Blog Archives

enStratus Cloud Management Platform Selected For CSA Certification

July 29, 2010

security

The Cloud Security Alliance (CSA) was formed to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing. …

Read more
Privacy Settings are a Crutch. Free Apps Profit from your Data

May 26, 2010

General, security
William Vambenepe posts a challenging thought piece with a very simple contention – Data too sensitive to leak from Facebook is too sensitive to be on Facebook.

Vambenepe gives many examples of ways that Facebook can fail, but sums it up with a simple piece of advice: “Don’t put anything on any social network that you don’t want to be made public.” He goes on to broaden his thesis, looking at the Google Buzz fiasco saying that:

It’s as if your insurance company suddenly decided it wanted to enter the social networking business and announced one day that you were now “friends” with all their customers who share the same medical condition. And will you please log in and update your privacy settings if you have a problem with that, you backward-looking, privacy-hugging, profit-dissipating idiot.

All of which was interesting given the (somewhat in jest) session I lead at the recent Google Bar Camp entitled “Who is more evil, Google, Apple or Microsoft?”. Now given that this was a Google event with a bunch of Apple users present, I was pretty certain that Redmond would come out looking worst in the scrap but in fact this wasn’t the case. At both this session and a similar one I’d run previously along the same lines – people surprised me in their response. Many seemed to have the view that all three are evil, it’s just that with Microsoft and Apple their evilness is overt, whereas with Google it’s a much more understated attribute.

Now I’m not at all a Google hater. I live in Google apps, I’ve got lots of friends who work for the organization and fundamentally I love what they’ve done to the marketplace but despite all that I feel a little… uneasy. The theory goes like this:

Microsoft and Apple make their gazillions from selling software and/or hardware that, in a lot of examples, is proprietary and that traps its users into a particular way of working. Users, to a greater or lesser extent, accept this vendor lock in because they:
1. Gain a consistent way of working
2. Feel some certainty over the security of their data
Google is different – we all know that Google manages to offer us cheap or free products mainly because they are able to make huge money off of the collective intelligence that they so effectively mine – and this is where our concerns begin. People are (broadly) comfortable with their web searching habits being part of the great Google aggregate, but that becomes more concerning when they’re considering the same with their documents, their photos, their financial data.

So what can we learn from this triumvirate? And how should we relate that to the current furore regarding Facebook and privacy?

As Vambenepe says:

Yes you should have clear privacy settings. But the place to store them is in your brain and the place to enforce them is by controlling what your fingers do before data gets on Facebook. Facebook and similar networks can only leak data that they posses. A lot of that data comes from you directly uploading it. And that’s the point where you have control. After this, you really don’t. Other data comes from tracking and analyzing your activities and connections, without explicit data upload from you. That’s a lot harder for you to control (you rarely get asked for your privacy preferences on this data), but that’s out of scope for this blog entry.

Just like banks that are too big to fail are too big to exist, data that is too sensitive to leak from Facebook is too sensitive to be on Facebook.

And so as many questions are raised as are answered – I’d like to get a feel for how the readership regards the big three – Google, Apple and Microsoft, in terms of privacy and how this relates to an unasahamedly consumer play, Facebook.
CloudAve is exclusively sponsored by

Read more
Protect Your Facebook Privacy

May 18, 2010

General, security

I have been critical of Facebook’s privacy policies in this blog. In my opinion, Facebook has really gone rogue. They give a damn to users just like what Microsoft did during the time it had monopoly like power in the market. Having said that the movement to delete Facebook accounts is at best hysterical. I think we should have a more pragmatic approach than the emotional approach of deleting the Facebook account in protest. At least, from my point of view, I am not going to delete my account even though I am terribly upset about Facebook’s attitude. I have my entire family and most of my friends in there and I cannot afford to delete my Facebook account (at least at this time). I am more inclined to take a pragmatic approach, continue to voice my protest through Facebook and other online forums and take steps to protect my privacy as much as I can.

