Monthly Archives: November 2009

How Secure is Cloud Computing?

Technology Review has published an interview with cryptography pioneer Whitfield Diffie that is worth reading. I had the great pleasure of presenting to Whit down at the Sun campus. He is a great scientist and a gentleman.

In this interview, Diffie, who is now a visiting professor at Royal Holloway, University of London, draws an interesting analogy between cloud computing and air travel:

“Whitfield Diffie: The effect of the growing dependence on cloud computing is similar to that of our dependence on public transportation, particularly air transportation, which forces us to trust organizations over which we have no control, limits what we can transport, and subjects us to rules and schedules that wouldn’t apply if we were flying our own planes. On the other hand, it is so much more economical that we don’t realistically have any alternative.”

Diffie makes a good point: taken as a whole, the benefits of commodity air travel are so high that it allows us to ignore the not insignificant negatives (I gripe as much as anyone when I travel, but this doesn’t stop me from using the service). In the long term, will the convenience of cloud simply overwhelm the security issues?

The history of computing, of course, is a history full of such compromise. Right now we are in the early days of cloud computing, where all of us in the security community are sniping at the shortcomings of the technology, the process, the legal and regulatory issues, and anything else that appears suspect. But truthfully, this is the ultimate low-hanging fruit. Identifying problems with the cloud is effortless; offering real solutions is considerably harder.

Not surprisingly, Diffie offers a real solution, which is to look hard at trusted platforms. In the end, convenience will sweep over us all, so it is important to quickly establish the best secure baseline we can. The secure base for cloud computing needs to become like aircraft maintenance schedules: something that is a given part of the process and an important component that allows us to reasonably invest trust in the system as a whole.


I Went for Coffee and RDS was Waiting for Me When I Returned

Here at Layer 7, we’ve been really excited about Amazon’s Relational Data Service (RDS) ever since they announced it last month. RDS is basically a managed MySQL v5.1 instance running in the Amazon infrastructure. The point of RDS is to provide another basic service that we all need all of the time, managed within the AWS ecosystem. It offers some great scaling options (in terms of instance sizing), but best of all, it provides automatic snapshotting of database instances. This revolutionizes EC2 because it solves the nagging persistence problem that we all face when we terminate instances. We’ve all come up with clever ways of dealing with this using S3 and EBS, but now it’s gotten much easier.

Since RDS is really MySQL under the covers, I had been hearing that it’s pretty easy to port to. We’ve been itching to play with it here, using Layer 7’s SecureSpan Gateway AMI that runs in EC2. Unfortunately, this fall has been really busy, so none of us have had an opportunity to play with it until now.

The inimitable Jay Thorne, who is a musician first but holds down a day job here as Director of Development for the Tactical group, finally cleared an afternoon to put RDS through its paces. I had to step out for coffee with another of our execs, which turned into a longer-than-expected discussion. But by the time I got back, Jay was done: SecureSpan using persistent Amazon RDS storage. Hello, cloud registry/repository…

Here’s Jay’s summary, which I think speaks for itself:

Total elapsed time: 1.25 hours
Number of pdf documents read: 1
Number of web pages read: 3
Number of command copy/pastes from doc: 6
Number of dbs created by mistake until I got the zoning right: 2
Number of mistyped credentials until I learned to use a creds file: 7
Number of dumpfiles created source side: 1
Number of times I had to import to get it right: 1
Number of characters in the hostname of the db: 50
Number of hosts I put in the db firewall allow list: 1
Number of sets of user credentials I created: 1
Number of lines in our internal wiki article I wrote about this: 35
Number of bangs on the keyboard in frustration: 0
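The steps behind Jay’s tally (creds file, single allowed host, one dump, one import), reconstructed as an added shell example that is not Jay’s or Layer 7’s own script: the password lives in a mode-600 MySQL option file read via --defaults-extra-file, so it never appears on the command line, in shell history or in ps output. The endpoint hostname, database and user names are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): dump a source MySQL database and
# import it into an RDS instance without putting credentials on the command line.
# Hostname, database and user are placeholders; the real RDS endpoint is ~50 chars.
RDS_HOST="mydb.PLACEHOLDER-ID.us-east-1.rds.amazonaws.com"   # placeholder endpoint
DB_NAME="appdb"                                                # placeholder
DB_USER="appuser"                                              # placeholder
DUMP_FILE="appdb.sql"

# Write a MySQL option file readable only by the current user. mysqldump and
# mysql read it with --defaults-extra-file, so the password stays out of argv.
write_creds_file() {
  file="$1"; host="$2"; user="$3"; pass="$4"
  old_umask=$(umask)
  umask 077                       # file is created with mode 0600
  printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' "$host" "$user" "$pass" > "$file"
  umask "$old_umask"
}

# Refuse to proceed unless the option file is private (mode -rw-------).
creds_file_ok() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Build the commands as strings so they can be reviewed before being run.
# --single-transaction gives a consistent InnoDB dump without locking tables.
dump_cmd()   { printf 'mysqldump --defaults-extra-file=%s --single-transaction %s > %s' "$1" "$2" "$3"; }
import_cmd() { printf 'mysql --defaults-extra-file=%s %s < %s' "$1" "$2" "$3"; }

# One dump on the source side, one import into RDS. The RDS DB security group
# should allow only the host running this import (the "1 host" in the tally);
# that step is done with the RDS tools and is not shown here.
migrate() {
  src_creds="$1"; dst_creds="$2"
  creds_file_ok "$src_creds" && creds_file_ok "$dst_creds" || return 1
  sh -c "$(dump_cmd "$src_creds" "$DB_NAME" "$DUMP_FILE")" &&
  sh -c "$(import_cmd "$dst_creds" "$DB_NAME" "$DUMP_FILE")"
}
```

Typical use: write one creds file for the source host and one for the RDS endpoint, then call migrate with both paths.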


Webinar Available: New Security Model Requirements for the Cloud

Last week, Anne Thomas Manes, Research Director from Burton, and I did a webinar entitled New Security Model Requirements for the Cloud. It’s probably generated the most feedback of any webinar I’ve done. It’s now online, so have a look at it here.

Abstracting Cloud Gateways

Ben Kepes, from the excellent CloudAve blog, wrote an entry about Layer 7’s strategy in the cloud. We had a good talk about Layer 7’s new Amazon AMI image, which is available right now in the Amazon Marketplace. CloudAve has been on my blogroll for a while, and I was quite pleased to talk to one of its contributors.

The best thing about technology isn’t actually the tech but the people you meet along the way. This industry is full of interesting people who understand how to make technology work for them. Ben seems to be one of those people. He and his family live on a small farm he built himself down in New Zealand, and from this base he’s fully engaged in the ebb and flow of the tech world. Check out his blog at

Podcast: How to Ultimately Secure the Cloud

I had a great discussion with Mike Vizard of CTOEdge the other day about how to secure the cloud. I was joking with Mike afterward that I had tried to avoid delivering any overt vendor message because this is such an important topic. Nevertheless, some SecureSpan-specific features had leaked into the discussion. He thought that I had actually done better than most: it turns out I was 18 minutes into it before I slipped into vendor-speak.

You can judge for yourself. Listen to the podcast here.