Tuesday, November 30, 2010

Is Hybrid 2.0 a game changer in security testing?

HP has recently released Hybrid 2.0, which combines black box testing with source code and binary code analysis. In my professional experience, I have done both black box testing and manual and automated review of source code. I personally found that manual, targeted source code review and ethical manual hacking outperform any use of tools. I would be interested in any insights and comments on Hybrid 2.0.

Monday, November 29, 2010

According to eWeek: "Security Lacking in Most Virtualized IT Environments"

The following is from eWeek (http://www.eweek.com/c/a/Virtualization/Security-Lacking-in-Most-Virtualized-IT-Environments-Survey-Says-408929/) and I quote:


".... Hypervisor privileges pose other concerns. The administrator
accounts on hypervisors generally have extensive access privileges
with very few limitations and security controls. The study found that
73 percent of surveyed organizations are concerned about the
privileges granted to hypervisors and the potential for abuse by users
with administrative control. However, 49 percent of those concerned
companies have not implemented any privileged user management or
security log management systems to mitigate the risk, the survey
found.

Even though the majority of the business and IT leaders said
virtualization would help improve IT operational efficiency, security
remains a concern, with 39 percent saying virtual environments are
more difficult to secure than physical environments.

Almost 85 percent of the organizations said "cloud privacy and
compliance issues" and "cloud security issues" inhibit plans to move
from virtual environments to a private cloud, the report said.

About a fifth of the companies in the survey said their IT staff does
not have the skills or funds to implement security in a virtual
environment, researchers found. About half, or 55 percent, of those
organizations cited budgetary restraints and the "upfront cost" of
implementation, and 53 percent named the "complexity of managing
security across virtual environments and platforms."

While over 84 percent of the surveyed managers prefer integrated
products that seamlessly secure physical and virtual environments,
just over half, or 56 percent, actually have implemented, or are in
the process of implementing, such systems, the researchers found.

While automation is considered important to secure virtual
environments, integrating security management with infrastructure
management or with incident and problem management does not appear
highly important for most respondents, according to the report.

Organizations will "struggle to automate their processes and reap the
real rewards of virtualization," said Nosseir.

Despite all the interest around virtualization, it is not yet the
standard for production environments. Only 34 percent of the
participating companies have deployed server virtualization for more
than 50 percent of their systems, the researchers found. The companies
have rolled out even less for other types of virtualization, such as
storage, application and desktop, the researchers said. For example,
only 8 percent of the organizations in the report have desktop
virtualization for more than 50 percent of the enterprise, according
to the report.

"Despite the rapid growth in server virtualization, many organizations
still have quite a way to go before they reach the level of maturity
and automation required to reap the true benefits of virtualization,"
said Nosseir.

Only 65 percent of the business managers enforced a separation of
duties for administrative tasks across virtual platforms, the report
said. More than 40 percent of the surveyed executives claimed to not
use automation tools for access certification, privileged user
management or log management, according to the study. In fact, only 42
percent perform regular access certifications for privileged users or
are able to adequately monitor and log privileged access, researchers
found.

Automation technologies that can mitigate risks from privileged access
in virtualized environments are "not yet widely deployed," said
Nosseir.

The virtualization security report, "Security—An Essential
Prerequisite for Success in Virtualization," surveyed 335 senior
business and IT executives in Europe and the United States, CA said.
The countries included Belgium, Denmark, Finland, France, Germany,
Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden,
Switzerland, the United Kingdom and the United States.

Most organizations have at least two different virtualization
technologies in their environment. VMware remains the most prevalent,
deployed by 83 percent of the respondents, followed by Citrix at 52
percent. About 41 percent run Microsoft's hypervisors, namely Hyper-V,
according to the report."

I personally recommend the NIST publication "Guide to Security for
Full Virtualization Technologies" (Draft).

Thursday, November 25, 2010

Information and Comments on OASIS Identity in the Cloud (IDCloud) TC

The OASIS Identity in the Cloud (IDCloud) TC is composed of leading IAM experts in the industry and is now working on defining various use cases for identity and access management in the cloud.

At the time of this writing, in late 2010, sample use cases have been proposed, including identities for managing virtual machines and middleware, and identities used in IAAS, PAAS, and SAAS. There are also use cases for Federated Single Sign On using Kerberos and SAML 2.0.

The use cases are still under development, and in my view we need to define at least some common terms to formalize each use case. For example, the user community shall include the following, similar to the approach of Ping Identity's CEO and Symplified's CTO, but elaborated further.


Cloud Administrator:

A person who is responsible for managing other types of users in the cloud computing environment. The duties of a Cloud Administrator are wide-ranging and vary widely from one organization to another. Cloud Administrators are usually charged with manually creating other types of users if this is part of the IAM process and procedures; resetting passwords for other users; unlocking users who have failed a certain number of login attempts and have been locked out by the Cloud Provider; running auditing and compliance reports; assisting in criminal investigations if there are security breaches or access violations in the use of the cloud service; creating Virtual Machines; allocating virtual CPU time and network bandwidth; configuring virtual firewalls; etc. Other duties may include scripting or light programming using the Cloud Provider's Web Service API, monitoring cloud service usage, and bringing down or starting certain cloud services. The Cloud Administrator can come from the Cloud Provider or from within the Cloud Consumer's organization. It is important to follow the Separation of Duty principle: the Cloud Administrator should not be able to see or change sensitive information such as the salary, date of birth, or medical information of other users. A Cloud Administrator should have basic cloud computing skills and should understand cloud computing concepts and key supporting technologies. Organizations recruiting a Cloud Administrator shall do a background investigation and carefully interview and examine the candidate before making an offer of hire.


Help Desk Users:

If there are many users (for example, millions of users using the cloud service), the users must be supported by multi-tier help desk staff. This includes level-one help desk staff, level-two system support staff, and level-three cloud administrators. Authorized users have the ability to change system parameters, select regular user security settings, and set other configuration details through standard cloud user management administration tools.


Regular Users:

Depending on the type of cloud service offered by the Cloud Provider, the regular user can be an internal user within the Cloud Consumer's organization (if it is an internal application such as an HR application) or an end user from the general public (if this is a B2C environment such as internet shopping).


Contractors:

The Cloud Consumer can hire a contractor to use the cloud service to conduct outsourced business activities. In this case, the Cloud Consumer needs to make sure that the contractor's identity is established before the contractor uses the cloud service. The Cloud Provider can also use contractors to run part of its business, and should make sure the identities of such contractors are kept separate from those of regular users because of data privacy, privilege management and access control issues.


Partners:

Both the Cloud Consumer and the Cloud Provider can have business partners, and their identities in the cloud must be established before they can use the cloud service.


After use case formalization, the next step for IDCloud is to do a deep gap analysis of existing IAM standards such as SAML, SPML, WS-Federation, etc. against the use cases needed for IAM in the cloud. The final step for IDCloud is to create profiles of the use cases, which can then be used as recommended profiles by cloud identity providers.

Overall, this will be a gradual process and may take a few years to reach the finish line.

Top 8 Reasons Why Identity and Access Management Is Essential for a Cloud Environment


Here is what I think are the top 8 reasons for IAM in any cloud environment, regardless of deployment model or service model.


For Cloud Provider:

1) To know who is using your service, be it PAAS, IAAS or SAAS.

2) To be compliant with government regulations (this is the same as before).

3) To provide SOD (separation of duties) and least-privileged access to the data hosted on behalf of the cloud consumer.

4) To build a trust relationship with the cloud consumer.

5) For a user-based subscription model (such as salesforce.com), the cloud provider needs IAM to provision, audit, and de-provision users.

6) To support potential e-Discovery as required by law enforcement agencies.

7) To be able to support a wide range of users, such as partners, internal cloud administrators, help desk users, end users, and delegated admin users.

8) To support other functions within the Cloud Provider such as BI, Sales, and executive decisions.

I welcome comments on this and would like to seek input on the top 8 reasons why a Cloud Consumer will need IAM. IAM includes the full life cycle of identity management and access control, single sign-on and federation. The top 8 reasons shall be agnostic of service model (IAAS, PAAS, SAAS) and deployment model (public, private, community and hybrid).
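The separation-of-duty rule in the Cloud Administrator use case above (an administrator who creates, unlocks and removes users but must not see their salary, date of birth or medical records) and reasons 3 and 5 in this list (SOD with least privilege, and provision/audit/de-provision of users) can be expressed as a small policy check. The following Python is an added example written for this page; it is not code from the OASIS IDCloud TC or from any cloud provider. The role names, the permission table, the set of sensitive record types, the seeded first administrator and the user names are all constructed for the illustration.

```python
"""Added example: a minimal role-based access model with a separation-of-duty
rule and a provision/audit/de-provision life cycle for the IDCloud user types.
Roles, permissions, record types and user names are constructed here; they are
not the OASIS IDCloud TC's definitions."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

Permission = Tuple[str, str]  # (action, resource type)

# Constructed role -> permission table, following the duties listed in the
# use cases: administrators manage users and infrastructure, level-one help
# desk only resets passwords and unlocks accounts, regular users see their
# own records, contractors and partners see only what they were onboarded for.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "cloud_admin": {
        ("create", "user"), ("delete", "user"), ("reset_password", "user"),
        ("unlock", "user"), ("read", "audit_report"),
        ("create", "vm"), ("configure", "virtual_firewall"),
    },
    "help_desk_l1": {("reset_password", "user"), ("unlock", "user")},
    "regular_user": {("read", "salary"), ("read", "medical_record"),
                     ("update", "profile")},
    "contractor": {("read", "project_data")},
    "partner": {("read", "partner_feed")},
}

# Sensitive personal data that administrative roles must never read or change.
SENSITIVE_TYPES: Set[str] = {"salary", "date_of_birth", "medical_record"}
ADMIN_ROLES: Set[str] = {"cloud_admin", "help_desk_l1"}


@dataclass
class Identity:
    name: str
    roles: Set[str]
    # De-provisioning disables rather than deletes, so the audit trail keeps the name.
    active: bool = True


@dataclass
class CloudDirectory:
    users: Dict[str, Identity] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def _record(self, actor: str, action: str, target: str, decision: str) -> None:
        self.audit_log.append(f"{actor} {action} {target}: {decision}")

    def authorize(self, actor_name: str, action: str, resource_type: str) -> bool:
        """Decide one request and record the decision. The default is deny."""
        actor = self.users.get(actor_name)
        if actor is None or not actor.active:
            self._record(actor_name, action, resource_type, "DENY (no active identity)")
            return False
        # Separation of duty: anyone holding an administrative role is kept
        # away from sensitive records, whatever else their roles would allow.
        if resource_type in SENSITIVE_TYPES and actor.roles & ADMIN_ROLES:
            self._record(actor_name, action, resource_type, "DENY (separation of duty)")
            return False
        allowed = any((action, resource_type) in ROLE_PERMISSIONS.get(role, set())
                      for role in actor.roles)
        self._record(actor_name, action, resource_type,
                     "ALLOW" if allowed else "DENY (least privilege)")
        return allowed

    def provision(self, actor_name: str, new_name: str, roles: Iterable[str]) -> bool:
        """Create an identity; only a role holding ("create", "user") may do so."""
        if not self.authorize(actor_name, "create", "user"):
            return False
        self.users[new_name] = Identity(new_name, set(roles))
        return True

    def deprovision(self, actor_name: str, name: str) -> bool:
        """Disable an identity so every later request from it is denied."""
        if not self.authorize(actor_name, "delete", "user") or name not in self.users:
            return False
        self.users[name].active = False
        return True


def demo() -> Tuple[Dict[str, bool], List[str]]:
    """Walk the life cycle with constructed users and return the decisions."""
    directory = CloudDirectory()
    # The first administrator is seeded out of band (an assumption of this example).
    directory.users["alice"] = Identity("alice", {"cloud_admin"})
    results = {
        "admin_creates_user": directory.provision("alice", "bob", {"regular_user"}),
        "admin_creates_help_desk": directory.provision("alice", "carol", {"help_desk_l1"}),
        "help_desk_resets_password": directory.authorize("carol", "reset_password", "user"),
        "help_desk_creates_user": directory.provision("carol", "dave", {"regular_user"}),
        "admin_reads_salary": directory.authorize("alice", "read", "salary"),
        "user_reads_own_salary": directory.authorize("bob", "read", "salary"),
        "admin_deprovisions_user": directory.deprovision("alice", "bob"),
        "deprovisioned_user_reads": directory.authorize("bob", "read", "salary"),
    }
    return results, directory.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for name, decision in decisions.items():
        print(f"{name}: {'allowed' if decision else 'denied'}")
    print("\n".join(log))
```

Two design points carry the weight here. The separation-of-duty test runs before the permission lookup, so an identity that is granted both an administrative role and a data-reading role still cannot reach sensitive records; and de-provisioning flips the identity to inactive instead of deleting it, so the audit log (reason 5's "audit") keeps a name to attach later denied attempts to.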

Hackers are getting smarter, using Search Engine Optimization (SEO) for phishing attacks

Happy Thanksgiving holidays and happy shopping to everyone. If you shop online by doing Google searches, you will need to be extra careful these days.


According to eWeek, hackers are now using SEO to push malicious websites to the top of Google's and other search engines' result lists. From eWeek, quoted below:


" Attackers have set their sights on holiday shoppers searching for leaked Black Friday ads, creating malicious sites that appear on search engine result pages, according to a Nov. 18 alert by IT security firm SonicWall. Called SEO poisoning, hackers create these pages that Google and other search engines pick up thinking they are legitimate, and return them when users type in the search terms.

Security experts at SonicWall UTM Research discovered "polluted" results appearing in search engine results for holiday shopping-related terms in advance of Black Friday sales, the company said. These links take users to a malicious site that tricks users into downloading malware. The terms include "Walmart Black Friday Sales 2010," "Black Friday" and "Cyber Monday," according to researchers.

PandaLabs, Panda Security's anti-malware laboratory, is advising holiday shoppers to be extra wary when shopping online this holiday season. The company noted most of the malware it sees today is specifically built for extracting credit card information, Social Security numbers and other data, which can be used to facilitate identity theft. In fact, 66 percent of the threats in PandaLabs' malware database are Trojans that specialize in sensitive data extraction.

"Cyber-criminals know this Friday and Monday are two of the biggest shopping days of the year, and Americans are going to be sharing tons of sensitive data online during this period," said Sean-Paul Correll, threat researcher at PandaLabs. "It's more important than ever for shoppers to follow best practices to avoid infecting their computers or turning over their private information into dangerous hands."


There is also another report of hackers using the recent royal wedding news to trick end users into downloading so-called "Anti-Virus" scan software, and if the user downloads this kind of software.

So, be careful.

Law Enforcement network uses a Virtual Appliance to monitor guest systems

In the November 15th, 2010 issue of Government Computer News (GCN vol 29, Issue 20), there is an article entitled "The Real-World Challenge of Virtual Security" (http://gcn.com/articles/2010/11/15/nlets-virtualization-security.aspx). In this article, the product "vSecurity" from Catbird Networks (http://www2.catbird.com/) is mentioned; it is used as a virtual appliance on the hypervisor to monitor the configuration and security status of the VMs on the host. vSecurity has built-in compliance modules such as FISMA (I don't know if it supports FedRAMP yet, but I doubt it since FedRAMP is not finalized yet), DoD DIACAP, SOX and GLBA to determine and help enforce compliance. vSecurity is deployed on NLETS (National Law Enforcement Telecommunication Systems), which is a backbone for state, local and federal law enforcement agencies around the country to exchange data.

Virtualization security is far from a mature security technology, and vSecurity does not solve all security issues associated with virtualization. But its use in NLETS shows that vSecurity is a serious product and should be considered for your virtualization security deployment.

Sunday, November 21, 2010

WSO2 Cloud Identity for Managing User Accounts of your Organization | WSO2 Oxygen Tank

I have briefly looked at WSO2 in the past, and believe that they have a very good value proposition. If you need to know more about it, please see the following link:
WSO2 Cloud Identity for Managing User Accounts of your Organization | WSO2 Oxygen Tank

About Cloud Audit

In this blog post, I plan to talk about CloudAudit (A6). According to the project website:
About: "The goal of CloudAudit (codename: A6) is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology."

The short term goal of A6 is to get it adopted as a common standard by which cloud providers, regardless of location (that could be an internal private cloud or a public cloud), essentially agree on the same set of standards through which consumers or interested parties can pull information.

The long term goal is to improve the visibility and transparency of cloud providers and to provide automated tools for auditing. It will be exciting to evaluate such a tool.

The open source tool is located at http://cloudaudit.googlecode.com/svn/trunk/. The tool is a zip file that you can unzip and use. You can specify which compliance framework you need to use; for example, it can be PCI, HIPAA, NIST 800-53 (FISMA), etc. The goal is to have a common set of APIs which can be used to map the security controls and to help gather the auditing data through the tool.

Ken Huang
Director of Cloud Security
CGI Federal
Fairfax, VA, 22033

Wednesday, November 17, 2010

Former Loudcloud CEO Ben Horowitz Invested $10 Million In Cloud Identity Startup Okta

Okta is a start-up in cloud management. I believe that it has selected the right entry point to the market, the Identity as a Service market, aiming at small and big enterprises. Big Identity and Access Management (IAM) companies such as IBM, Oracle, Novell, and Microsoft just have not gotten IAM right for the cloud yet. CA may be closer to what cloud computing needs for IAM, but it still carries a lot of legacy code and burden in its offering. So, I would bet on Okta's success in this market, especially with Ben Horowitz, who was co-founder of Loudcloud and sold it to HP for 1.6 billion. So, I believe that Okta is on a mission to remove the pains for the Cloud Consumer in terms of identity and other management issues.

Ken Huang
Director of Cloud Security
CGI, Fairfax, VA, 22033

Brief review of Behind the Cloud by Marc Benioff


Just finished reading the book by Salesforce.com CEO Marc Benioff entitled Behind the Cloud. It is an interesting read. It is both about how to start a company (a SAAS company to be specific) and how to create an industry (the cloud computing industry).

There are many unconventional strategies, such as hiring actors to protest at competitors' user conferences or events.

To be frank and honest, I didn't learn anything new about cloud computing in this book. I admire the author's conviction and creative vision at a time when cloud computing was still "behind the cloud" a decade ago.

Being an SVP of Oracle after only 13 years at Oracle is a big accomplishment, and most corporate employees will never get to this position, let alone be a friend of Larry Ellison. So, it took courage and strong belief for Marc to start Salesforce.com right before the dot-com bust. It is interesting to know that Larry Ellison even lent $2 million to support Marc, let Marc take 3 Oracle employees to start the company, and also offered to let him come back to Oracle if the business went bust.

The book gave a detailed account and rationale for why the monthly subscription model does not work (due to a shortage of cash flow) and why a yearly subscription is the way to go, and also described how the company worked with the SEC to reconcile the accounting rules for revenue recognition.

After reading his book, I watched one of his recent presentations on "Cloud 2.0". Essentially, "Cloud 2.0" is Cloud 1.0 meeting the social web, or Web 2.0. Salesforce.com now hosts a social application called Chatter; it is a kind of "Facebook" inside Salesforce.com. My take was that the majority of applications in Salesforce.com are not really revolutionary or new. The only change is the delivery and pricing model, and the so-called democratization of IT and rapid elasticity (as defined by NIST). The slogan "No Software" does create confusion and a stir, but it catches people's attention. So, it is a smart logo and slogan for Salesforce.com. I guess that if Marc were choosing his start-up company's name now, he might not call it "salesforce.com" anymore, since his goal is far beyond the sales automation software market. He might call it "NoSoftware.com" or "CloudWare.com", or something like "CloudAppStore.com" to match Apple or "CloudAppWorld" to match BlackBerry.

I also agree with Marc's comments on Oracle. Oracle's slogan after the acquisition of Sun Microsystems was "Oracle is the world's most complete, open, and integrated business software and hardware systems company". So, the underpinning mission for Oracle is to sell you software and hardware. That is why Oracle's cloud computing strategy is behind its major competitors such as Microsoft, IBM, Google and Salesforce.com. Marc mentioned that Salesforce.com is "Complete" without selling you any software or hardware. This is the essence of cloud computing.