Now, there is an option. The good folks at ReclaimPrivacy.org has released a bookmarklet that helps you tighten your privacy in Facebook. It is a scanner that scans your Facebook account to inspect your privacy settings and warn you about settings that might be unexpectedly public. All you have to do is to drag the bookmarklet to your browser toolbar, log into your Facebook account and click the bookmarklet you just installed. It scans and tells you if your privacy is good. If not, it gives you an option to fix it with a click. A pretty nifty tool that can help people like me who still want to stay in Facebook but maintain a level of privacy.

I wish these folks had put up a nice “About” section giving background on the effort. It would have given more confidence to non technical users (well, there are more than 450 Million of them in Facebook) who want to use the tool for fixing the Facebook privacy issues. Technical users can see that it is an open source tool with source code available. This is good enough to assure us that we can trust the tool. Anyhow, if you are worried about the privacy of your Facebook account, I strongly urge you to use this tool to fix it.

Disclaimer: It is a publicly available open source tool which I used to fix the privacy issues in my account. Your mileage may vary and I am not responsible for anything that happens with the use of the tool. As a blogger, I am writing about a tool that could potentially help Millions of Facebook users. Check out the Techmeme discussion about this tool.

CloudAve is exclusively sponsored by

Read more
Facebook May Not Care About Your Privacy But It Definitely Cares About Your Security

May 14, 2010

security
Facebook may not give you a damn about your privacy and it may have gone rogue. But, it is serious about ensuring the security of your account. Today, they have announced some steps to ensure that there are no unauthorized access to your facebook account. Even though this effort is highly laudable, it is somewhat hypocritical without a strong respect for users’ privacy.

According to a Facebook blog post, the two significant safety measures are
- Login Notifications: You will be notified instantly by email and SMS (optional feature). You will be asked to register all the devices you use with a name for each one of them. When you log in from a new device, you will be asked to name the device and immediately a notification is sent to the email address and mobile phone on the file (as per your settings)
- Blocking suspicious logins: When the system detects some suspicious login activity, it asks the user to answer some trivial questions that can identify the real user (like the birth date or the name of a friend). You are allowed to login after the correct identifications. There is an option to verify the login logs and reset password if something suspicious is found.
The first option is no brainer but there could be some issues with the second one. First, it could get annoying if you are someone who logs in from many different places including libraries, friend’s machines, etc.. Second, and most importantly for the networkers like Robert Scoble, if you login from an unknown location and facebook’s system deems it suspicious, the system could ask you to identify a facebook friend’s photograph and there is a high likelihood that you may not know the name of that person from several thousand “friends” and your facebook account will get locked. It is not clear if it completely locks you out or still allow you access from trusted devices. Even though it is a good measure, it could get annoying at times from a convenience perspective.

Related Posts:
- In The Middle Of A Firestorm Over Privacy, Facebook Releases New Login Security Features
- Facebook Rolls Out New Login Security Features (Updated)
CloudAve is exclusively sponsored by

Read more
Cloud Sherpas – Raising Money and Enhancing GAPE Admin

May 11, 2010

Design, enterprise, security

I’ve written before about Cloud Sherpas, a cloud computing systems integrator and application developer. They’re a Google Apps reseller that also created SherpaTools for Google Apps, a free app that gives more administrator functionality to Google Apps users.

Only a few days ago, Cloud Sherpas raised $1 million in funding from Hallett Capital and other investors and, somewhat unusually, one of the investors in the round has taken over the CEO role from Michael Cohn who is becoming VP Product and Marketing.

The focus of the funding is an acceleration of Google Apps enterprise adoption and a release today will help with that. The enhanced version of SherpaTools is focused on helping enterprises protect and preserve end user data. Google Apps admins can now delegate access to fellow IT staff, such as help desk workers, without providing the company’s master username and password credentials. Using a dedicated pin number, a help desk worker can reset an end user’s password, for example, but he or she would not have access to a broader spectrum of employee data. While a seemingly minor improvement, this gives a degree of granularity of user control that is important to enterprise users.

