Archive for the ‘Cloud Security’ Category


Security Alert: OpenSSL Bug Needs Prompt Attention

Tuesday, April 8th, 2014 by

A major vulnerability with the OpenSSL libraries was announced this morning. According to PCWorld, “The flaw, nicknamed ‘Heartbleed’ is contained in several versions of OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption. Most websites use either SSL or TLS, which is indicated in browsers with a padlock symbol. The flaw, which was introduced in December 2011, has been fixed in OpenSSL 1.0.1g, which was released on Monday [April 7].”

Heartbleed

We want to ensure all our customers are aware of this vulnerability so those impacted can take appropriate measures. The following description of Heartbleed is from http://heartbleed.com:

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

GoGrid has already performed an extensive audit of our environment and has determined that none of our customer-supporting sites—including our management console, wiki, and secure signup—is exposed to this vulnerability.

If you are permitting SSL/TLS traffic to your servers, however, a firewall won’t block this attack, because it rides on the SSL/TLS connections you have deliberately allowed. This is a serious vulnerability with the ability to significantly expose your environment. GoGrid recommends you review the National Vulnerability Database entry for CVE-2014-0160 as soon as possible to determine whether the OpenSSL vulnerability applies to your organization, and then take corrective action based on your specific security policies, if necessary.
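A first triage step for the check recommended above is to compare the version string reported by `openssl version` against the affected upstream range (1.0.1 through 1.0.1f; 1.0.1g is the fixed release named in the alert). The script below is an added example, not GoGrid’s own tooling; the function and message names are my own, and the caveat about vendor backports is why a version match alone is not the final word.

```sh
#!/bin/sh
# Added example (not GoGrid's code): classify an `openssl version` line
# against the Heartbleed (CVE-2014-0160) affected range.
# Affected upstream releases: 1.0.1 through 1.0.1f, plus the 1.0.2-beta1
# pre-release. 1.0.1g is fixed; the 1.0.0 and 0.9.8 branches never had
# the heartbeat code. Returns 0 (true) when the string names an affected release.
heartbleed_affected() {
    # $1 is the full output line, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
    set -- $1                          # word-split: $2 is the version token
    case "$2" in
        1.0.2-beta1) return 0 ;;       # the one 1.0.2 pre-release that shipped the bug
    esac
    ver=${2%%-*}                       # drop vendor suffixes such as "-fips"
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;  # 1.0.1 .. 1.0.1f: affected
        *)                return 1 ;;  # 1.0.1g and later, 1.0.0x, 0.9.8x: not affected
    esac
}

# Run the classifier against the OpenSSL binary on this host.
# Caveat: distributions often backport the fix without changing the
# letter suffix (a patched 1.0.1e still prints "1.0.1e"), so a hit here
# means "verify with your package manager's changelog for CVE-2014-0160",
# not "definitely vulnerable". A miss on a statically linked service is
# also not proof, since that service carries its own copy of the library.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found on PATH"
        return 2
    fi
    v=$(openssl version)
    if heartbleed_affected "$v"; then
        echo "AFFECTED RANGE: $v  (upgrade to 1.0.1g or a vendor-patched build,"
        echo "  restart every service that loaded the library, then reissue"
        echo "  certificates and rotate credentials that may have leaked)"
        return 0
    fi
    echo "not in affected range: $v"
    return 1
}

# Invoke as: sh heartbleed_check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_local_openssl
fi
```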

Does it take a village to ensure security (or just hard work)?

Monday, January 6th, 2014 by

I watched an interview this morning where Snapchat’s CEO was discussing the recent exposure of its users’ phone numbers and names and something he said stood out for me: “Tech businesses are susceptible to hacking attacks. You have to work really, really, really hard with law enforcement, security experts, and various external and internal groups to make sure that you’re addressing security concerns.”


I have to agree with him: It takes a lot of effort to keep up with the latest security threats and vulnerabilities, to continuously assess existing security safeguards, to open channels of communications with security peers in other organizations, and to work with local and federal law enforcement to solve common security problems. Even companies that spend millions on security like Target are clearly challenged every day to identify and remove vulnerabilities to protect their customers’ data.

The rapid growth of cloud services and cloud service providers has only added new areas of concern for organizations hoping to leverage the benefits of the cloud. Organizations must perform their due diligence in identifying the right cloud service provider for their needs—preferably one that’s had time to develop security best practices based on firsthand experience and hard-won expertise. Securing a company’s production environment requires a cloud partner that is mature and has dedicated resources to provide robust security services and products.

Consider the recent DigitalOcean security revelation that its customers can view data from a VM previously used by another customer. According to one reporter, a DigitalOcean customer “noted that DigitalOcean was not by default scrubbing user’s data from its hard drives after a virtual machine instance was deleted.” Why not? DigitalOcean confided that the deletes were taking too long to complete and resulted in potential performance degradation of its services.

I recognize that challenge because GoGrid addressed this same issue years ago. All our deleted VMs go through an automated secure scrubbing process that ensures a previous customer’s data isn’t inadvertently shared with a new customer—and we do so without impacting our production environment. Was that easy to accomplish? No, it wasn’t. In fact, it took a lot of engineering work and resources to develop the right way to secure our customers’ data without impacting performance. Taking technical shortcuts when it comes to security often results in unexpected consequences that can affect an organization’s overall security—and ultimately, its reputation.


Cloud computing improves security for SMBs, studies reveal

Tuesday, June 18th, 2013 by

For the past several years, cloud computing has been disrupting the business world by providing organizations with innovative ways to save money, improve operations and gain access to next-generation applications. Small and medium-sized businesses (SMBs) have begun to recognize that the benefits of the cloud have reached their organizations as well. Still, some fears about the hosted services held many companies back. A recent study of US SMBs by Microsoft, however, revealed that many of these concerns are not backed by data but are really just misconceptions about the technology.

Cloud computing improves security, not impairs it


The survey found that 60 percent of organizations that have not yet adopted the cloud cited security concerns as the reason. Other SMBs that have not embraced the cloud said the fear of unreliability or loss of control over sensitive data held them back.

Conversely, businesses that have adopted the cloud have experienced benefits in all of these categories, suggesting the shroud of uncertainty surrounding the cloud should not be an obstacle.

“There’s a big gap between perception and reality when it comes to the cloud. SMBs that have adopted cloud services found security, privacy and reliability advantages to an extent they didn’t expect,” said Adrienne Hall of Microsoft. “The real silver lining in cloud computing is that it enables companies not only to invest more time and money into growing their business, but to better secure their data and to do so with greater degrees of service reliability as well.”

The truth about the cloud

The underlying reality of a cloud infrastructure is that it is often more secure and reliable than traditional on-premises systems. Microsoft highlighted this truth when it found that a whopping 94 percent of SMBs using the cloud reported that they gained more security benefits from the hosted services than they had with legacy solutions. This meant having access to more innovative and up-to-date antivirus and data management tools.


Cloud risk assessments critical to keeping resources safe

Friday, May 3rd, 2013 by

As businesses around the world continue to pursue mobile, social and cloud computing technologies in an effort to improve operations and stay competitive, more organizations are falling victim to sophisticated digital threats that are being reengineered with next-generation infrastructure environments in mind. To keep mission-critical resources safe, decision-makers will need to be vigilant and implement innovative solutions to reduce risk.

Cloud risk assessments critical to keeping resources safe


Unfortunately, the cloud risk landscape is not standardized, meaning organizations are often on their own when it comes to assessing and guarding against potential threats. A recent TechTarget report highlighted how a variety of consulting agencies have come forward during the past several years with documents containing information about the potential cloud threat landscape, although these resources may not provide companies with all the information they need to truly mitigate risk.

Understanding cloud security risk assessments

Enterprise executives need to develop a robust cloud risk assessment framework if they are to migrate mission-critical resources to the hosted environment without exposing those assets to malicious cybercriminals, who are targeting the private sector with more enthusiasm than ever. For the most part, however, cloud service providers are aware of the expanding threat landscape and have adjusted their offerings to harden them against these problems, TechTarget said. Still, the overall risk of doing anything digital is growing, forcing companies to take the initiative.

To begin, IT directors should develop a model that defines potential risks and the relationship between those incidents and the data center, the news source stated. This is an important first step because it enables decision-makers to understand what potential threats are associated with using a particular cloud infrastructure model or solution. This approach also allows IT managers to evaluate the residual risk after any controls have been implemented to reduce challenges.

Because every organization is different, each will have its own unique definitions and problems to be on the lookout for. Retailers, for example, need to be aware of payment card industry compliance requirements and how cybercriminals will be on the prowl for financial data. Meanwhile, healthcare institutions must be vigilant when protecting personally identifiable information, as failing to do so will leave existing and prospective patients at risk.


How To Enable & Manage the New, Free GoGrid Firewall Service

Wednesday, May 1st, 2013 by

Security and infrastructure don’t always go hand in hand. In fact, many non-adopters of cloud computing have cited the lack of good security as one of the primary reasons they are not wholeheartedly embracing the cloud and all its glory. In some ways, these naysayers are correct: You shouldn’t deploy a cloud, or frankly any type of infrastructure, without some type of security, whether it’s software-based controls or a hardware device. At GoGrid, it is this desire to overcome security concerns that compelled us to release our free (that’s right, FREE) Firewall Service.

When we developed our Firewall Service, we wanted to do more than simply offer a set of blocking rules or a hardware device. We wanted our solution to be centrally managed, easy to use and configure, fully featured, integrated across all our data centers, reliable, programmatically controlled, highly available, flexible, elastic, self-healing…whew! And did I mention, free? As we did for our new Dynamic Load Balancers, we embraced the concepts of software-defined networking (SDN) when architecting our Firewall Service.

Our research showed that for small environments, software-based firewalls (like iptables or the Windows Firewall) worked just fine, provided the infrastructure didn’t need to scale. Similarly, hardware-based firewalls were great for enterprise-grade installations (but remember, if you get one hardware device, you typically need another one ready as a failover). We wanted to do it better. You can read more about the theory behind our cloud Firewall Service in this article.

As with my previous How To articles, there are 3 easy steps in the Firewall Service setup:

1. Create a Security Group
2. Define a Policy
3. Add a Connection

GoGrid’s Firewall Service is distributed and global. That means that once it’s configured, it automatically synchronizes across all our data centers. If you have multiple web servers in multiple GoGrid data centers, you simply define the Security Groups and Policies, connect the servers, and you’re done. Any future policy changes are automatically synchronized to the connected servers. Simple, right? Let’s see how to set up the Firewall Service.