Monday, March 25, 2013
Amazon-CIA deal triggers plenty of questions -- Washington Technology
Wednesday, March 20, 2013
Why Did Oracle Buy Nimbula? -- Virtualization Review
Oracle last week said it has acquired Nimbula, a company launched in 2010 by some of the original developers of Amazon Web Services EC2.
Nimbula Director is a cloud operating system designed to let enterprises and independent hosting providers build multitenant and geographically EC2-compatible public, private and hybrid Infrastructure as a Service (IaaS) environments. CEO and Co-Founder Chris Pinkham was a VP of engineering at Amazon, who led the development of EC2.
But one of Nimbula's key rivals, Eucalyptus, led by former MySQL CEO Marten Mickos, last year signed an API compatibility sharing pact with AWS. The move gave Eucalyptus sanctioned compatibility between its namesake cloud OS and EC2 and S3, giving it an edge over Nimbula.
In October, Nimbula joined the OpenStack community, pledging to incorporate OpenStack compatibility into Nimbula Director. In a brief statement, Oracle described Nimbula Director as complementary, saying it would be integrated with Oracle's cloud offerings.
Did Oracle acquire Nimbula to forge more compatibility with AWS or was this a dip into the OpenStack waters? Or perhaps it's for some combination of the two? Oracle to date has shown no public interest in OpenStack and it is not clear Nimbula could help change that, if indeed that's even the goal. But as Oracle rivals IBM and HP advance their support for OpenStack, perhaps the company is looking to hedge its bets?
"Oracle won't be able to make a proprietary cloud management play, but it will be able to make a solid product play to embrace OpenStack," wrote RedMonk analyst James Governor in a blog post, noting HP took an early lead in OpenStack support only to see IBM steal its thunder. While describing Nimbula's engineering team as talented, like myself, Governor thought Nimbula was a curious choice if OpenStack is indeed the endgame.
"If Oracle was anxious to nail OpenStack it might have made more sense to acquire, say, Piston Cloud," Governor concluded, referring to the company founded in 2011 by some original OpenStack creators. "Perhaps that's a deal for another week."
Friday, March 1, 2013
Big Data Solution (MPP) vs. Traditional Data Warehouse Appliance: Financial Comparison - Wikibon
Thursday, February 28, 2013
Splunk Makes Its Platform Play | The Big Data Blog – BETA
A Massachusetts company called Prelert released a new application yesterday that combines machine learning and predictive analytics to detect and report anomalous behavior emanating from IT infrastructure. If that sounds a lot like what Splunk does, you’re right.
In fact, Anomaly Detective is a downloadable app that runs on top of Splunk Enterprise. The release ties into Splunk’s push to position Splunk Enterprise as a Big Data application development platform as much as a suite of Big Data applications itself. Splunk released a software development kit for JavaScript to GA in October, followed by two new SDKs, one for Java and another for Python, in December.
Wednesday, February 27, 2013
Global Identity Management. Is it possible?
Because managing identities is a global problem, it requires a global solution, says Paul Simmonds of the Jericho Forum. A new organization has been established to address global identity. Simmonds offers insight.
As CEO of the newly created Global Identity Foundation and co-founder of the Jericho Forum, a global security group for CISOs, Simmonds says the core security challenge every organization faces is how to authenticate identity.
"Right now, with the systems we have in place, we don't have any connection to the person," he says during an interview at RSA Conference 2013.
The digital connection between the entity confirming the identity and the individual who possesses the identity has to be solid, Simmonds adds. "Banks and others need that information so they can make a risk-based decision, based on the identity," he says. Without that information, they are building risk profiles about identities, based on information that is not reliable, Simmonds explains.
"There is a challenge around doing this globally and doing this around bring-your-own-identity," he says. "So, one of the things that Jericho came to the conclusion about is that you and I need to be in control of our own identity. It's how humans operate. And doing anything else doesn't work."
Computer networks and systems get hacked, Simmonds says, making them unreliable for the management or authentication of identities. "Fundamentally, you and I need to bring our own identity to the game," he says.
At RSA 2013, Simmonds hosted a presentation about Jericho's plans for the new identity management group, as well as steps organizations should take now to educate themselves about what to expect in the future.
In this interview, Simmonds discusses:
- The role of the Jericho Forum and the role it envisions for the newly established Global Identity Foundation;
- Challenges current mindsets and infrastructure pose for global identity management and authentication;
- How a global network can help to improve financial and national security.
In addition to his roles as a board member on the Jericho Forum and head of the new Global Identity Foundation, Simmonds also is an independent security consultant who formerly served as the CISO of AstraZeneca, a global biopharmaceutical research company. He also previously oversaw information security for a high security European Web hosting company and was the global information security manager for Motorola.
