Thursday data center tidbits: arguing against virtualization, NASA data goes free range

Vern Burke, SwiftWater Telecom
Biddeford, ME

First up today is a question I ran across asking if there are any circumstances that argue against server virtualization in the data center. The only thing I can think of is the requirement for specialized hardware. If your applications require specialized hardware, keep them on their own server, otherwise, get virtualizing!

The next piece is about NASA discovering that they’ve been selling excess PCs without properly cleaning sensitive data off them. And everyone is in a panic over cloud computing being a tremendous security threat? The biggest security threat is leaving your data in the care of people who have no focus on the security of it.

Data center doof of the week goes to Tumblr for managing to kill a database cluster AND kill their network for a day for the sake of scheduled maintenance. Squeaky red noses are enroute!

Cloud computing security and unreasonable expectations.

I’ve just been reading about how one company got “burned by cloud computing security”. The cloud computing security debate has now officially jumped the shark.

The example given here is a web site customer that chose an ultra cheap ($6.95 a month) hosting company for their legal related business web site. The customer then built a buggy as hell PHP based web site that was promptly and repeatedly hacked for 3 months, overwriting code and serving malware to its visitors. The hosting company verified that the problem wasn’t with it’s servers and told the customer to clean its site up. Customer did a lousy job of it and kept getting hacked, so they left for another hosting service at $400 per month that would maintain all the site code for them. Customer still thinks first hosting company should have been responsible for fixing the security problems in their buggy site.

First off, what the heck does this have to do with cloud computing? Absolutely nothing whatsoever. Cloud computing can’t protect people from themselves, it’s not some kind of magic wand. Calling this a cloud computing security issue is nothing but cloudwashing.

Next, what the hell is wrong with someone to think a hosting provider is going to work on their web site and fix the security bugs in their pages for $6.95 a month? And then have no problem unloading $400 a month to another provider that will and still badmouth the $6.95 provider? Somehow the hosting provider is supposed to protect the customer from themselves because they aren’t competent to write their own web pages?

And then to knock down the first hosting provider because they turned down the customer’s request to do it for more money. They’re in the business of providing low cost hosting, not coding web sites. Sheesh.If this is where customer expectations are headed, ultra cheap, expecting services the provider doesn’t offer, and expecting the provider to fix all your web site bugs, I have no idea where sanity has gone.

I’ll be more than happy to provide anyone with an inexpensive unmanaged cloud computing powered virtual machine. Take the unmanaged virtual machine and you’re responsible for all the system administration. I’ll also be happy to provide a fully managed machine and handle all the system admin for you. I’ll even be happy to maintain and develop your site code for you. Just don’t buy the cheapest package and expect I’m going to fix your buggy site for free.

And sure as heck don’t go to another provider and complain that I wouldn’t do it for 1/50th of what you’re willing to pay them,

Email or call me or visit the SwiftWater Telecom web site for cloud computing services.

Vern

Tuesday data center tidbits: #cloudcomputing regrets?

First up is the piece about EMC shutting down it’s ATMOS cloud computing storage service. Vendors have been inadvertently competing with their own market far longer than cloud computing has been around, this isn’t a cloud phenomena.

Next up is a piece about cloud computing and data center secrecy being an IT security risk. Revealing the physical location of a public data center, offering site surveys, and being willing to talk to some general degree about data center facility and security architecture details is all reasonable. There shouldn’t be an expectation of total transparency without an NDA however (how much of your internal business operations do you reveal to the world in general?). There’s an insinuation that, if you don’t give away everything, that you must be hiding something bad.

Finally, there’s another piece about cloud computing security risks. I have no idea where people get this idea that, because data from multiple tenants is stored on the same server, that this automatically means everyone can get into your data, not to mention that you can’t investigate any security breach because tenant’s logs are “co-located”. It appears to me that most of these people are pontificating about something they’ve never worked with and don’t fully understand.

Email or call me or visit the SwiftWater Telecom web site for cloud computing services.

Vern

Cloud computing security, the good, the bad, the ugly, the silly.

I was just reading yet another story about cloud computing security issues. It’s time to separate the real cloud computing security issues from the highly unlikely and the totally ridiculous.

Leading the ridiculous list, there’s criminals infesting “the cloud” and criminals run the largest cloud! First of all, there’s no such thing as “the cloud” Google’s cloud, Amazon’s cloud, our cloud, they’re all separate and distinct clouds. If someone does something nefarious on one cloud, it doesn’t mean every cloud computing service is now breached. Second, while a botnet does superficially resemble a cloud from the outside, it’s missing a LOT of characteristics of a real cloud, notably virtualization. NOT a cloud (the cloudwashing is REALLY getting crazy).

Next on the ridiculous list is the idea that everyone should be able to audit the provider’s entire cloud infrastructure. While there are number of standard security actions to be taken (such as restricting access to the cloud hosts control interfaces), I don’t know any cloud provider who is going to allow customer approval of cloud server software versions or configurations. You might as well ask to approve all the provider’s routers and switches while you’re at it.

Next you have the FUD factor (fear, uncertainty, and doubt). The NSA declares they don’t like the cloud because you can’t be sure who’s “cuddling up” next to you. When you can’t come up with a real issue, invent an undefined boogeyman.