An interesting new feature, and one that I’ve previously had a real need for, involves the ability to quickly and easily preserve the data of terminated employees. Usually with Google Apps, all of an employee’s data (spreadsheets, presentations, emails, etc.) are deleted once they’re removed from the system. In our case, when an employee left we’ve got around the issue by suspending rather than deleting a user from the system. We then went into the account and manually removed/archived/reassigned the data files we wanted to keep. Not at all user friendly! With the new release of SherpaTools, IT admins can automatically delegate all of a terminated employee’s files to his or her manager or another user in the system.

Cloud Sherpas is moving beyond it’s free tool and will soon introduce a paid version. In an interesting twist however, users who buy their Google Apps licences directly from Cloud Sherpas will get all the SherpaTools premium features for free – a nice little inducement if ever I saw one!

In terms of where Cloud Sherpas are at now, they’re reporting around 2100 businesses users serving nearly 300,000 workers. I’ve said before that I think tool like this serve a dual purpose – firstly to drive customers to CloudSherpas service offerings (deployment and migration to Google apps) and secondly to get the attention of folks like Google for a potential future trade sale – let’s watch and see what happens in Cloud Sherpas’ case.

CloudAve is exclusively sponsored by

Read more
Know Thy Art Of Defence

May 8, 2010

security
When we talk about Cloud Computing and security in the same sentence, we immediately think about infrastructure security and a debate kicks off around the topic. Yes, infrastructure security is important and it is the headache of the IaaS provider. As a developer running a web app on top of IaaS or a startup building a SaaS application on the cloud or on top of a managed provider infrastructure, one needs to worry about the application security. In this post, I will briefly discuss the state of application security in the cloud and introduce an interesting company, Art of Defence , in this space.

In fact, it is my gut feeling that many startups offering web 2.0ish applications or SaaS applications are completely ignoring the application security and it is just a matter of time before things blow up on their face. The IBM X-Force annual report in 2008 showed clearly how there was a 8X increase in the count of web application vulnerabilities (an exponential increase from 2004-2008) and at the end of 2008, 74% of these vulnerabilities were left unpatched. Most of the users have absolutely no idea about what is in store for them when the web applications they use are severely vulnerable. It is like a bomb waiting to explode and the costs of any attacks using these vulnerabilities could be devastating to both the vendors and their users.

In the traditional web application hosting era, we used web applications firewalls which adds a layer around the web server fending off any attacks based on the rules we add to the configuration of such firewalls. Mod Security is one such example for Apache web server and in my previous avatar of system admin, I have used Mod Security extensively to fend off attacks on PHP scripts running on our servers. Such web application firewalls served the purpose to a reasonable extent protecting web applications from attacks exploiting vulnerabilities (known and, sometimes, unknown using some of the Just In Time rules).

As web applications moved from traditional development model to a SaaS model, things got pretty complex. For one, it makes it difficult for cloud providers because they will have more than one client in a single hardware. The traditional web application firewall approach will not work here. Not only these firewalls are dependent on the hardware and, thus, adding to the complexity, they also consume quite a bit of resources. This makes it useless in a cloud based scenario. A better way to do it is to implement the security measures into the applications itself so that the security also scales well with the cloud. It is not happening anytime soon and we need a different kind of solution to handle this requirement. Enter dWAF, distributed Web Applications Firewall. dWAF comes in the form of a plugin or even a SaaS service and seamlessly integrates with many cloud environments. These firewalls offer support for detection of vulnerabilities and protection from attacks in a seamless way without consuming much resources.

Art of Defence, founded in Germany with a recently opened office in San Francisco, has done great work in developing such a distributed firewall and their flagship product, distributed Web application firewall (dWAF) Hyperguard, offers comprehensive application security for the cloud era. They have partnered with Amazon Web Services and GoGrid to offer their firewall solution as a SaaS. AWS customers can access hyperguard SaaS by simply adding a small software plug-in to an existing web server Amazon Machine Image (AMI), or by using art of defences custom AMI. GoGrid customers can also do the same.

