Cloud Services Initiative

Hacktivism a Growing Concern for CSPs

Daniel ODonnell — Thu, 15 Sep 2011 21:10:38 GMT

Every few years, Webster updates the American lexicon by adding new words to the dictionary. Some of the recent additions have been vlog (a blog with video), webisode (a TV show episode that can be viewed on the web) and staycation (a vacation at home or close by). I believe that the next time Webster does and update, hacktivism will be on the new word list.

Hacktivism is the term being used to describe the criminal activity of computer hacking under the cloak of social activism. The primary targets are government and corporate networks and web sites. The primary victims, of course, are the government agencies and corporations who ended up in the cross hairs of ad hoc hacker groups like Anonymous. The collateral victims are the innocent citizens who have their accounts and other confidential personal information stolen and published by the hacktivists.

Bay Area Rapid Transit (BART) in San Francisco is the most recent example. BART cut off cell phone service at one of its stations in expectation of planned protests. This action triggered an attack on the BART website which made public the names and addresses of BART police officers as well as personal information of many BART account holders. This growing trend of social activism through computer hacking is a huge red flag for IT risk management and security organizations.

It is a fact of IT life that all risk cannot be eliminated. New network vulnerabilities will continue to develop as a natural course business. However, establishing a robust perimeter and monitoring network activity with vigilance is critical to minimizing the risk and associated liability of these attacks.

Because network attacks are generally originated from outside the network, firewall and intrusion prevention technology is the first thought for developing a perimeter defense. However, there is more that can be done.

Using the “belt and suspenders” analogy, Data Loss Protection (DLP) appliances can be added to the intrusion prevention solution. Network DLP can protect confidential data by monitoring transactions, identifying sensitive data and limiting movement of that data through enforcement of IT security policies. So, even if an intruder penetrates the firewall, strong data transport policy enforcement can prevent confidential information from getting out. This protection is particularly important for Cloud providers to maintain the trust of their subscribers.

The final piece to this strong perimeter enforcement program is providing reliable, wire speed network access to the necessary appliances. Connecting multiple appliances without impacting network availability, reliability or delay is accomplished by next generation network taps. These taps are designed to provide network failover for increased reliability as well as aggregation and filtering for efficient, cost effective connectivity.

Network operators must protect the confidential data that has been entrusted to them by their customers and constituents. The bad news is that Hacktivism is a growing trend. The good news is that there are many tools available to defend against such attacks.

Cloud Pilot Edge Security Pilot

Daniel ODonnell — Sat, 16 Jul 2011 16:28:31 GMT

Many Service Providers (SP) are considering plans to provide cloud computing services. This new business model allows SPs to increase ARPU, add to their service offerings, differentiate themselves from their competitors, increase their customer base and become a strategic partner to their large business customers. This move makes perfect business sense and much of the infrastructure is already in place. However, as these Service Providers moves from a model of information transit to comprehensive information management there are many new issues to be addressed.

In the information transit model, the Service Provider SLA includes such guarantees as acceptable delay, network availability, bandwidth allocation and QoS parameters. In the new cloud model, the Service Provider becomes an Information Manger as well. Customer data is now resident on SP servers and located in SP data centers. Access must be managed and secured; the data must be protected and partitioned accurately and absolutely. The provider of cloud services is now responsible for the protection of their customer’s data, not only the transit of that information.

There are high level business process models being discussed within the TM Forum, the Service Provider community and the various other standards bodies. These issues, such as billing and back office support, of course need to be nailed down. However, time to market is a key determinant of who will be the leaders and who will be the laggards in this new frontier. In addition to understanding the business practices surrounding this new opportunity, it is important for SP’s to get their feet wet sooner rather than later. It is necessary to find some willing and friendly customers to pilot cloud models and to patiently work through the inevitable hitches and snags that will be present in any new service. When company data is involved, however, it is important that the access to this content is protected and the information flow is understood.

