Tag Archives: cloud computing

Abstracting Cloud Gateways

Ben Kepes, from the excellent CloudAve blog, wrote an entry about Layer 7’s strategy in the cloud. We had a good talk about Layer 7’s new Amazon AMI image, which is available right now in the Amazon Marketplace. CloudAve has been on my blogroll for a while, and I was quite pleased to talk to one of its contributors.

The best thing about technology isn’t actually the tech but the people you meet along the way. This industry is full of interesting people who understand how to make technology work for them. Ben seems to be one of those people. He and his family live on a small farm he built himself down in New Zealand, and from this base he’s fully engaged in the ebb and flow of the tech world. Check out his blog at diversity.net.nz.

Podcast: How to Ultimately Secure the Cloud

I had a great discussion with Mike Vizard of CTOEdge the other day about how to secure the cloud. I was joking with Mike afterward that I had tried to avoid delivering any overt vendor message because this is such an important topic. Nevertheless, some SecureSpan specific features had leaked into the discussion. He thought that I had actually done better than most: it turns out I was 18 minutes into it before I slipped into vendor-speak.

You can judge for yourself. Listen to the podcast here.


Clouds May Be Big, But You Should Start Small

James Urquhart, from Cisco, published a review of the US Government’s recently announced cloud initiative. I had the pleasure of sharing a panel with James recently at GigaOm Structure, and his CNET column should be on your must-read list if clouds are of interest to you.

In this article, James makes an interesting point that the government is really following the “Adopt at your own pace mentality” with respect to cloud. Obviously this isn’t about moving IT completely into the cloud–let’s face it, governments, of all organizations, hold data that will always be inappropriate for public cloud deployment. But it does demonstrate that a perfectly reasonable strategy is to create the opportunity to move select applications into the cloud (such as blogs, as the article mentions), and provide a mechanism so that these can coexist with existing internal IT. This is the so-called hybrid approach (particularly if there is a private cloud as part of the “internal” deployment).

But hybrid clouds face a big problem. To be useful, there must be secure communications between internal applications and new services deployed in the public (or semi-public) cloud. Amazon recently announced its Virtual Private Cloud initiative to address this issue. I was encouraged by their efforts; clearly, Amazon is taking the hybrid model very seriously–no doubt they’ve had a lot of customers asking them to solve this problem. However, I do question the strategy of deploying a VPN tunnel between internal IT and a public cloud. Despite efforts to secure and make private the operating environment of the public cloud, the VPN solution remains a risky proposition.

The trouble with VPNs is that they are indiscriminate over traffic. The trust model of VPNs is based on both ends being equally secure. A VPN makes sense when you integrate a branch office into your central corporate network, as the latter is subject to the same corporate security standards and policy. It can be dangerous if the remote site is one where you have any less control over the entire security model, as is the case in the cloud. Imbalance in security implementation is an opportunity for attack. If a single application on the cloud side is compromised, a system cracker can then leverage the VPN tunnel to get full access into the internal network. (This same problem exists with conventional VPNs and laptops, and believe me, it keeps security guys up at night.)

A better solution is to constrain communications on a service-by-service basis, managed under policy control. That way, if a system is compromised, it provides limited opportunity to launch a further attack. Here you are creating zones of trust between services, which is much more finely grained and deliberately constrained. The Layer 7 version of the secure hybrid model looks like this:

cloud VPN

Here, virtual and physical SecureSpan appliances coordinate communications between internal applications and services residing in the cloud. All transactions are managed under policy control. They are rigorously monitored, scrubbed for threats, and constrained to the appropriate parties. Architectures like this allow organizations of any size to move at their own pace into the cloud. It’s a model we’ve been advocating for some time. SecureSpan is already the security foundation of what is arguably the largest private cloud in the world, which is an existing government initiative that predates this latest announcement.

Is Cloud Computing Secure? Prove It

I had a discussion with Wayne Rash the other day about security in cloud computing. He followed up with an excellent article in eWeek with the provocative title Is Cloud Computing Secure? Prove It. I’d encourage you to have a look; Wayne spoke to a number of well-known people in the industry, and they offer up some valuable insights in his piece.

Wayne is interesting to talk to. He’s a retired naval officer who has been in the IT business long enough to have earned a very broad perspective. Cloud has a lot of roots in earlier technologies (virtualization, time sharing, ASPs, outsourced data centres, etc). I find that it’s always instructive to discuss cloud computing with people like him who recognize not just the similarities, but also the differences between cloud and its antecedents.

If you ever meet Wayne, be sure and ask him about his experiences with Rear Admiral Grace Hopper.

Avoiding the Toll Road into the Cloud

I have a new article I co-wrote with Andrew Finall and Jay Thorne now published on GigaOm. It’s about leased lines to the cloud, an especially timely topic given yesterday’s announcement from Amazon about its Virtual Private Cloud service (more on this in an upcoming post).

Cloud Use Cases

Where does Layer 7 play in the cloud?

Here are the three basic scenarios we see all the time here at Layer 7 with our cloud customers:

1. Governing Access to External Cloud Apps

Problem: Employees can access cloud services with only a credit card and a browser

Solution: Use Layer 7 SecureSpan Gateway clusters to enforce policy and provide a consistent on-ramp to cloud services.

  • Control employee access
  • Maintain authoritative usage records
  • Provide a simple on-ramp for cloud services (apply cloud-specific security decorations, etc)

Deployment: Physical appliances for extremely high performance (featuring accelerated cryptography, hardware key management (HSM), and XML processing), software installation on existing server infrastructure, or virtual appliances deployed on commodity hardware. Deploy in clusters for policy synchronization and ease of administration.

Scenario 1

2. Governing Cloud Apps That Need Access to Internal Resources

Problem: Cloud applications (such as Salesforce.com) need access to internal resources (like directories, legacy databases, mainframes, etc).

Solution: Use Layer 7 SecureSpan Gateway clusters in the DMZ to ensure that only authorized external services (and identities) are permitted access to mission-critical internal systems.

  • Authentication
  • Fine-grained authorization
  • Identity mapping
  • Threat detection
  • SLA enforcement (for example, throttling access rate to servers)
  • Automated internal failover

Deployment: Deploy SecureSpan Gateways in the DMZ to provide secure, managed access to internal network resources. Use hardware appliances for extremely high performance (featuring accelerated cryptography, hardware key management (HSM), and XML processing), software installation on existing server infrastructure, or virtual appliances deployed on commodity hardware. Deploy in clusters for policy synchronization and ease of administration.
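The contrast drawn earlier between an indiscriminate VPN tunnel and service-by-service policy control, together with the gateway functions listed for this scenario (authentication, fine-grained authorization, identity mapping, threat detection and rate throttling), is easiest to see in code. The following is an added illustration written for this page; it is not SecureSpan code and does not represent Layer 7's policy language. The credentials, identities, the "directory" and "mainframe" service names, the rate limit and the threat-screening rules are all constructed for the example.

```python
import re
import time
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from any real deployment).
# Token presented by the cloud-side application -> external identity.
CREDENTIALS = {"key-crm-7f3a": "crm-app"}
# External identity -> internal account the gateway forwards the call under.
IDENTITY_MAP = {"crm-app": "svc_crm_ro"}


@dataclass(frozen=True)
class Rule:
    """One policy entry: which identity may call which service, how, and how often."""
    identity: str
    service: str
    operations: frozenset
    rate_per_minute: int


# Hypothetical policy: the CRM app may only perform read-only directory lookups.
# Nothing else on the internal side is reachable from the cloud zone.
POLICY = (
    Rule("crm-app", "directory", frozenset({"lookup"}), rate_per_minute=3),
)


@dataclass
class Request:
    token: Optional[str]
    service: str
    operation: str
    body: str = ""


def vpn_tunnel_decision(request: Request, inside_tunnel: bool) -> tuple:
    """The VPN trust model: anything arriving over the tunnel is treated as internal.
    A compromised cloud host on the tunnel can therefore reach every service."""
    if inside_tunnel:
        return True, "forwarded: tunnel peer is trusted for every service"
    return False, "dropped: not on the tunnel"


class PolicyGateway:
    """Service-by-service enforcement point between the cloud zone and internal systems."""

    def __init__(self, policy, clock=time.monotonic):
        self._policy = policy
        self._clock = clock            # injectable for deterministic testing
        self._windows = {}             # (identity, service) -> deque of call timestamps

    def decide(self, request: Request) -> tuple:
        # 1. Authentication: with an unknown or missing credential nothing is reachable.
        identity = CREDENTIALS.get(request.token or "")
        if identity is None:
            return False, "denied: authentication failed"
        # 2. Fine-grained authorization: an explicit rule is needed per identity and service.
        rule = next((r for r in self._policy
                     if r.identity == identity and r.service == request.service), None)
        if rule is None:
            return False, f"denied: {identity} has no policy for {request.service}"
        if request.operation not in rule.operations:
            return False, f"denied: {request.operation} not permitted on {request.service}"
        # 3. Threat screening: crude illustrative payload checks before anything is forwarded.
        if self._looks_hostile(request.body):
            return False, "denied: payload failed threat screening"
        # 4. SLA enforcement: sliding one-minute window per identity and service.
        if not self._within_rate(identity, request.service, rule.rate_per_minute):
            return False, "denied: rate limit exceeded"
        # 5. Identity mapping: forward under the internal account, never the external one.
        return True, f"forwarded as {IDENTITY_MAP[identity]} -> {request.service}.{request.operation}"

    @staticmethod
    def _looks_hostile(body: str) -> bool:
        # Oversized bodies and inline DTDs (entity expansion / external entities) are refused.
        return len(body) > 4096 or re.search(r"<!DOCTYPE", body, re.IGNORECASE) is not None

    def _within_rate(self, identity: str, service: str, limit: int) -> bool:
        now = self._clock()
        window = self._windows.setdefault((identity, service), deque())
        while window and now - window[0] >= 60:
            window.popleft()           # drop calls older than the window
        if len(window) >= limit:
            return False
        window.append(now)
        return True


if __name__ == "__main__":
    gw = PolicyGateway(POLICY)
    for req in (Request("key-crm-7f3a", "directory", "lookup"),
                Request("key-crm-7f3a", "mainframe", "read"),
                Request(None, "directory", "lookup")):
        print(req.service, req.operation, "->", gw.decide(req))
        print("  VPN would say:", vpn_tunnel_decision(req, inside_tunnel=True))
```

The point of the two decision functions side by side is the blast radius: under `vpn_tunnel_decision` a compromised cloud host reaches the mainframe as readily as the directory, while under `PolicyGateway.decide` it can only do what its identity was explicitly granted, at the rate it was granted, and denied calls never consume the rate budget.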

Scenario 2

3. Cloud Application Security and Monitoring

Problem: How do you protect cloud applications?

Solution: Use Layer 7 SecureSpan Virtual Appliances to secure and manage all communications in or out of cloud applications.

  • Resident in-cloud
  • Automatic policy synchronization between other gateways
  • Rapid re-deployment and mapping of policy dependencies (IP addresses, etc) within cloud provider, or between cloud providers
  • Fine-grained service isolation
    • Secure container model or standalone gateway.

Deployment: Hardened and optimized virtual appliances deployed in the cloud. Appliances can be bound to individual machine images, or share responsibility for multiple image instances. Specific virtualized instances for VMWare or Xen-based clouds, or Amazon EC2.

Scenario 3

Why Choose Layer 7?

  • Experience in Cloud Technology: Layer 7 isn’t just another company jumping on the cloud bandwagon; we’ve been shipping fully supported, productized virtual appliances (not one-offs, nor proof-of-concepts) for over 2 1/2 years. Since the company’s founding in 2002, we have leveraged virtualization technologies. We draw on years of internal expertise in optimizing virtualized images and hardening base operating systems to create a trustworthy application base. SecureSpan is used as the security basis for countless military and intelligence applications. SecureSpan Gateways form the fundamental security infrastructure for the largest cloud project on the planet, which is run by the Department of Defense.
  • True Clustering Solution: Management of outgoing communications cannot become a bottleneck or a single point of failure. Layer 7 is the only vendor in this space that has a real clustering solution for scalability, fault tolerance, and ease of administration.
  • Multiple Deployment Options: Hardware appliance, software install, or virtual appliance. Choose what works best for your environment. Mix and match solutions at will.
  • Dynamic Policy Download: Layer 7 SecureSpan Gateways can automatically load policies from trusted downstream gateways or central repositories. We pioneered this use case between branch offices and home office, and it extends identically to the cloud.

More on this in a following post, including some actual customer deployment scenarios with SaaS providers like Salesforce.com.

Cloud will change the roles in IT

Anytime something is commoditized, jobs change. Cloud is no exception. As enterprises move applications into off-premises cloud infrastructure, jobs will inevitably be eliminated, and roles will change. We’ve observed this effect for many years at Layer 7. New technologies like SOA demand that people break out of existing roles and take on new vision and responsibilities. The silos and job descriptions that were developed over the years in traditional IT departments cannot easily function in SOA (or by extension, in cloud). This is a great opportunity for ambitious people to shine, but it also leaves people in its wake who can’t (or won’t) change with the times. When these people dig in and resist the change, they threaten the initiative and often stall the entire project. Cloud is going to face this significantly, particularly when it is being mandated from above.

Infoworld has an interesting article about how cloud will threaten certain IT jobs (and create new ones) here.

with the move to SOA is that new technology often demands entirely new roles and responsibilities be defined

Do Cloud Initiatives Come From IT or Corporate Mgmt?

Here’s a good example of how cloud initiatives will often be driven not by technical staff, but by management. Washington State Representative Reuven Carlyle is questioning the state IT department proposal for a traditional, $300M IT processing center in Olympia. He maintains that the proposal is not well thought through, and that the state (famously home to Amazon and Microsoft) should be instead looking at embracing cloud technologies.

I wrote about this in my white paper Steer Safely into the Clouds. Cloud is one of those rare technical trends that easily captures the imagination of non-technical organizational management. It’s just that accessible and compelling. My argument in the paper is that IT needs to be ready with a rigorous cloud strategy because the impetus to go to the cloud is likely to come from the boardroom, not the cubes.

More details here.

GigaOm Structure: Private Clouds

Celeste LeCompte wrote up a great piece on the panel about private clouds I participated in yesterday at GigaOm Structure 09. I’m happy to have contributed the line that became her headline.

George Gilbert moderated an absolutely power-packed panel that also included:

  • James Urquhart, Tech Strategist from Cisco
  • Chuck Hollis, VP and CTO of Global Marketing at EMC
  • Stephen Herrod, CTO and SVP R&D VMWare
  • Kia Behnia, CTO of BMC
  • Brandon Watson, Director of Azure Services Platform, Microsoft

Have a look at Celeste’s article, which also has the video of the event. I must say, I was really impressed with the GigaOm show. It was completely sold out (when was the last time you heard that happening?) and the level of organization of the tracks was really high. I’ve never spoken anywhere where they confiscated my phone before I got on stage (and for good reason–the production quality on the sound and video was top notch).

I was chatting briefly with AT&T’s Joe Weinman, who was the MC for the event (and whose dry-as-dust delivery was brilliant, BTW). He likened it to the Academy Awards for all the buzz and tech-celebrity attendance. Definitely the best show I’ve been to in recent memory.

eWeek: Managing Identity in the Cloud Podcast

I did a podcast recently with Mike Vizard of eWeek. Mike had some excellent questions around all the issues in managing identity and trust relationships in the cloud. This is one of those under-reported issues around cloud computing. Security always comes down to trust, and this is going to be the significant issue business faces as it moves applications out of its corporate network.

Listen to it here.