Hyperguard has three components
- The enforcer, a small plugin that can be plugged into a web server or a network firewall or a load balancer. The Enforcer sends request and response data to a component called Decider and also modifies requests and responses if needed. The Enforcer is an adapter for hyperguard to get the data it needs to enforce the policy
- The decider, the core policy engine receives the request from the enforcer, decides what to do and offers a response
- The admin interface, the UI that lets the administrators set the policies, monitor and track alerts
Art of Defence has recently partnered with the Santa Clara based Whitehat Security, a company that helps businesses with website risk management and compliance. With this partnership, art of defence’s hyperguard is tightly integrated with the WhiteHat Sentinel website vulnerability management service. Art of defence used WhiteHat Security’s operational open XML API to enable hyperguard to transform WhiteHat Sentinel’s verified website vulnerability assessment results into viable rule-set suggestions for hyperguard’s security policy management. Now, companies that use both solutions will be able to take advantage of “virtual patching” functionality and mitigate website vulnerabilities quickly, limiting exposure to exploits.

Some of the top folks from Art of Defence is also heavily involved in Cloud Security Alliance’s efforts to promote best cloud security practices. They have played a major role in the application security part (domain 10) of Security Guidance for Critical Areas of Focus in Cloud Computing report. It is an interesting company to keep a tab on for anyone who follows cloud security closely.
CloudAve is exclusively sponsored by

Read more
LastPass – So Good I’ll Dismiss Any Concerns

February 16, 2010

security
I spend a significant amount of time online – and do so using a myriad of online services – from accounting to banking, from email to my various blogs, from e-commerce sites to airline services – I live in a world of usernames and passwords. Like others I tend to have a few variations on a theme with passwords, an exceptionally risky, yet pragmatic response to login hell. So when I find a solution that takes care of all my password woes, remembers them for me, suggests tem for me and does a bunch of other stuff, even between different computers, I start getting pretty interested.

So it was that I recently stumbled across LastPass, a SaaS solution that promises to be “the last password you’ll ever remember”. LastPass combines a really well-designed web service with browser add-ons for the majority of browsers and also throws in support for most mobile handsets as well. Across all devices and browsers, LastPass remembers your password, give advanced features such as automatic form filling and password generation, and keeps everything secure and tidy.

If I step back and think for a minute, I could get concerned about one web service (and a free one at that) holding all the passwords to my digital life, but LassPass is just so good I’ll take some faith from their security and technology disclosure page and keep on using it. After all it’s better than using the name of my first born child for every single web site and service I use!

There’s the odd thing I’d like them to deal with, so in that spirit here is my wish list:
- Integration with chrome for automatic password generation and form-filling
- Native integration with the windows mobile web browser
- Support for multiple passwords for sites (I have three internet banking log ins)
- Support for two factor authentication devices (and preferably the ability to use one TFA device for all sites – which would require by in from third parties but still..)
- Charge a little for all versions – people feel more secure when they pay for a service!
CloudAve is exclusively sponsored by

Read more
In The Era Of Mashups, MashSSL Could Be A Savior

February 3, 2010

Analysis, security
Image via Wikipedia

From Web 2.0 era to the current SaaS era, we are seeing a proliferation of Mashups, not just in the consumer space but also in the enterprise space. Well, the idea of mashing up of data from two or more data sources/applications is not unique to these times. We have seen such mashups even during the traditional computing era but what makes this attractive is the availability of such mashups over the web for consumption using web browsers or Rich Internet Applications. For example, when you check the weather on a website by inputting the zipcode, it picks up weather data from one application and map data from another application, mashes it up and presents the result to the user through the browser. This ready availability of mashups over the web poses some security problems and one such problem is going to be the topic of this post. First, let me describe the problem and, then, talk about one of the solutions considered by a industry consortium.

In the more traditional web era, which some people dub as Web 1.0, the security and integrity of the data moving from the data source (server) to the browser (client) was mediated by the Secure Socket Layer, popularly known as SSL. SSL protocol helps us establish a secure channel between two entities but it doesn’t help when more than two entities are in play, as in the mashups. Even though there are reports about the possibility of compromising SSL to attack such two party web communications, it has served us pretty well so far. SSL prevents the man in the middle attacks by using TCP as a communication layer and public/private key encryption, to provide a reliable end-to-end secure and authenticated connection between two points over the internet. SSL uses public and private key to establish a trust through a handshake between two entities. Once the handshake is completed, these entities can securely transfer data without any worries.

