October 21st, 2011

FROM THE VAULT: White Paper – Steer Safely into the Clouds

This week, From the Vault – our weekly series highlighting classic resources from the Layer 7 Resource Library – steps back into the Cloud. Our goal with the white paper Steer Safely into the Clouds was to outline a secure path for Cloud adoption. With a great many drivers pointing enterprises towards the Cloud, this is pretty vital information.

This white paper is also a vital document for us because it outlines the governance philosophy underpinning all our Cloud solutions. It’s increasingly true that everybody wants to be in the Cloud, but a move to the Cloud introduces new security risks and may compromise traditional IT governance. That’s where our Cloud governance philosophy comes in.

The way we see it, Cloud governance is a logical evolution of existing SOA governance best practices. It offers a way to assert control over both internal and external applications and data. This white paper should be enough to convince you that, using Cloud governance, the widely reported challenges of Cloud computing can be met.

Download Steer Safely into the Clouds

October 12th, 2011

Event Follow-Up: Defining, Enforcing & Validating Web Services Policy on AWS

Last week, I was involved with a Layer 7 workshop in Tysons Corner, VA, just outside of Washington, DC. This workshop, called Defining, Enforcing & Validating Web Services Policy on AWS, was presented in association with our friends at Amazon Web Services. The goal of the session was to teach attendees how to build a secure bridge between the enterprise and the public Cloud.

You see, for organizations with variable application loads or the need to scale rapidly, Cloud services like AWS offer a truly elastic way to accommodate changing compute needs. But it’s rare for an enterprise to be able to run a workload in the public Cloud isolated from data or applications residing inside the enterprise. These organizations need ways to bridge the enterprise and the Cloud without compromising security or limiting scale-out.

Layer 7/AWS Event

The Layer 7/AWS workshop demonstrated a solution based on Layer 7's industry-leading SecureSpan EC2 Appliance, which makes it simple for organizations in this situation to address the challenges of federation, integration and governance they are facing. Specifically, the event began with an overview of AWS before providing practical instructions on how the SecureSpan EC2 Appliance can be used to:

  • Ensure security and federate identities in Cloud/enterprise integrations
  • Implement fine-grained access and data security policies without coding
  • Secure and manage REST APIs for Cloud applications

We certainly got a great response from attendees. Also, during registration, we got quite a few requests for similar events in different cities. If you’d like us to hold a Layer 7/AWS workshop in your city, please don’t hesitate to contact us by calling 1-800-681-9377 or emailing sales@layer7.com. In the meantime, if you want to know more, the slides presented at the workshop are available here. Additionally, here’s a demo of Layer 7 federation features specific to AWS:

January 15th, 2010

Cyber Attack on Google and Others

On Tuesday, Google reported in their official blog that in mid-December they detected a "highly sophisticated and targeted" attack on their corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. Additionally, Google stated in this blog that 20 other large companies were similarly targeted. Google went on to state that they have evidence to suggest that a primary goal of the attackers was to access the Gmail accounts of Chinese human rights activists. This incident, as well as the limitation on free speech imposed on Google by the Chinese government, is forcing Google to review the feasibility of their business operations in China.

In follow-up, a number of security firms that are supporting the investigation have concluded that the number of attacked companies is not 20 but between 30 and 34. Most of the attacked companies were large Fortune 500 companies. The attack, code-named "Aurora" by the attackers, was made up of dozens of pieces of malware and used several levels of encryption to hide itself in the targeted companies' networks and to obscure its activity.

The U.S. Government has been under this type of attack for many years. This is the first time that a highly organized and sophisticated attack was launched on private industry. Who knows what the impact of this will be on the global economy? The mind can only fathom what would happen if each of the companies attacked lost some intellectual property which resulted in them being "second to market" for a product that they have been planning for and building for months or even years.

