Category Archives: Cloud

A cloud over ownership

Posted on by
Reply

This is the title of an excellent article of Simson Garfinkel in Technology Review.  He explores the consequences of the switch from physical cultural goods to digital cultural goods stored in the cloud.  It is nothing really new but it has the advantage to be clearly stated.

The first point is about privacy.  When you purchased a physical book or a CD, the merchant has no way to profile you.  Of course, if you purchase it on  a digital store such as Amazon, the merchant will be able to profile some of your preferences.  but with a digital good stored in the cloud, the merchant will be able also to analyze how you consume this digital good.  And this is even more interesting.  he will know what is you prefered book among the ones you purchased.  For the same result with a physical book, you need to look for the more worned book in my library.

The second point is really about persistence.  When I purchase a book, it is mine until I destroy it, or give it away.  With a e-book in the cloud, it is mine as long as the cloud operator accepts (or survives).  This si a massive difference.  I am not sure that the legislation has taken into account this shift.   I do not even tackle the issue of DRM that may shape the ways I can consume the digital good.

Thus, the notion of ownership of a digital cultural good is changing.  As the good itself, the ownership seems to become more ethereal.  Is it good or bad?  I don’t know.  It is most probably useless to look for the answer, I’m afraid it is an unavoidable shift.  We will have to adapt for the best and the worst.

 

 

Guidelines on Security and Privacy in Public Cloud Computing

Posted on by
Reply

NIST provides some recommendations when using a public cloud.  This excellent document gives very practical guidelines.  Every IT manager who plans to use a public cloud infrastructure, and who cares about reliability, security and liability, should read it before making any decisions and selecting the right service provider.

In front of the economic benefits of public cloud, it is extremely difficult to resist to the songs of the mermaids.  This document rises some serious issues and may help to keep the things under control.  For instance:

  • Even if you are using a public cloud, your company is accountable for the overall security of your service, i.e. even that of the outsourced part.
  • As the cloud computing infrastructure is highly uniform, it should be in theory easier to harden the platforms and manage its security (which is a positive point for IaaS).  Unfortunately, the use of hypervisors (virtual machines) increases the surface of attack (although many people believe that virtual machines are more secure)
  • Sharing an infrastructure with unknown parties is a potential issue.  A strong assurance should be provided for the mechanism enforcing the logical separation.
  • Be ready to audit your service provider if security matters to you.

A must read paper if you are about to board on the cloud boat.  The paper is about public cloud.  Nevertheless, some parts are also useful in the context of private cloud.

Reference

W. Jansen and T. Grance, Guidelines on Security and Privacy in Public Cloud Computing, NIST, 2011 available at http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf.

Ten security concerns on cloud

Posted on by
Reply

Cloud computing becomes the hot buzz topic. We will all migrate to cloud computing, sooner or later. Although it is extremely attractive from the financial point of view, it raises extremely serious concerns about security.

Global knowledge has issues a white paper that provides a kind of check list for selecting your provider, or to decide if it is wise to switch to the cloud.

  1. Where’s the data?
  2. Who has access?
  3. What are your regulatory requirements?
  4. Do you have the right to audit?
  5. What type of training does the provider offer their employees?
  6. What type of data classification system does the provider use?
  7. What are the service level agreement (SLA) terms?
  8. What is the long-term viability of the provider?
  9. What happens if there is a security breach?
  10. What is the disaster recovery/business continuity plan (DR/BCP)?

By the way, many of these questions are equally valid with an internal/outsourced IT traditional service. For instance, 1 or 2. have you asked yourself these questions for your current system. What is the answer for 5 in your company?

The document is here.

Amazon Cloud Player and Cloud Drive

Posted on by
Reply

Is the launch of Amazon Cloud Player one of these events that will change the world? Yesterday, Amazon launched two new services: Amazon Cloud Drive and Amazon Cloud Player.

Amazon Cloud Drive is a service that offers 5GB of free storage. For that, you just need an Amazon account. It is always interesting to read the Terms of use.

Amazon put some safeguards to avoid (or at least give Amazon a way to stop) any attempt to use it as “Direct Download Site”. Thus in clause 1,

You agree not to use the Service in any other way, including to store, transfer or distribute files of or on behalf of third parties, for any form of file sharing, to operate your own file storage service or to resell any part of the Service.

In clause 5.1

You must ensure that you have all the necessary rights in Your Files that permit you to use the Service without infringing the rights of any copyright owners, violating any applicable laws or violating the terms of any license or agreement to which you are bound. You must ensure that Your Files are free from any malware, viruses, Trojan horses, spyware, worms, or other malicious or harmful code.

Not bad, the liability against the malware. About liability, what is the liability of Amazon? All is said in the clause 5.3.

5.3.Security. We do not guarantee that Your Files will not be subject to misappropriation, loss or damage and we will not be liable if they are. You’re responsible for maintaining appropriate security, protection and backup of Your Files.

