CloudFucius Wonders: Can Cloud, Confidentiality and The Constitution Coexist?
This question has been puzzling a few folks of late, not just CloudFucius. The Judicial/legal side of the internet seems to have gotten some attention lately even though courts have been trying to make sense and catch up with technology for some time, probably since the Electronic Communications Privacy Act of 1986. There are many issues involved here but a couple stand out for CloudFucius. First, there is the ‘Privacy vs. Convenience’ dilemma. Many love and often need the GPS Navigators whether it be a permanent unit in the vehicle or right from our handheld device to get where we need to go. These services are most beneficial when searching for a destination but it is also a ‘tracking bug’ in that, it records every movement we make. This has certainly been beneficial in many industries like trucking, delivery, automotive, retail and many others, even with some legal issues. It has helped locate people during emergencies and disasters. It has also helped in geo-tagging photographs. But, we do give up a lot of privacy, secrecy and confidentiality when using many of the technologies designed to make our lives ‘easier.’ Americans have a rather tortured relationship with privacy. They often say one thing ("Privacy is important to me") but do another ("Sure, thanks for the coupon, here's my Social Security Number") noted Lee Rainie, head of the Pew Internet and American Life Project. From: The Constitutional issues of cloud computing You might not want anyone knowing where you are going but by simply using a navigation system to get to your undisclosed location, someone can track you down. Often, you don’t even need to be in navigation mode to be tracked – just having GPS enabled can leave breadcrumbs. Don’t forget, even the most miniscule trips to the gas station can still contain valuable data….to someone. How do you know if your milk runs to the 7-Eleven aren’t being gathered and analyzed? At the same, where is that data stored, who has access and how is it being used? I use GPS when I need it and I’m not suggesting dumping it, just wondering. Found a story where Mobile Coupons are being offered to your phone. Depending on your GPS location, they can send you a coupon for a nearby merchant along with this one about Location-Based strategies. Second, is the Fourth Amendment in the digital age. In the United States, the 4th Amendment protects against unreasonable searches and seizures. Law enforcement needs to convince a judge that a serious crime has/is occurring to obtain a warrant prior to taking evidence from a physical location, like your home. It focuses on physical possessions and space. For instance, if you are committing crimes, you can place your devious plans in a safe hidden in your bedroom and law enforcement needs to present a search warrant before searching your home for such documents. But what happens if you decide to store your ‘Get rich quick scheme’ planning document in the cloud? Are you still protected? Can you expect certain procedures to be followed before that document is accessed? The Computer Crime & Intellectual Property Section of the US Dept of Justice site states: To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or file cabinet. The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer if it would be prohibited from opening a closed container and examining its contents in the same situation….Although courts have generally agreed that electronic storage devices can be analogized to closed containers, they have reached differing conclusions about whether a computer or other storage device should be classified as a single closed container or whether each individual file stored within a computer or storage device should be treated as a separate closed container. But, you might lose that Fourth Amendment right when you give control to a third party, such as a cloud provider. Imagine you wrote a play about terrorism and used a cloud service to store your document. Maybe there were some ‘surveillance’ keywords or triggers used as character lines. Maybe there is scene at a transportation hub (train, airport, etc) and characters themselves say things that could be taken as domestic threats – out of context of course. You should have some expectation that your literary work is kept just as safe/secure while in the cloud as it is on your powered down hard drive or stack of papers on your desk. And we haven’t even touched on compliance, records retention, computer forensics, data recovery and many other litigating issues. The cases continue to play out and this blog entry only covers a couple of the challenges associated with Cloud Computing and the Law, but CloudFucius will keep an eye on it for ya. Many of the articles found while researching this topic: The Constitutional issues of cloud computing In digital world, we trade privacy for convenience Cloud Computing and the Constitution INTERNET LAW - Search and Seizure of Home Computers in Virginia Time to play catch-up on Internet laws: The gap between technology