access control
26 TopicsThe Problem with Consumer Cloud Services...
…is that they're consumer #cloud services. While we're all focused heavily on the challenges of managing BYOD in the enterprise, we should not overlook or understate the impact of consumer-grade services within the enterprise. Just as employees bring their own devices to the table, so too do they bring a smattering of consumer-grade "cloud" services to the enterprise. Such services are generally woefully inappropriate for enterprise use. They are focused on serving a single consumer, with authentication and authorization models that support that focus. There are no roles, generally no group membership, and there's certainly no oversight from some mediating authority other than the service provider. This is problematic for enterprises as it eliminates the ability to manage access for large groups of people, to ensure authority to access based on employee role and status, and provides no means of integration with existing ID management systems. Integrating consumer-oriented cloud services into enterprise workflows and systems is a Sisyphean task. Cloud-services replicating what has traditionally been considered enterprise-class services such as CRM and ERP are designed with the need to integrate. Consumer-oriented services are designed with the notion of integration – with other consumer-grade services, not enterprise systems. They lack even the most rudimentary enterprise-class concepts such as RBAC, group-based policy and managed access. SaaS supporting what are traditionally enterprise-class concerns such as CRM and e-mail have begun to enable the integration with the enterprise necessary to overcome what is, according to survey conducted by CloudConnect and Everest Group, the number two inhibitor of cloud adoption amongst respondents. The lack of integration points into consumer-grade services is problematic for both IT – and the service provider. For the enterprise, there is a need to integrate, to control the processes associated with, consumer-grade cloud services. As with many SaaS solutions, the ability to collaborate with data-center hosted services as a means to integrate with existing identity and access control services is paramount to assuaging the concerns that currently exist given the more lax approach to access and identity in consumer-grade services. Integration capabilities – APIs – that enable enterprises to integrate even rudimentary control over access is a must for consumer-grade SaaS looking to find a path into the enterprise. Not only is it a path to monetization (enterprise organizations are a far more consistent source of revenue than are ads or income derived from the sale of personal data) but it also provides the opportunity to overcome the stigma associated with consumer-grade services that have already resulted in "bans" on such offerings within large organizations. There are fundamentally three functions consumer-grade SaaS needs to offer to entice enterprise customers: Control over AAA Enterprises need the ability to control who accesses services and to correlate with authoritative sources of identity and role. That means the ability to coordinate a log-in process that primarily relies upon corporate IT systems to assert access rights and the capability of the cloud-service to accept that assertion as valid. APIs, SAML, and other identity management techniques are invaluable tools in enabling this integration. Alternatively, enterprise-grade management within the tools themselves can provide the level of control required by enterprises to ensure compliance with a variety of security and business-oriented requirements. Monitoring Organizations need visibility into what employees (or machines) may be storing "in the cloud" or what data is being exchanged with what system. This visibility is necessary for a variety of reasons with regulatory compliance most often cited. Mobile Device Management (MDM) and Security Because one of the most alluring aspects of consumer cloud services is nearly ubiquitous access from any device and any location, the ability to integrate #1 and #2 via MDM and mobile-friendly security policies is paramount to enabling (willing) enterprise-adoption of consumer cloud services. While most of the "consumerization" of IT tends to focus on devices, "bring your own services" should also be a very real concern for IT. And if consumer cloud services providers think about it, they'll realize there's a very large market opportunity for them to support the needs of enterprise IT while maintaining their gratis offerings to consumers.249Views0likes1CommentHP Discover and what F5 bring to the party
There are only a couple of weeks to go before HP Discover, taking place this year in Frankfurt on 4-6 December. HP is a big organisation with lots of end user and vendor touchpoints. The short video below, by F5's Alasdair Pattinson, lays out the main ways in which F5 and HP collaborate, namely in data centre consolidation projects, Bring Your Own Device initiatives, and smoothing and securing implementations of Microsoft Exchange.219Views0likes0CommentsDNSSEC – the forgotten security asset?
