Cloud Security

Happy New Year from the Cloud Security blog

2012-12-31T18:13:26+01:00

Hello again and Happy New Year!

I’ve just updated my About page ready for 2013.

After a break from blogging and with mainstream cloud and “cloud-marketed” services gaining real traction, my goals for this site have changed. Friends and family frequently ask which cloud services, apps and cloud providers I recommend along with how to use them “safely”. Again, I’m not aware of any sites that cover this from a security perspective. Consequently, I decided to broaden the site to address the concerns and practicalities for cloud “users” and developers in addition to security professionals and curious geeks. This means more practical hands-on reviews, HOWTOs and walkthroughts via screencasts. In short: I show you how to select and use cloud apps, APIs and services with security in mind.

I look forward to sharing my cloud fiddling with you in 2013!

Let me know in the comments if there’s something specific you’d like to see.

Cheers
Craig

GoGrid Security Breach

2011-03-30T23:33:28+02:00

Bad news for GoGrid customers as today we received the following breach notification by email…

Dear Valued Customer:

In the normal process of reviewing our system activity, our Security Team discovered that an unauthorized third party may have viewed your account information, including payment card data. We immediately took action to protect our customers, including notifying federal law enforcement authorities, who have since seized the computing equipment and records of the single individual suspected of this misconduct. The criminal investigation is ongoing, and we will continue to assist the authorities in working toward a successful prosecution.

The security and reliability of our platform is fundamental to our business, as is the trust and faith that our customers place in us. We have completed a rigorous audit conducted by a leading security firm. There were three important findings that lead us to believe the situation has been contained:

1. The method utilized by the suspect to gain access has been identified and remediated.
2. It appears that the suspect’s sole motive was to acquire free services from us. We have no evidence suggesting that the suspect was targeting customer infrastructure or payment cards.
3. We have no indication that any customer information was shared with any other unauthorized parties or that there has been unauthorized use of any cardholder’s data.

In addition, we are instituting a series of new measures designed to further enhance security. Any information that you may need in order to comply with these measures will be communicated through the user portal and the support ticketing system. As an added precaution, affected cardholders will receive a letter in the mail offering credit monitoring services at our expense.

Client privacy, confidentiality and security are central to us. We greatly value your business and apologize for any inconvenience this causes. If you have any questions related to any of the above, please contact our Customer Service Team at 1-866-310-8477 or 1-415-963-9955 or via email at gogridteam@gogrid.com.
Sincerely,
John Keagy, Chief Executive Officer, and the GoGrid Team

This email was sent by:GoGrid

360 Spear Street, Suite 200 San Francisco, CA, 94105, USA

Anyone know any details of the case?

Brucon 2010 - More on Project Skylab

2010-12-17T23:22:45+01:00

The Brucon multimedia people recently posted the video of all the Brucon 2010 talks.

Here’s a video of my Project Skylab talk [1 hour / 120MB AVI] hosted by the Corelan team (thanks guys!). The first half is mostly a “call to action” for security practitioners, the second half covers Skylab components, architecture and plans.

I plan to post a demo video of Skylab in late January/early Febuary, so if you’re looking for that, hold tight.

For those that want to peruse the slidedeck and speaker notes, here’s the Slideshare powered preso:

Project Skylab: Helping You Get Your Cloud On

View more documents from craigbalding.

Brucon remains one of my favourite infosec conferences – its relaxed, friendly and has consistently good talks. As with many non-profit conferences, it relies very much on the goodwill and sweat of a volunteer crew and I’d like to say a special thankyou to all those that lent a helping hand.

How to Kick Ass in Cloud Computing Marketing

2010-05-18T22:18:01+02:00

Few things inspire a blogger to write blog posts than appealing to their ego and sense of humour. Despite concerted appearances to the contrary, it appears I too am susceptible.

