Cloud Security

Few things inspire a blogger to write blog posts than appealing to their ego and sense of humour. Despite concerted appearances to the contrary, it appears I too am susceptible.

Here we take a lesson in marketing brilliance from Novell…as they “take the drama out of Cloud Computing”…by bringing a slightly surreal blog post I wrote to the small stage/screen:

If the above doesn’t display for you, click An interpretation from the blog post: Are You Trying to Pin the Tail on the Cloud Donkey? by Craig Balding

Thanks to the actors for giving me a laugh out loud moment – commanding performances gents! :)

Cheers,
Craig

P.S For more hilarity, check out their Vimeo channel

Last week I attended SecureCloud 2010 in Barcelona, a conference dedicated to cloud computing and security, organised by the Cloud Security Alliance, ENISA, ISACA and IEEE.

This proved to be an excellent opportunity for deep dive conversations with others heavily involved with cloud security, both providers and users.

The conference was well run – particularly for a first time out. The presentations were a mixed bunch, which I felt reflected:

• the on-going open interpretation of the term “cloud” (and a few who insisted on muddying the waters by referring to traditional web hosting providers as “cloud providers” – eek!)
• the different stages that people are at with their understanding of cloud computing and security and
• the wide diversity of speakers present (a healthy thing in my book)..

I’m very glad I attended and was able to present the kick-off to Project Skylab.

A number of readers asked if the presentations would be recorded and made available to non-attendees. Unfortunately, they were not, so I’ve recorded the “home edition” version of my talk and make it available here.

The Skylab Project is aimed at IT and IT security professionals that are “cloud curious” and want to get their hands dirty in a relatively safe way (i.e. no business data involved). You could say its for the hobbyist security geek. This talk sets out the concept, design goals and plans for Project Skylab. Hence, this presentation is not about “cloud security” per se or “securing the cloud”. At most its about delivering a security related service (an demand security test lab) from the cloud. Check out my other cloud computing and security presentations if you’re looking for coverage of cloud security challenges.

Important notes:

• this is the “kick-off” of Skylab – not the “solution” stage (!)
• if you’re an old hand with IaaS services (including cloud overlay networks), I doubt you’ll learn anything new about cloud.

I plan to develop Skylab on an on-going basis. I’m also encouraging others to contibute their ideas (with full credit of course).

Finally, I’ve applied to speak at Brucon 2010 in September. If my application is successful I will present the first tried and tested incarnation of Skylab.

Please let me know if you enjoy this video (or not!) as this is the first time I’ve tried this. I welcome your feedback.

I’d like to thank Jim Reavis and his team for the excellent logistical support throughout the conference, along with the SecureCloud presentation committee for inviting me to speak.

Cheers,
Craig

P.S cloudsecurity.org now has a forum dedicated to discussions about cloud computing and security. There is also a dedicated board for Project Skylab communication.

Next Tueday and Wednesday I’ll be attending SecureCloud 2010 in Barcelona, Spain. This looks to be a very promising conference, totally focused on cloud computing and security. Admission is free, and the event is organised by the Cloud Security Alliance, ENISA, ISACA and IEEE.

On Wednesday, I’ll present “Skylab: How To Create A Simple Security Test Lab With No Hardware”. Here’s the blurb:

This presentation will be technical in nature and focus on how
security practitioners can leverage public IaaS clouds today, to create
an ad-hoc security test lab for both offensive and defensive security
research. We’ll explore prior use cases of cloud by security
researchers, define a simple test lab network architecture and
associated requirements, get an overview of existing IaaS capabilities
and the challenges you’ll face when replicating even relatively simple
network topologies (along with some workarounds). At the end of this
presentation, attendees will know how to build their own virtual skylab.

When I get back, I’ll upload my slides and explain more about Skylab.

If you’re attending, definitely come up and say hello.

Cheers,

Craig

Ask a room full of security professionals what cloud threats they are concerned with and you’ll get quite a variety of answers. Partly this stems from the widly varying definitions of “Cloud”, but also reflects their respective experience dealing with security threats faced by their organisation.

Maybe you think “insider threats” are the big issue, or perhaps you feel attacks against the shiny new attack surface offered by cloud providers is the big concern. Or you may look at things the other way round and feel that attacks against cloud clients are the most significant threat – especially given what we know about client side computing, mobile professionals and insecure WiFi setups.

Either way, here is a chance to express your view.

Right now, the Cloud Security Alliance (CSA) is seeking your input. They are currently finalising a paper for release at RSA 2010 next week, called the Top Threats to Cloud Computing. The CSA “top threats” working group is seeking wider input on the respective ranking of 7 specific cloud threats.

If you are a cloud user and/or security professional, I encourage you to take the 5 minute survey. Results will be collected at the end of this week.

Cloudsecurity.org is proud to be supporting the Global Security Challenge with their “Cloud Security Challenge” competition.

If you’ve a bright idea for cloud security or you know someone who has, this is an opportunity to grow it quickly.

The competition aims “to empower entrepreneurs in the security technology space.”

The Global Security Challenge team do this through running challenges that anyone with a clever idea and a decent business plan can enter. A panel of experts select the most promising security technology start-ups.

The winner of this challenge will receive a 10,000USD grant and mentorship from CapGemini. HP Labs in Bristol UK are sponsoring the event and offering use of their test-bed for up to 3 finalists.

Ultimately it may provide a path to additional funding — top contenders from previous challenges raised 57MM USD.

The competition is free to enter and the deadline is 15th March.

To learn more and submit your idea, visit the Global Security Challenge website

Let me know if you have any questions and I’ll do my best to get them answered.