An interesting article from CIO Online last month explained how DNS had been used to identify over 700 instances of a managed service provider’s customers being infected with malware. The MSP was able to determine the malware using DNS. As the article points out, a thirty year old technology was being used to defeat twenty-first century computer problems. In short DNS may be a viable means of identifying infections within networks quicker, because as well as security apps relying on DNS, the attackers do as well. DNS however still comes with its own unique security approach. The signature checking procedures outlined in the Domain Name System Security Extensions (DNSSEC) specifications were deemed adequate for the protocols surrounding domain resolution. While the certificates offer security that is authenticated, the data is not encrypted, meaning that data is not confidential. The other problem with DNSSEC is that in the event of Distributed Denial of Service (DDOS) DNS Amplification attack on a DNS server, the processing of validation requests adds to the processor usage and contributes to slowdown. DNSSEC does, however, provide protection against cache poisoning and other malicious activities and remains part of the network security arsenal. At F5, our solution for the DNSSEC load problem was to integrate our DNSSEC to our BIG-IP Global Traffic Manager. The traffic manager handles all of the overhead processing requirements created during a DDOS DNS Amplification attack. The result is that the DNS Server can be left to function with no performance limitation. On top of this the F5 solution is fully compliant with international DNSSEC regulations imposed by governments, organisations and domain registrars. While DNSSEC may seem mature and even outdated for its security specifications, the correct application of technology, such as F5’s BIG-IP Global Traffic Manager delivers peace of mind over security, performance, resource and centralised management of your DNS.232Views0likes0CommentsContext. SDN. Big Data. Security. Cloud.
That's right, something for everyone. F5 recently attended IP Expo in the UK. We had some speaker sessions at the event - some readers might have come along and seen them live. The event organisers did a nice job of filming the slots along with the slideware presented, and here they are: THE NETWORK FIREWALL IS REDUNDANT (NATHAN PEARCE) BIG DATA - A CONTEXTUAL GOLDMINE (NATHAN PEARCE) KEEPING APPLICATIONS RUNNING SMOOTHLY FROM THE CLOUD (NATHAN PEARCE) AUTOMATION & ORCHESTRATION - KEY REQUIREMENTS FOR SOFTWARE DEFINED DATA CENTRES (KEVIN WARE-LANE)212Views0likes0CommentsVMworld 2012 Europe - Strobel's Scribblings, Part IV
The last installment...sniff...from F5's Frank Strobel at VMworld in Barcelona: One man's end is another's beginning... While VMworld EMEA 2012 came to an end today, something else saw its first light: @F5VMW The latest member to the F5 Twitter family was created to allow you - our valued user community - to better follow all news related to F5 and VMware. So, if you are not a follower yet, this is a great time to become one. We will be sharing updates on new solutions, new product integrations, tips & tricks including the latest from F5's own DevCentral, and - last but not least - updates from events such as VMworld, VMUGs, and many others. One of our first tweets from @F5VMW was a retweet about Charlie Cano's breakout session which took place today: Solving the Application Provisioning Nightmare: Integrating vSphere and vCloud Director with Your Application Delivery Networking Services (SPO2069). Together with Adina Simu from VMware, Charlie gave a repeat performance of this session from VMworld in San Francisco earlier this year. F5's deep integration with the vCloud Ecosystem Framework (vCEF) through VMware Ready for Networking & Security allows for an easier, automated, and seamless deployment of Application Delivery Networking (ADN) services by means of API-level communication between F5's management solution and VMware's vShield Manager. The ability to easily deploy vApps and the associated application delivery services in vSphere or vCloud Director using iApps has created a lot of interest with the VMworld attendees, both during the breakout session and during conversations at the booth. Click here to learn more about the VMware Ready Networking & Security program. So, while we say adios to Barcelona, we won't have to say farewell. Rumor has it that we will be returning to this beautiful city by the sea next year...171Views0likes0CommentsVMworld 2012 Europe - Strobel's Scribblings, Part III
More from Frank Strobel, live from VMworld 2012 in Barcelona. Today, 16,000 feet and a tale of two booths... At the end of another 10+ hour day at VMworld in Barcelona, my feet started hating me. At least, they clearly express their displeasure about being used too much. At the same time, however, there are 16,000 feet here interested in our story. Countless of those feet found their way to our booth today. And, speaking of booths, there are some that seem to be always full of attendees and some that are not so much. Can you guess from the pictures which of those are F5's? Many of the visitors to our booth asked about yesterday's VXLAN announcement and we were excited to share our plans with them. In addition, Charlie Cano co-presented with Adina Simu from VMware in a repeat performance from VMworld in San Francisco. Their joint presentation, vCloud Networking: an Extensible and Open Platform, was a technical deep dive describing the wealth of offerings the vCloud Ecosystem Framework provides from known vendors in the virtual data center realm, with easy provisioning, flexible insertion points, and automated lifecycle. Here’s a photo of Charlie in action! Last but not least, as I have shared with you in previous blog entries, F5's support for VMware View continues to grow. The latest member of the family is the Branch Office Desktop solution that the View team announced at VMworld just yesterday. Once more we asked Lori Mac Vittie to help us understand what F5 is doing and, more importantly, how this is beneficial to customers deploying remote and branch office desktops. Please find Lori's latest blog entry here: Bye Bye Branch Office Blues As we are wrapping up the business day in Barcelona, we are looking forward to tonight's party. Although, my feet have already told me that dancing is out of the question. No Flamenco for this VMworld attendee...190Views0likes0CommentsVMworld 2012 Europe - Strobel's Scribblings, Part II
