Welcome!

Weblogic Authors: Yeshim Deniz, Elizabeth White, Michael Meiner, Michael Bushong, Avi Rosenthal

Related Topics: Weblogic, IBM Cloud, Containers Expo Blog, Artificial Intelligence, @CloudExpo, Ruby-On-Rails

Weblogic: Blog Post

Security Cloud Assumptions

Responding to Hoff

After pushing my latest post, Securing the Cloud: Shared Hardware and the Data Plane, Hoff posted a series of excellent questions and responses to the post via Twitter. I thought responding via another blog post, so that his questions could be addressed alongside my last post, was the way to go. I’ve trimmed some of his questions here for brevity but all of his questions can be found on his Twitter stream. And here we go.

@thevirtualdc I hate to tell you this, but your last blog isn’t about securing “the Cloud” at all. You are interchanging cloud & virt…

You are correct that I am presumptively interchanging the cloud with virtualization within the cloud. The primary point of this series of cloud security posts is to break out all the areas that securing the cloud entails, taking a huge topic that many people are discussing and breaking it down into small bits. A very large bite of those small bits, in my opinion, is the platforms that run each individual cloud. It’s been my experience that the majority (definitely not all) of cloud providers right now, and the customers that are seeking out these cloud providers, are using some form of virtual platforms. This is an assumption I’ve discussed here before. I’m definitely not saying virtualization=the cloud, but rather that most cloud implementations rely somewhat on virtual platforms. Virtual platforms introduce a layer of transparency in cloud providers; a customer who choose a provider that’s running virtual platforms will most likely know what that platform choice and what version it’s running. To that extent, the security of those platforms is paramount to the security of the cloud itself.

@thevirtualdc …not that they aren’t related, but by lumping everything into the IaaS bucket (which is what you are essentially doing)…

I’m not necessarily lumping all cloud providers into the IaaS bucket. Non-IaaS providers, such as AWS, Azure, and Terremark, are cloud providers that build their solutions on top of virtual platforms. These are the types of cloud providers that fall into my assumptive clause above. I’m not so concerned in this post with what those providers are doing with virtual platforms or how they’re marketing their service, but rather the fact that they are running shared virtual platforms and relying on shared data plane management from companies that are outside their control. No matter how they’re implementing these technologies, the customers are trusting the providers and the providers are trusting the platforms (along with a ton of other pieces in the cloud puzzle that I’ll delve into later as part of this continuing series) to keep things secure. Basically I’m talking here about any cloud provider that’s implementing a solution on top of stadard virtual platforms.

@thevirtualdc I totally buy everything you wrote, except you decided to call it Cloud instead of Virt which will add 2 the confusion.

I completely agree with you on this one. Goodness knows I get all up in arms about terminology and definitions when it comes to technology, but the choice to lump a discussion about virtual platform and shared data security under the Cloud nameplate was intentional. I want people who are looking at the cloud, who are looking at security concerns in the cloud, to start thinking about security risks of what’s actually running most of the cloud. For example, a major cloud provider recently discussed their solution for cloud security was to deploy individually managed distributed firewalls for their customers. That’s good, but has nothing to do with the security concerns of the virtual platforms that are running those distributed firewalls. That’s the reason I want to associate virtual platform security with cloud security. Sure, there are providers and customers that won’t need to worry about this, but I believe the majority of both will. I don’t want people to think that the cloud is magical and mystical. It’s not; most of it is running some of the same software that we’re running in the enterprise, software that’s highly prone to security breaches.

Hoff concluded with this comment, which I’m unable to find in his Twitter stream but is available via Google cache:

 @thevirtualdc What about folks who use Xen derivatives…like the 800lb gorilla of Cloud, Amazon?

You are correct; I omitted Xen from my “take responsibility” list in that post. Xen introduces a different element that’s slightly harder to control: the OEM’ing and open-source nature of their solution(s). There’s no question that a provider like Amazon who’s depending on Xen as their platform foundation should be concerned about the security of that platform, however, Xen has the ability to be modified (to varying degrees). With respect to security, this makes it much more difficult for Citrix to be ultimately responsible for a secure running environment. The ESX hypervisor is always the same. The Xen hypervisor may be different across every implementation. That introduces risks to the data plane that are much harder to control. Still as critical but it’s harder to lump Citrix in the same bucket as Microsoft and VMware in this scenario for that reason. Regardless, you are correct in that I should have addressed this in my last post.

As always the feedback from Hoff is much appreciated and enjoyed. Even if I’m way off the planet on this (and most of what I wax about here) at least it contributes to the discussion and makes us think about these things. Security risks associated with virtual platforms and not controlling the data plane won’t directly impact all cloud providers or all cloud customers. But it will impact a good number of them, and the fact that we’re not looking to these technology creators (ie the platform vendors) to lead the way and create safe computing environments for shared data…well, that keeps me awake at night. :)

Read the original blog entry...