And of course, if you believe in Amazon’s altruism, read clause 6.4

6.4.Information Provided The Service and the Software may provide Amazon with information relating to your use and performance of the Service and the Software, as well as information regarding the devices on which you download and use the Software and the Service. For example, this information may include the device type, mobile network connectivity, location of the device, information about when the Software is launched, individual session lengths for use of the Service, or occurrences of technical errors. Any information we receive is subject to the Amazon.com privacy notice located at www.amazon.com/privacy.

Amazon Cloud Player is more interesting. When you buy a song on Amazon store, you’ll be able to upload it to your Cloud Drive. Using the software Amazon Cloud Player, you may listen to your library from any devices that supports Amazon Cloud Player (It seems that it is only available for Windows OS, and Android). Amazon is the second larger seller of digital music behind Apple. Of course, you may also upload songs not purchased at Amazon and still listen them, as long as they are not DRM-protected).

Thus, Amazon Cloud Player combined with Amazon Cloud Drive is an instance of Digital Locker for music. It is not a Digital Rights Locker (DRL, such as UltraViolet or KeyChest) because there is no notion of usage rights associated. Furthermore, there is no notion of content protection.

Will it change something? Most probably yes. Apple and Google will react, most probably with a similar offer. Will the content owners like it? I am not sure. it may depend on the conditions that were negotiated for selling songs. In any case, I am sure that we will see many ripples around this launch.

PS: Amazon Cloud Player is only available for US customers. Amazon Cloud Drive has not such limitation.

Security of cloud computing

Posted on by
Reply

There is not a lot of doubt that cloud computing is the next frontier. Unfortunately, like for Far West, Cloud Computing will be in its early days a territory where the security may be weak (euphemism :Wink: ).

Already, a lot of effort is placed on analyzing the threats and finding solutions. In this trend, there is an interesting approach proposed by Thomas RISTENPART, Eran TROMER, Hovav SHACHAM and Stefan SAVAGE in their paper “Hey, You, Get off of My Cloud“. They discovered that a same server may run Virtual Machines (VM) for different customers. The goal of their attack was to plant a malicious VM on the same server than the target. Then, by measuring several parameters such as cache usage, or estimated traffic rates, they should be able to infer some information. In other words, a side channel attack.

Obviously the most questionable point is the first one. It has two assumptions:

  • – Being able to co-reside on a server with the target. A complete section (number 7) proposes different strategies to succeed on Amazon’s EC2.
  • – being able to implement a malicious VM for instance through existing vulnerability. This one seems even more questionable.

I am not sure that the disclosed attack is more than a nice theoretical play. Nevertheless, it has the advantage to rise many interesting questions. I’m sure that side channel attacks on cloud computing will become a very thrilling domain of exploration.

The paper was presented at CCS’09. Thomson was sponsor of one the hosted workshop (ACM DRM workshop 09)

Security and cloud computing

Posted on by
Reply

RSA recently published a white paper entitled The role of Security in Trustworthy Cloud Computing. The document is extremely interesting.

It presents the different security challenges that enterprise will face when switching to public or even private cloud computing. With cloud computing, IT departments will loose control. This loss of control needs to be balanced by more trust and confidence in external providers (cloud infrastructure provider such as Amazon’s E2C, service provider in case of SaaS…).

For instance, the document some requirements for secure data

It will require
* Data isolation
* More granular data security
* Consistent data security
* Effective data classification
* Information Rights Management
* Governance and Compliance

We could argue that all these requirements already exist in the non cloud world. Nevertheless, they become MANDATORY in cloud computing! They will be more complex to implement and to monitor.

The document seems to lack one important threat. The insider threat was already a member of the cloud provider who illegally access private data. I believe there is another threat, another user of the cloud that attempts to access your data if isolation is not perfect.

There is already a rush towards cloud computing. But clearly, security of cloud computing is not yet mature. There is no integrated secure available solution.

Book: The Big Switch

Posted on by
Reply

Nicholas CARR was the author of Does IT Matter? In this first book, he questioned the future role of IT. He was forecasting the end of IT. In this new book, he continues his prediction with the advent of cloud computing.

He forecasts that computing power will become an utility as power supply. He makes the parallel with the transition to electricity power. Big companies such as Amazon (Elastic Compute Cloud EC2) or Google are offering grid computers to external companies. The interesting part of the book is the analysis of the impact it will have in conjunction with the advent of Web2.0 It has already allowed small companies to succeed without having huge IT infrastructure.

The book also highlights the current trends of Web2.0. Chapter 7: From the Many to the Few is extremely interesting. It describes how companies such as YouTube, or PlentyOfFish are using, for quite nothing, mobs of good willing “content creators”. Chapter 8: The Great Unbundling is about the transformation of content consumption. He predicts that the future of Internet will not be as bright as expected.
“But it’s clear that two of the hopes most dear to the Internet optimists-that the Web will create a more bountiful culture and that it will promote greater harmony and understanding-should be treated with skepticism. Cultural impoverishment and social fragmentation seem equally likely outcomes.”(extract)

The security threats highlighted in the book are the typical malware and privacy issues.

A book to read because it sheds a provocative light on the future of Internet.