Alexander Wolfe



Encryption Is Cloud Computing Security Savior

I'm beginning to think that fears about cloud security are overblown. The reason: an intellectual framework is already in place for protecting data, applications and connections. It's called encryption. What's evolving now, and isn't anywhere near fully baked, is a set of agreed-upon implementations and best practices. Today's post talks about some relevant and interesting work from Trend Micro and from IBM.

Along with the leadership we're seeing from Trend Micro and IBM, it's only fair to add that most of the security vendors and cloud-service providers themselves are researching this stuff. (I'll cover those efforts in future posts.) One impediment in writing about cloud security is that people tend to be closed-mouthed, because of the seriousness of security, as per the old phrase: "If I tell you, then I'd have to kill you."

From my perspective, as I've started blogging about cloud security -- see "Cloud Security In Focus Amid Data Theft Fears" -- I've begun to see up close this reluctance of experts to provide deep data dumps. (A corollary is that those who don't know tend to be voluble.)

Quite apart from the fact that chatter is antithetical to the security and intelligence-community ethos (not always, though), there's so much disparate activity it's hard to get a holistic understanding of where things are headed. Thus, my funneling everything into the encryption bucket is an attempt to summarize and make some sense of where the nexus of activity lies.

So, while I've been hoping to pull together comprehensive posts, I can see what I'm going to have to do is offer up incomplete bits and pieces, blogging about this stuff as I get wind of it. Accordingly, here are three interesting, albeit very loosely connected, items:

Encryption is already being used

First, here's a heads up I got from one reader (as a comment to my earlier post), about his use of encryption to secure his cloud connections:

"I can only speak from experience using Amazon Web Services since early 2006, but all the tools are there if only they are used. For instance you can have rotating keys and my favorite is private VPNs. If you have a good working security structure in place you can now use a private VPN from within your existing system to scale cloud resources without opening your system to the outside.

These are a lot of the same issues we faced when we hooked up those pesky LANs to the transactional mainframe systems via SNA gateways in the early 80's."

Improved cloud encryption techniques are being researched

My contacts at Trend Micro have hinted at some conceptual work they're doing, for future delivery at an unspecified date (i.e., I want to make clear that they're not yet talking productization), about an encryption scheme for public cloud computing. The work is based on technology acquired from Identum Ltd., a British start-up incubated at Bristol University, which Trend Micro acquired in 2008. Identum's work has formed the basis for the e-mail encryption solutions currently offered by Trend.

Identum's encryption expertise is now in play in this cloud research. The basic, and very powerful, idea is to apply encryption agents to every virtual computing instance. Thus, every VM would have its own resident manager to ensure the proper application of encryption security resources.

The big win here is you'd have, in essence, automated application of security policies everywhere. Thus, you'd have cryptographic key management built into the process and also no worry about unprotected VM instances among your computing resources.

The key issue

As a transition between the Trend Micro item and this one on IBM, I should mention that management of cryptographic keys is by no means a trivial thing. When you think about it, all of your cloud security rests on being able to generate and hand out those keys, while keeping them out of the hands of bad guys. Hackers aren't going to be able to break your keys; what they'll do to breach your security is to steal them instead.

Which leads into the IBM research on homomorphic encryption. (See the press release, IBM Researcher Solves Longstanding Cryptographic Challenge, from July.) This is very arcane stuff, but as best as I can reduce it, this IBM breakthrough would allow you to send encrypted data throughout the cloud, manipulate it any way you want, and then at the end of the day, you'd still be able to decrypt it.

Currently, there are severe limitations on the operations you can perform on encrypted data, because some of the manipulations will muck it up so that it's no longer decryptable.

Why is this a problem? Well, you want to be able to work on encrypted data as long as possible without having to render it back into its plainly visible form. That way, you don't have to mess around with keys, or, more to the point, provide those keys to users you're not sure you trust.
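As an added illustration of the property described above (example code written for this page, not IBM's scheme and not the post's own), the Paillier cryptosystem is partially homomorphic: two ciphertexts can be combined into an encryption of the sum of their plaintexts, and decryption still works afterwards, but no ciphertext-side operation in this scheme yields the product of two plaintexts. The primes below are constructed toy values; a real deployment uses primes of roughly 1024 bits or more.

```python
# Added example: Paillier (partially homomorphic), pure standard library.
import math
import secrets

# Constructed toy key: two small primes (real keys use ~1024-bit primes).
P, Q = 104723, 104729


def keygen(p=P, q=Q):
    """Return (public, private) Paillier keys, using generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)  # with g = n + 1, L(g^lam mod n^2) = lam, so mu = lam^-1
    return (n, n * n), (lam, mu)


def encrypt(pub, m):
    """c = (1 + m*n) * r^n mod n^2, with a fresh random r coprime to n."""
    n, n2 = pub
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return ((1 + m * n) % n2) * pow(r, n, n2) % n2


def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) // n."""
    n, n2 = pub
    lam, mu = priv
    return ((pow(c, lam, n2) - 1) // n) * mu % n


def add_encrypted(pub, c1, c2):
    """Multiplying ciphertexts yields an encryption of the plaintext sum."""
    return c1 * c2 % pub[1]


def scale_encrypted(pub, c, k):
    """Raising a ciphertext to k yields an encryption of k times the plaintext."""
    return pow(c, k, pub[1])


def demo():
    """Work on the encrypted values, then decrypt once at the end."""
    pub, priv = keygen()
    c1, c2 = encrypt(pub, 42), encrypt(pub, 58)
    total = decrypt(pub, priv, add_encrypted(pub, c1, c2))      # 42 + 58
    tripled = decrypt(pub, priv, scale_encrypted(pub, c1, 3))  # 3 * 42
    return total, tripled
```

The cloud side never sees the private key, which is the point the post makes about keeping keys out of reach; Paillier only supports addition and scaling, so the "manipulate it any way you want" part is exactly what the fully homomorphic research adds.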

The thing with this IBM research is it's not really clear that they've solved the problem. The always authoritative Bruce Schneier says that the work is theoretically impressive but completely impractical. Regardless, IBM gets props for pushing things forward.

In closing, I'd like to point you to a good post from George Reese over at O'Reilly Community: Twenty Rules for Amazon Cloud Security. The basic thrust of his advice is "encrypt everything" and only allow your decrypt key to surface for the very brief instances you're using it.

Follow me on Twitter: @awolfe58

What's your take? Let me know, by leaving a comment below.