Here we take a lesson in marketing brilliance from Novell…as they “take the drama out of Cloud Computing”…by bringing a slightly surreal blog post I wrote to the small stage/screen:

If the above doesn’t display for you, click An interpretation from the blog post: Are You Trying to Pin the Tail on the Cloud Donkey? by Craig Balding

Thanks to the actors for giving me a laugh out loud moment – commanding performances gents! :)

Cheers,
Craig

P.S For more hilarity, check out their Vimeo channel

Introducing the Skylab Community Project

2010-03-24T22:43:47+01:00

Last week I attended SecureCloud 2010 in Barcelona, a conference dedicated to cloud computing and security, organised by the Cloud Security Alliance, ENISA, ISACA and IEEE.

This proved to be an excellent opportunity for deep dive conversations with others heavily involved with cloud security, both providers and users.

The conference was well run – particularly for a first time out. The presentations were a mixed bunch, which I felt reflected:

the on-going open interpretation of the term “cloud” (and a few who insisted on muddying the waters by referring to traditional web hosting providers as “cloud providers” – eek!)
the different stages that people are at with their understanding of cloud computing and security and
the wide diversity of speakers present (a healthy thing in my book)..

I’m very glad I attended and was able to present the kick-off to Project Skylab.

A number of readers asked if the presentations would be recorded and made available to non-attendees. Unfortunately, they were not, so I’ve recorded the “home edition” version of my talk and make it available here.

The Skylab Project is aimed at IT and IT security professionals that are “cloud curious” and want to get their hands dirty in a relatively safe way (i.e. no business data involved). You could say its for the hobbyist security geek. This talk sets out the concept, design goals and plans for Project Skylab. Hence, this presentation is not about “cloud security” per se or “securing the cloud”. At most its about delivering a security related service (an demand security test lab) from the cloud. Check out my other cloud computing and security presentations if you’re looking for coverage of cloud security challenges.

Important notes:

this is the “kick-off” of Skylab – not the “solution” stage (!)
if you’re an old hand with IaaS services (including cloud overlay networks), I doubt you’ll learn anything new about cloud.

I plan to develop Skylab on an on-going basis. I’m also encouraging others to contibute their ideas (with full credit of course).

Finally, I’ve applied to speak at Brucon 2010 in September. If my application is successful I will present the first tried and tested incarnation of Skylab.

Please let me know if you enjoy this video (or not!) as this is the first time I’ve tried this. I welcome your feedback.

I’d like to thank Jim Reavis and his team for the excellent logistical support throughout the conference, along with the SecureCloud presentation committee for inviting me to speak.

Cheers,
Craig

P.S cloudsecurity.org now has a forum dedicated to discussions about cloud computing and security. There is also a dedicated board for Project Skylab communication.

Cloud Computing and Security Conference: SecureCloud 2010

2010-03-14T14:59:21+01:00

Next Tueday and Wednesday I’ll be attending SecureCloud 2010 in Barcelona, Spain. This looks to be a very promising conference, totally focused on cloud computing and security. Admission is free, and the event is organised by the Cloud Security Alliance, ENISA, ISACA and IEEE.

On Wednesday, I’ll present “Skylab: How To Create A Simple Security Test Lab With No Hardware”. Here’s the blurb:

This presentation will be technical in nature and focus on how
security practitioners can leverage public IaaS clouds today, to create
an ad-hoc security test lab for both offensive and defensive security
research. We’ll explore prior use cases of cloud by security
researchers, define a simple test lab network architecture and
associated requirements, get an overview of existing IaaS capabilities
and the challenges you’ll face when replicating even relatively simple
network topologies (along with some workarounds). At the end of this
presentation, attendees will know how to build their own virtual skylab.

When I get back, I’ll upload my slides and explain more about Skylab.

If you’re attending, definitely come up and say hello.

Cheers,

Craig

Cloud Security Threats Survey

2010-02-23T13:08:58+01:00

Ask a room full of security professionals what cloud threats they are concerned with and you’ll get quite a variety of answers. Partly this stems from the widly varying definitions of “Cloud”, but also reflects their respective experience dealing with security threats faced by their organisation.

