Archive for cloud computing
Perspectives
There’s no shortage of words written about Cloud computing. Even the topic of security and the Cloud yields over 28 million results on Google (13 million on Bing for those keeping score). Given how important a topic securing Cloud computing is, how is one to cut through the clutter? To help out, here are five of my favorite resources on Cloud Security:
1) Cloud Security Alliance “Security Guidance for Critical Areas of Focus in Cloud Computing”
A comprehensive look at the most important areas of security in the Cloud, written by an esteemed group of security practitioners.
2) Jericho Forum “Cloud Cube Model”
A nice paper that “provides a framework for exploring in more detail the nature of different cloud formations and the issues that need answering to make them safe and secure places to work in.”
3) ENISA’s Cloud Computing Risk Assessment
A nice risk-oriented discussion of the cloud computing business model and technologies.
4) ISACA’s Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives
A business-oriented view of cloud computing risks and governance imperatives.
5) Cloudsecurity.org and Securosis Blogs
Good, though infrequent, analysis in the Cloudsecurity.org blog. Securosis offers commentary from former Gartner analyst and CSA Guidance editor Rich Mogull.
Filed under: Perspectives
Tags: cloud computing, Cloud Security Alliance
Perspectives
Doug McLean – Blogmeister
Since Mark Twain uttered the title of this blog in 1897, hundreds if not thousands of technologies have been declared “dead.” Some technology obituaries, vacuum tube computers spring to mind, were completely accurate. However, I’ve been in the computer industry long enough to know that successful computing technologies rarely ever “die”; they just get repurposed to work in new environments or to solve new problems. The best examples I can think of are SGML (Simple Graphic Markup Language) and ODA (Office Document Architecture). Both of these technologies were hot in the early ’80s when the industry was looking to standardize the way computers told printers how to render a page (and coincidentally creating massive markets for document and content management). It turns out that both of these technologies lost the imaging battle to the PDF standard, but that doesn’t mean they died. In fact, HTML can trace its roots and even some of its syntax directly to SGML, and CSS (Cascading Style Sheets) can trace its architectural genealogy to ODA.
A more recent example debunks the myth that “the mainframe is dead.” Now if any computing technology should be dead by now, the mainframe computer certainly qualifies. But, as Jon Oltsik points out in this excellent piece in Network World, the IBM Z-Series has found a key role in the deployment of cloud based computing services, as hot a trend in enterprise IT as currently exists.
So, I’ve been amused this summer listening to a number of industry analysts (most of whom I greatly respect) claim that the advent of Self Encrypting Drives (SEDs) means the “death of encryption software.” SEDs are new drives that come from the factory pre-encrypted and prevent any data written to them from being read by unauthorized parties during their lifecycle and even after they’ve been retired. This is accomplished in most cases by putting the well-known and trusted AES encryption algorithm in firmware on the drive.
Putting encryption inside the drive itself is a neat idea, but I assure you it doesn’t mean the death of “encryption software.” I should note at this point that Jon Oltsik is one of the analysts who declared encryption software “dead” earlier this year. But Jon’s a smart guy, and I’m assuming by this he meant that it will now morph to operate in a world where almost all drives have some limited encryption technology built in. I also feel compelled to observe that, in the IT sector, any time hardware is standardized (and consequently commoditized) it has caused market expansion, not contraction, as it allows vendors to deliver new functionality at lower price points with which to tap new markets.
One of the core issues we need to resolve in the debate about whether encryption software is on life support is just what the term “encryption software” means. Once upon a time it referred to the core cryptographic algorithms used to scramble the bits on a disk or in a message. Algorithms such as TwoFish, Blowfish, DES, Triple DES and AES have all been used in the past to turn plain text into ciphertext and back again. However, the technology frontier in encryption software has expanded dramatically beyond the core crypto in the last ten years and is now more focused on how these algorithms are used and managed. There is still very important work going on to keep the core crypto algorithms secure and to fix some things we know are liabilities in the associated hash functions. Currently though, most of the investment in “encryption software” development is at the broader system level rather than at the algorithm level.
In fact, if all of the manufacturers of disk drives, computers, smart phones and everything else we need to secure were to guarantee that they would have current crypto libraries on board every device they ship starting tomorrow, it would save PGP Corporation…not a dime. The reason for this is that our R&D investments are focused on the issues that drive our business and that our customers really care about. These days that means focusing on integrating policy management and key management functionality into existing enterprise data management infrastructure.
It also means focusing on providing the right management functionality for each kind of storage device. The policy and key management issues associated with managing encrypted drives on laptops are very different from the issues associated with managing encrypted shared storage devices. Take the simple example of complying with the legal discovery requirements under which most financial institutions operate. If they’ve encrypted their storage server farm (and most do), they have to have very powerful search, index, and retrieval functionality that knows what to do with keys and encrypted data. Compare that with a diversified manufacturer that just wants to encrypt all of its engineers’ laptops and impose some modest policy requirements on their use. These are very different problems for which no one approach is the correct solution. You may source the solutions from a single vendor with a sufficiently broad product line, but you’d never deploy the same solution to address both issues.
So, from our perspective, “encryption software” is a long way from dead and, in many ways, is in the middle of its adolescence. It’s no longer a child trying to find its way in the world, but neither is it a completely mature technology that can be assumed to be available and usable on a predictable basis without significant planning, implementation and reporting.
Filed under: Perspectives
Tags: AES, cloud computing, CSS, Encryption, HTML, Jon Oltsik, ODA, PDF, Self Encrypting Drive, SGML
Vinnie's Views
I am impressed at how popular web applications have become in the last few years. Not just web mail, but actual collaborative and analytical applications. Companies like Google, Salesforce, Apple, and Facebook have done an amazing job of migrating valuable user data to the clouds. Not to mention the internet based backup systems.
Despite widespread use, the task of securing the data presented in web applications has largely been unaddressed. Users of web mail (Gmail), forums, blogs and group calendaring (Google Calendar) currently have no reasonable way to ensure the privacy of their information, since it often resides on the web server. As an iPhone user I am very aware of this every time I sync up my address book or calendar. The data is protected on the move, but I have no way to secure the data once it reaches an Internet-based repository.
Part of the reason is that these mobile devices present special challenges. For example, Apple strictly limits what plugins can do to extend the iPhone. I can empathize with their reasoning: malevolent code on a phone has the potential to cause extensive damage to both the user’s privacy and possibly the phone network. But even if these restrictions were made more reasonable, the current developer plugin architectures aren’t designed for securing data. I’d like to see this change.
I have done quite a bit of research on how to extend web browser functionality through plugins that can, for example, decrypt OpenPGP content. While this is a good start, it can only take us so far. What we really need is for web application developers to understand the need for securing users’ content and to design in the proper hooks. The same can be said for cloud-based backup and sync systems.
Maybe this will happen as users become more aware of data loss through security breaches, but I’d rather we avoid those altogether through good design and forethought.
Filed under: Vinnie's Views
Tags: cloud computing, Data Security, Facebook, OpenPGP, Salesforce
This blog represents the personal opinions of certain employees of PGP Corporation and do not necessarily reflect the positions or opinions of PGP Corporation. As such, these personal opinions are not endorsed by PGP Corporation and you should conduct independent assessments before basing any decision upon the statements made in this blog.