and America's laws hit home last week in a court decision on network neutrality FCC considers reclassification of Internet in push to regulate it Personal texting on a work phone? Beware your boss High Court Justices Consider Privacy Issues in Text Messaging Case Yahoo wins email battle with US Government How Twitter’s grant to the Library of Congress could be copyright-okay Judge Orders Google To Deactivate User's Gmail Account FBI Warrant Sought Google Apps Content in Spam Case State court rules company shouldn't have read ex-staffer's private e-mails District Took 56,000 Pictures From Laptops Can the Cloud survive regulation? Group challenging enhanced surveillance law faces uphill climb Watchdogs join 'Net heavyweights in call for privacy law reform Digital Due Process Judge's judgment called into question Dept of Justice Electronic Evidence and Search & Seizure Legal Resources Electronic Evidence Case Digest Electronic Evidence Finally, you might be wondering why CloudFucius went from A to C in his series. Well, this time we decided to jump around but still cover 26 interesting topics. And one from Confucius himself: I am not one who was born in the possession of knowledge; I am one who is fond of antiquity, and earnest in seeking it there. ps The CloudFucius Series: Intro, 1Invasion of Privacy - Mobile App Infographic Style
Couple blogs/weeks ago, I posted What’s in Your Smartphone? covering the recent Nielsen report, State of the Appnation – A Year of Change and Growth in U.S. Smartphones. According to the study, 70% (last year) and 73% (this year) expressed concern over personal data collection and 55% were cautious about sharing location info via smartphone apps so, obviously, it is important that users are aware of the risks they face when downloading and using apps. So it is perfect timing that I came across Veracode’s infographic showing real world cases to outline the threat to user privacy posed by mobile apps. Infographic by Veracode Application Security Fascinating and scary at the same time. ps References: How Mobile Apps are Invading Your Privacy Infographic Infographic: How Mobile Apps Invade Your Privacy State of the Appnation – A Year of Change and Growth in U.S. Smartphones Nielsen: 1 in 2 own a smartphone, average 41 apps Freedom vs. Control BYOD–The Hottest Trend or Just the Hottest Term Hey You, Get Off-ah My Cloud! Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? BYOD Is Driving IT ‘Crazy,’ Gartner Says Consumerization trend driving IT shops 'crazy,' Gartner analyst saysNew iOS Edge Client
If you are running the BIG-IP Edge Client on your iPhone, iPod or iPad, you may have gotten an AppStore alert for an update. If not, I just wanted to let you know that version 1.0.3 of the iOS Edge Client is available at the AppStore. The main updates in v1.0.3: URI scheme enhancement allows passing configuration data to the client upon access. For example, you could have a link on the WebTop that invokes the client and forces web logon mode. Other Bug fixes. The BIG-IP Edge Client application from F5 Networks secures and accelerates mobile device access to enterprise networks and applications using SSL VPN and optimization technologies. Access is provided as part of an enterprise deployment of F5 BIG-IP Access Policy Manager, Edge Gateway, or FirePass SSL-VPN solutions. BIG-IP Edge Client for iOS Features: Provides accelerated mobile access when used with F5 BIG-IP Edge Gateway. Automatically roams between networks to stay connected on the go. Full Layer 3 network access to all your enterprise applications and files. I loaded it yesterday on my devices without a hitch. ps Related: iDo Declare: iPhone with BIG-IP F5 Announces Two BIG-IP Apps Now Available at the App Store F5 BIG-IP Edge Client App F5 BIG-IP Edge Portal App F5 BIG-IP Edge Client Users Guide iTunes App Store Securing iPhone and iPad Access to Corporate Web Applications – F5 Technical Brief Audio Tech Brief - Secure iPhone Access to Corporate Web Applications Technorati Tags: F5, infrastructure 2.0, integration, cloud connect, Pete Silva, security, business, education, technology, application delivery, ipad, cloud, context-aware, infrastructure 2.0, iPhone, web, internet, security, hardware, audio, whitepaper, apple, iTunesCloudFucius Shares: Cloud Research and Stats
Sharing is caring, according to some and with the shortened week, CloudFucius decided to share some resources he’s come across during his Cloud exploration in this abbreviated post. A few are aged just to give a perspective of what was predicted and written about over time. Some Interesting Cloud Computing Statistics (2008) Mobile Cloud Computing Subscribers to Total Nearly One Billion by 2014 (2009) Server, Desktop Virtualization To Skyrocket By 2013: Report (2009) Gartner: Brace yourself for cloud computing (2009) A Berkeley View of Cloud Computing (2009) Cloud computing belongs on your three-year roadmap (2009) Twenty-One Experts Define Cloud Computing (2009) 5 cool cloud computing research projects (2009) Research Clouds (2010) Cloud Computing Growth Forecast (2010) Cloud