Part II from our man on the ground, Frank Strobel, at VMworld Europe 2012 in Barcelona: What do motorcycles, tapas, and F5 have in common? Well, yes, that would be VMworld EMEA 2012. Let me explain... Today was the first full day of VMworld and we introduced the new F5 look & feel to EMEA. Not only do we have a beautiful new color scheme for our booth that aligns with the recently re-designed F5.com web site but we updated our messaging as well. The primary areas of focus are Orchestration, Management, and Control. One significant contribution to providing our customers with more control in their virtualized environments is F5's support for VMware's VXLAN we announced today. To gain a better understanding of what this means, please check out the blog entry from the fabulous Lori Mac Vittie:Getting You One Step Closer to a SDDC or F5’s latest press release here. As for motorcycles, we have a fun simulator in our booth. Come check us out at G100 and drive a Harley Davidson Fat Boy. Everyone is a winner and there are some special prizes for those driving the quickest lap! So, that leaves us with tapas. Those really have nothing to do with VMworld but because I love to eat, I thought that I should mention them. They are really, really good and the thought about enjoying another lovely dinner makes the long day at the event go by a little bit faster...199Views0likes0CommentsOf Escalators and Network Traffic
Escalators are an interesting first world phenomenon. While not strictly necessary anywhere, they still turn up all over in most first-world countries. The key to their popularity is, no doubt, the fact that they move traffic much more quickly than an elevator, and offer the option of walking to increase the speed to destination even more. One thing about escalators is that they’re always either going up, or down, in contrast to an elevator which changes direction with each trip. The same could be said of network traffic. It is definitely moving on the up escalator, with no signs of slackening. The increasing number of devices not just online, but accessing information both inside and outside the confines of the enterprise has brought with it a large increase in traffic. Combine that with increases in new media both inside and outside the enterprise, and you have a spike in growth that the world may never see again. And we’re in the middle of it. Let’s just take a look at a graph of Internet usage portrayed in a bit of back-and-forth between Rob Beschizza of Boing Boing and Wired magazine. This graphic only goes to 2010, and you can clearly see that the traffic growth is phenomenal. (side note, Mr. Beschizza’s blog entry is worth reading, as he dissects arguments that the web is dead) As this increase impacts an organization, there is a series of steps that generally occurs on the path to Application Delivery Networking, and it’s worth recapping here (note, the order can vary). First, an application is not performing. Application load balancing is brought in to remedy the problem. This step may be repeated, with load balancing widely deployed before... Next, Internet connections are overloaded. Link load balancing is brought in to remedy the problem. Once the enterprise side is running acceptably, it turns out that wireless devices – particularly cell phones – are slow. Application Acceleration is brought in to solve the problem. Application security becomes an issue – either for purchased packages exposed to the world, or internally developed code. A web application firewall is used to solve the problem. Remote backups or replication start to slow the systems, as more and more data is collected. WAN Optimization is generally brought in to address the problem. For storefronts and other security-enabled applications, encryption becomes a burden on CPUs – particularly in a virtualized environment. Encryption offloading is brought in to solve the problem. Traffic management and access control quickly follow – addressed with management tools and SSL VPN. That is where things generally sit right now, there are other bits, but most organizations haven’t finished going this far, so we’ll skip the other bits for now. The problem that has even the most forward-thinking companies mostly paused here is complexity. There’s a lot going on in your application network at this point, and the pause to regain control and insight is necessary. An over-arching solution to the complexity that these steps introduce is, while not strictly necessary, a precursor to further taking advantage of the infrastructure available within the datacenter (notice that I have not discussed multi-data center or datacenter to the cloud in this post), some way to control all of this burgeoning architecture from a central location. Some vendors – like F5 (just marketing here) – offer a platform that allows control of these knobs and features, while other organizations will have to look to products like Tivoli or OpenView to tie the parts together. And while we’re centralizing the management of the application infrastructure, it’s time to consider that separate datacenter or the cloud as a future location to include in the mix. Can the toolset you’re building look beyond the walls of the datacenter and meet your management and monitoring needs? Can it watch multiple cloud vendors? What metrics will you need, and can your tools get them today, or will you need more management? All stuff to ask while taking that breather. There’s a lot of change going on