription or usage-based payment
• Self-service
• Lack of location specificity

All of these traits offer new challenges to the computer security professional, but accessibility, multitenancy, broad authentication, and lack of location-specificity are the four items responsible for the biggest technology shift and demand for new security solutions.

ACCESS TO THE INTERNET OR INTRANETS EQUALS HIGH RISK

We already know that any computing resource that is Internet accessible is at a higher risk than one that is not. It’s how most of the bad guys break into computers today, whether it involves social-engineered Trojan horse programs, viruses, or human attackers. High-risk environments, like the top secret classified systems of most governments, usually aren’t allowed to connect to a network that can connect to the Internet. Too much risk.

Clouds don’t use VPN technologies. With cloud computing, it’s assumed that all users and application resources are Internet- or intranet-accessible, with all the elevated risk that implies. This means that anonymous attackers can access connection points just as any legitimate user or manager of the system can. In a traditional computing environment, only a small percentage of servers are Internet-accessible. In cloud computing, most servers are Internet-accessible. This must change the security defender’s thinking.

Just as most clouds are Internet-accessible, they are also almost entirely Web-based, with browsers as clients and Web servers as the server endpoint connection. Some clouds use simple HTML-based forms and Web pages, but most are an increasingly complex set of Web services and protocols. (Wikipedia has an excellent beginner’s tutorial on Web services.)

As the Web matures, most things that were once accomplished using a single computer will be executed by a matrix of Web services, connected together in most cases by XML, SOAP (or REST), and SAML. As Web 2.0 takes over, future security defenders must get to know these services and protocols inside and out, and defend against their deficiencies as they emerge (and there are bound to be plenty).

MULTITENANCY

Multitenancy is a major defining trait for public clouds. Typically, in a traditional environment, only the application’s owner and direct employees can access the application data. In a cloud, multitenancy means that multiple, distinct, separate end-user parties share the same service and/or resources. End-users may be aware of this fact and may even be able to directly interact with other end-users. Or they may be unaware that resources are shared and that this is a risk.

In a cloud, risk looms that the parties sharing that cloud will be able to — unintentionally or intentionally — access one another’s private data. This has been the case in cloud exploits with major cloud providers during the past few years. In some cases, all it took was modifying a client’s unique identifier, sent over in the browser request, to another identifier, and up comes another client’s data. Sometimes spillage has occurred when a bug in the cloud service offered up too much data without the client doing anything out of the ordinary.

With IaaS-based clouds in particular, security researchers are discovering a brand new class of vulnerabilities that did not exist in the old world. For example, attackers are finding ways to “cyberjack” another tenant’s data and resources by discovering other tenants’ IP addresses and computer resources or by searching for other people’s data remnants after they release
unneeded resources back to the cloud. As it turns out, some cloud vendors don’t erase or format the freed-up storage or memory resources.

It’s too early to know whether these types of risks will decrease as cloud security matures or whether they will remain a fixture that defines the new threat model.

BROAD AUTHENTICATION SCHEMES

Internet accessibility and multitenancy pose a challenge when determining how to authenticate large numbers of different clients. In the traditional model, each authenticating user has a full user account located in the application’s authentication database (or directory service). But scaling and multitenancy complicate the process, because conventional authentication services tend to offer access to shared common resources by default. In Active Directory, for example, members of the Everyone group can see and list all sorts of resources that a cloud provider would probably not want every client to see.

Initially, many cloud providers tried to solve this problem by using proprietary or private authentication services. But these services rarely have the scalability and functionality needed. First-generation clouds required that all end-users have separate accounts in their databases — similar to the way Web surfers need to log on separately to each website where they have an account. (For example, your Facebook account is not related to your Amazon or iTunes accounts.) This is known as “Web Identity 1.0” in identity system circles.

Clearly, asking end-users to create and manage separate log-on accounts for every future Web service they will use doesn’t scale — for a multitude of reasons. Using one big SSO (single sign-on) solution that interacted with participating Web sites became the “Web Identity 1.5” way of doing things. With this authentication model, users registered with an “independent,” centralized authority to obtain an SSO ID. Then, when visiting participating Web sites, the user could enter their SSO credentials to gain access. An example of this sort of solution was Microsoft’s Passport (now morphed into LiveID) and other protocols created by the Liberty Alliance.

But many people balked at the idea of a single entity handling everyone’s SSO accounts. What evolved is known as “Web Identity 2.0,” or federated identity, as well as identity metasystems. With Web Identity 2.0, there can be a multitude of identity services (made up of both centrally managed and single, stand-alone identities) that can interoperate with a large number of Web sites and services. Popular individual identity services include OpenID, InfoCard, and LiveID. Many of these authentication services are interoperable with each other and use common protocols such as XML, SOAP, SAML, Web services, WS-Federation, and so on.

In the Web 2.0 world, each Web site (or cloud provider) can choose which federated identity service to work with and accept. The Web site or service provider can require particular types of identity assurance (such as a simple password, smartcard, or biometric device) before a user can participate. For example, a cancer survivor Web site may wish to allow anonymous users whereas an online banking Web site may require a site-issued smartcard or other authenticating token to log on.

Conversely, users may be able to submit only the identity data they wish to share with the participating service provider (called claims-based identity). For example, a user purchasing alcohol via the Internet may need only to prove that he or she is over the legal drinking age but not have to show his or her actual identity or birthdate. A central tenet of any good identity metasystem is that users should only have to show the bare minimum of identity information necessary to access the offered service and perform the desired transaction. Submitting (or requesting) too much identity information is considered very “Web 1.0.”

In the Identity 2.0 model, authenticated anonymity (called pseudo-anonymity) is possible. In this case, a trusted third party knows the user’s real identity and has authenticated him or her, but hands out a different identity credential that is trusted by the Web service provider. Thus, that user can use the Web service without revealing his or her true identity to the Web site.

THE EFFECT OF BROAD AUTHENTICATION ON CLOUD COMPUTING

In the near future, it’s likely that both private and public clouds will support Web 2.0 identities. Users of private clouds will likely use their SSO to access public cloud services, while external users may use their SSO to access your company’s private or hybrid cloud offering.
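The claims-based, pseudonymous exchange described in the identity paragraphs above, as an added Python example that is not code from InfoWorld or from any named identity product: a trusted identity provider authenticates the user, refuses any request for raw attributes, and issues a signed token carrying only a per-site pseudonym and the derived "over legal drinking age" claim, which the shop verifies without ever learning the birthdate. The user records, host names, the HMAC shared-secret signing and the age limit of 21 are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

# Constructed sample records held by the identity provider (IdP). The IdP has
# authenticated these users itself; the relying party never sees these fields.
IDP_USERS = {
    "alice@example.test": {"name": "Alice Example", "birthdate": "1990-06-15"},
    "bob@example.test": {"name": "Bob Example", "birthdate": "2009-01-01"},
}

LEGAL_DRINKING_AGE = 21  # assumed jurisdiction value for the example

# Minimal-disclosure policy: only derived claims may leave the IdP. Raw
# attributes such as "birthdate" or "name" are never releasable.
RELEASABLE_CLAIMS = {"over_legal_drinking_age"}


class IdentityProvider:
    """Trusted third party that issues pseudonymous, claims-only tokens."""

    def __init__(self, signing_key: bytes, pairwise_secret: bytes):
        # Shared-secret HMAC signing is an assumption made to keep the example
        # dependency-free; real federations use asymmetric signatures.
        self.signing_key = signing_key
        self.pairwise_secret = pairwise_secret

    def pairwise_subject(self, user: str, relying_party: str) -> str:
        # A different pseudonym per relying party, so two sites cannot
        # correlate the same user by comparing subject identifiers.
        msg = f"{relying_party}|{user}".encode()
        return hmac.new(self.pairwise_secret, msg, hashlib.sha256).hexdigest()[:32]

    @staticmethod
    def _compute_claim(record: dict, claim: str, today: date) -> bool:
        if claim == "over_legal_drinking_age":
            bd = date.fromisoformat(record["birthdate"])
            age = today.year - bd.year - ((today.month, today.day) < (bd.month, bd.day))
            return age >= LEGAL_DRINKING_AGE
        raise KeyError(claim)

    def issue_token(self, user: str, relying_party: str, requested_claims, today=None) -> str:
        refused = set(requested_claims) - RELEASABLE_CLAIMS
        if refused:
            # Requesting too much identity information is refused outright.
            raise PermissionError(f"claims not releasable: {sorted(refused)}")
        today_d = date.fromisoformat(today) if today else date.today()
        record = IDP_USERS[user]  # the IdP already authenticated this user
        payload = {
            "iss": "idp.example.test",
            "aud": relying_party,
            "sub": self.pairwise_subject(user, relying_party),
            "claims": {c: self._compute_claim(record, c, today_d) for c in requested_claims},
        }
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


def verify_token(token: str, signing_key: bytes, expected_audience: str) -> dict:
    """Relying-party side: check signature and audience, then return the payload."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature check failed")
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("aud") != expected_audience:
        raise ValueError("token was issued for a different relying party")
    return payload


def may_purchase_alcohol(token: str, signing_key: bytes, relying_party: str) -> bool:
    """The shop's decision needs only the derived claim, never the birthdate."""
    payload = verify_token(token, signing_key, relying_party)
    return payload["claims"].get("over_legal_drinking_age") is True
```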
5. i Cloud Computing Deep Dive 5
The security impact of this is that a cloud attacker is likely to be an authenticated user within the cloud system at the onset of an attack. By contrast, the old assumption is that the attacker didn’t start with authenticated access and needed to gain original access to begin high-level system exploitation.

For example, consider two of the earliest and largest cloud services: Google Gmail and Microsoft Hotmail (now called LiveMail). Both contain millions of authenticated users and both now support newer SSO forms such as OpenID and InfoCard. Google and Microsoft have no idea which users are legitimate and which intend to do harm to other users or to the service itself.

Identity is still a work in progress. Solutions will change and morph as people begin to adopt the cloud in great numbers. And as new needs emerge, new solutions and protocols will need to be invented. Whatever trajectory these future developments take, Identity 2.0 is a new paradigm that requires a huge mind shift in computer security defenders.

LACK OF LOCATION SPECIFICITY

The term “cloud” implies that a service is available widely, if not globally, with a multitude of origination and destination points. The specific location of the computing resources for a given cloud may not be immediately identifiable by either the client, the cloud vendor, or both. In a traditional network offering, the user or vendor often is aware of where the application or data is being hosted. This brings up all sorts of interesting dilemmas. For example: How are security defenders supposed to protect data when they don’t even know where it is? How can a cloud provider identify a client’s data (for legal and other purposes)? How does the cloud provider securely erase a client’s data if the client exits the cloud solution? How can a particular client’s data be prevented from leaving the host country of origin, if even the cloud operators don’t know where the data is?

THE ROLE OF VIRTUALIZATION

Virtualization tends to play a big role in cloud services, either as the underpinning for the service or, in the case of IaaS, as part of the cloud service offering itself. And virtualization has every security risk that a physical computer environment has — plus guest-to-host and guest-to-guest vulnerabilities.

Clearly, cloud computing amounts to more than just semantic games. It presents a unique set of challenges that security defenders must rise up to meet.

CLOUD SECURITY DEFENSES

Cloud security is an evolving field. To begin with, cloud solutions are subject to all the conventional attacks — buffer overflows, password attacks, physical attacks, exploitation of application vulnerabilities, session contamination, network attacks, man-in-the-middle attacks, social engineering, and so on. But the unique characteristics of cloud computing present a new set of challenges as well.

Start by assuming attackers are logged-in, authenticated users, and begin your defenses from there — and there may be many attackers, thanks to the cloud’s global reach. This level of attacker access means that many conventional defenses (such as separated security zones, firewalls, and so on) will have little relevance.

CLOUD SECURITY DEFENSE CLASSIFICATIONS

Managing cloud security is different than maintaining ordinary enterprise security. Security professionals should analyze all cloud offerings (including their own) within a holistic security framework to make sure all angles are covered.

Keep in mind that each combination of cloud services has its own unique set of risks and countermeasures. Table 1 organizes these variables into a set of classifications and subtopics intended to generate further discussion and analysis.

CLOUD DEFENSE BEST PRACTICES

Enterprise security is a vast discipline and each of its many aspects must be reexamined in light of the cloud. Take user deprovisioning as an example. Normally, when an employee leaves a company, access to company applications and data is removed. But if that employee has subscribed to cloud services on behalf of the company, from the beginning the company should have had the technology in place to track those subscriptions, or the former employee may still be able to access company data. You can’t deprovision if you don’t know what was provisioned in the first place.
TABLE 1: CLOUD SECURITY CLASSIFICATIONS AND SUBTOPICS

A security defender responsible for cloud security should consider a wide range of parameters when developing a cloud security defense plan.

Security classification: Related subtopics

Infrastructure security: Physical security, environmental controls, business continuity/disaster recovery, network infrastructure, firewalls, proxies, routers, access control lists, staffing/employee background checks, availability (performance and anti-DoS), security policies (including what can be made available to customers), remote access, mobile access and platforms, identity/authentication/federation, billing systems, virtualization issues, high availability

Resource provisioning: Provisioning; modification; ownership and control, access; deprovisioning; reuse/reassignment of: users, computing resources, computer systems, or IP address space; domain name services; directory services; self-service configuration management

Storage and data security: Privacy/privacy controls, data tagging, data storage zoning, data retention policies, data permanence/deletion, encryption (at-rest, in-transit, key management, Federal Information Processing Standards/Federal Information Security Management Act), digital signing/integrity attestation, multitenancy issues, archiving, backup, recovery, data classification, locality requirements, malicious data aggregation prevention

Application security (if applicable): Security design lifecycle, identity/authentication/federation, session management, data input validation, error handling, vulnerability testing, patching, authentication, data integration/exchange, APIs, proxies, application sandboxing, versioning, bug/issue tracking

Audit/compliance: Logging, monitoring, auditing, compliance, accreditation, legal issues, regulations, locality requirements, discovery, forensics, SLAs, public communication plans, fraud detection

General security: Anti-malware, anti-spam, patching, incident response, data leak prevention
Implications of this type apply across a whole range of security issues. Here are some key ones to consider. For better or worse, the degree to which you can apply best security practices often depends on the provider.

SAY GOODBYE TO THE DMZ

One of the major changes from traditional computing is the pervasiveness of the cloud. By its very definition, it is meant to be everywhere. If the DMZ wasn’t dead before, it certainly is now. The DMZ was always porous, with many more holes than any defender wanted to admit. The cloud, with authenticated attackers, just puts the nail in the coffin.

What is a security defender to do? Well, for one, think in terms of data classification and ownership and marry that with strong security domain isolation. Cloud providers should have ways for defenders to mark or tag data with ownership and security classification and to enable defenses based upon those attributes. Data should be protected in such a way that unauthorized (but authenticated, multitenanted) viewers can be prevented from seeing another’s data. If a client needs to prevent its data from leaving its home country, the cloud provider should make sure the data never does.

Cloud providers should physically prevent (using physical network dividers, routers, switches, IPSec, access control lists, and so on) server and data commingling. If a particular server never needs to talk to most other servers, it should be prevented from doing so. If a client computer shouldn’t be able to talk to other client computers, make sure there is no way for an authenticated user to leverage cloud access to gain access to the other.
ENCRYPT YOUR DATA

Data should always be encrypted when stored (using separate symmetric encryption keys) and transmitted. If this is implemented appropriately, even if another tenant can access the data, all that will appear is gibberish. Shared symmetric keys for data encryption should be discouraged, yet tenants should be able to access their own encryption keys and change them when necessary. Cloud providers should not have ready access to tenant encryption keys.

USE STRONG AUTHENTICATION

Make sure any Identity 2.0 system you participate in has a strong history of good security and uses open protocols. Proprietary, single-site authentication systems may seem to present lower risk than shared systems do, but the information surrounding proprietary systems is rarely shared. Systems that use and support open standards usually have the added protection of community analysis. Weaknesses are frequently found early and coded out. Newfound vulnerabilities are usually shared and fixed faster.

PREPARE TO PREVENT DDoS ATTACKS

Attackers are often content with simply denying legitimate users access to their services using DDoS attacks. Luckily, cloud systems are usually very resilient against simple flood attacks and excel at ramping up more bandwidth and resources in the face of gigabytes of malicious traffic. Be aware, however, that attackers may attempt to take down upstream or downstream nodes that are not under the control of the cloud provider. More than one Internet access provider has been forced to cut off access for a victimized site simply to preserve access for everyone else. You shouldn’t be forced to come up with creative defenses the first time you’re hit with a DDoS, so make sure you have adequate DDoS defenses and response plans ready to go. All the hard work and peering agreements should be established ahead of time.

USE DNS SECURITY

If your cloud provider’s DNS services support it, consider implementing DNSSEC (DNS Security) between your DNS servers and the provider’s DNS servers. Once enabled, DNSSEC ensures that dependent clients always get verified, authenticated DNS resolution entries from authoritative DNS servers. Unfortunately, DNSSEC is enabled only on a small percentage of DNS providers. Ask your cloud provider if it will consider creating DNSSEC “trust anchors” between your site(s) and the provider’s — or consider implementing static DNS records on your side, to prevent malicious DNS redirection attacks.

USE RED HERRINGS AND AN EARLY WARNING SYSTEM

Some cloud providers and customers create “red herring” data as an early warning system. Red herring data is fake data that is injected into a database and then monitored to see if it “leaks out.” For instance, suppose the cloud provider creates complete client records for Fred and Wilma Flintstone. Everything about the fake record would be unlikely to exist in the real world. Then the cloud vendor (or client) uses data leak detection systems and procedures to monitor for that specific data. If the data is found outside the cloud provider’s system, then it could be an early warning that malicious data theft has occurred and should be investigated.

KILL ALL OLD DATA

Cloud providers should ensure that all data no longer needed is permanently erased from computer memory and storage. Shared resources shouldn’t mean permanently shared storage. Clients should contact cloud providers to make sure that all submitted data is solely owned by the client and learn what measures providers take to ensure the permanent deletion of unneeded data.
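The per-tenant key scheme that the Encrypt Your Data section calls for (separate symmetric keys per tenant, keys the tenant can change, no ready access for the provider) is usually built as envelope encryption. The Go program below is an added example, not code from the InfoWorld article; it assumes AES-256-GCM, a tenant-held key-encryption key (KEK) and a per-record data key (DEK), and the type and function names are chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Record is what the provider stores: data encrypted under a per-record data key (DEK),
// plus that DEK wrapped under the tenant's key-encryption key (KEK), which never leaves the tenant.
type Record struct {
	Nonce, Ciphertext  []byte // data under the DEK (AES-256-GCM)
	WrapNonce, WrapDEK []byte // DEK under the tenant KEK (AES-256-GCM)
}

// NewKey returns a fresh AES-256 key; each tenant generates and keeps its own KEK.
// crypto/rand.Read does not fail on supported platforms, so its error is not checked here.
func NewKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
// gcm builds AES-256-GCM; the constructors fail only on a bad key size, which NewKey rules out.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// seal encrypts pt under key with a fresh random nonce, returning (nonce, ciphertext||tag).
func seal(key, pt []byte) ([]byte, []byte) {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return nonce, g.Seal(nil, nonce, pt, nil)
}
// Encrypt stores pt so that only the holder of tenantKEK can read it back.
func Encrypt(tenantKEK, pt []byte) Record {
	dek := NewKey()
	n, ct := seal(dek, pt)
	wn, wdek := seal(tenantKEK, dek)
	return Record{n, ct, wn, wdek}
}
// Decrypt fails the GCM tag check when kek is not the key the DEK was wrapped under,
// so another tenant (or the provider) gets an error, never the plaintext.
func Decrypt(kek []byte, r Record) ([]byte, error) {
	dek, err := gcm(kek).Open(nil, r.WrapNonce, r.WrapDEK, nil)
	if err != nil {
		return nil, err
	}
	return gcm(dek).Open(nil, r.Nonce, r.Ciphertext, nil)
}
// Rotate lets a tenant change its KEK by re-wrapping only the DEK; the ciphertext is untouched.
func Rotate(oldKEK, newKEK []byte, r Record) (Record, error) {
	dek, err := gcm(oldKEK).Open(nil, r.WrapNonce, r.WrapDEK, nil)
	if err != nil {
		return Record{}, err
	}
	r.WrapNonce, r.WrapDEK = seal(newKEK, dek)
	return r, nil
}
```

Because only the wrapped DEK changes on rotation, a tenant can change its key as often as it likes without the provider re-encrypting stored data.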
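The red herring monitoring described above (fake Flintstone records planted, then watched for outside the provider's system) is in practice a canary-record scanner run over outbound data. The Go program below is an added example, not from the article; the planted values (addresses in the reserved .example domain, SSNs in the never-issued 900 range), the field names and the Scan function are constructed here.

```go
package main

import (
	"regexp"
	"strings"
)

// Field is one value of a planted record. Only values that cannot occur in real data
// (a fake SSN, an address in a reserved domain) belong here; "Fred" alone would fire on
// real customers and drown the signal.
type Field struct{ Name, Value string }
// Canary is one planted "red herring" record, labelled so a hit says which one leaked.
type Canary struct {
	Label  string
	Fields []Field
}
// Hit says which planted value was seen and on which line of the scanned text.
type Hit struct {
	Canary, Field string
	Line          int
}

// nonToken strips everything except letters, digits, '@' and '.', so a dump that
// reformats "900-00-0001" as "900 00 0001" still matches.
var nonToken = regexp.MustCompile(`[^a-z0-9@.]`)

func normalize(s string) string { return nonToken.ReplaceAllString(strings.ToLower(s), "") }

// Scan runs every line of text (an outbound export, a pasted dump, a DLP capture)
// against every canary value; any hit means a planted record has left the system.
// Values shorter than 8 normalized characters are skipped as too likely to be real.
func Scan(text string, canaries []Canary) []Hit {
	var hits []Hit
	for i, line := range strings.Split(text, "\n") {
		norm := normalize(line)
		for _, c := range canaries {
			for _, f := range c.Fields {
				if v := normalize(f.Value); len(v) >= 8 && strings.Contains(norm, v) {
					hits = append(hits, Hit{c.Label, f.Name, i + 1})
				}
			}
		}
	}
	return hits
}

// Canaries is a constructed sample of planted records; every value is fake.
var Canaries = []Canary{
	{"fred-flintstone", []Field{{"email", "fred.flintstone@bedrock.example"}, {"ssn", "900-00-0001"}}},
	{"wilma-flintstone", []Field{{"email", "wilma.flintstone@bedrock.example"}, {"ssn", "900-00-0002"}}},
}
```

A hit on any field of a planted record is the early warning the article describes: it points at which record leaked and where in the captured text it appeared, so the investigation can start from that line.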
ADDITIONAL RESOURCES
Cloud computing is a new paradigm that requires new security defenses. The material included here covers only a
small portion of the considerations you need to weigh when preparing a holistic cloud defense. The following Web
assets are excellent sources of additional information:
NIST’s cloud section
http://csrc.nist.gov/groups/SNS/cloud-computing
A great place to quickly get up to speed on cloud terminology without reading a book.
Cloud Security Alliance
http://www.cloudsecurityalliance.org
The site is a good collection point for enterprise-level cloud-related security. Look under the New Research section.
Cloud Security Alliance IT Certification
http://www.cloudsecurityalliance.org/certifyme.html
Cloud Threats and Security Measures, MSDN, J. Meier
http://blogs.msdn.com/b/jmeier/archive/2010/07/08/cloud-security-threats-and-countermeasures-at-a-glance.aspx
Black Hat Webcast: Chewing the Cloud: Attacking Cloud-Based Services
http://www.blackhat.com/html/Webcast/Webcast-2010_cloudsec.html
An interesting Webcast on cloud attacks.