Amazon VPC

My next post was going to start defining the security referee concept I came up with previously but something much more interesting happened today: Amazon Web Services announced their newest addition, Amazon Virtual Private Cloud (VPC) which adds a new dimension to Amazon’s cloud service offerings. Based on the information available, Amazon VPC works much the same way existing Amazon EC2 instances work with the very important exception that access to your EC2 instances are isolated within Amazons web services cloud network. To access your VPC instances you create an IPSec VPN tunnel between your organization and Amazon. Once set up EC2-VPC instances behave exactly like a local system on your network would, with whatever IP address you want to give it (including RFC 1918 addresses but not IPv6 addresses).

At first glance Amazon VPC is a significant new offering as it places you in direct control over the traffic entering and leaving  your EC2-VPC  instances (aside from the obvious that you are still trusting Amazon to configure and maintain things correctly on their end) and opens the door to enabling in the cloud hosting of all sorts of applications that previously you would only consider hosting internally. But is Amazon’s Virtual Private Cloud really private?

You might accidentally make the mistake and think that EC2-VPC equals private and therefore dedicated resources but you would be wrong. Your EC2 instance may only be reachable by you over your VPN tunnel but your EC2 instance is running along side one or more public instances and using the same networking equipment. You might be saying this is obvious (It wouldn’t be scalable for Amazon if it didn’t) but for most the definition of “private cloud” means a dedicated cloud computing environment where CPU, bandwidth and storage are private to one customer (perhaps your own data center or a remote data center that you have a contact with). Since Amazon VPC only offers private access but shared CPU, bandwidth and network it’s not a true private cloud. Amazon also has a plan to eventually allow VPC instances to selectively have direct access to the Internet if you wish it.

So what is Amazon really offering here? Is the only thing new here the addtion of a hardware based VPN tunnel and private VLAN? Perhaps and perhaps a better name for Amazon’s service is Amazon Virtual Private Network Cloud because it seems like the network might be the only private part of this offering.

Unfortunately the debate still rages on regarding cloud computing definitions (I support the NIST definitions) and the term “private cloud” is getting a lot of attention because some claim there can be no such thing. I however have a good example of a private cloud that exists today: The HP Next Generation Data Center (NGDC) project. The HP NGDC  is a multi-year project at HP to consolidate the hundreds of data centers they have spread all over the world down to just a handful that embody all the properties of modern cloud computing. It’s elastic, it scales, it’s multi-tenant and best of all, it’s running today. When I was at HP I was involved in several projects to move the SPI Dynamics applications (including the HP SmartUpdate software update solution I helped design) into the HP NGDC. I’m happy to say that move was completed several months ago and if you are an HP Application Security Customer, you are using the HP private cloud, you just didn’t know it.

Here is the million dollar question: HP, why are you not advertising this, you have a huge cloud in your backyard and you haven’t noticed it. Hey Russ Daniels Eliav Levi (HP’s new CTO Cloud Computing), call me and lets talk.

So while Amazon’s VPC is not a dedicated offering and not as private as a true private cloud I still think it’s a good step in the right direction for cloud computing infrastructure-as-as-service (IaaS) providers. VPC might not offer the dedicated truly private environment you might want to reserve for running your Windows Domain Controller but it’s perfect for replacing all those QA labs and various “lab” systems that see very low utilization but needed an additional layer of protection before they could move into the cloud. In fact it’s these environments that Amazon VPC might just be perfect for but truly private? That’s up for debate.

Update: Aparently i’m not the only one thinking VPC is not so private, read Cloud Pulse: Amazon VPC pees in pool, not just on fire hydrant

Related posts:

1. The need for a Cloud Computing Security referee
2. It’s all in the Cloud:What Lala means to the future of Apple and iTunes
3. The next great Technology Supernova is coming
4. Something new

Still A lot of people are playing the cloud computing game because there is news broadcasting about it every day. Companies everywhere are asking about it because it’s rumored to perform the magical CapEx/OpEx swap and deliver potentially huge potential savings. The emerging players (big or small, new and old) are fighting for your attention like a pack of wild hungry dogs because they haven’t had a real meal since 2007 (the last of the big huge enterprise software/hardware sales deals). The problem in all the excitement however is that whenever one of the players gets to hold the mic for long enough they start telling you what the rules are. Even more worrisome is that they are just making it up as they go along in the hopes that they might be the ones to control the game.