and it’s always a good idea to know where you’re going in the long run while you’re fighting fires in the short run. The cost of failing to ask these questions is limited capability to achieve goals in the future – eg: more firefighting. And IT works hard enough, let’s not make it harder than it needs to be. And don’t hesitate to call your sales rep. They want to give you information about products and try to convince you to buy theirs, it’s what they do. While I can’t speak for other companies, if you get on the phone with an F5 SE, you’ll find that they know their stuff, and can offer help that ranges from defining future needs to meeting current ones. To you IT pros, I say, keep making business run like they don’t know you’re there. And since they won’t generally tell you, I’ll say “thank you” for them. They have no idea how hard their life would be sans IT.193Views0likes0CommentsVMworld 2012 Europe - Strobel's Scribblings, Part I
The first of what will be a series of reports from Barcelona...F5's Frank Strobel wraps-up Day Zero's events: ---------- VMworld EMEA 2012 – more exciting news from F5 At the evening prior to the start of the 2012 edition of VMworld EMEA, the F5 team is getting ready for another successful event - this time in beautiful Barcelona, Spain. No offense, Copenhagen, but the combination of sunshine, tapas, Sangria, and the Mediterranean has you beat. Earlier today we held a vmLIVE session with over 700 VMware channel partners in attendance (a new record for us!) interested in learning about what F5 can deliver in support of the Mobile Secure Desktop . Clearly, this is a hot topic and one that we will focus on during VMworld EMEA with a theater presentation in the solution exchange (Enhancing the User Experience for Multi-Pod VMware View Deployments -Tuesday, October 9th, 12:30pm) and our live demo in the booth. If you are evaluating VMware View for your VDI needs, you might want to consider paying us a visit to learn more. Also, today, we held a joint breakout session with VMware during the TAP pre-event day presenting on the VMware vCloud Automated Networking Framework: Network Extensibility (TEX1899) together with Ravi Neelakant. Charlie Cano delivered another standing room only performance. Those who have seen Charlie present before know why he draws large crowds. You will have a chance on Thursday to witness Charlie’s presentations skills during his own breakout sessions (SPO2069 - Solving the Application Provisioning Nightmare: Integrating vSphere and vCloud Director with Your Application Delivery Networking Services). Last but not least, stay tuned for more exciting news coming from F5 tomorrow. You don’t want to miss that one for sure. So, feel free to come by F5’s stand, G100, to check out our latest solutions and to participate at our really cool Motorcycle racing game. And, as always, there are cool prizes to be had… Viva Espana, Viva VMworld!213Views0likes0CommentsPolicy is key for protection in the cloud era
Today, companies host mission-critical systems such as email in the cloud, which contain both customer details, company-confidential information and without which, company operations would grind to a halt. Although cloud providers were forced to reconsider their security and continuity arrangements after the large cloud outages and security breaches last year, cloud users still have a number of challenges. Unless organisations work with a small, specialist provider, it is unlikely that they can guarantee where their data is stored, or the data handling policies of the cloud provider in question. Organisations frequently forget that their in-house data policies simply will not be exported to the cloud with their data. Authentication, authorisation and accounting services (AAA) are often cited as major concerns for companies using cloud services. Organisations need assurance of due process of data handling, or else a way to remove the problem so that they lose no sleep over cloud. Aside from problems with location, one of the main problems with cloud is that it does not lend itself to static security policy. For example, one of the most popular uses of cloud is cloudbursting, where excess traffic is directed to cloud resources to avoid overwhelming in-house servers, to spread traffic more economically or to spread the load when several tasks of high importance are being carried out at once. Firm policies about what kind of data can be moved to the cloud, at what capacity threshold, and any modifications which need to be made to data all need to be considered in a very short space of time. All of this needs to be accomplished whilst keeping data secure in transit, and with minimal management to avoid overloading IT managers at already busy times. Furthermore, organisations need to consider AAA concerns, making sure that data is kept in the right hands at all times. Organisations need to secure applications, regardless of location, and to do this, they need to be able to extend policy to the cloud to make sure that data stays safe, wherever it is. Using application delivery control enables companies to control all inbound and outbound application traffic, allowing them to export AAA services to the cloud. They should also make sure that they have a guarantee of secure tunnelling (i.e. via VPNs) which will make sure that data is secure in transit, as well as confirming that only the right users have access to it. Using some kind of secure sign on such as via two-factor authentication can also make sure that the right users are correctly authorised. In future, organisations may begin to juggle multiple cloud environments, balancing data between them for superior resilience, business continuity and pricing offers – often referred to as ‘supercloud’ - and this can be extremely complex. As company usage of cloud becomes more involved, managing and automating key processes will become more important so that cloud is an asset, rather than a millstone around the neck of IT departments.223Views0likes0Comments