Computing and Security - Statistics Center (2010) Cloud Computing Experts Reveal Top 5 Applications for 2010 (2010) List of Cloud Platforms, Providers, and Enablers 2010 (2010) The Cloud Computing Opportunity by the Numbers (2010) Governance grows more integral to managing cloud computing security risks, says survey (2010) The Cloud Market EC2 Statistics (2010) Experts believe cloud computing will enhance disaster management (2010) Cloud Computing Podcast (2010) Security experts ponder the cost of cloud computing (2010) Cloud Computing Research from Business Exchange (2010) Just how green is cloud computing? (2010) Senior Analyst Guides Investors Through Cloud Computing Sector And Gives His Top Stock Winners (2010) Towards Understanding Cloud Performance Tradeoffs Using Statistical Workload Analysis and Replay (2010) …along with F5’s own Lori MacVittie who writes about this stuff daily. And one from Confucius: Study the past if you would define the future. ps The CloudFucius Series: Intro, 1, 2, 3, 4, 5, 6, 7, 8And The Hits Keep Coming
In case you missed this over the long weekend, a few more notable names were compromised in recent weeks. A few weeks ago I wrote about how the Big Attacks are Back and it sure seems like the hits keep coming. First, last Friday, Lockheed Martin said that earlier in the week, they detected that someone was trying to break into their network through the VPN. Lockheed is a huge military contractor providing fighter jets, spy satellites and other military and intelligence equipment for the US and other government entities. They are also known for Skunk Works or their Advanced Development Program projects. These are highly classified assignments with the SR-71 Blackbird and F-117 Nighthawk (Stealth) as examples over the years. I live very close the Skunk Works facility and I can say that I’ve seen some interesting craft flying over at various times. Anyway, there is some indication that this attempted breach is tied to the security tokens issued to the workers. Reports have indicated that it was RSA tokens and this incident might be directly tied to the RSA breach earlier this year. Lockheed quickly shut the remote access doors and issued new tokens and passwords to the entire workforce. They do say that their systems are secure and nothing notable, like customer/employee/program data, was taken. While defense contractors like Lockheed get probed daily, this is significant since the ‘sources’ are saying that there is a connection between the RSA breach and Lockheed’s. The intruder seemed to have knowledge of some critical information (possibly algorithm, seed, serial, cloned soft key, key gen time) for the current tokens and dropped a key logger on an internal computer. After RSA’s initial announcement, Lockheed did take additional protective measures, like an additional password for remote users but a key logger probably would have sniffed that. Lockheed was fortunate to have caught it quickly but this might be the beginning of the token breach fallout. Lockheed is not the only defense contractor that has been specifically targeted using compromised tokens . L-3 Communications has also been fending off penetration attempts according to reports. In both cases, it appears that the intruders are using both phishing and cloned soft keys to try to attack SecurID systems. Installed malware or phishing campaigns are being used in an attempt to link end-users with tokens. Many companies are increasing PIN lengths and lowering the number of failed attempts before accounts are locked out. Even McAfee is talking about how employees are being approached by strangers in public places looking to gain information. Another breach this past weekend involved PBS. This time, C is for Compromise…and not good enough for anyone. While, according to PBS, no internal networks were exposed, the malicious hackers were able to break into the website and posted a bogus story about Tupac being alive and well in New Zealand. They also posted credentials for PBS’s internal media and affiliate station portals. This was a response to a Frontline story about WikiLeaks called WikiSecrets. Apparently the group that claimed the attack was less than impressed by the program. 2011 started out *relatively* quiet but is now tuning into a banner year for breaches. ps Resources: Data Breach at Security Firm Linked to Attack on Lockheed Lockheed Martin Suffers Massive Cyber attack InsecureID: No more secrets? (Cringely broke the Lockheed story) Second Defense Contractor L-3 ‘Actively Targeted’ With RSA SecurID Hacks Unknown hackers have broken into the security networks of Lockheed Martin Corp and several other U.S. military contractors Hackers breached U.S. defense contractors Cyber attack shows constant threat to key intel FRONTLINE statement on PBS hacking PBS Website Hacked Social hackers target McAfee staff in church, at car parks The Big Attacks are Back…Not That They Ever Stopped 3 Billion Malware Attacks and Counting Technology Can Only Do So Much Unplug Everything!The New Wallet: Is it Dumb to Carry a Smartphone?