Cloud reliability is certainly a valid issue, what with highly publicized outages from the major cloud computing providers over the last year. Of course, this isn’t really a cloud computing security issue at all though.

So what are the REAL cloud computing security issues? Background checks on cloud provider employees is an entirely valid one. Thoroughly securing the cloud control interfaces or control domain (known as dom0 in Xen Cloud Platform) is another.

Updating the cloud operating systems and the virtual machine operating systems promptly when vulnerabilities are patched should be a no-brainer. Finally, good solid system administration practices on the virtual machines is critical. I’ve said this before, you’re far likely to have a virtual machine broken into directly because of bad practices (understrength passwords, poor password choices, etc) than you are to have any chance of someone invading through the cloud system itself. This is the exact same security issue that dedicated physical servers have had forever and it’s addressed the exact same way, no special procedures because it happens to be a virtual machine running on a cloud.

The reality is that cloud computing security hasn’t changed that much from dedicated physical servers. Don’t let the cloudwashing and other silliness distract you from REALLY securing yourself in a cloud.

Email or call me or visit the SwiftWater Telecom web site for cloud computing services (with real honest to goodness security)!

Vern

Cloud computing and the great security debate.

I’ve been reading about the recent Gartner report on cloud computing security issues and here. I think there are a ton of holes in this report.

The first point is the statement that 60% of virtual servers are not as secure as the physical servers they replace and that’s not going to change until 2015. Really? Unfortunately, the articles don’t supply any basis for that claim or what is supposedly going to change in the next 5 years to change that. Gartner’s issue seems to be not having “information security professionals” involved in the virtualization project so it seems this number is based on project methodology and not a real analysis of virtual servers in the wild. Take this number with a HUGE grain of salt.

The second point is that supposedly the hypervisor (the core of the virtualization and cloud computing system) is a new platform that introduces new vulnerabilities and ones that havn’t been discovered yet. I’m not sure how they get “new” when the popular Xen hypervisor has been around for 7 years now.

It is certainly true that hypervisors may contain undiscovered vulnerabilities. Of course, so does almost any piece of software that touches the Internet (take a look at any of Microsoft’s bugfests). If you refused to use a piece of software unless it was guaranteed perfect, you’d never use any software at all.

The idea that network security appliances can’t see virtual machine to virtual machine traffic on the same physical host is simple to resolve with proper network design. The claim that virtual machines can’t be adequately separated is just plain odd. The blanket statement that the physical servers can’t provide adequate access control to the administrative interface is baffling.

Finally, there’s the “risk” that combining virtual servers on the same physical server can result in unauthorized access to data. Nobody ever provides a specific example of this claim, just a vague “well it COULD happen”. I would suspect that, since there’s a huge amount of virtual server and cloud computing being used (Amazon EC2 for example), if there was a major chance of this happening, we’d have already seen it.

So, what si the REAL virtual server or cloud computing security risk? The same thing it’s always been, bad system admin practices (understrength passwords, poor quality passwords, not updating buggy software), just exactly the same as it is for physical servers. It’s far more likely that a security breach of a virtual or cloud computing server is going to come from outside, just exactly as it would for a physical server.

Follow good administration practices, standard security practices for the virtual and control domains (Dom0 and DomU in Xen terms) just like a physical machine, and keep all software patched and up to date including the virtual machines and the hypervisor, and stop dreaming up boogeymen in the data center closet.

Email or call me or visit the SwiftWater Telecom web site for cloud computing services and green data center services and sleep well at night.

Vern

The virtual data center, know what not to put in the cloud.

Tonight I was reading on the challenges of cloud computing. I’m not sure how these “security issues” with the data center cloud get blown into these kinds of issues.

The first issue is that cloud providers place several customer’s data on the same physical machine and security policy may require that the information be kept separate. First, this is the very nature of how the cloud works. If you insist on having a dedicated physical machine, don’t use the cloud, it’s that simple.

Next thing is to get over the idea that somehow the cloud virtual machines are different functionally than a dedicated server. Just because the virtuals share a physical machine doesn’t mean they can interact with each other any more than physically separate machines do, nor can they access storage other than what belongs to them.

The second issue is that, because the virtual machines can be dynamically moved between hosts in the cloud, you can’t know where your data physically is stored. In the case of our own cloud, regardless of what host is running the virtual, the data is always stored in the same physical location. The virtual may move but the storage for it doesn’t.

Of course, wherever the virtual machine storage is, the data center cloud operations people could certainly physically lay hands on it (it’s not like it drops into a black hole). As with the first issue, if the data needs to be where you can personally lay your hands on the physical device containing it, don’t use the cloud, period.

The end result of this is that, if you require your virtual machine to run by itself on a dedicated piece of hardware, if you require your own direct control over the physical host server’s virtual network switch to enforce your own policys, then the cloud isn’t the place for you. It’s more important to know what the cloud shouldn’t be used for and nuclear code grade security is one of those things.

For the rest of us, keep the software versions of the virtual machine up and follow good system admin practices and you won’t have to worry about cloud security.

Vern, SwiftWater Telecom