Nowhere is this disruption more evident than as it relates to understanding the security risks of cloud computing. Almost overnight the entire security industry downloaded the latest cloud clip art and re-branded themselves to ride this new wave, but the truth is that cloud computing is a disruptive force in the industry and some of us just aren’t going to survive in the new world. Many are going to be left behind as the traditional information security and risk companies struggle to find their footing. The problem is that there are already a  lot of cloud computing security and risk issues emerging that are not getting addressed and these risks I believe threaten to disrupt the promising future of cloud computing.

In traditional IT you have your security, audit or risk management teams that know how to deal with IT security risks, but when you move to the cloud who takes over this role? Many providers would now say them, yet their terms of service won’t back up this claim. Your companies security concerns have not decreased (likely they increased) and your existing teams can’t simply be re-purposed to the cloud as is. Their policies and procedures have been designed for working with IT assets they own and control but when you give much of that up to the cloud how does  your company address it’s risks?

With that in mind think about the following emerging issues:

• Lack of a common definition of cloud computing has emerged (I support the NIST definition which is being supported by the CSA as well)
• A lot of the information on cloud computing is ad-hoc in a sea of hyperbole and advertising
• It’s impossible to search for cloud computing providers according to a set of business criteria like “My data must remain in the USA, the service must be SAS 70 compliant, and be audited by an external security firm every quarter”
• Nobody except you cares where your data might be in the cloud and your only assurance is your terms of service
• Growing concerns over the “audit-ability” of cloud computing providers and the “just trust us” mentality
• The lack of repeatable transparency between cloud providers and consumers
• Cloud computing providers suffering to keep up with their customers security information requests (a few examples)
• Well meaning attempts to create standards for the exchange of security and risk information (e.g. A6 from Ben @ironfog) in the hopes that there will be an exchange of information
• A very large and growing body of security concerns with cloud computing (e.g. work from the Cloud Security Alliance or the  Jericho Forum) yet no industry solutions emerging to address them

That’s a big and scary list with some very real issues on it and traditional  IT security industry is not going to address these issues anytime soon for two reasons. 1) Because there is no “CloudScanner” or “CloudFirewall”  they can create to solve this problem or sell through their existing sales channels and 2) They are going to be distracted for the next 2 years as they busy themselves moving all of their desktop software into the cloud.

I think it’s going to take a new category emerging in the security industry that is specifically focused on security for the Cloud. A trusted intermediary that will strive to keep everyone honest. Specifically a cloud computing security referee that can be trusted to keep and eye on the the providers, track their security and compliance status over time and help coordinate security transparency between cloud computing customers and providers.

Before we go any further let me be clear, I’m not proposing that this referee be a in the form of legislation or government mandates. This is an opportunity for new private companies to step in and fill this need. A company that is 100% focused on the cloud and the unique challenges it brings to business.

I’m going to address what I think what a cloud Computing Security Referee company will need to focus on in my next post soon but between now and then I would like to know if you think that a referee can solve the problems that are just now emerging. What do you think the company that steps up to be the referee will need to get right to succeed?

Related posts:

1. Amazon VPC, a not so private private cloud?
2. The next great Technology Supernova is coming
3. It’s all in the Cloud:What Lala means to the future of Apple and iTunes
4. Something new

The four great axioms that govern all information technology innovation are processing speed, storage, connectivity and bandwidth with a fith super axiom, cost, that defines the innovation threshold for each of these axioms. If you trace every major technological advance back to its starting point you will find the threshold of one of these axioms reaching a new milestone and almost instantly creating critical mass for “the next big thing”. In many cases crossing one threshold creates pressure that forces innovation across the stack. Sometimes that innovation isn’t possible and ideas collapse back onto themselves unable to reach critical mass. In most cases these ideas don’t die however, they wait, already primed and ready and it’s these ideas that don’t just reach critical mass when their time comes, they supernova.

The Internet is the most obvious example of an innovation that has rapidly expanded only to have parts of it collapse back on itself when one of the the processing power, storage, connectivity or bandwidth axioms failed to materialize. Indeed the Internet itself only initially fulfilled one of the axioms – connectivity, it wasn’t until processing power, storage and bandwidth started to improve that things got really interesting.

It’s this constant expand, contract life-cycle that has created the environment for supernovas like the Web which spurned the need for improved processing and bandwidth which in turn gave the web it’s second supernova – Web 2.0.

But not all massive innovations are supernovas. The introduction of improved processing power and storage also gave rise to the era of Client-Server architectures, spurned the introduction of better connectivity and bandwidth solutions and changed the face of IT. But in those cases these improvements don’t really feel like supernovas but more like improvements on past ideas. Why?  It’s because the advent of client/server innovations were focused on business environments which is why the majority of the bandwidth and connectivity innovations have been business focused (gigabit network connectivity is common at work, but do you have gigabit at home to the Internet?)