Maybe you think “insider threats” are the big issue, or perhaps you feel attacks against the shiny new attack surface offered by cloud providers is the big concern. Or you may look at things the other way round and feel that attacks against cloud clients are the most significant threat – especially given what we know about client side computing, mobile professionals and insecure WiFi setups.

Either way, here is a chance to express your view.

Right now, the Cloud Security Alliance (CSA) is seeking your input. They are currently finalising a paper for release at RSA 2010 next week, called the Top Threats to Cloud Computing. The CSA “top threats” working group is seeking wider input on the respective ranking of 7 specific cloud threats.

If you are a cloud user and/or security professional, I encourage you to take the 5 minute survey. Results will be collected at the end of this week.

The Global Security Challenge: Money and Mentorship for Radical Cloud Securty Ideas

2010-02-03T22:32:26+01:00

Cloudsecurity.org is proud to be supporting the Global Security Challenge with their “Cloud Security Challenge” competition.

If you’ve a bright idea for cloud security or you know someone who has, this is an opportunity to grow it quickly.

The competition aims “to empower entrepreneurs in the security technology space.”

The Global Security Challenge team do this through running challenges that anyone with a clever idea and a decent business plan can enter. A panel of experts select the most promising security technology start-ups.

The winner of this challenge will receive a 10,000USD grant and mentorship from CapGemini. HP Labs in Bristol UK are sponsoring the event and offering use of their test-bed for up to 3 finalists.

Ultimately it may provide a path to additional funding — top contenders from previous challenges raised 57MM USD.

The competition is free to enter and the deadline is 15th March.

To learn more and submit your idea, visit the Global Security Challenge website

Let me know if you have any questions and I’ll do my best to get them answered.

Are You Trying to Pin the Tail on the Cloud Donkey?

2010-01-25T01:14:15+01:00

Today, when it comes to security due diligence and on-going operational security visibility of cloud services, enterprise security pros are acting out the childrens game, Pin the Tail on the Donkey.

With security policy in hand, we’re groping around, blindfolded by a lack of security visibility whilst disoriented by the scale and combination of new (and old) technologies and service models. The Cloud Donkey – known for a strong sense of preservation – looks on.

The problem is that there are many donkeys, and even more tails. Worse, we’re all trying to stick different tails on the same donkeys.

If we don’t like what we’re (not) seeing, we can either moan about our predicament or try to change things. Like collaborating with others that share the same concerns to develop the “Audit, Assertion, Assessment, and Assurance API (A6)” for cloud services.

If you’re a security pro, don’t be an ass, join the A6 security group.

Photo credit: cherrypatter

Can the Cloud Help Haiti?

2010-01-18T17:54:06+01:00

If you’ve been looking for a way to extend a hand to the people of Haiti, or you want your cloud venture to spread some goodwill, this post is written for you.

On Wednesday this week, many of us will be attending CloudCamp Haiti – and you can join us.

Here’s what you need to know

CloudCamp Haiti is a virtual unconference held as a public webinar. CloudCamp Haiti builds upon the popular CloudCamp format by providing a free and open place for the introduction and advancement of cloud computing. For this event, we are raising funds to donate to the aid effort in Haiti. Funds will be donated directly to the Red Cross efforts in Haiti.

Using an online meeting format attendees can exchange ideas, knowledge and information in a creative and supporting environment, advancing the current state of cloud computing and related technologies.

Date/Time:
- Jan 20th 11:00am – 2:30pm Eastern Standard Time (EST)

Location:
- Online Webinar via GoToMeeting

Get involved:
If you are interesting in getting involved as a presenter contact John Willis (john.willis AT zabovo.com) Interested in sponsoring? contact Dave Nielsen (dave AT platformd.com)

What You Can Do

Sponsor this event – either as a company or privately, or register to attend for 25USD.

If you’re still reading, what are you waiting for?