Weblogic Authors: Yeshim Deniz, Elizabeth White, Michael Meiner, Michael Bushong, Avi Rosenthal

Related Topics: Weblogic, IBM Cloud, Containers Expo Blog, Artificial Intelligence, @CloudExpo, Ruby-On-Rails

Weblogic: Blog Post

Security Cloud Assumptions

Responding to Hoff

After pushing my latest post, Securing the Cloud: Shared Hardware and the Data Plane, Hoff posted a series of excellent questions and responses to the post via Twitter. I thought responding via another blog post, so that his questions could be addressed alongside my last post, was the way to go. I’ve trimmed some of his questions here for brevity but all of his questions can be found on his Twitter stream. And here we go.

@thevirtualdc I hate to tell you this, but your last blog isn’t about securing “the Cloud” at all. You are interchanging cloud & virt…

You are correct that I am presumptively interchanging the cloud with virtualization within the cloud. The primary point of this series of cloud security posts is to break out all the areas that securing the cloud entails, taking a huge topic that many people are discussing and breaking it down into small bits. A very large bite of those small bits, in my opinion, is the platforms that run each individual cloud. It’s been my experience that the majority (definitely not all) of cloud providers right now, and the customers that are seeking out these cloud providers, are using some form of virtual platforms. This is an assumption I’ve discussed here before. I’m definitely not saying virtualization=the cloud, but rather that most cloud implementations rely somewhat on virtual platforms. Virtual platforms introduce a layer of transparency in cloud providers; a customer who choose a provider that’s running virtual platforms will most likely know what that platform choice and what version it’s running. To that extent, the security of those platforms is paramount to the security of the cloud itself.

@thevirtualdc …not that they aren’t related, but by lumping everything into the IaaS bucket (which is what you are essentially doing)…

I’m not necessarily lumping all cloud providers into the IaaS bucket. Non-IaaS providers, such as AWS, Azure, and Terremark, are cloud providers that build their solutions on top of virtual platforms. These are the types of cloud providers that fall into my assumptive clause above. I’m not so concerned in this post with what those providers are doing with virtual platforms or how they’re marketing their service, but rather the fact that they are running shared virtual platforms and relying on shared data plane management from companies that are outside their control. No matter how they’re implementing these technologies, the customers are trusting the providers and the providers are trusting the platforms (along with a ton of other pieces in the cloud puzzle that I’ll delve into later as part of this continuing series) to keep things secure. Basically I’m talking here about any cloud provider that’s implementing a solution on top of stadard virtual platforms.

@thevirtualdc I totally buy everything you wrote, except you decided to call it Cloud instead of Virt which will add 2 the confusion.

I completely agree with you on this one. Goodness knows I get all up in arms about terminology and definitions when it comes to technology, but the choice to lump a discussion about virtual platform and shared data security under the Cloud nameplate was intentional. I want people who are looking at the cloud, who are looking at security concerns in the cloud, to start thinking about security risks of what’s actually running most of the cloud. For example, a major cloud provider recently discussed their solution for cloud security was to deploy individually managed distributed firewalls for their customers. That’s good, but has nothing to do with the security concerns of the virtual platforms that are running those distributed firewalls. That’s the reason I want to associate virtual platform security with cloud security. Sure, there are providers and customers that won’t need to worry about this, but I believe the majority of both will. I don’t want people to think that the cloud is magical and mystical. It’s not; most of it is running some of the same software that we’re running in the enterprise, software that’s highly prone to security breaches.

Hoff concluded with this comment, which I’m unable to find in his Twitter stream but is available via Google cache:

 @thevirtualdc What about folks who use Xen derivatives…like the 800lb gorilla of Cloud, Amazon?

You are correct; I omitted Xen from my “take responsibility” list in that post. Xen introduces a different element that’s slightly harder to control: the OEM’ing and open-source nature of their solution(s). There’s no question that a provider like Amazon who’s depending on Xen as their platform foundation should be concerned about the security of that platform, however, Xen has the ability to be modified (to varying degrees). With respect to security, this makes it much more difficult for Citrix to be ultimately responsible for a secure running environment. The ESX hypervisor is always the same. The Xen hypervisor may be different across every implementation. That introduces risks to the data plane that are much harder to control. Still as critical but it’s harder to lump Citrix in the same bucket as Microsoft and VMware in this scenario for that reason. Regardless, you are correct in that I should have addressed this in my last post.

As always the feedback from Hoff is much appreciated and enjoyed. Even if I’m way off the planet on this (and most of what I wax about here) at least it contributes to the discussion and makes us think about these things. Security risks associated with virtual platforms and not controlling the data plane won’t directly impact all cloud providers or all cloud customers. But it will impact a good number of them, and the fact that we’re not looking to these technology creators (ie the platform vendors) to lead the way and create safe computing environments for shared data…well, that keeps me awake at night. :)

Read the original blog entry...

IoT & Smart Cities Stories
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...
DXWorldEXPO LLC announced today that ICC-USA, a computer systems integrator and server manufacturing company focused on developing products and product appliances, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City. ICC is a computer systems integrator and server manufacturing company focused on developing products and product appliances to meet a wide range of ...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time t...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
Disruption, Innovation, Artificial Intelligence and Machine Learning, Leadership and Management hear these words all day every day... lofty goals but how do we make it real? Add to that, that simply put, people don't like change. But what if we could implement and utilize these enterprise tools in a fast and "Non-Disruptive" way, enabling us to glean insights about our business, identify and reduce exposure, risk and liability, and secure business continuity?
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.