Building Pressure

Over the past 15 years enormous amounts of energy has been invested in making the most of the bandwidth we have. Compression, caching, filtering, traffic shaping and routing technologies have all improved and been thrown at the problem to slow the inevitable need for more bandwidth. All of these technologies however have prevented real innovation and have likely created more problems than they have solved. Case in point I once participated in a conversation with Vint Cerf (who invented TCP/IP with Robert Kahn) where he lamented the priority they had given to saving bandwidth. He asked “How many problems for the Internet did we create because we wanted to save a few bytes?” Ironically Google has created a new initiative at code.google.com/speed/ that at times seems at odds with Vint’s question, but it’s clear at the very least Google is aware of how much this lack of bandwidth is crippling innovation.

Regardless, it’s this slow and methodical rise in bandwidth demand slowed by the attempts to save a few bytes but without a truly threshold breaking solution that has created a tremendous buildup of what I call “innovation pressure“. You can see this pressure when you observe the effect of things like the iPhone on AT&T’s 3G network, the effect that Cloud Computing services is having on both home and business networks alike and the tsunami that is online video that will likely destroy DVD, Blue-Ray and television broadcast media in a blink of the eye once released. These are however only a few examples.

Enter the Supernova

Now for some bold predictions (or at least hopes) on how it will play out. The next 12 months will see increased market awareness to the bandwidth problem followed by several high profile attempts by Google, Amazon, Microsoft, Apple, Cisco and others to address the issue head on in their own unique way. But these improvements won’t solve the last mile problem and will only buy time until the next phase of evolution arrives – Wireless Broadband.

The wireless providers (AT&T, Verizon, Sprint, T-Mobile) will start rolling out 4G networks throughout the country with 100Mbits mobile to 1Gbits stationary transfer capabilities, this roll out will be marked by the first viable household wireless broadband devices. This roll-out will be awaken the telecom industry. Dark fiber long sitting dormant is going to start coming online to keep up with the increased demand, this is where companies like Cisco and Juniper are going to really clean up as demand for their hardware starts to return to late 90′s levels. Lets not forget the 700Mhz UHF spectrum that just got opened up with the end of analog TV broadcasts as well. I think how this all get’s used is a wild card right now but it will deffinitly keep the wireless bandwdith train moving.

All the while, as the bandwidth problems starts to crumble we will see an exponential move throughout the market to consume that bandwidth as Cloud Computing initiatives start to hit full swing and both business and consumer cloud computing initiatives take root. Consumer Online backup was just the beginning, the gaming industry will start to offload game play and graphics processing, business will start to shift some of their massive transactional load into the cloud, and that’s when we reach critical mass. The fall of the bandwidth problem will unlock immediate global scale improvements in processing power and storage. The last hurdle that will check this runaway explosion is connectivity which I think will likely still be working out some kinks, but more limiting is that it’s going to take time to see the human side of the connectivity problem get solved. Once we see close to 80% of the United States get online you can expect to see the next supernova emerge.

Challenges for the Future

I’ll end by laying out a few challenges that I think this future is going to bring with it. These challenges can become opportunities if someone plays their cards right:

1) Security: What does security even mean anymore? Cloud Computing will bring with it the final death knell of the network perimeter. With no cool security toys to play with company Information security teams will have get back to their roots of ensuring Confidentiality, Integrity and Availability and focus less on tools (controls) and more on process otherwise why even keep them around?

2) Privacy: If your data is not local anymore where is it and who has access to it? What happens in the legal realm? If the legal system doesn’t evolve it’s sense of personal property to include data and capabilities that exist in the cloud then the ideal that you are protected from unlawful search and seizure is effectively dead. What about borders, there are a lot of legal systems to contend with. But wait, it gets worse. Many providers already limit what you can do with their services (no SPAM, no porn, etc…) but what happens when they start to limit what we compute? Will governments step in and try and monitor for anyone simulating nuclear explosions for example? With computing done remotely in the future, it’s not just your data you need to worry about but what are you computing with it. Thought Crimes anyone? Your data and the things you do with it including information about you needs to become your personal property no matter where it’s kept.

3) Interoperability: It won’t be in a providers best interest to make it easy for you to switch but without the ability to switch things will stagnate and cloud monopolies will inevitably form. A dangerous sign already is that the open source community has concluded it won’t be able to play a significant role in cloud computing other than creating free software for the providers because ultimately it costs big bucks to run a data center.  It will be hard for providers to make the leap to realize they need to be open. I’m not a fan of regulation but regulation is necessary when market forces will never push the market to do the right thing…this one is a tough one. The Jericho forum I think has the best chance to advance this agenda, if you are on the consumer side of things, you should give them your support.