Fortunately, there are many excellent tools available today that can help manage, analyze and protect network data flows. There are three key areas of information flow that need to be closely managed:

Ingress – Access from outside the cloud must be managed and secured to prevent attacks and malicious programs. Specialized tools for this fall into the IPS/IDS category.
Egress – Attacks do not always come from external sources. Many SP and client company employees will have access to the network, the servers and company information for a variety of reasons. These authorized users include, SP service and support technicians, network engineers and managers are a just few. Any one of this group has the potential to maliciously or accidentally compromise confidential and proprietary data. There are tools to prevent data leakage that fall into the appliance group called DLP.
Network Forensics – It is important to understand application performance, network performance and overall data flow. There are many sniffers and probes available to analyze and report on network activity and performance. These are the base line appliances necessary for management of any network.

There are additional tools to manage such issues as regulatory compliance, consumer experience management, network performance and others. By simply focusing on the three tools above, we can cover attacks from outside the firewall, breaches from inside the firewall, and overall comprehensive network analysis.

There are two primary ways for these tools to connect to network links. First is to directly connect each appliance in-line on the link. This is where you connect the tool between the router and the switch directly in the path of the date flow. This allows all the data to flow through the tool. The tool can then analyze the data and perform the protective functions when it sees anomalies or rule violations.

There are two problems with this method. First, is simply that the more potential points of failure you insert into a link, the higher your probability of a failure. Second is that these appliances are very intelligent, software intensive products. With any stacked software product, and with embedded hard drives, "stuff happens." Further, as rules need to be updated or new versions are released, the product must be taken off-line for updates and reboots. The constant scheduling of network downtime is unacceptable in many of today's 7/24/365 networks.

The solution is to connect a hardware based tap in-line on the network link. Being hardware based products with no software operating system, taps are inherently very reliable. Beyond this, taps have fail-safe technology built in that will maintain the network link even in the event of a power failure to the device.

When you have a tap inserted into a network link, you have many options available for connecting appliances or network tools. Depending on the function of the tool, it may need to see the data real time as it flows through the network or it may need to only look at a mirror copy of the data out of band. In either case, the ports needed to connect all these appliances are available using a network tap.

Taps can aggregate the information from many links to a single tool. This provides efficiency and potentially huge savings in the procurement of the necessary network appliances. The use of regeneration features in a tap allow for the same data on a link to be sent to many different appliances. Finally, by using filtering and distribution techniques, the tap can provide only the pertinent information to each tool as needed. This enhances the speed and efficiency of operation of the network tools.

The new leaders in cloud services will jump in quickly with pilots and beta customers to develop and test real product and service offerings. These market leaders will have the advantage of experience, brand awareness and an early customer base as competitive offerings start to crowd the market. In order to become an early leader in this market, the time to develop cloud services and plan for a reliable and secure network infrastructure is right now.

NIST Seeks Public Input on New Cloud Computing Guide

Scott Morrison — Mon, 16 May 2011 20:01:30 GMT

What is the cloud, really? Never before have we had a technology that suffers so greatly from such a completely ambiguous name. Gartner Research VPPaolo Malinverno has observed that most organizations define cloud as any application operating outside their own data centre. This is probably as lucid a definition as any I’ve heard.

More formalized attempts to describe cloud rapidly turn into essays that attempt to bridge the abstract with the very specific, and in doing seem to miss the cloud for the clouds. Certainly the most effective comprehensive definition has come from the National Institute of Standards and Technology (NIST), and most of us in the cloud community have fallen back to this most authoritative reference when clarity is important.

Now is our chance to give back to NIST. To define cloud is to accept a task that will likely never end, and the standards boffins have been working hard to continually refine their work. They’ve asked for public comment, and I would encourage everyone to review their latest draft of the Cloud Computing Synopsis and Recommendations. This new publication builds on the basic definitions offered by NIST in the past, and at around 84 pages, it dives deep into the opportunities and issues surrounding SaaS, IaaS, and PaaS. There is good material here, and with community input it can become even better.

