Tuesday, December 30, 2008

Amazon Web Services - Cloud computing and security

Cloud computing is a buzzword gaining traction, especially in today's tough economic conditions. Cloud computing is a way to offer software as a service (SaaS). For example, I was reading an article recently that appeared in one of the leading money magazines that boldly predicted that Apple was going to be in trouble soon (of course telling everyone to dump their Apple stock). Apple's big money maker is its iPod line. And for a user to use their iPod they have to do these things in order:

  1. Rip the CD to a list of MP3 files or download from iTunes.
  2. Plug your iPod into the computer.
  3. Launch iTunes and sync your music to the iPod.
  4. Listen and enjoy.

The author was asking why listeners have to go through all of this just to enjoy their favorite music. And what if the listener wanted to listen to something that they didn't physically own?

The author explained that services like Rhapsody offer music "in the cloud". All a listener has to do is log into their account, and for $15 a month or so they can listen to anything, at any time of day, whether or not they have bought the actual album.

Apple has been slow to catch on to this concept, and therefore the days of the iPod are numbered.

Amazon now offers "Amazon Web Services", a cloud computing platform that offers users a wide variety of applications. Since cloud computing is one of the new things and security for traditional methods of software delivery is still a work in progress, how does security work in the cloud? If you go to http://aws.amazon.com, on the right-hand side of the page there is a link to the Security Whitepaper for AWS.

AWS breaks down security concerns for its cloud within this whitepaper. Here are the major areas and my comments for each section:

  1. Physical security - AWS's physical security plan involves using nondescript data centers with extensive access controls for all employees. Audit logs show who enters and exits the facilities. [Fred: this makes good sense. A company does not have to worry about salaries of security personnel around its server farm. Backups and fire alarms are also handled by the cloud service.]
  2. Host operating system security - AWS uses specially designed bastion hosts that log AWS employees' access.
  3. Guest operating system security - AWS creates virtual OSes that guests have full access control over but AWS employees do not. AWS recommends that guest admins disable password-based access and use token- or key-based authentication to gain access.
  4. Firewalls - AWS configures the firewall as default deny all, and the customer admin has to open ports to allow inbound traffic. A traditional web application, for example, would open ports 80 and 443 for HTTP and HTTPS traffic.
  5. API calls - calls to AWS service APIs or customer-created APIs use X.509 certificates for digital signatures. Calls can be encrypted using SSL, and customers are advised to make their endpoints SSL protected.
  6. Network security - AWS uses the same security infrastructure that has been implemented for its main website, so attacks such as DDoS, man in the middle, and IP spoofing are not possible against AWS endpoints.
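A concrete way to check the guest-OS recommendation in item 3, added here as an example (this is not code from the AWS whitepaper or from the original post): a POSIX shell audit of an OpenSSH sshd_config that reports whether password logins are disabled and key-based logins are enabled. It follows OpenSSH's own rules for reading the file, which a naive grep gets wrong: the first uncommented occurrence of a keyword wins, and an absent PasswordAuthentication keyword defaults to yes, so a line that is merely commented out still leaves password logins on. The two sample config files are constructed inline, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the AWS whitepaper or the original post: audit an
# sshd_config for "password logins off, key-based logins on". Two OpenSSH
# behaviours matter for a correct check: the first uncommented occurrence of a
# keyword wins, and an absent keyword takes its default, which for
# PasswordAuthentication is "yes".

# Print the effective value of keyword $2 in config file $1; $3 is the
# OpenSSH default used when the keyword is absent. Matching is case-insensitive.
sshd_effective() {
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ { next }                                # comment line
        tolower($1) == tolower(key) { print tolower($2); exit }  # first match wins
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Return 0 when the file enforces key-based logins only, 1 otherwise.
# Findings are printed for the reader; callers should rely on the exit status.
audit_sshd_config() {
    cfg="$1"
    status=0
    if [ "$(sshd_effective "$cfg" PasswordAuthentication yes)" != "no" ]; then
        echo "$cfg: FINDING PasswordAuthentication is not 'no' (absent means yes)"
        status=1
    fi
    if [ "$(sshd_effective "$cfg" PubkeyAuthentication yes)" != "yes" ]; then
        echo "$cfg: FINDING PubkeyAuthentication is disabled"
        status=1
    fi
    if [ "$status" -eq 0 ]; then echo "$cfg: OK, key-based authentication only"; fi
    return "$status"
}

# Constructed sample configs (not from any real AWS image): one hardened, one
# that only comments out the directive and so silently keeps the default "yes".
WORKDIR=$(mktemp -d)
HARDENED_CFG="$WORKDIR/sshd_config.hardened"
WEAK_CFG="$WORKDIR/sshd_config.weak"

cat > "$HARDENED_CFG" <<'EOF'
# Constructed sample: key-only logins
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
# A later duplicate is ignored by sshd; the first occurrence above wins
PasswordAuthentication yes
EOF

cat > "$WEAK_CFG" <<'EOF'
# Constructed sample: looks hardened at a glance, but the directive is commented out
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

audit_sshd_config "$HARDENED_CFG"
audit_sshd_config "$WEAK_CFG" || true   # a non-zero status is the expected result here
```

Run it against a real instance with `audit_sshd_config /etc/ssh/sshd_config`; the exit status, not the printed text, is what a provisioning script should branch on.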

All in all, pretty interesting stuff.

Monday, December 29, 2008

Reputations in Web security

I linked onto a site today

http://www.builderau.com.au/news/soa/IT-security-The-trends-to-watch-in-2009-/0,339028227,339293963,00.htm

that mentions several trends in IT security for 2009. One item that caught my eye was "Reputation", as in Web Reputation or IP Reputation. As a grad student in Information Security, we study many of the common vulnerabilities that organizations succumb to: malware, phishing and spam attacks. I really had not heard the term "Web Reputation" before today, but it makes perfect sense. If I go to my email account and see an email that claims to originate from my bank, I am conditioned to immediately assume that it is spam or an attempt to steal my user ID and password. I delete it.

However, if my bank really needed to send me an email with some important data, they are out of luck. What if I could immediately tell from some kind of visual indicator that this email was in fact from my bank? Some kind of image next to it that gives its "reputation"? Wow, that would really be useful. And to standardize that look and feel across all of my many email accounts: Outlook at work, Outlook Web Access at work from home, Google Mail, Yahoo Mail, and my university mail? Even cooler.

Of course, it would have to be hack-proof. If you were a company that offers Web reputation solutions and a media report surfaced that mentioned how your software was hacked, your company would be out of business pretty soon.

Web reputation seems to involve analyzing items about a sender and calculating a reputation score for that sender. The score can take into account sending habits and information about the URL that the sender is using. The idea is to close the gap left by traditional security measures like keyword lists, signature databases and antivirus engines. Web reputation software can flag incoming data even if it doesn't end up in McAfee's latest update, for example.

I Googled "Web Reputation" and found many hits on this idea. I also found that there are a lot of organizations out there who are doing this. Here is a small listing:

  1. IronPort - http://www.ironport.com/technology/ironport_web_reputation.html
  2. Secure Computing - http://www.securecomputing.com/gateway/web_reputation.cfm
  3. Symantec - http://www.pdfzone.com/c/a/Content-Management/Symantec-Betas-WebReputation-Protection-Software/

Fred

Sunday, July 6, 2008

Adding new content.

I've been starting to think about what a new potential computer programmer would need to get started in the software development business. Of course, education and a degree in a computer-related field would help. I have even been seeing commercials advertising ITT Tech (not sure of the name) that helps a student get into computer support.

Hey, I know that you may be thinking that you want to develop software and not support problems. But if you have no professional experience, you can get a foot in the door by working support. Go for it! If you work hard and talk with the developers, soon enough you may find a few kind developers who could take you under their wings and show you the ropes. The worst that could happen is that you learn all about how the software works from a user's perspective. I know many managers who would jump at the chance to hire a person for business analysis if they know how the software works and have good ideas about the future of the department.

Back to education: I am starting back into graduate studies this fall after a self-imposed year off from school. I'll be taking a network security class, and after this class is done I will have only 5 more classes until I get my master's! I have done 100% of the program online and it has been wonderful. I can crack open a beer, log onto Skype or text chat and attend class in my underwear! lol (only if the class or group discussion is not on webcam).

That is the approach that I will take for any potential students who want to learn from my experience.

In the meantime, I am building a link section on the left-hand side of the page listing what a beginning programmer would need to download and install to be ready for action. This includes Eclipse for development, MySQL for storing data and Apache Tomcat for your web server. Of course, I am always available to help anyone through the installation and execution of each piece of software. Post a message or email me at fredwi@yahoo.com for customized help.

Friday, July 4, 2008

First posting!

Hello!

I've always had people ask me questions about what I do for a living. "Play around with computers!" I always reply. lol. It's not bad work if you can get it, even after the computer bust of the early 2000s.

I've built software professionally for over 10 years now, and the market today is just as good as ever. Anyone can get into this business, and the older generation has just as good a chance as anyone.

There are many different types of jobs in the computer field that don't involve programming:
  • Computer support
  • Office skills - Microsoft Word, Excel and PowerPoint
  • Graphic artists
  • Quality assurance
  • Security

Keep checking back on this blog for future postings on this subject and more. My goal is to get into tutoring on a small scale. My expertise and recommendations are there for motivated individuals who want a change in careers, or high school students who have no idea what to study once they get to college.

Email me at fredwi@yahoo.com for more information.