4) Business Continuity: If your entire business is dependent on the cloud, what happens when the cloud lets you down? Truthfully this one will solve itself and I think it’s just the last of the old IT guard fighting change. People don’t need to get to your IT data center, they need to get to your data and applications, when you put them in the cloud, you move them closer to the consumer. However what happens when you are the primary consumer? Having your Internet connection go down could kill you. It’s all about bandwidth and connectivity at this point and these issues get worked out during the supernova but there will be some spectacular disasters along the way I’m sure.

What do you think will be the next technology supernova?

++Erik

Related posts:

1. Amazon VPC, a not so private private cloud?
2. The need for a Cloud Computing Security referee
3. Something new
4. Prediction Confirmed: Big changes coming to iTunes in 2010
5. It’s all in the Cloud:What Lala means to the future of Apple and iTunes

I’m still in Atlanta, and i’m working on something. Something new. Something wonderful. Oh my god, it’s full of stars.

Sorry, got away from myself, can you tell I’m excited? I don’t want to spoil the surprise but I’ll give you a teaser: Cloud Computing + Security

This is going to be huge and I look forward to sharing it all with you. I’ll see you all next week, look for the announcement here and at twitter.com/silvexis

Related posts:

1. The next great Technology Supernova is coming
2. The need for a Cloud Computing Security referee
3. Amazon VPC, a not so private private cloud?

For example, this little chain of events:

• Timing attacks on web privacy (Billy)
  
• Putting up, then shutting up (Jeremiah)
  
• RSnake Puts Up (Robert)
  

Please, all of you, put all this you stole your research nonsense behind you and move on. We all build our work on the shoulders of the giants who came before us. Half of the “new” ideas in security I read today were first presented in this book by James Martin in 1974. Does that mean any of his work was stolen? No, not really. Stuff get’s reinvented all the time and that’s good. Most of the time we call this innovation.

New research brings old ideas to life when they are presented in a new context. Often a context that didn’t exist back when the idea first appeared. It’s this context that the researcher brings to the idea which is the real innovation and we should all just sit back and bask in its glory. An idea is timeless and the good ones will get re-invented over and over again through the ages, like say for example ultrawideband wireless which was invented in 1894 or the fuel cell, invented in 1845. (Read: Tuning in to Technologies Past). These guys all invented something amazing, but nobody knows who these people are because they didn’t discover or even have the context that would have allowed their technologies to change the world.

There are also many examples throughout history where completely independent inventors have come up with the same idea nearly simultaneously (Gorman, 1998). These simultaneous inventions happens all the time but why? The explanation I like best is what the historian Thomas Hughes described as a Reverse Salient. “A salient is a protrusion in a geometric figure, a line of battle, or an expanding weather front. As technological systems expand, reverse salients develop. Reverse salients are components in the system that have fallen behind or are out of phase with the others” (Hughes, 1987). I believe that it’s these reverse salients that create an innovation vacuum that the leading researchers almost subconsciously rush to fill independent of each other. Or as John Campbell argues “Scientists and engineers, like everyone else, are influenced by their patrons and customers. The cultures of their communities thus affect the pace and direction of technological change.”

Pheww, well that puts it all in perspective right?

So, Robert (Rsnake), Jeremiah, and Billy, please, all of you, get back to innovating and discovering new context. The world is a better place when you are focused on that.

References and great reading

• Standage, R. (Jan 2005). “Tuning in Technology’s Past“, (MIT Technology Review, Online Article)
• Gorman, M. (1998). Transforming Nature, Chapter 3, Section 2 “Reverse Salients and Simultaneous Inventions“
• Campbell, J. (1996). “Perpetual Uncertainty” (Federal Reserve Bank of Boston, Online Article)

No related posts.

So Blackhat is going to special this year, it’s a time to enjoy catching up with customers and friends in the community but also a chance to let loose just a little bit more than usual for me and the entire SPI crew, so if you see us, give us a shout and come join the fun.

See you in Vegas!

Related posts:

1. Blackhat
2. iPhone ACTIVATED!

I survived. Sleep was not an option.

