Gain & Share Knowledge

Saturday, May 30, 2009

Cloud Computing Security Issues

In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, recession-hit companies are increasingly realising that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost.

But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment it is.

1. Every breached security system was once thought infallible

2. Understand the risks of cloud computing

3. How cloud hosting companies have approached security

4. Local law and jurisdiction where data is held

5. Best practice for companies in the cloud


Every breached security system was once thought infallible

SaaS (software as a service) and PaaS (platform as a service) providers all trumpet the robustness of their systems, often claiming that security in the cloud is tighter than in most enterprises. But the simple fact is that every security system that has ever been breached was once thought infallible.

Google was forced to make an embarrassing apology in February when its Gmail service collapsed in Europe, while Salesforce.com is still smarting from a phishing attack in 2007 which duped a staff member into revealing passwords.

While cloud service providers face similar security issues as other sorts of organisations, analysts warn that the cloud is becoming particularly attractive to cyber crooks.

"The richer the pot of data, the more cloud service providers need to do to protect it," says IDC research analyst David Bradshaw.

Understand the risks of cloud computing

Cloud service users need to be vigilant in understanding the risks of data breaches in this new environment.

"At the heart of cloud infrastructure is this idea of multi-tenancy and decoupling between specific hardware resources and applications," explains Datamonitor senior analyst Vuk Trifković. "In the jungle of multi-tenant data, you need to trust the cloud provider that your information will not be exposed."

For their part, companies need to be vigilant, for instance about how passwords are assigned, protected and changed. Cloud service providers typically work with a number of third parties, and customers are advised to gain information about those companies which could potentially access their data.

IDC's Bradshaw says an important measure of security often overlooked by companies is how much downtime a cloud service provider experiences. He recommends that companies ask to see service providers' reliability reports to determine whether these meet the requirements of the business. Exception monitoring systems are another important area which companies should ask their service providers about, he adds.

London-based financial transaction specialists SmartStream Technologies made its foray into the cloud services space last month with a new SaaS product aimed at providing smaller banks and other financial institutions with a cheap means of reconciling transactions. Product manager Darryl Twiggs says that the service has attracted a good deal of interest amongst small to mid-tier banks, but that some top tier players are also being attracted by the potential cost savings.

An important consideration for cloud service customers, especially those responsible for highly sensitive data, Twiggs says, is to find out about the hosting company used by the provider and if possible seek an independent audit of their security status.

"Customers we engage with haven't been as stringent as we thought they would have been with this".

How cloud hosting companies have approached security

As with most SaaS offerings, the applications forming SmartClear's offering are constantly being tweaked and revised, a fact which raises more security issues for customers. Companies need to know, for instance, whether a software change might actually alter its security settings.

"For every update we review the security requirements for every user in the system," Twiggs says.

One of the world's largest technology companies, Google, has invested a lot of money into the cloud space, where it recognises that having a reputation for security is a key determinant of success. "Security is built into the DNA of our products," says a company spokesperson. "Google practices a defense-in-depth security strategy, by architecting security into our people, process and technologies".

However, according to Datamonitor's Trifković, the cloud is still very much a new frontier with very little in the way of specific standards for security or data privacy. In many ways he says that cloud computing is in a similar position to where the recording industry found itself when it was trying to combat peer-to-peer file sharing with copyright laws created in the age of analogue.

"In terms of legislation, at the moment there's nothing that grabs my attention that is specifically built for cloud computing," he says. "As is frequently the case with disruptive technologies, the law lags behind the technology development for cloud computing."

What's more, many are concerned that cloud computing remains at such an embryonic stage that the imposition of strict standards could do more harm than good.

IBM, Cisco, SAP, EMC and several other leading technology companies announced in late March that they had created an 'Open Cloud Manifesto' calling for more consistent security and monitoring of cloud services.

But the fact that neither Amazon.com, Google nor Salesforce.com agreed to take part suggests that broad industry consensus may be some way off. Microsoft also abstained, charging that IBM was forcing its agenda.

"Standards by definition are restrictive. Consequently, people are questioning whether cloud computing can benefit from standardisation at this stage of market development," says Trifković. "There is a slight reluctance on the part of cloud providers to create standards before the market landscape is fully formed."

Until it is, there are nevertheless a handful of existing web standards which companies in the cloud should know about. Chief among these is ISO27001, which is designed to provide the foundations for third party audit, and implements OECD principles governing security of information and network systems. The SAS70 auditing standard is also used by cloud service providers.

Local law and jurisdiction where data is held

Possibly even more pressing an issue than standards in this new frontier is the emerging question of jurisdiction. Data that might be secure in one country may not be secure in another. In many cases though, users of cloud services don't know where their information is held. Currently in the process of trying to harmonise the data laws of its member states, the EU favours very strict protection of privacy, while in America laws such as the US Patriot Act invest government and other agencies with virtually limitless powers to access information including that belonging to companies.

UK-based electronics distributor ACAL is using NetSuite OneWorld for its CRM. Simon Rush, IT manager at ACAL, has needed to ensure that ACAL had immediate access to all of its data should its contract with NetSuite be terminated for any reason, so that the information could be quickly relocated. Part of this included knowing in which jurisdiction the data is held. "We had to make sure that, as a company, our data was correctly and legally held."

European concerns about US privacy laws led to the creation of the US Safe Harbor Privacy Principles, which are intended to provide European companies with a degree of insulation from US laws. James Blake from e-mail management SaaS provider Mimecast suspects that these powers are being abused. "Counter terrorism legislation is increasingly being used to gain access to data for other reasons," he warns.

Mimecast provides a comprehensive e-mail management service in the cloud for over 25,000 customers, including 40% of the top legal firms in the UK.

Customers benefit from advanced encryption that only they are able to decode, ensuring that Mimecast acts only as the custodian, rather than the controller of the data, offering companies concerned about privacy another layer of protection. Mimecast also gives customers the option of having their data stored in different jurisdictions.

For John Tyreman, IT manager for outsourced business services provider Liberata, flexibility over jurisdiction was a key factor in his choosing Mimecast to help the company meet its obligations to store and manage e-mails from 2500 or so staff spread across 20 countries. The company is one of the UK's leading outsourcing providers for the Public Sector, Life Pensions and Investments and Corporate Pensions. "Storing our data in the US would have been a major concern," Tyreman says.

Best practice for companies in the cloud

* Inquire about exception monitoring systems
* Be vigilant around updates and making sure that staff don't suddenly gain access privileges they're not supposed to.
* Ask where the data is kept and inquire as to the details of data protection laws in the relevant jurisdictions.
* Seek an independent security audit of the host
* Find out which third parties the company deals with and whether they are able to access your data
* Be careful to develop good policies around passwords; how they are created, protected and changed.
* Look into availability guarantees and penalties.
* Find out whether the cloud provider will accommodate your own security policies

Friday, May 29, 2009

Linux in Windows

"Ulteo Virtual Desktop is an open source application that nicely integrates into your Windows Operating System and allows you to work as a full Linux system. Its main benefit is that you can run Linux and Windows applications simultaneously within the same desktop environment without rebooting the system."

Minimum requirement:

1) x86-based PC with a modern 32-bit CPU

2) 512 MB RAM

3) 4 GB of free HD space is required.

Key Features



Windows and/or Linux Application delivery

The Ulteo Open Virtual Desktop delivers applications based on Linux servers or Windows Terminal Services remotely from any browser (java enabled), to any desktop (Windows, MacOS, Linux, thinclient), anywhere (WAN-enable).

Applications available by default include the full OpenOffice office suite, Firefox web browser, Thunderbird email client, and the kopete and pidgin Instant Messaging clients. Thousands of others can be installed and deployed by the system administrator.

End-user Web Interface

Access to applications is delivered via a customizable and user-friendly web interface. Users are delivered either a full desktop or a single application.

Easy and centrally managed Administrator Web console

A comprehensive administrator web console is provided to define all the settings, manage users, applications and servers.
A native wizard enables an easy application publishing process. Applications are installed through packages.

Collaboration for users and IT support

Users can collaborate easily together in real time, each having a view of the same desktop. IT can control the application to help the end-user.

Microsoft Windows integration

The Open Virtual Desktop delivers Linux based applications on a Windows Desktop in a browser. Cut, paste and printing are all enabled.

Microsoft Active Directory and authentication

The authentication process is facilitated through Windows Active Directory and also through any LDAP server.

Microsoft or Linux File Server

User files can be stored either on a Windows or Linux server using SMB/CIFS and WebDAV(*).

Monitoring, logging, reporting, load-balancing

Monitoring, logging and reporting capabilities for Windows and Linux application servers are provided to the OVD administrator.

Load-balancing is available on applications servers. It can be customized with various parameters.



Security

The Open Virtual Desktop uses SSH-tunneling to secure the entire communication process.

And many others!

Other features include:

  • session recovery/reconnection
  • support for many languages and keymaps
  • installation of an Ulteo application server and Session Manager on a single server is possible by using a dedicated DVD ISO image
  • SSO ready through our API

5 minutes installation

The Open Virtual Desktop is easy to install with a fully automated installation process.

System recommendation
  • Servers for OVD Application servers: x86 servers w/ dualcore or quad CPU. 1GB or more RAM per 20 concurrent end-users. Supported Host OS: Ubuntu 8.04.1, RHEL 5.2, Centos 5.2, Fedora 10 + generic Linux install.
  • Servers for Windows applications: Windows 2003 Server+Terminal Services on any hardware. Note: expected support for Windows Server 2008: June 2009.
  • Servers for OVD Session Manager: any Pentium class x86 server w/512MB or more RAM. Host OS: Ubuntu 8.04.1, RHEL 5.2, Centos 5.2, Fedora 10 + generic Linux install.
  • Note for OVD ApS and SM servers: it's possible to install everything on only one server for evaluation purpose.
  • Client: Sun Java 1.5/1.6 enabled browser: Firefox 2+, Internet Explorer 7+, any platform.
  • Network: 100Mbps or more LAN
  • User directory servers: Active Directory on Windows Server, or LDAP server are currently supported.
  • Fileservers: CIFS, WebDAV(*)
  • (*) WebDAV support available June 2009

Ready, steady, go!

Its setup file is about 510 MB in size which is available at: http://www.ulteo.com/home/en/ovdi/openvirtualdesktop/download?autolang=en.

After downloading it successfully, double-click the set-up file, which is a .exe file. You will be greeted by a welcome screen; simply follow the on-screen instructions, and if everything goes fine, Ulteo Virtual Desktop will be installed on your Windows system within five minutes. Run the Ulteo Virtual Desktop and you will see a panel at the top of the screen. You can browse through all the Linux applications by using the drop-down menu, and you can even configure the panel to your liking by using the Configure Panel option.

The default user is created with the user name 'me' and the password 'me', so the username and password are the same. The 'root' user's password is also 'root'. Since these default credentials are publicly documented, change both with the passwd command after the first login. Ulteo includes many useful commands for working on the Linux Command Line Interface (CLI). You can start KDE by using the startkde command.

Whenever you want to uninstall Ulteo VD from Windows, go to the Windows Control Panel, where you will find Ulteo VD under the Add or Remove Programs section. Uninstall it the way you uninstall any other software in Windows.

Wednesday, May 27, 2009

Future of MySQL & Java

"Oracle has taken over Sun Microsystems."

Oracle Corporation has agreed to buy California-headquartered Sun Microsystems in a $7.4 billion ($9.50 per share) deal. The question that comes to mind is what will happen to MySQL, which Sun recently acquired for a whopping US$ 1 billion. Many had feared Oracle may kill MySQL, but the lure of reaching out to enterprise customers through Sun's sales team seemed to offset the threats. Now we are talking about the biggest proprietary database firm acquiring the fastest growing open source database project, and that's tricky.

Experts have mixed views. Some believe that MySQL is now too strong to be killed, and hence Oracle would be smart enough to use it and expand its base in new markets, while others believe it might try to slow down MySQL's growth so that it does not end up competing with Oracle's own database.

What about OpenOffice.org? Will Oracle use it to create problems for Microsoft on MS Office turf? After all, Larry Ellison, Oracle's big boss, has been quite open about his anti-Microsoft sentiments, and this could be a good chance for him. Plus, OpenOffice.org also powers the Symphony project of another of Oracle's competitors, IBM. How closely will the two teams work, I wonder.

Then there's Java too, which was also open sourced by Sun. Ellison is beaming with pride about this acquisition. His famous quote about Java says it all: "...the most important software Oracle has ever acquired". So, there's nothing to worry about with Java.

In a nutshell: Java's future is certain; the future of MySQL and OpenOffice.org is anyone's guess.

Tuesday, May 26, 2009

Interface in C++

"Interface: Interface is a group of related methods with empty bodies. As interfaces are implicitly abstract, they cannot be directly instantiated except when instantiated by a class which implements the said interface. The class must implement all of the methods described in the interface, or be an abstract class."

An interface is a contract, a specification that concrete classes MUST follow. It defines method signatures but cannot have any implementations; the latter must be provided by the classes that implement the interface.

C# and Java differ from C++ in this regard because C++ lacks native language support for interfaces. As a C++ programmer, if you want to make an interface in C++, you have to create an abstract class with all of its methods declared as pure virtual functions.

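Example of Interface in C++:
=========================
#include <iostream>
using namespace std;

// Interface: an abstract class whose methods are all pure virtual.
class Student
{
public:

virtual ~Student() {} // Virtual destructor so deleting through a Student* is safe
virtual void display() = 0; // Pure Virtual Function
virtual void setdata() = 0; // Pure Virtual Function

};

-------------------------------------------

// Concrete class: it must override every pure virtual function.
class StudentImplement : public Student
{
public:

void display()
{
cout << "Display Logic";
}
void setdata()
{
cout << "Setdata Logic";
}
};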
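
The rule quoted above, that a class must implement all of the interface's methods or remain abstract itself, can be checked at compile time. The following is an added example, not code from the original post: it reuses the Student and StudentImplement names, but the string-returning signatures, the PartialStudent class and the describe() helper are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <type_traits>

// Interface: only pure virtual functions plus a virtual destructor.
class Student {
public:
    virtual ~Student() {}
    virtual std::string display() const = 0;
    virtual void setdata(const std::string& name) = 0;
};

// Hypothetical class that overrides only one of the two methods.
// It inherits the pure virtual setdata(), so it is still abstract
// and "PartialStudent p;" would not compile.
class PartialStudent : public Student {
public:
    std::string display() const override { return "partial"; }
};

// Concrete class: overrides every pure virtual function.
class StudentImplement : public Student {
public:
    std::string display() const override { return "Student: " + name_; }
    void setdata(const std::string& name) override { name_ = name; }
private:
    std::string name_;
};

// Hypothetical caller that depends only on the interface, never on
// the concrete type behind it.
std::string describe(Student& s, const std::string& name) {
    s.setdata(name);
    return s.display();
}

// The compiler enforces the contract described in the text.
static_assert(std::is_abstract<Student>::value,
              "the interface itself cannot be instantiated");
static_assert(std::is_abstract<PartialStudent>::value,
              "a partial implementation stays abstract");
static_assert(!std::is_abstract<StudentImplement>::value,
              "a full implementation is concrete");

int main() {
    StudentImplement s;
    std::cout << describe(s, "Asha") << "\n";  // "Asha" is a constructed sample value
    return 0;
}
```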

Future is Cloud Computing

"Cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. From the users' point of view, they need not have knowledge of, expertise in, or control over the technology infrastructure "in the cloud" that supports them."

Businesses need Cloud Computing:

Today's businesses want the flexibility to outsource the provisioning of infrastructure to people who can presumably be more efficient at it than they can be. The motivation is going to come really from having other people provide the power, the day-to-day management, the reliability, uptime and so forth. Businesses want to have the option of moving their application loads into, and equally importantly back out of, this outsourced infrastructure as they see fit.
From the consumer point of view, ultimately the user wants his information to belong to him and not to any particular device. Increasingly, individuals are characterized by a body of digital information. And that information needs to live on over a period of decades—the rest of our lives—beyond the lifetime of any device you might have. So most of us will become customers of an "information bank" and in so doing become dependent on the cloud. You can see this trend already starting with hosted e-mail services like Hotmail, Yahoo, Gmail, etc.

What are the challenges?

How do you operate at this scale? How do you make things essentially bulletproof in terms of reliability, security and privacy? Those are tough things to do. There are a lot of companies who don't realize there is a discipline and an approach to operating a service that is different from developing a software product. Companies have to learn that as they go forward.

How does cloud computing fit in the context of the history of computing?

We are in a big transition from a device-centric world to an information-centric world. It's going to be about how you make the information useful and available and make that the center of people's lives instead of specific devices. Devices will have to cleave to the information rather than the other way around. IT infrastructure, the plumbing, will fade away for most users and businesses, and will increasingly be left to professional providers.

Is there a risk of a lock-in if companies start relying on a cloud provider?

There is going to be the classic tension between the interest of the user who wants things to be standardized, portable and to have choice and the interest of the provider who wants to have a very sticky relationship with the customer.

Who will run these clouds?

There will be a variety of companies who want to make a business of it. And we don't believe it will come down to two or three guys at the end. We think it will be hundreds of outfits who want to provide these services, like Google, Amazon, etc.