When I was a teenager, I used to have one of those cool nylon surfer wallets with the Velcro close, you remember those don’t ya? While pumping diesel (had a VW Rabbit) one day at an old Gulf station, I left the wallet on top of the car and drove off. Realizing that my wallet was not snug in the sun visor when I got home, I retraced my path and found it - parts of it - scattered all over Route 1. Luckily, I got most of my belongings back but had that sickened feeling of almost losing my most precious possession at the time, my fake I……um, my driver’s license. I then got a leather wallet and shoved so many things in there I could have been mistaken for George Costanza, not to mention the hole that evolved right at the bottom point of my back pocket. Not liking the bump on my butt, I eventually moved to ‘money-clip’ type holders, you know those money holder things you carry in your front pocket. I felt ‘safer’ knowing it was in my front pocket and I only carried the essentials that I needed, rather than the reams of receipts I’d have in my wallet. When I was younger, I’d use tie clips, metal binder clips, and other things until I got a nice Harley-Davidson one which holds credit cards and clips currency. I’d still feel sick if I lost it however. Not having a wallet, purse, money clip or other currency container at all, may eventually be our new reality. You see, our smartphones are starting to carry all that digital information for us and according to a recent CNNMoney article, our smartphones are becoming one of our most dangerous possessions. We can do banking, make payments, transfer money, use the phone for loyalty card swipes along with credit card transactions. At the same time, mobile users more vulnerable to phishing attacks, some banking apps for Android, iPhone expose sensitive info, Android Trojan Emerges In U.S. Download Sites and how IPv6: Smartphones compromise users' privacy. We knew it would eventually happen but the crooks are now adapting to the explosive mobile growth, the rise of mobile banking and our never ending connection to the internet. Don’t get me wrong, like many of you, I love having email, contacts, calendar and entertainment at my fingertips along with the convenience of having all my stuff with me; but the chances of losing much more greatly increase since you have the equivalent, or even more, of all your credit cards, personal and private information and other sensitive stuff right on your smartphone. Sure there are backup programs but how many of you actually backup your computer on a weekly basis? How many have wipe or lock software installed to destroy everything on the smartphone if it is stolen? How many have tracking software if it is lost? How many have your actual home address in the GPS navigator so the offender can find where you live and visit while you are away? How many have sensitive corporate information stored on the smartphone since you use it for both personal and business use? Now I’m starting to spook myself. Many people will willingly trade some personal info for personal convenience. You might never give a total stranger your home address and phone number but if they add, ‘in exchange, we’ll give you this branded card and you’ll get 10% off every purchase,’ more than likely, we’ll turn that personal info over. If you understand that every purchase will be scanned, sent to a database and used for marketing or as the merchant describes, to ‘provide you with the best service and offerings,’ then you might accept that. If you accept and understand the risks of doing mobile banking, transferring money, making payments and carrying around your entire life on your mobile device….and take actions to mitigate those risks, like using encryption, backups, wipe/locate software, antivirus, OS updates and other mobile security precautions along with practicing the same discretion as you would with your home computer (like not clicking links from strangers) then you should stay relatively safe. Unless, of course, you leave that digital wallet on the top of your vehicle and drive off. ps Resources Android Trojan Emerges In U.S. Download Sites Sophisticated New Android Trojan "Geinimi" Spreading in China Chinese crack down on 'money-sucker' Androids Your most dangerous possession? Your smartphone IPv6: Smartphones compromise users' privacy Mobile users more vulnerable to phishing attacks Report: Banking Apps for Android, iPhone Expose Sensitive Info Make Sure Your Smartphone Payments Are Secure F5 BIG-IP Edge Client App F5 BIG-IP Edge Portal App Securing iPhone and iPad Access to Corporate Web Applications – F5 Technical Brief Audio Tech Brief - Secure iPhone Access to Corporate Web ApplicationsF5 Tutorial: BIG-IP APM with SecureAuth
This video demonstrates the flexibility of BIG-IP Access Policy Manager and integration with SecureAuth, which provides two-factor authentication using SSL certificates. F5's Tony Torzillo shows how these integrate with the AD server to allow you to login to the AD server, and it will then retrieve the user's phone number and email and allow them to authenticate via a text message, voice call, or email as stored in their AD policy. For more videos, check out F5’s YouTube channel. BIG-IP APM with SecureAuth ps twitter: @psilvas Technorati Tags: F5, infrastructure 2.0, integration, cloud connect, Pete Silva, security, business, education, technology, application delivery, intercloud, cloud, context-aware, infrastructure 2.0, automation, web, internetCloudFucius Dials Up the Cloud