For the interview, please see:
http://www.databreachtoday.com/interviews/managing-identity-risks-i-1808
Obama cybersecurity chief warns further regulations may be required - The Hill's Hillicon Valley
SAN FRANCISCO — President Obama’s executive order on national cybersecurity could result in new regulations for companies that operate key infrastructure, according to Michael Daniel, the White House’s cybersecurity coordinator.
Daniel said new regulations could be needed to create a “backstop” to address security gaps in the computer systems and networks of the nation’s water systems, electric grid and other critical infrastructure.
The order creates a program led by the Homeland Security Department where critical infrastructure operators would join on a voluntary basis and agree to follow a set of cybersecurity best practices and standards crafted jointly by the Commerce Department and the industry.
But Daniel noted that a key part of the order directs primary regulators — including the Treasury and Energy departments — to review their current regulations and requirements and align them with the standards included in the cybersecurity framework developed by the Commerce Department’s National Institute of Standards and Technology. That could result in the agencies taking new executive actions or crafting updated regulations to bring their rules up to speed with the framework.
“They’re to compare their current requirements and regulations against that framework, and if they are not sufficient and the companies [are] not participating in the voluntary program for whatever reason, that those regulators could take action to try to bring their requirements and regulations up to the level of the framework,” Daniel told The Hill in an interview at the RSA cybersecurity conference. “I think from the administration’s perspective, we view that as kind of the backstop.”
“This is very significant stuff, and I think the president believes ... we need to have that backstop to make sure that we’re getting the cybersecurity of that critical infrastructure up to the level of the framework,” he added.
The U.S. Chamber of Commerce criticized the executive order when it was issued, saying that it “opposes the expansion or creation of new regulatory regimes.”
But the White House cybersecurity chief said this section of the cyber order is needed to help critical infrastructure thwart cyberattacks that could lead to catastrophic damage in the physical world.
In the near term, the White House will focus on overseeing the implementation of the measures in the executive order, while it is also working on a set of legislative principles to help guide Congress’s work on cybersecurity legislation.
Daniel said the principles will be similar to those outlined in the cybersecurity legislative proposal the administration delivered to Congress in May 2011, such as stiffening criminal statutes for cyber crime and creating a national data breach notification law that tells companies when they need to report a security breach to the government.
He said the forthcoming set of principles will not include bill text, but will reaffirm the administration’s support of the 2011 legislative proposal.
In Washington, the administration and Congress are engaged in an intense debate about the looming $85 billion automatic budget cuts. Daniel warned that the cuts will affect cybersecurity programs across the federal government and potentially the implementation of the executive order.
“There’s no question that it’s going to potentially have a negative impact on not just the [executive order], but all of our cybersecurity efforts across the board,” he said. “I don’t think it will be disproportionate to other government programs, but it will clearly negatively affect it and slow us down on our implementation, so I think that certainly it’s going to have a negative effect.”
“It’s one of the many reasons why sequester is such a bad policy to begin with, because it doesn’t allow you to prioritize for things that are really important like cyber,” Daniel added.
In the meantime, he noted that, while the White House has engaged with various congressional committees that are in the midst of crafting cybersecurity legislation, it will be challenging to get a bill passed this year.
Although lawmakers have sounded alarm about the cyber threat facing the U.S., Congress has so far failed to pass pertinent legislation. The Senate tried twice to pass a sweeping cybersecurity bill last year, but GOP members blocked the measure over concerns that it would saddle industry with burdensome new regulations.
“I think there’s actually a real window of opportunity here,” Daniel said. “This is a difficult environment to get any legislation passed. I’m sort of a natural optimist in that regard, so I will keep working on that, but it will be a challenge.”
Read more: http://thehill.com/blogs/hillicon-valley/technology/285133-cybersecurity-chief-further-regulations-may-be-required#ixzz2MA9PXAbv
Vulnerability Gives Hackers Access to Locked iPhones
Think your iPhone 5 is safe and secure with your password lock set up nicely? A new vulnerability has been discovered which could allow hackers to bypass password locks and gain access to users' personal information.
The issue was first detected by Vulnerability Lab in a Full Disclosure report and further detailed on Kaspersky Labs' Threatpost blog: hackers can get around the iPhone's lock screen by using the Emergency Call function. The workaround gives the user access to contact lists, voicemails and photos.
"The exploit involves manipulating the phone’s screenshot function, its emergency call function and its power button," Threatpost.com writes. "Users can make an emergency call (911 for example) on the phone and then cancel it while toggling the power on and off to get temporary access to the phone."
From there, a hacker can attach a USB cord to the smartphone and access data on the phone via a computer. The exploit works on iPhone 5 devices running iOS 6.1 software.
"The vulnerability allows the local attacker to bypass the code lock in iTunes and via USB when a black screen bug occurs," the Full Disclosure report notes. "Successful exploitation of the vulnerability results in unauthorized device access and information disclosure."
Apple has not yet responded to a request for comment.
For a deeper look at how the exploit works, check out the video below. The first part of the video demonstrates a vulnerability detected earlier this month.