However, SSL doesn’t scale to mashups and other SaaS interoperability use cases. In the case of mashups (and, of course, in SaaS interoperability scenarios), two or more application communicate with each other through the user’s browser. There is no standard way for these applications to authenticate each other and establish a secure communication channel. From the consumer SaaS applications to Enterprise 2.0 applications, we are now seeing some kind of mashup of data sources from different applications. When two applications connect with each other through the user’s browser, how can these applications be sure that it is not a man in the middle sitting to either grab the data or inject “bad” data or a browser infected by malware capturing important data and sending it to “bad hands”? Since mashups happens at the application layer, there is no easy way to authenticate and establish trust. SSL doesn’t help in the multi-party situations as, by definition, it is supposed to stop multi-party situations like man in the middle attacks. Moreover, SSL mostly works on the TCP layer and cannot help much in the case of mashups (Security gurus, feel free to point out any situation where SSL could be tapped to solve the mashup needs but I haven’t come across any such situation).

To solve this problem, we can go ahead and develop a protocol and standardize it but it is time consuming. In this era of faster adoption of such technologies by users, especially enterprises, there is a need to find an alternative solution. The solution should be
- Simple and with no complex needs for new cryptographic techniques or protocols. Such new technologies delays adoption as trust is not something that can be gained fast.
- Must be RESTful so that it is lightweight and can sit on top of ubiquitous http
- Not requiring any changes to the browser because it will also delay the adoption
- More importantly, it should be able to scale well in this cloud based world
- Definitely open and, preferably, under one of the OSI approved licenses
Enter MashSSL, an alliance formed by a consortium of leading technology companies including leading SSL certificate vendors Comodo, DigiCert, Entrust and VeriSign; leading providers of security technology and services Arcot, Cenzic, ChosenSecurity, Denim Group, OneHealthPort, QuoVadis, SafeMashups and Venafi; leading security research institutions Institute for Cyber Security, UTSA, MIT Kerberos Consortium and Secure Business Austria, along with noted security experts in November, 2009.

MashSSL is a new multi-party protocol that has been expressly built on top of SSL so that it can take advantage of the trust SSL already enjoys. MashSSL is based on an unique insight which uses deliberately introduced trusted Man in the Middle entities which could manipulate the messages but eventually cancelling out the effect of such manipulations so that the two applications always receive the exact data they would have got in the absence of such Man in the Middle entities. This whitepaper explains this very well with some neat case studies.

MashSSL was first developed by a company called SafeMashups and has now become an open specification with an open source reference implementation, and is in the process of being standardized. Essentially, MashSSL repurposes SSL to create a secure application layer pipe through which open protocols like OAuth, OpenID, OpenAJAX, etc., and proprietary applications like payment provider interfaces can flow in a more secure fashion while leveraging the already existing trust and credential infrastructure.

As I concluded in one of my recent posts,

With Web 2.0 and SaaS, we are mostly seeing adoption by geeks and pundits. There is no widespread adoption from mainstream consumers yet and only a small segment of businesses are using them. With more and more adoption of these technologies, such attacks are only going to increase. If these providers don’t have the security (infrastructure, application, people, etc) correct, we are going to see large scale attacks and chaos.

Mashup security will become crucial with further adoption in both consumer and enterprise space. Especially, in the case of enterprises where critical data are mashed up for gaining valuable business intelligence, this security between various data sources and/or applications becomes one of the most important issues. This issue should be giving the CIOs and CSOs nightmare. With further tweaking of the MashSSL proposal and standardization, they could mitigate a big chunk of the risks involved.

PS: This is my attempt to simplify the complex security issue for the consumption by our readers. If I have missed out any crucial information, feel free to jump in and add your comments. This post was motivated by a note posted by Christofer Hoff in his blog.

CloudAve is exclusively sponsored by

Read more
Thinking About Security Is Old School? – A Dangerous Trend

January 28, 2010

Analysis, security

Recently, I was listening to a podcast in which analysts were debating about public and private clouds. During the course of the discussions, one of the participants, a SaaS vendor, made a comment that disturbed me a bit. I…

Read more