You have until June 13, 2011 to respond.

The Role of IT Service Management in the Cloud

Christian Carlson — Sun, 24 Apr 2011 13:34:13 GMT

The move to cloud based services and the potential for multiple cloud service providers opens up an opportunity for organizations to be more diligent in applying IT Service Management practices and principles across the service lifecycle. Areas that are often underdeveloped, such as financial management, service portfolio management, and supplier management, can be more completely defined by the organization and managed with greater vigor.

Governance takes on a much greater role, as cloud computing exposes a direct linkage between the IT investment and the business value provided and the associated risk. These require a different approach to service level management and risk management. Service level management can be more direcly tied to the actual service an end-user receives and must be part of the input to the financial management process.

Organizations will play multiple roles in the cloud service lifecycle and must prepare their IT Service Management personnel, processes, and tools to support the varied roles. Consuming a SaaS offering does not relieve an organization of the responsibilities for ITSM. NIST has defined 5 actors in cloud computing: consumer, provider, broker, auditor, and carrier. Agencies should be prepared to support the IT Service Lifecycle for each of these roles as they relate to their cloud strategy. There will be an opportunity for agencies to specialize in certain roles, say as an auditor of a SaaS offering under the oversight of the agency (e.g. OMB as an auditor of salesforce.com).

IT Service management professionals will be impacted as well by the usage of cloud computing. Program and project management become even more important as you move more critical services to this model. Financial management is an area where more resources will likely be needed. Part of the promise of cloud computing is the reduction in physical resources managed and the ability to reallocate personnel from basic systems management in service operation to more value added work in service design.

Cloud Computing made in your Neighbourhood?

Helen Edwards — Wed, 05 Jan 2011 09:53:35 GMT

At the last International Conference on Cloud Computing organized by BITKOM; René Obermann from Deutsche Telekom introduced the notion of "Cloud Computing made in Germany". An interesting if somewhat surprising concept. A few moments later, Werner Vogels from Amazon mentioned that it was possible to use Amazon cloud services located in the EU, rather than elsewhere in the world. Cloud computing made in the EU?

While never explicitly stated, the notion of assigning geographic labels to cloud computing pervaded many of the discussions at the conference...

Such a development reflects an increasing concern related to who has access to data stored in the cloud. Enterprise cloud computing is not Facebook, however. The lack of trust seems directed not so much to the providers (although a cloud provider may become your direct competitor in unexpected ways, a topic to discuss some other day) than to the governments of the particular region where the cloud service is physically located. In the case of the USA based providers, the concerns extends beyond the American borders due to the Patriot Act. Seen in this light, the comments of René Obermann and Werner Vogels make much more sense.

The question to ask is: where does this stop? Cloud computing made in Germany might be attractive to a German company, potentially much less to, say, a Swiss or French one. In some cases, it could become a deterrent or even a legal obstacle for a potential customer to use a cloud made in "the wrong place". These concerns will probably lead in the short and medium term to a limited international offering and a boom of local cloud computing services for enterprises. Not necessarily a bad idea since cloud computing scares many potential users because of its "one size fits all" approach.

Cloud computing made in your neighbourhood maybe after all the way to go?

What's in a Name?

James Warner — Tue, 02 Feb 2010 18:16:02 GMT

As William Shakespeare famously wrote – “that which we call a rose by any other name would smell as sweet.” Truer words have never been spoken but it’s clear old Bill never tried to procure cloud services because in this market, names can be deceiving. You might think you’re buying lavender but in reality you get stinkweed.

This point kept coming back to me over and over last week while attending TM Forum’s Team Action Week in Lisbon. Almost every topic we discussed – Service Level Metrics, Procurement Requirements and Product & Service Catalogs kept coming back to this issue of terminology.

It quickly becomes apparent that until we have a common lexicon – an agreed set of terms and definitions that accurately describe a particular type of cloud service, confusion (and disappointment) will reign.