What we know about Aurora

There is some debate currently on whether Aurora leveraged a vulnerability in Internet Explorer and in Adobe's Reader and Acrobat applications, or whether the attack leveraged Internet Explorer only. Either way, the Aurora installation began on the targeted system when the user viewed a malicious website or, potentially, opened a PDF document sent in an email, though as I mentioned the PDF vector has not been substantiated by Adobe. Once executed in the browser, an encrypted shell script would run. The shell script downloaded a binary from an external machine which, once executed, would open a backdoor to the attackers' Command and Control servers. These servers were purportedly running in hosted facilities in the US. This allowed the attacker some level of access to the user's machine and to the network to which the machine was connected.

Microsoft Versions Affected:

According to Microsoft, Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

Let's review the time line of this event. The following dates/times were derived from various sources on the internet.

Mid-December - Google detects a "highly sophisticated and targeted" cyber attack

January 2nd - Adobe becomes aware of "sophisticated, and coordinated" cyber attack

January 4th - Attack seems to have stopped as Command & Control Servers are shut down

January 12th/3pm - Google announces the Cyber Attack via blog

January 12th/3:16pm - Adobe announces the Cyber Attack via blog

January 12th/Evening - U.S. Government asks China for an Explanation

January 14th - Microsoft issues a security advisory

When looking at the time line, the scary thing is that the attack seems to have commenced in mid-December (let's say the 15th). If Google detected it at its start, which may not be the case, and it was not shut down until January 4th, the attackers had 21 days of access. It's scary to think how much information could have been stolen, and potentially how much damage the attackers could have done, in 21 days had this been their goal.

As stated in the U.S. Government Cyberspace policy review, information and communication networks are largely owned and operated by the private sector, both nationally and internationally. The report goes on to state that cyber security requires a public-private partnership as well as international cooperation. Unfortunately, we are sorely lacking in the ability to ensure a coordinated response to, and recovery from, a significant incident should one occur. This time line only proves the point. It appears as though public/private communication did not effectively start until January 12th; during this time, companies were being infiltrated but may not have known it. Even if Google had notified all the companies it determined were under attack from the information it had available, there is nothing to say that another attack was not going on simultaneously, run by the same attackers but disconnected from the one affecting Google.

With worldwide cyber attacks becoming more focused, we must accelerate our ability to deal with them more rapidly and in a coordinated fashion. This particular instance seems to have been about stealing information, monetary gain, or political issues. We need to remember that it could just as easily have been about disrupting critical national infrastructure in pursuit of national disorganization and loss of life.

January 5th, 2010

Identity and Access Management in Cloud Computing #1

The new United States Federal Chief Information Officer (CIO) Vivek Kundra is serious about embracing cloud computing as a vehicle for rationalizing government IT assets, costs, and budgets. Aneesh Chopra, the Federal CTO, follows suit, and has gone on the record to say that the federal government should be exploring greater use of cloud computing where appropriate. Government storefronts for Cloud-based applications, such as Apps.gov, are being stood up in support of this goal. As Vivek Kundra has stated, the major challenge they face in making cloud computing a reality is security and privacy.

With this and an influx of government customers approaching Layer 7 for advice to deal with their cloud computing security and privacy challenges, I have been reading any cloud computing literature I can get my hands on. Although there is some good information coming out of the Cloud Security Alliance, NIST, and from industry sources, there is still a lack of sufficient detail on the topic of security and privacy to allow government customers to move forward smartly with cloud computing.

The fundamental shift from traditional IT to Cloud-based IT is that enterprises are moving away from a model where they control all aspects of application delivery to a model where a large portion of the governance associated with an application's deployment and the run-time characteristics of a service is controlled by the cloud provider. This is a significant move for the government, which has traditionally kept its IT close and its data even closer. One of the biggest questions is "How do I do Identity and Access Control and Management in the cloud?", and that is a very good question.

There are a number of challenges associated with cloud computing and identity, access control and management, none of which have simple solutions. Challenges in provisioning identities for the cloud, storing identities so that the cloud has access to them, and enforcing fine-grained or even coarse-grained access control in the cloud are all issues that have been resolved in the enterprise but require a new way of thinking when addressing them in cloud computing.

In the coming weeks, I will write a series of blog posts to flesh out the concept of identity and access management in cloud computing, beginning next week with a description of cloud computing integration patterns.