Posts by author:

Carl Belso

Security’s Nemesis

by Carl Belso on April 14, 2010

Complexity leads to errors. The more complex a system is, the more likely it is to have errors. This is the root of the problem with computer security. The more functionality our systems have, the more difficult it is to defend them.

We now see the affects of complexity in systems with underlying (embedded) computers. An example of this is the Toyota Prius, which is having brake issues due to software related issues. A few years ago it would have been difficult to imagine a software issue affecting the brake system of a car. Now it is a reality, and the future is not looking much better. As more and more complexity is introduced into our devices, errors are more likely to occur.

Another example of this trend is found in our newest computing platform, the smart phone. As a new Droid user I am fascinated by the amount of functionality and computing power available from my phone. I downloaded several applications and started experimenting. After few days of this “download and play” activity, my phone started locking up. It was at that point that I realized that there was a significant amount of risk in what I was doing. Is security an issue on my phone? The short answer, of course it is! Both the iPhone and Android based phones have had security issues. Complexity is the nemesis of security.

Turning our attention to our IT Enterprises, the complexity is immediately apparent. The complexity of a smart phone is dwarfed by the complexity of our IT Enterprises; therefore, the likely hood of a security issue is much higher. In fact, I would go as far as to say that there is a security issue in your IT environment right now (mine too of course).

So what should we do? Panic, and then realize that there is no way to make it completely safe without removing the network cables (and WiFi, USB, CD-RW, floppy drives, etc.)! No, our world is not safe, and that is just the way it is. There is nothing you can do…

OK, we now see the reality of it, what do we do? In the early days of computer security there was the concept of the hard shell, soft center. Basically this concept was our firewalls form a shell around us, but inside things are not protected. Our connections to the “evil Internet” where all the hackers live are protected by firewalls. We also created DMZ’s (De-Militarized Zones) for our less trusted assets like web servers because these are the systems that the hackers are going to get. Security problem solved, right? Wrong.

Security-gooey-center

The hard shell, gooey center concept failed long ago. The enemy is no longer at the gate, he is in the castle. Now we need to further divide our systems into zones, and levels, and enclaves. Done? Nope.

We must also limit access to the networks and services within our enterprise. The “ultimate” goal is to limit access to only what the user needs. Consider this, the Sasser worm, which exploited a vulnerability Local Security Authority Subsystem Service (LSASS) in Windows, rapidly speared though several enterprise environments. The interesting aspect of this worm, and others like it, is that it relied on the ability to communicate with other computers on the network. In large Windows workstation environments, the worm quickly spread from workstation to workstation. Usually our workstation environments are connected to a single network (or VLAN) without any limitations. But why would one workstation need to communicate to another workstations? The answer, to spread a virus. If we limited workstation communications with local firewalls or private VLAN, most worms would fail.

Security-Inside

The solution is complex and difficult to manage. Security is required at every level; networks, servers, workstations, applications, and our Internet boarders. Perfect security is an unattainable goal. Instead, we must do what we can, within our constraints, to protect what is important. To maximize the return on these efforts, I suggest that we focus on the critical data sets and services, working from the assumption that the enemy is in the castle. Yes, maintain the moat and keep the gate closed, but we must also lock the doors to the treasury and put a couple of guards in the hallway.

{ 0 comments }

Cloud Computing (aka Internet based Services)

by Carl Belso on January 3, 2010

…and that Cloud looks like a highly redundant, geographically dispersed computer cluster…

Technology marches forward and the paradigm changes. The latest new paradigm – Cloud Computing! Cloud Computing is going to completely change the way we design our computing infrastructures, again.

Cloud Computing is the concept of using Internet services to support users. In general the term is applied more toward business users, but I would say that we all use Internet (or cloud) based services. One of the best and most successful cloud computing services is web-based email or webmail. Gmail, Hotmail, and Yahoo Mail are all examples of webmail services – and these services are examples of Cloud Computing.

There are also some specific types of cloud computing models.  These are basic subsets of cloud services and are different in the sense that they are usually purchased and have SLA (Service Level Agreements) associated with them.  The models are Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platforms as a Service (PaaS).

SaaS

Why do it in the Cloud?

In general cloud based services are more robust than similar in-house solutions. Yes, cloud services fail, but probably less often than similar services a business could deploy. Gmail for example has very high availability numbers. In fact, Gmail claims 99.9% availability, which is about an hour of down time per year,  less than 5 minutes a month.

Cloud computing is also less expensive.  Using cloud based services can save a lot of money in terms of capital investments and labor. Consider the costs of running an internal email server – hardware, software, system administration, networking, spam management, and so on. The costs of cloud based solution, the cost of the service and maybe a system administrator to help the users.

Why not to do it in the Cloud…

There are some very serious risks associated with Cloud usage. First and foremost is security. Cloud computing require you to rely on the cloud provider to address security.  Add to this the fact that the service is Internet accessible and security becomes a challenge. Recently Twitter felt the effects of failed security in its usage of cloud service. Without the benefits of hiding behind a firewall, cloud based services are more susceptible to hacking simply due to accessibility. It is critical to educate your users of these new challenges.

Another potential issue is data portability. Can you get your data out of the cloud? Unluckily, the answer is usually no. The ability to extract your data for archiving or backups is an important consideration when deciding whether or not to use cloud services and when selecting a provider. A recent move by Google to address data portability is a move in the right direction and will hopefully encourage others to follow suit. But the standard answer for most cloud computing solutions is “all your data are belong to us.

Welcome to the Future…

And Cloud Computing is there. The use of cloud computing is almost completely ubiquitous. Most Internet user take advantage of cloud services daily.  In fact, I suspect that most web usage is primarily focused on the use of cloud service; email, work-related activities, blogs, etc. The Cloud is the Internet and Cloud Computing is its new purpose.

What is next? More Cloud Computing power! Google Chrome OS? Maybe…

{ 3 comments }

Network Management – The Art of Enterprise Monitoring

November 30, 2009

“That which is not monitored is not managed.” – A wise System Administrator
Failure is a part of life. This is especially true in the world of IT. It is not a question of if, but when. The key to successful enterprise management is to know when things fail. This can only be accomplished through monitoring. [...]

Read the full article →

What is Enterprise Architecture?

November 18, 2009

I typically try to avoid “buzz” terms like Enterprise Architecture, but sometimes you just need a term. This is one such case. It is either use a term, or paragraphs of explanations. This is intended to be the paragraphs to define the term, Enterprise Architecture.

The term Enterprise Architecture (EA) is not well [...]

Read the full article →
Get Adobe Flash playerPlugin by wpburn.com wordpress themes