@ThingsExpo Stories
High-velocity engineering teams are applying not only continuous delivery processes, but also lessons in experimentation from established leaders like Amazon, Netflix, and Facebook. These companies have made experimentation a foundation for their release processes, allowing them to try out major feature releases and redesigns within smaller groups before making them broadly available. In his session at 21st Cloud Expo, Brian Lucas, Senior Staff Engineer at Optimizely, will discuss how by using...
In this strange new world where more and more power is drawn from business technology, companies are effectively straddling two paths on the road to innovation and transformation into digital enterprises. The first path is the heritage trail – with “legacy” technology forming the background. Here, extant technologies are transformed by core IT teams to provide more API-driven approaches. Legacy systems can restrict companies that are transitioning into digital enterprises. To truly become a lead...
SYS-CON Events announced today that Daiya Industry will exhibit at the Japanese Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ruby Development Inc. builds new services in short period of time and provides a continuous support of those services based on Ruby on Rails. For more information, please visit https://github.com/RubyDevInc.
As businesses evolve, they need technology that is simple to help them succeed today and flexible enough to help them build for tomorrow. Chrome is fit for the workplace of the future — providing a secure, consistent user experience across a range of devices that can be used anywhere. In her session at 21st Cloud Expo, Vidya Nagarajan, a Senior Product Manager at Google, will take a look at various options as to how ChromeOS can be leveraged to interact with people on the devices, and formats th...
SYS-CON Events announced today that Yuasa System will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Yuasa System is introducing a multi-purpose endurance testing system for flexible displays, OLED devices, flexible substrates, flat cables, and films in smartphones, wearables, automobiles, and healthcare.
Organizations do not need a Big Data strategy; they need a business strategy that incorporates Big Data. Most organizations lack a road map for using Big Data to optimize key business processes, deliver a differentiated customer experience, or uncover new business opportunities. They do not understand what’s possible with respect to integrating Big Data into the business model.
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities – ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups. As a result, many firms employ new business models that place enormous impor...
SYS-CON Events announced today that Taica will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Taica manufacturers Alpha-GEL brand silicone components and materials, which maintain outstanding performance over a wide temperature range -40C to +200C. For more information, visit http://www.taica.co.jp/english/.
SYS-CON Events announced today that Dasher Technologies will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Dasher Technologies, Inc. ® is a premier IT solution provider that delivers expert technical resources along with trusted account executives to architect and deliver complete IT solutions and services to help our clients execute their goals, plans and objectives. Since 1999, we'v...
Recently, REAN Cloud built a digital concierge for a North Carolina hospital that had observed that most patient call button questions were repetitive. In addition, the paper-based process used to measure patient health metrics was laborious, not in real-time and sometimes error-prone. In their session at 21st Cloud Expo, Sean Finnerty, Executive Director, Practice Lead, Health Care & Life Science at REAN Cloud, and Dr. S.P.T. Krishnan, Principal Architect at REAN Cloud, will discuss how they b...
SYS-CON Events announced today that MIRAI Inc. will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MIRAI Inc. are IT consultants from the public sector whose mission is to solve social issues by technology and innovation and to create a meaningful future for people.
SYS-CON Events announced today that TidalScale, a leading provider of systems and services, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. TidalScale has been involved in shaping the computing landscape. They've designed, developed and deployed some of the most important and successful systems and services in the history of the computing industry - internet, Ethernet, operating s...
SYS-CON Events announced today that IBM has been named “Diamond Sponsor” of SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California.
Join IBM November 1 at 21st Cloud Expo at the Santa Clara Convention Center in Santa Clara, CA, and learn how IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Cognitive analysis impacts today’s systems with unparalleled ability that were previously available only to manned, back-end operations. Thanks to cloud processing, IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Imagine a robot vacuum that becomes your personal assistant tha...
SYS-CON Events announced today that TidalScale will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. TidalScale is the leading provider of Software-Defined Servers that bring flexibility to modern data centers by right-sizing servers on the fly to fit any data set or workload. TidalScale’s award-winning inverse hypervisor technology combines multiple commodity servers (including their ass...
As hybrid cloud becomes the de-facto standard mode of operation for most enterprises, new challenges arise on how to efficiently and economically share data across environments. In his session at 21st Cloud Expo, Dr. Allon Cohen, VP of Product at Elastifile, will explore new techniques and best practices that help enterprise IT benefit from the advantages of hybrid cloud environments by enabling data availability for both legacy enterprise and cloud-native mission critical applications. By rev...
Infoblox delivers Actionable Network Intelligence to enterprise, government, and service provider customers around the world. They are the industry leader in DNS, DHCP, and IP address management, the category known as DDI. We empower thousands of organizations to control and secure their networks from the core-enabling them to increase efficiency and visibility, improve customer service, and meet compliance requirements.
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
SYS-CON Events announced today that N3N will exhibit at SYS-CON's @ThingsExpo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. N3N’s solutions increase the effectiveness of operations and control centers, increase the value of IoT investments, and facilitate real-time operational decision making. N3N enables operations teams with a four dimensional digital “big board” that consolidates real-time live video feeds alongside IoT sensor data a...
Amazon is pursuing new markets and disrupting industries at an incredible pace. Almost every industry seems to be in its crosshairs. Companies and industries that once thought they were safe are now worried about being “Amazoned.”. The new watch word should be “Be afraid. Be very afraid.” In his session 21st Cloud Expo, Chris Kocher, a co-founder of Grey Heron, will address questions such as: What new areas is Amazon disrupting? How are they doing this? Where are they likely to go? What are th...