One of the earliest benefits of eTOM was just this. It allowed people to discuss and compare knowing everyone was talking about the same thing. This is desperately needed in the cloud space. That’s why one of the early projects we plan to launch in TM Forum is the creation of a set of common definitions.

But it’s not something we can likely do alone so expect to see us leverage our user community (ECBC) as well as other groups in order to gain industry-wide agreement. If this is something that interest you and you’d like to participate, drop me a line.

Oooops!

James Warner — Tue, 19 Jan 2010 16:39:36 GMT

So a lady in Georgia last week logged onto Facebook from her mobile phone and ended up seeing confidential information for loads of other people. The reason given was an AT&T routing error. I still can’t quite understand why it isn’t a service security error but I’ll take their word for it. Two things come to mind.

First, if you keep confidential information of Facebook or any other public site like that – you deserve to have your identity stolen. That’s like leaving your laptop in the front seat of a convertible while you go shopping and then being amazed when it’s gone when you return. There are names for people like this and most aren’t complimentary.

But a more serious issue is raised by this incident. Reports I’ve seen claim this exposed a little known flaw in the Internet itself. Again, I’m not the guy to judge if that’s correct or not. But I do know that perception is reality.

Last week I blogged about Telco’s having inherent advantages when it comes to offering cloud services. One of these advantages was security. Now this story. Not sure if I’m as gullible as the laptop in the convertible guy but I pose the question - have I been drinking the Telco Kool-Aid?

I don’t think so. I still think Telco’s retain significant and inherent advantages. But I haven’t seen any response from AT&T. Crisis management 101 says that a company has to get out ahead of bad publicity like this. You need to be open and reassure people. This is just one more reason for people to hold back on committing to a cloud strategy.

Maybe AT&T thinks this will all blow over. Give the nice lady & her kids a new iPhone gratis and they’ll shut their mouths. Me – I’d be doing everything in my power to convince people this was that 1 stray decimal point off the five 9’s of reliability.

What’s your take on all this?

Will Service Providers Seize the Moment?

James Warner — Wed, 13 Jan 2010 19:42:56 GMT

I almost fell out of my chair the other day when I saw references to 'over-the-top' cloud services. The author was speculating that telecom service providers will become "also rans" as providers of cloud services just as they lost the battle for playing a value added role in providing digital media/content services.

I have to admit the thought never occurred to me. Like many, I felt that Telcos were being handed a gift in that they have so many natural advantages when it comes to providing cloud services. They have a trusted relationship with millions of potential customers. They have the technical capabilities to deliver a range of services. They understand quality, service levels and security better than almost anyone. It seemed a natural progression from being the providers of communication services to cloud services.

But wait. What's to prevent a Google or Amazon or whomever from buying wholesale bandwidth and bundling it with their XaaS offering - essentially the same concept as an MVNO in the mobile space? Nothing! And if Telco's aren't careful, this is exactly what will happen and they will have lost an enormous opportunity to stem the 'dumb pipe' tide.

The solution is to do what I advocated in my talk at last month's Management World Americas conference. Telcos need to behave radically different than they ever have. They have to shed their old culture and attitudes and do it immediately. They need to become aggressive, fast moving and willing to do things differently. To quote an old sports maxim - "play like you're behind." If they don't, they'll have only themselves to blame.

More news coverege of TM Forum's Cloud INitiative

James Warner — Wed, 16 Dec 2009 16:15:06 GMT

The hits keep rolling in.

http://www.itnews.com.au/News/162926,telstra-commonwealth-bank-join-cloud-standards-group.aspx

Cloud Initiative - Now the fun really statrts

James Warner — Wed, 16 Dec 2009 12:11:42 GMT

With Orlando in the past and my swollen feet returning to normal size after walking 17 miles a day from one side of the hotel to the other, I wanted to share just a few of the many responses to TM Forum's Cloud Initiative and ECBC we announced last week.

http://gigaom.com/2009/12/09/telcos-eye-the-cloud

http://gigaom.com/2009/12/13/hedging-your-options-for-the-cloud/