According to IDC, the worldwide mobile worker population is set to increase from 919.4 million in 2008, accounting for 29% of the worldwide workforce, to 1.19 billion in 2013, accounting for 34.9% of the workforce. The United States has the highest percentage of mobile workers in its workforce, with 72.2% of the workforce mobile in 2008. This will grow to 75.5% by the end of the forecast period to 119.7 million mobile workers. The U.S. will remain the most highly concentrated market for mobile workers with three-quarters of the workforce being mobile by 2013 and Asia/Pacific (excluding Japan) represents the largest total number of mobile workers throughout the forecast, with 546.4 million mobile workers in 2008 and 734.5 million in 2013. This means more workers will be using mobile devices, not being tied to an office cube and will need to have access back to the corporate network or applications hosted in the Cloud. Enterprises and management are faced with a potential contradictory business situation. The level of employee collaboration is on the rise; yet at the same time, the locations and work hours are changing and growing. Additionally, companies understand the importance of providing access to their critical systems, even during a disaster; and that doesn’t necessarily mean a major tornado, flood, hurricane, earthquake or other natural phenomenon. What does an enterprise do when it’s so cold and snowy that employees can’t get to the office? Declare a “snow day” and close their doors? Certainly not. What does an employee do when they are sick, injured or their child is home from school? Depending on the severity, they might be able to work from home. As for the users, it's not just a bunch of office employees and road warriors accessing shared files; but it’s also consultants, contractors, telecommuters, partners and customers using home computers and mobile devices to get our job done. Squeezed in the middle are the IT guys facing the demands of both management and users, along with the ever expanding and evolving security requirements. SSL VPN has become the mainstream technology of choice for remote access and Infonetics reports that the Worldwide SSL VPN gateway revenue increased 13.9% to $116.8M in 4Q09 and will grow 19% to $138.7M by 4Q10. Traditionally, corporate VPN controllers have been deployed in-house or in the corporate data center since the needed resources were also located there. Management and control over that VPN has been critical since it’s the gateway to the corporate network along with much of the sensitive info that resides ‘on-the-inside.’ Plus, *most* VPN controllers are full appliances – dedicated/branded hardware with the vendor’s code baked in. Finally, the advancement of cloud computing has become an enticing choice for IT departments looking to deploy corporate systems and sensitive resources for user and customer access. Enter FirePass SSL VPN Virtual Edition. A couple weeks ago F5 released FirePass v7, improving SSL VPN functionality, scalability, third-party integration, and offering new flexible deployment options including a virtual appliance. Virtualization as a technology, has reached a point of widespread adoption and many customers have requested the option of running FirePass as a virtual appliance. Providing a virtual edition of FirePass allows customers to potentially save money by allowing them add SSL VPN functionality to their existing virtual infrastructure. With FirePass VE, you get better scalability & flexibility due to the ability of being able to spin up and spin down virtual FirePass instances across the globe, in much the same way we talk about the BIG-IP appliances managing virtualized environments around the world. FirePass Virtual Edition is the full fledged, full featured FirePass code and currently runs on VMware ESX* and ESXi 4.0*. It’s vMotion enabled and you can cluster for config-sync, load balance VMs and service providers can have multiple VMs running on one system for a hosted VPN service. FirePass VE provides flexibility, scalability, context, and control particularly for Small & Medium Enterprises whose budgets might still be tight but need a remote access solution. It’s also a perfect solution for Enterprises who need a remote access business continuity solution. *Asterisk alert: If you are like me, and see a little * after something, I immediately drop to the bottom fine print to find the catch. FirePass VE is sold & supported just like FirePass hardware and is fully supported on the VMware products listed above. VMware also has a link off their website about the FirePass VE/VMware interoperability. As with any piece of software, there are minimum hardware and configuration requirements along with recommended VM provisioning but actual performance may vary depending on the target system. The FirePass v7 VE release notes (logon may be required) does provide the VMware system minimum characteristics. Just want to properly set expectations, especially with that pesky asterisk. :-) And one from Confucius: A man who has committed a mistake and doesn't correct it, is committing another mistake. ps The CloudFucius Series: Intro, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11Connecting to a Cloud while Flying thru the Clouds
