Right now, the three major public clouds (Amazon, Microsoft, and Google) seem all shiny and new, like many technologies seemed at some point in the past. Let’s see if we can learn from history and assess the risk of the public cloud’s becoming just another legacy platform.
Java is currently the leading exploit vector for Windows machines, and Java vulnerabilities are packaged into many of the “exploit kits” available in the darker corners of the Internet (see http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/). The vendors behind Internet Explorer, Flash Player, and even the Windows operating system itself have done a good job of either improving the security of their products or improving their patching processes. Java, however, still lags noticeably behind in both user/media awareness and quality of code. According to some statistics, Java vulnerabilities account for up to 70% of successful exploits, making Java a veritable nightmare from a security perspective.
On the December 18 Virtualization Security Podcast, we were joined by Rafal Los (@Wh1t3Rabbit) to discuss whether it is time for CISOs to move on. Should CISOs start to look beyond simply the problems at hand? Should they drive security into all decisions made at the business and architecture levels? The discussion was mixed, to say the least.
The premise of security is confidentiality, integrity, and availability. The premise of data protection is integrity and availability. The two go hand in hand. However, it is often the case that certain groups within organizations handle data protection (disaster recovery, business continuity, and backup) while other groups handle security. As security moves closer and closer to the data, could it perhaps be time for these two disciplines to become one? The security of data protection is becoming just as important as the security of data in use. Managing the security of both in-use data and protected data, regardless of location, is paramount. This means data stored on-premises, in the cloud, and remotely.
We have looked at the hidden dependencies around upgrades (Cloud Dependency: Automated Upgrades) as well as the hidden dependencies around networking (Cloud Dependency: Ubiquitous Networking). Now, we will look at the hidden dependencies on visibility. Or more to the point, the lack of visibility within the cloud. With regard to visibility, the question most often asked is, “Do we know what is happening behind the scenes within our tenancy?”
In my last cloud dependency article, I reviewed the need for ubiquitous networking. In this article, I look at the need for automated upgrades. I do not mean the need for automation in general, but specifically the need to automate any upgrade or update behavior. There are two sides to every cloud story: what the tenant does and what the cloud service provider does. In both of these stories, there is a need for well-planned, automated upgrades. Also needed is very good documentation on how to upgrade if the automation fails or if there is no easy way to automate. Upgrades should be bulletproof. We trust, but verify.