access control
26 Topics

Videos from F5's recent Agility customer / partner conference in London
A week or so ago, F5 in EMEA held our annual customer / partner conference in London. I meant to do a little write-up sooner, but after an incredibly busy conference week I flew to F5's HQ in Seattle and didn't get round to posting there either. So... better late than never? One of the things we wanted to do at Agility was take advantage of the DevCentral team's presence at the event. They pioneered social media as a community tool, kicking off F5's DevCentral community (now c. 100,000 strong) in something like 2004. They are very experienced and knowledgeable about how to use rich media to get a message across. So we thought we'd ask them to do a few videos with F5's customers and partners about what drives them and how F5 fits in. Some of them are below, and all of them can be found here.

The IP Address – Identity Disconnect
The advent of virtualization brought about awareness of the need to decouple applications from IP addresses. The same holds true on the client side – perhaps even more so than in the data center.

I could quote The Prisoner, but that would be so cliché, wouldn’t it? Instead, let me ask a question: just which IP address am I? Am I the one associated with the gateway that proxies my mobile phone's web access? Or am I the one currently assigned to my laptop – the one that will change tomorrow because today I am in California and tomorrow I’ll be home? Or am I the one assigned to me when I’m connected via an SSL VPN to corporate headquarters? If you’re tying identity to IP addresses then you’d better be a psychiatrist in addition to your day job, because most users have multiple IP address disorder.

IP addresses are often utilized as part of an identification process. After all, a web application needs some way to identify a user that’s not supplied by the user. There’s a level of trust inherent in the IP address that doesn’t exist with my name or any other user-supplied piece of data because, well, it’s user supplied. An IP address is assigned or handed out dynamically by an unemotional, uninvolved technical process that does not generally attempt to deceive, dissemble, or trick anyone with the data. An IP address is simply a number. But given the increasingly dynamic nature of data centers, of cloud computing, and of users accessing web-based services via multiple devices – sometimes at the same time – it seems a bad idea to base any part of identification on an IP address that could, after all, change in five minutes. IP addresses are no longer guaranteed in the data center; that’s the premise of much of the work around IF-MAP, dynamic connectivity and Infrastructure 2.0, so why do we assume they would be on the client side? Ridonculous! The decoupling of IP address from identity seems a foregone conclusion. It’s simply not useful anymore.

Add to this the fact that IP address depletion truly is a serious problem – the NRO announced recently that less than 10% of all public IPv4 addresses are still available – and it seems an appropriate time to decouple application and infrastructure from relying on client IP addresses as a form of identification.

The Problem with Consumer Cloud Services...
…is that they're consumer #cloud services. While we're all focused heavily on the challenges of managing BYOD in the enterprise, we should not overlook or understate the impact of consumer-grade services within the enterprise. Just as employees bring their own devices to the table, so too do they bring a smattering of consumer-grade "cloud" services to the enterprise. Such services are generally woefully inappropriate for enterprise use. They are focused on serving a single consumer, with authentication and authorization models that support that focus. There are no roles, generally no group membership, and there's certainly no oversight from some mediating authority other than the service provider. This is problematic for enterprises: it eliminates the ability to manage access for large groups of people and to ensure authority to access based on employee role and status, and it provides no means of integration with existing ID management systems.

Integrating consumer-oriented cloud services into enterprise workflows and systems is a Sisyphean task. Cloud services replicating what has traditionally been considered enterprise-class services, such as CRM and ERP, are designed with the need to integrate. Consumer-oriented services are designed with the notion of integration – with other consumer-grade services, not enterprise systems. They lack even the most rudimentary enterprise-class concepts such as RBAC, group-based policy and managed access. SaaS supporting what are traditionally enterprise-class concerns such as CRM and e-mail have begun to enable the integration with the enterprise necessary to overcome what is, according to a survey conducted by CloudConnect and Everest Group, the number two inhibitor of cloud adoption amongst respondents. The lack of integration points into consumer-grade services is problematic for both IT – and the service provider.

For the enterprise, there is a need to integrate with, and to control the processes associated with, consumer-grade cloud services. As with many SaaS solutions, the ability to collaborate with data-center hosted services as a means to integrate with existing identity and access control services is paramount to assuaging the concerns that currently exist, given the more lax approach to access and identity in consumer-grade services. Integration capabilities – APIs – that enable enterprises to integrate even rudimentary control over access are a must for consumer-grade SaaS looking to find a path into the enterprise. Not only is it a path to monetization (enterprise organizations are a far more consistent source of revenue than are ads or income derived from the sale of personal data), but it also provides the opportunity to overcome the stigma associated with consumer-grade services that has already resulted in "bans" on such offerings within large organizations. There are fundamentally three functions consumer-grade SaaS needs to offer to entice enterprise customers:

1. Control over AAA. Enterprises need the ability to control who accesses services and to correlate with authoritative sources of identity and role. That means the ability to coordinate a log-in process that primarily relies upon corporate IT systems to assert access rights, and the capability of the cloud service to accept that assertion as valid. APIs, SAML, and other identity management techniques are invaluable tools in enabling this integration. Alternatively, enterprise-grade management within the tools themselves can provide the level of control required by enterprises to ensure compliance with a variety of security and business-oriented requirements.

2. Monitoring. Organizations need visibility into what employees (or machines) may be storing "in the cloud" or what data is being exchanged with what system. This visibility is necessary for a variety of reasons, with regulatory compliance most often cited.

3. Mobile Device Management (MDM) and Security. Because one of the most alluring aspects of consumer cloud services is nearly ubiquitous access from any device and any location, the ability to integrate #1 and #2 via MDM and mobile-friendly security policies is paramount to enabling (willing) enterprise adoption of consumer cloud services.

While most of the "consumerization" of IT tends to focus on devices, "bring your own services" should also be a very real concern for IT. And if consumer cloud service providers think about it, they'll realize there's a very large market opportunity for them to support the needs of enterprise IT while maintaining their gratis offerings to consumers.

DNSSEC – the forgotten security asset?
An interesting article from CIO Online last month explained how DNS had been used to identify over 700 instances of a managed service provider’s customers being infected with malware. The MSP was able to detect the malware using DNS. As the article points out, a thirty-year-old technology was being used to defeat twenty-first century computer problems. In short, DNS may be a viable means of identifying infections within networks more quickly, because the attackers rely on DNS just as security apps do.

DNS, however, still comes with its own unique security approach. The signature checking procedures outlined in the Domain Name System Security Extensions (DNSSEC) specifications were deemed adequate for the protocols surrounding domain resolution. While DNSSEC authenticates the data, it does not encrypt it, meaning that the data is not confidential. The other problem with DNSSEC is that during a Distributed Denial of Service (DDoS) DNS amplification attack on a DNS server, the processing of validation requests adds to the processor usage and contributes to slowdown. DNSSEC does, however, provide protection against cache poisoning and other malicious activities and remains part of the network security arsenal.

At F5, our solution for the DNSSEC load problem was to integrate DNSSEC into our BIG-IP Global Traffic Manager. The traffic manager handles all of the overhead processing requirements created during a DDoS DNS amplification attack. The result is that the DNS server can be left to function with no performance limitation. On top of this, the F5 solution is fully compliant with international DNSSEC regulations imposed by governments, organisations and domain registrars.

While DNSSEC may seem mature and even outdated in its security specifications, the correct application of technology such as F5’s BIG-IP Global Traffic Manager delivers peace of mind over security, performance, resources and centralised management of your DNS.

Policy is key for protection in the cloud era
Today, companies host mission-critical systems such as email in the cloud, which contain customer details and company-confidential information and without which company operations would grind to a halt. Although cloud providers were forced to reconsider their security and continuity arrangements after the large cloud outages and security breaches last year, cloud users still have a number of challenges. Unless organisations work with a small, specialist provider, it is unlikely that they can guarantee where their data is stored, or the data handling policies of the cloud provider in question. Organisations frequently forget that their in-house data policies simply will not be exported to the cloud with their data. Authentication, authorisation and accounting (AAA) services are often cited as major concerns for companies using cloud services. Organisations need assurance of due process in data handling, or else a way to remove the problem so that they lose no sleep over cloud.

Aside from problems with location, one of the main problems with cloud is that it does not lend itself to static security policy. For example, one of the most popular uses of cloud is cloudbursting, where excess traffic is directed to cloud resources to avoid overwhelming in-house servers, to spread traffic more economically, or to spread the load when several tasks of high importance are being carried out at once. Firm policies about what kind of data can be moved to the cloud, at what capacity threshold, and any modifications which need to be made to data all need to be considered in a very short space of time. All of this needs to be accomplished whilst keeping data secure in transit, and with minimal management to avoid overloading IT managers at already busy times. Furthermore, organisations need to consider AAA concerns, making sure that data is kept in the right hands at all times.

Organisations need to secure applications regardless of location, and to do this they need to be able to extend policy to the cloud to make sure that data stays safe wherever it is. Using application delivery control enables companies to control all inbound and outbound application traffic, allowing them to export AAA services to the cloud. They should also make sure that they have a guarantee of secure tunnelling (i.e. via VPNs), which will make sure that data is secure in transit, as well as confirming that only the right users have access to it. Using some kind of secure sign-on, such as two-factor authentication, can also make sure that the right users are correctly authorised. In future, organisations may begin to juggle multiple cloud environments, balancing data between them for superior resilience, business continuity and pricing offers – often referred to as ‘supercloud’ – and this can be extremely complex. As company usage of cloud becomes more involved, managing and automating key processes will become more important so that cloud is an asset, rather than a millstone around the neck of IT departments.

HP Discover and what F5 bring to the party
There are only a couple of weeks to go before HP Discover, taking place this year in Frankfurt on 4-6 December. HP is a big organisation with lots of end user and vendor touchpoints. The short video below, by F5's Alasdair Pattinson, lays out the main ways in which F5 and HP collaborate, namely in data centre consolidation projects, Bring Your Own Device initiatives, and smoothing and securing implementations of Microsoft Exchange.

Context. SDN. Big Data. Security. Cloud.
That's right, something for everyone. F5 recently attended IP Expo in the UK. We had some speaker sessions at the event - some readers might have come along and seen them live. The event organisers did a nice job of filming the slots along with the slideware presented, and here they are:

- The Network Firewall is Redundant (Nathan Pearce)
- Big Data - A Contextual Goldmine (Nathan Pearce)
- Keeping Applications Running Smoothly from the Cloud (Nathan Pearce)
- Automation & Orchestration - Key Requirements for Software Defined Data Centres (Kevin Ware-Lane)

VMworld 2012 Europe - Strobel's Scribblings, Part I
The first of what will be a series of reports from Barcelona... F5's Frank Strobel wraps up Day Zero's events:

----------

VMworld EMEA 2012 – more exciting news from F5

On the evening prior to the start of the 2012 edition of VMworld EMEA, the F5 team is getting ready for another successful event - this time in beautiful Barcelona, Spain. No offense, Copenhagen, but the combination of sunshine, tapas, Sangria, and the Mediterranean has you beat.

Earlier today we held a vmLIVE session with over 700 VMware channel partners in attendance (a new record for us!) interested in learning about what F5 can deliver in support of the Mobile Secure Desktop. Clearly, this is a hot topic and one that we will focus on during VMworld EMEA with a theater presentation in the solution exchange (Enhancing the User Experience for Multi-Pod VMware View Deployments - Tuesday, October 9th, 12:30pm) and our live demo in the booth. If you are evaluating VMware View for your VDI needs, you might want to consider paying us a visit to learn more.

Also, today, we held a joint breakout session with VMware during the TAP pre-event day presenting on the VMware vCloud Automated Networking Framework: Network Extensibility (TEX1899) together with Ravi Neelakant. Charlie Cano delivered another standing-room-only performance. Those who have seen Charlie present before know why he draws large crowds. You will have a chance on Thursday to witness Charlie’s presentation skills during his own breakout session (SPO2069 - Solving the Application Provisioning Nightmare: Integrating vSphere and vCloud Director with Your Application Delivery Networking Services).

Last but not least, stay tuned for more exciting news coming from F5 tomorrow. You don’t want to miss that one for sure. So, feel free to come by F5’s stand, G100, to check out our latest solutions and to participate in our really cool motorcycle racing game. And, as always, there are cool prizes to be had… Viva Espana, Viva VMworld!

Mobile Devices and Securing the Wild.
How do we secure against the threat of #mobile lost devices now and in the future?

Security versus application accessibility is a chicken-and-egg question. Of course you develop apps first in an emerging space, but when do you introduce security? While developing? While the space is developing? After the space has matured and attacks have become a fact of life? Right now it seems that the focus of organizations everywhere when it comes to mobile is providing new ways for users and employees to interact through mobile devices. That’s a great place to start, since the mobile paradigm is a different beast than the desktop paradigm (a great read on one facet of the differences is this page from the Android Developer site – Android Design). While it is necessary to get applications and new access methods out there, we’re still struggling with basic security issues. The same things that scared many organizations off of Palms when they first came out, and USB keys later, plague mobile devices (of which Palm was one, though certainly an early generation)… How much data is being carted out of the building and by whom, and what happens if a trusted employee loses their device – which is a different question in the BYOD world than in the IT-issued device world… You cannot wipe a BYOD device remotely, and there’s a good chance you can’t force the employee to either.

While at the #CEBTowerGroup analyst conference (aimed at Financial Services firms, but a good show for any company struggling with cutting-edge issues), one presenter pointed out that increasingly, employees in the IT-issued device category will delay calling IT to report a lost device in the hope that they’ll find it without it being wiped. Not at all surprising, but not something I had specifically thought of either, and a great point. How much time does a ne’er-do-well have with a device before it is locked out? With customers, the problem is doubly troubling. Calling your company to inform you that they lost their phone is not exactly going to be the first thing on their mind unless they have stored passwords and credit card info for your website on their phone… And then you’re likely to be one of many.

Another troubling statistic that came from the Tower Group conference was that over 50% of those who found a mobile device attempted to look at private information on the phone… in fact, nearly as many people snooped around in private information as tried to contact the owner of the phone. That’s scary, and shows some amount of overlap between those two numbers. So the scenario where a user loses their phone, that phone is (a) loaded with corporate data and (b) has stored credentials for access to corporate apps, and the phone is then used by someone of ill intent to access corporate info, is inevitable. More prevalent, and thus more inevitable, is customers losing a phone with credentials stored on it. You can avoid some of the customer problem by not caching credentials in your app, but that doesn’t stop the customer from keeping the info on the phone so they don’t have to remember it, or from using some other on-phone mechanism to “cache” them. And history says they will.

Does your perimeter know which I’m on?

It is the job of corporate IT to protect against these concerns, but today we have little enough in the way of tools to implement protection from this kind of problem. Here’s what we need, though I understand that this is not an overnight solution set:

1. Today, mobile devices do not reliably offer brand/model information on opening a connection. They’ll need to. More to the point, they’ll need to offer some kind of unique identifier to go with it. People who join a phone plan and get four Galaxy SIIIs for their family will need to be able to tell them apart – or more importantly, sites they notify that the phone is lost will need to tell them apart.

2. IT needs a way to block devices that are reported as lost or stolen. Wiping them is great if the company supplied the device, but blocking them from access to corporate systems is the best that can be done in a customer or BYOD scenario.

3. Customers and employees need an easy way to report a lost or stolen phone and an easy way to mark it as found. The IT response to these would be “lock out” and “reactivate” respectively. This method needs to be secure and definitively identify the customer as the person attempting to use it.

The first point is the sticky one. As I’ll explain below, we have the answers for #2 and #3 today, but #1 is more difficult. It can be answered within custom-built apps, but that doesn’t help the 300,000 apps out there already for mobile devices, and it’s not generic, meaning you’ll have to implement it on both sides yourself. As usual, I focus on F5 products, but no doubt you could find similar ways to implement this technology. The good bit about F5 gear is we’ve done the heavy lifting for you.

The other two points we have in one form or another today. F5’s Access Policy Manager (APM) can say “if user X logs in from a mobile device, redirect them to the mobile site.” It’s easy enough to have a rule that says “if user X logs in from a mobile device and their device is reported as stolen, redirect them to a lockout page, away from corporate systems” utilizing APM’s functionality. The same is true for customers and users attempting to access the VPN. This is important even in an environment where IT supplies devices, because employees are more likely to invoke that type of functionality than have their device wiped clean. Depending upon the employee, that may be fine – some don’t carry corporate info around on their devices, just use them for remote access. The catch to this step is, of course, that until step #1 is implemented, the user would be locked out from all mobile devices. That will be fine for some people, but many – like myself – have multiple “mobile devices”. I have a Playbook, a GalaxyTab, and an iPhone, not to mention my access to a Blackberry phone and an Impression tablet. If I lose my IT-supplied iPhone, or my son loses his Impression after I’ve used it to log into work, should it lock out my GalaxyTab too?

Point number two is easy to implement, since “stolen” could be an AD or LDAP field that is then accessible to APM integration. IT would simply need to implement a web interface to report lost or stolen devices. This solution is most applicable to financial sites, but major shopping sites like Amazon suffer the same level of trust issues, and no matter how small the business, the employee side of this equation applies to you. The reason I say it’s more important for financial institutions is because today the solution to “I lost my phone” would have to be “put a hold on their account”. If you’ve ever been through a hold on your account, it’s painful, and honestly, if an hour later you find your phone at Starbucks where someone turned it in, you’re going to suffer a lot of unnecessary discomfort in the banking scenario.

So today, products like our APM can stop users from logging on from a mobile device once a device is reported as stolen; you could put device-identifying information into your app if you are developing it, to make this control more granular; and turning it on and off could be simple – as long as a way can be secured to make certain it actually is the user in question blocking and unblocking mobile access. So think about it. This threat is more one of opportunity than what we usually protect against, but the reputation – or even the competitive health – of your business could be at stake, so a simple way for users to control access is worth pondering.

Related Articles and Blogs:

- FBI Offers Smartphone-Ready 'Most Wanted' List
- Duo Security Advances Two-Factor Authentication
- Google Acquires Quickoffice Mobile Apps
- Researchers Find Ways to Bypass Google's Android Malware Scanner
- New HTML5 Control Blends Web with Native Mobile Apps
- What Does Mobile Mean, Anyway?
- Mobile Apps. New Game, New (and Old) Rules
- Mobile Device Support for VMware View
- F5 Enables Mobile Device Management Security On-Demand
- Mobile User Access Anywhere, Dynamic Security Everywhere
- Mobile Payment sicherer machen!
- Mobile and IPv6: Why Cows Connecting to the Internet Affects You

F5 Friday: Never Outsource Control
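As an added illustration of the lost-device lockout logic the post sketches (a constructed model, not APM code or any F5 API), the following Python keeps the proposed "stolen" flag on a hypothetical directory entry, decides between the mobile site and a lockout page at login, and refuses report/reactivate requests from unverified callers. Names such as `DirectoryEntry`, `evaluate` and `report_lost`, and the sample directory, are all invented here; the `device_id is None` branch shows the coarse all-devices lockout the post complains about until devices identify themselves.

```python
# Constructed model of the lost-device access policy described in the post.
# Not F5 APM or any F5 API; all names and sample data are hypothetical.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"                       # desktop/VPN client, normal policy
    MOBILE_SITE = "redirect_mobile_site"  # mobile client in good standing
    LOCKOUT = "redirect_lockout_page"     # mobile client kept off corporate systems


@dataclass
class DirectoryEntry:
    """Per-user record. 'lost_devices' stands in for the proposed AD/LDAP
    'stolen' attribute; 'all_mobile_locked' is the coarse fallback used when
    the user cannot say which device is gone."""
    user: str
    lost_devices: set = field(default_factory=set)
    all_mobile_locked: bool = False


# Constructed sample directory: alice has reported one of her devices lost.
DIRECTORY = {
    "alice": DirectoryEntry("alice", lost_devices={"iphone-it-0042"}),
    "bob": DirectoryEntry("bob"),
}


def evaluate(entry: DirectoryEntry, is_mobile: bool,
             device_id: Optional[str]) -> Decision:
    """Login-time decision. device_id is the unique identifier the post says
    devices will need to present; None models today's clients, which offer
    brand/model at best. Without an identifier, any open lost-device report
    has to lock out *all* of the user's mobile devices."""
    if not is_mobile:
        return Decision.ALLOW
    if entry.all_mobile_locked:
        return Decision.LOCKOUT
    if device_id is None:
        return Decision.LOCKOUT if entry.lost_devices else Decision.MOBILE_SITE
    if device_id in entry.lost_devices:
        return Decision.LOCKOUT
    return Decision.MOBILE_SITE


def report_lost(entry: DirectoryEntry, device_id: Optional[str],
                identity_verified: bool) -> DirectoryEntry:
    """Mark one device (or all mobile access) lost. identity_verified means the
    caller proved who they are over a channel that does not live on the lost
    phone; without it nobody may lock a user out on their behalf."""
    if not identity_verified:
        raise PermissionError("lost-device report requires verified identity")
    if device_id is None:
        entry.all_mobile_locked = True
    else:
        entry.lost_devices.add(device_id)
    return entry


def report_found(entry: DirectoryEntry, device_id: Optional[str],
                 identity_verified: bool) -> DirectoryEntry:
    """Reactivate. The same verification applies: an unlock request is exactly
    what someone holding the found phone would try."""
    if not identity_verified:
        raise PermissionError("reactivation requires verified identity")
    if device_id is None:
        entry.all_mobile_locked = False
    else:
        entry.lost_devices.discard(device_id)
    return entry
```

Running `evaluate(DIRECTORY["alice"], True, None)` returns `Decision.LOCKOUT`, while the same call with `"galaxytab-0007"` returns `Decision.MOBILE_SITE`, which is the granularity gain the post attributes to point #1.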
Extending identity management into the cloud

The focus of several questions I was asked at Interop involved identity management and application access in a cloud computing environment. This makes sense; not all applications that will be deployed in a public cloud environment are going to be “customer” or “market” focused. Some will certainly be departmental or business unit applications designed to be used by employees and thus require a certain amount of access control and integration with existing identity management stores, like Active Directory. Interestingly, F5 isn’t the only one that thinks identity and access management needs to be addressed for cloud computing initiatives to succeed.

    It's important to not reinvent the wheel when it comes to moving to the cloud, especially as it pertains to identity and access management. Brown [Timothy Brown, senior vice president and distinguished engineering of security management for CA] said that before moving to the cloud it's important that companies have a plan for managing identities, roles and relationships. Users should extend existing identity management systems. The cloud, however, brings together complex systems and opens the door for more collaboration, meaning more control is necessary. Brown said simple role systems don't always work, dynamic ones are required. [emphasis added]

    -- “10 Things to Consider Before Moving to the Cloud”, CRN, 2010

Considering that “control” and “security”, to both of which identity management is closely tied, were the top two concerns of organizations in an InformationWeek Analytics Cloud Computing survey, this is simply good advice. The problem is: how do you do that? Replicate your Active Directory forest? Maybe just a branch or two? There are overarching systems that can handle that replication, of course, but do you really want your corporate directory residing in the cloud? Probably not.

What you really want is to leverage your existing identity management systems where they reside – in the corporate data center – but use their authentication and authorization information to allow or deny access to cloud-based applications.