CloudFucius checked out some In-flight WiFi this week while traveling to Seattle. Alaska Air offers GoGo Inflight Internet on their 737 fleet flying the 48 contiguous for $4.95, but the service is free through July 2010. An instruction card is located in the magazine pouch located in front of your seat and after the climb to 10,000 ft, you can connect with your WiFi enabled device. The setup is simple: 1. Turn on WiFi; 2. Find ‘gogoinflight’ signal (which happens to be the only one found at 10,000 ft); 3. Launch browser and log in. You do need to create an account, if you haven’t already, and fill out a couple pages of info – not at all cumbersome. We got connected fairly easily and quickly without any issues. We even got connected to F5’s corporate VPN and was able to open Outlook and download any new email along with anything else I usually do while working remotely. The signal was strong and the speed was usable. There have been a couple articles about the latency and performance challenges of these cellular connections once more than a few flyers connect. Limited number of power ports on planes might also discourage fliers, especially on long flights. Plus, according to this article, ‘Of the 230 respondents who guide corporate travel policy within their organizations, only 34 percent said it's OK for travelers to unsheathe their corporate cards to access Wi-Fi on all flights.’ The Business Travel News survey found that only 7% would reimburse in-flight internet access and only on very long flights. I usually use business air travel time to rest, play a game on the handheld, read and other relaxing activities but Internet-in-the-Sky does allow the classic road-warrior to stay productive, procrastinators to complete tasks and personal travelers to surf the web. Internet on a Plane got me thinking about the security implications of connecting while looking down at actual clouds. Certainly, you need to be aware of all the usual cautions and risks while connected to a typical open, unencrypted WiFi signal like protecting both your privacy and computer. Use a VPN if you have access to one, encrypt file transfers, enable your firewall & antivirus, ensure OS patches are up to date and disable any file shares. In-air Internet does pose some new threats. Over the shoulder eavesdropping is certainly a concern. Who hasn’t snuck a peek, glanced or outright watched the row in front, through the 2 inch seat separation either out of boredom or nosiness? While viewing someone edit a corporate PowerPoint isn’t that much of a threat; being able to see emails, VPN credentials or an internal web application URL and log in info being typed in, certainly is a risk. Call it back seat key logging. Forget about malware, I’ll watch and jot down what they type. I found myself feeling a little anxious as I entered the small bit of sensitive information required to create the GoGo account. Seeing the screen is also a concern and do believe there will be an uptick in privacy filters that protect computer screens from unwanted eyes. Protecting data in public places is hard enough, but in a cramped airplane there is almost no privacy and you really can’t just get up and leave. I’ve never been one who favored ‘save password’ but in this instance, having auto-filled asterisks instead of typing it in public is a good idea. Heightened awareness of the evolving business travel risks should be reiterated often to all employees. And one from Confucius: The superior man, when resting in safety, does not forget that danger may come. When in a state of security he does not forget the possibility of ruin. When all is orderly, he does not forget that disorder may come. Thus his person is not endangered, and his States and all their clans are preserved. ps The CloudFucius Series: Intro, 1, 2, 3, 4, 5, 6, 7, 8, 9CloudFucius Inspects: Hosts in the Cloud
So much has been written about all the systems, infrastructure, applications, content and everything else IT related that’s making it’s way to the cloud yet I haven’t seen much discussion (or maybe I just missed it) about all the clients connecting to the cloud to access those systems. Securing those systems has made some organizations hesitate in deploying IT resources in the cloud whether due to compliance, the sensitivity of the data, the shared infrastructure or simply persuaded by survey results. Once a system is ‘relatively’ secure, how do you keep it that way when the slew of potentially dangerous, infected clients connect? With so many different types of users connecting from various devices, and with a need to access vastly different cloud resources, it’s important to inspect every requesting host to ensure both the user and the device can be trusted. Companies have done this for years with remote/SSL VPN users who request access to internal systems – is antivirus installed and up to date, is a firewall enabled, is the device free of malware and so forth. Ultimately, the hosts are connecting to servers housed in some data center and all the same precautions you have with your own space should be enforced in the cloud. Since cloud computing has opened application deployment to the masses, and all that’s required for access is *potentially* just a browser, you must be able to detect not only the type of computer (laptop, mobile device, kiosk, etc.) but also its security posture. IDC predicts that ‘The world's mobile worker population will pass the one billion mark this year and grow to nearly 1.2 billion people – more than a third of the world's workforce – by 2013’ With so many Internet-enabled devices available; a Windows computer, a Linux box, an Apple iteration, a mobile device and anything else with an IP address, they could all be trying to gain access to your cloud environment at any given moment. It might be necessary to inspect each of these before granting users access in order to make sure it’s something you want to allow. If the inspection fails, how should you fix the problem so that the user can have some level of access? If the requesting host is