This year’s Blackhat conference was the best event i’ll attend all year. It’s awesome to see a whole track of presentations dedicated to web application security which has only been my life for the past 7 years. The highpoints for me were the talks by Jeremiah Grossman & TC Niedzialkowski of WhiteHat Security on hacking intranets using JavaScript malware and of course the talks by Billy Hoffman and Bob Auger of SPI Dynamics (my company) where we brought attention to RSS issues, discussed new AJAX threats and presented analysis on web worms and viruses. The events during the day were awesome, the crowds were intense and for those who fought their way through them to our demo booth, we salute you.

I also spent a day wandering around DefCon, which is definitely a different vibe than BlackHat. Post-apocalyptic technologic organic anarchy comes to mind. I enjoyed wandering around, hanging out in the CTF room for a bit and browsing the shops, I didn’t get to see the talks I wanted to unfortunately. Despite all the technology IQ wandering around, event planning is a lost art at DefCon, you just have to go with the flow and I had a schedule to keep.

There was of course the fact that I was in Vegas with thousands of hackers and we were all hell bent on tearing up the town. After the sun went down the event parties kicked in. Leaving time travel for another time, I had to choose from many events, here are the reviews of the ones I attended.

Aug. 1st
Everyone… – Shadow Bar at Caesars

Ok, ok, this wasn’t an event party, but after getting off the plane, and checking into Caesars it was off to Shadow Bar, drinks were not free nor cheap (rough!) but the night was well spent seeing old faces and meeting a few new ones. Shadow was IMHO a nice way to ease into Vegas, no lines, simple atmosphere and dancers wearing next to nothing behind shadow curtains.

Aug. 2nd
SPI Dynamics – Tao Nightclub at the Venetian

I’d be pretty remiss if I didn’t go to my companies own party. Of course that means I can’t give a unbiased review, but I bet if you ask someone who was there, they will tell you it rocked! If you were there, add your comments and let people know what you thought.

 
Tipping Point – Body English at the Hard Rock

After all the fuss to get a pass, I didn’t go! Well I got my Tipping Point collectors key ring, maybe next year guys! Instead I headed over to…heck I really can’t remember…

Aug 3rd
Microsoft – the Pool at the Palms

Ok, despite the evil outdoor layout, the place was rocking. On arriving I ignored the “be careful around the pool warning” and I managed to step right into the crazy pool edges after receiving my first drink (damn sneaky 3 inch deep water “feature”!). I took my now soaked foot up to the SPI cabana, and quickly realized the amazing power of the dry Vegas heat to dry anything off in seconds. From there the drinks were flowing like water, the staff at the Palms was great and the Music was perfect. DJ Keith Myers rocks. Billy, thank you for his CD, I’m enjoying it right now.

Microsoft – After Party – RAIN at the Palms

The pool shutdown around 12:00, but with free entry into RAIN we decided to check it out. With fire shooting out above the dance floor so close I could have roasted marshmallows and a packed house I was impressed. Unfortunately there was some really annoying staff that kept on hitting people in the eyes with mag lights and overall RAIN was not the liquid experience I was hoping for. I bailed, and unfortunately a little too soon as KPMG showed up later and invited a bunch of the SPI folks up the VIP room. Next time, I’m listening to Caleb.

Aug 4th
Acuvant – The Foundation Room at Mandalay Bay

The foundation room is the best club I’ve ever set foot in, period. Members only, except for Monday nights, The foundation room is considered one of the most exclusive clubs on the strip. The entrance, which is a pretty non-descript, was guarded by one guy and a list (you are on the list right?). Once past the entry way you find your way to an elevator with one button. The ride to the top of Mandalay Bay is swift, and soon you find yourself standing in a club where no detail has been overlooked. Private rooms with a dark middle eastern flair, plenty of spaces to relax and enjoy on comfortable leather couches or just as many places to be in the thick of things in the main room, talking with friends and strangers near the bar or outside on the patio that overlooks the strip. The foundation room is not a simple club, it a complex experience. As the evening unfolded the hackers of Blackhat and the high rollers of Vegas mixed it up and shared stories. In between conversations on web application security with Jeremiah, Billy, TC, Rsnake, Arian, Bob, Matt, Caleb and others were amazing conversations with Vegas locals like Ed and Isaac about what really goes on behind the scenes in Vegas (I’m sworn to secrecy). Be careful if your taxi starts heading out the desert – you might not be coming back.

End of the Road
On the 5th we downshifted and slept in, had lunch and wandered around the strip. We did the tourist thing and watched the fountains at the Bellagio, shopped for friends back home and hit the road to the airport. It was a week spent to its fullest, any longer and I might have just spontaneously combusted. BlackHat, I’ll see you again next year.

Related posts:

1. Blackhat 2007
2. Clinton on FOX News