Amazon Web Services - Cloud computing and security

Cloud computing is a buzzword gaining traction especially in today's tough economic conditions. Cloud computing is a way to offer software as a service (SaaS). For example, I was reading an article recently that appeared in one of the leading money magazines that boldly predicted that Apple was going to be in trouble soon (of course telling everyone to dump their Apple stocks). Apple's big money maker is their IPod line. And for a user to use their IPod they have to do these things in order:

1. Burn the CD to a list of MP3 files or download from ITunes.
2. Plug in your IPod to the computer.
3. Launch ITunes and sync your music to the IPod.
4. Listen and enjoy.

The author was asking why listeners have to go through all of this stuff just to enjoy their favorite music? And what if the listener wanted to listen to something that they didn't physically own?

The author explained that services like Rhapsody offers music "in the clouds". All a listener has to do is log into their account and for $15 a month or so, you can listen to anything, at any time or day whether or not you have bought the actual album.

Apple has been slow to catch onto this concept and therefore the days of the IPod are numbered.

Amazon now offers "Amazon Web Services" - a cloud computing platform that offers users a wide variety of applications. Since cloud computing is one of the new things and security for traditional methods of software delivery are still a work in progress, how does security work in the clouds? If you go to http://aws.amazon.com on the right hand side of the page will be a link to the Security Whitepaper for AWS.

AWS breaks down security concerns for its cloud within this whitepaper. Here are the major areas and my comments for each section:

1. Physical security. AWS's physical security plan involves using non descript data centers with extensive secure access for all employees. Audit logs show who enters and exits the facilities. [Fred: this makes good sense. A company does not have to worry about salaries of security personnel around their server farm. Backups and fire alarms also are controlled by a cloud service. ]
2. Host operating system security. - AWS uses specially designed bastion hosts that log AWS employees access.
3. Guest operating system security - AWS creates virtual OS's that guests have full access control over but AWS employees do not. AWS recommends that guest admins disable the password based access and use token or key based authentication to gain access.
4. Firewalls - AWS configures the firewall to be default deny all and the customer admin has to open ports to allow inbound traffic. Traditional web application configurations can be configured like Port 80 and 443 for http and https traffic for example.
5. API calls - calls to API to AWS services or client created APIs use X.509 certificates for digital signatures. Calls can be encrypted using SSL and customers are advised to make their endpoints SSL protected.
6. Network security - AWS uses the same security infrastructure that has been implemented by their main website so attacks such as DDoS, man in the middle, and IP spoofing are not possible by AWS endpoints.

All in all, pretty interesting stuff.

Reputations in Web security

I linked onto a site today

http://www.builderau.com.au/news/soa/IT-security-The-trends-to-watch-in-2009-/0,339028227,339293963,00.htm

that mentions several trends in IT Security for 2009. One item that caught my eye was "Reputation" as in Web Reputation or IP Reputation. As a grad student in Information Security we study many of the common vulnerabilities that organizations succumb to: malware, phishing and spam attacks. I really have not heard of this term "Web Reputation" before today but it makes perfect sense. If I go to my email account and see an email that claims to originate from my bank I am conditioned to immediately assume that it is spam or an attempt to steal my user id and password. I delete it.

However, if my bank really needed to send me an email for some important data they are out of luck. What if I could immediately tell from some kind of visual indicator that this email was in fact from my bank? Some kind of image next to it that gives its "reputation"? Wow, that would really be useful. And to standardize that look and feel across all of my many email accounts: Outlook at work, Outlook Web Access at work from home, Google Mail. Yahoo Mail, and my university mail? Even cooler.

Of course, it would have to be hack-proof. If you were a company that offers Web reputation solutions and a media report surfaces that mentions how your software was hacked, your company would be out of business pretty soon.

Web reputation seems to involve analyzing items about a sender and calculating a reputation score for that sender. The score can take into account sending habits and information about the URL that the sender is using. The idea is to close the gap that traditional security measures like keyword lists, signature databases and antivirus engines. Web reputation software can flag incoming data even if it doesn't end up on McAfee's latest update for example.

I Googled "Web Reputation" and found many hits on this idea. I also found that there are a lot of organizations out there who are doing this thing. Here is a small listing:

1. IronPort - http://www.ironport.com/technology/ironport_web_reputation.html
2. Secure Computing - http://www.securecomputing.com/gateway/web_reputation.cfm
3. Symantec - http://www.pdfzone.com/c/a/Content-Management/Symantec-Betas-WebReputation-Protection-Software/

Fred