admissible, how do you determine what they are authorized to access? And, if you allow a user and their device, what is the guarantee that nothing proprietary either gets taken or left behind? The key is to make sure that only “safe” systems are allowed to access your cloud infrastructure, especially if it contains highly sensitive information and context helps with that. One of the first steps to accomplishing this is to chart usage scenarios. Working in conjunction with the security policy, it is essential to uncover the usage scenarios and access modes for the various types of users and the many devices that they might be using. The chart will probably vary based on your company’s and/or website’s Acceptable Use Policy, but this exercise gets administrators started in determining the endpoint plan. Sounds a lot like a remote access policy, huh, with one exception. Usually there is a notion of ‘trusted’ and ‘un-trusted’ with remote access. If a user requests access from a corporate issued laptop, often that’s considered a trusted device since there is something identifiable to classify it as an IT asset. These days, with so many personal devices entering the cloud, all hosts should be considered un-trusted until they prove otherwise. And as inter-clouds become reality, you’ll need to make sure that a client coming from someone else’s infrastructure abides by your requirements. Allowing an infected device access to your cloud infrastructure can be just as bad as allowing an invalid user access to proprietary internal information. This is where endpoint security checks can take over. Endpoint security prevents infected PCs, hosts, or users from connecting to your cloud environment. Automatic re-routing for infected PCs reduces Help Desk calls and prevents sensitive data from being snooped by keystroke loggers and malicious programs. Simply validating a user is no longer the starting point for determining access to cloud systems; the requesting device should get the first review. Pre-access checks can run prior to the actual logon (if there is one) page appearing, so if the client is not in compliance, they won’t even get the chance to enter credentials. These checks can determine if antivirus or firewall is running, if it is up-to-date, and more. Systems can direct the user to a remediation page for further instructions to gain access. It’s easy to educate the user as to why the failure occurred and relay the possible steps to resolve the problem. For example: “We noticed you have antivirus installed but not running. Please enable your antivirus software for access.” Or, rather than deny logon and communicate a detailed remedy, you could automatically send them to a remediation website designed to correct or update the client’s software environment, assuring policies required for access are satisfied without any user interaction. Inspectors can look for certain registry keys or files that are part of your corporate computer build/image to determine if this is a corporate asset and thus, which system resources are allowed. Pre-access checks can retrieve extended Windows and Internet Explorer info to ensure certain patches are in place. If, based on those checks, the system finds a non-compliant client but an authorized user; you might be able to initiate a secure, protected, virtual workspace for that session. As the ever-expanding cloud network grows, the internal corporate resources require the most protection as it’s always been. Most organizations don’t necessarily want all users’ devices to have access to all resources all the time. Working in conjunction with the pre-access sequence, controllers can gather device information (like IP address or time of day) and determine if a resource should be offered. A protected configuration measures risk factors using information collected by the pre-access check; thus, they work in conjunction. For example, Fake Company, Inc. (FCI) has some contractors who need access to Fake Company’s corporate cloud. While this is not an issue during work hours, FCI does not want them accessing the system after business hours. The controller can check the time if a contractor tries to log on at 2 AM; it knows the contractor’s access is only available during FCI’s regular business hours and can deny access. Post-access actions can protect against sensitive information being “left” on the client. The controller can impose a cache-cleaner to eliminate any user residue such as browser history, forms, cookies, auto-complete information, and more. For systems unable to install a cleanup control, you can block all file downloads to avoid the possibility of the inadvertent left-behind temporary file—yet still allow access to needed cloud applications. These actions are especially important when allowing non-recognized machines access without wanting them to take any data with them after the session. In summary: First, inspect the requesting device; second, protect resources based on the data gathered during the check; third, make sure no session residue is left behind. Security is typically a question of trust. Is there sufficient trust to allow a particular user and a particular device full access to enterprise cloud resources? Endpoint security gives the enterprise the ability to verify how much trust and determine whether the client can get all the cloud resources, some of the cloud resources, or just left in the rain. And one from Confucius: When you know a thing, to hold that you know it; and when you do not know a thing, to allow that you do not know it - this is knowledge. ps The CloudFucius Series: Intro, 1, 2, 3, 4, 5
