It's Log, It's Log...

It's log, it’s log, it's better than bad, it's good! 

Everyone wants a log! You're gonna love it, log!

Come on and get your log! Everyone needs a log!

– Ren & Stimpy

Whether we like it or not, logging, monitoring and alerting are realities that we have to deal with on a daily basis. This is especially true for organizations that have legislative, regulatory or governance requirements that specifically call for logging.

Besides regulations, logging is extremely important for operations and security teams to do their jobs, not to mention technical support, QA and dev. Fortunately for folks migrating their applications to the cloud, there are, no real differences in terms of logging, monitoring or alerting from an on-premises deployment of the same applications— with two key exceptions.

These two key differences are both more prominent when dealing with the public cloud. The first is that most (all?) public cloud providers don’t make logs of user actions at the API or console available to the consumer. This means that you can’t track who actually performed actions such as starting up or terminating an instance or perhaps even more importantly, who created or changed firewall or other security rules. This has some serious implications under any number of compliance or regulatory regimes, including PCI and Sarbanes-Oxley to name two.

Along similar lines, consumers of public cloud want to get logs from their instances or applications without having to open up access from the broad range of potential IPs to their log consolidation or SIEM platforms.

Fortunately, there are architecturally simple solutions to both of these problems.

In the first case of getting API or console logs from your providers, what you need to do is purchase (or build) and then deploy a proxy between you and your cloud provider. Then, use that proxy for all API or console connections. Next, configure the proxy to log whatever is relevant to your organization and pass those logs to your log management servers. This architecture has other advantages (as I mentioned in my previous post) because you can also leverage the proxy to enhance the levels of authorization made available by the CSP. Additionally, the proxy can be configured to regularly audit the cloud environments and to alert when the configuration changes from what the proxy thinks it should be. This is handy as it means either someone has gone around the proxy to make changes or that something has failed on the cloud provider’s side of things.

The second case, getting instance or application logs from the provider back to your log management infrastructure has a few different options to choose from, depending on your requirements. The first option is to leverage the above proxy along with firewall APIs to automatically open the necessary IPs and ports for instances as necessary. This way you have a more limited range of IPs/ports open at any time. Alternately, a tiered log management structure could be built where logs are centralized into one or two instances on a cloud provider and the logs are then forwarded to the log management server.

In either case, an existing operations or security agent can be leveraged to direct the logs to the correct place using the agents’ central server. Finally, a pull mechanism would be used where the log management server regularly polls the cloud servers and pulls the logs down. Each of these options will work well; however, an organization needs to evaluate its own resources and see which one will be easiest for them to manage.

If one of these two issues is addressed by your organization, you are one big step closer to being able to use clouds like the enterprise that you are. Next post, I’ll be talking about another important aspect that needs addressing—key management.

 

David Mortman is the enStratus Chief Security Architect and has been doing Information Security for well over 15 years. Most recently, he was the Director of Security and Operations at C3. Previously, David was the CISO at Siebel Systems and the Manager of Global Security at Network Associates. David speaks regularly at Blackhat, Defcon and RSA amongst other conferences. Additionally, he blogs at emergentchaos.com,  newschoolsecurity.com  and securosis.com. David sits on a variety of advisory boards such as Qualys and Virtuosi. He holds a B.S. in Chemistry from the University of Chicago and bakes, cooks and juggles in his spare time.

enStratus, CloudStack, and the Apache Foundation

Several years ago, enStratus became the first cloud management platform to support the cloud platform of a company then known as VMOps. Since then, we’ve implemented public and private cloud solutions against VMOps, Cloud.com, and Citrix CloudStack for small companies, service providers, and enterprise private clouds. Today, we are thrilled to be part of the next step in the evolution of the CloudStack cloud platform as it becomes an incubator project for the Apache Foundation.

Obviously, enStratus will continue to support clouds built on CloudStack. enStratus brings to CloudStack everything you expect from enStratus in other cloud environments, including governance, budget management and chargebacks, automation, and more. In addition, enStratus orchestrates multi-cloud operations that include CloudStack among other options like Amazon’s public cloud. You can even use enStratus to automate the deployment of PaaS solutions like CloudFoundry on top of CloudStack.

But enStratus also has a long history of supporting Open Source efforts in the cloud space. In 2010, we released our cloud abstraction layer, Dasein Cloud, as an Open Source project under the Apache 2.0 license. enStratus customers as well as developers with no relationship to enStratus use Dasein Cloud to provide “write once, run against any cloud” capabilities for Java-based cloud applications. Our support of Open Source in the cloud space extends to many other projects beyond Dasein Cloud. We already have a number of things in mind that we would like to see in cloud platforms, and we look forward to working with the CloudStack Apache incubator project to bring these things to fruition.

Cloud Management and Identity

I would like to focus on one of the big challenges in cloud information security—identity and access management. Or in other words, authentication and authorization.

How do you cleanly control who has access to what within your enterprise?

The authentication piece has been getting easier (though there are still a lot of hurdles) as more operating systems and applications support technologies such as ActiveDirectory (AD), LDAP and Single Sign On. Authorization is a much bigger problem as most applications still aren’t leveraging directory services as well as they could, but rather have their own built-in authorization systems. If you are lucky, however, they can map roles to AD or LDAP groups.

This problem is magnified when you start moving to the cloud and especially so when you move to public cloud. And while some cloud providers, most notably AWS, have started adding some authorization functionality most have little to nothing to offer on this front. As an example, on most (all?) providers anyone who has access to terminate instances can terminate any instance in that account!

One company I’m familiar with had a developer with legitimate access to their cloud provider accidentally terminate several key development databases when trying to terminate some test instances they had launched. Fortunately, those databases were backed up so recovery was relatively simple, though it did stop work for several hours while the recovery happened. Other companies I’ve talked with have dealt with this issue by creating a separate cloud account for each project. This isn’t too painful when you have a few accounts, but this quickly scales beyond the point of manageability with some companies having as many as 60, 80 or even 150 (or more!) different cloud accounts. This quickly becomes a nightmare to track and manage. Some developers or IT folks end up with dozens of different keys and other credentials to manage. This just increases the chances of errors happening. And what do you do when those folks leave? Talk about a mess to clean up!

This is where we come into play. enStratus has built a much more granular access control system. Users are assigned to groups and roles which are then granted permissions to the appropriate servers or deployments, even across multiple clouds. This access can be further restricted to particular actions such as, starting, stopping, pausing or terminating servers. This can, of course, all be managed via our API. As an added bonus, for on-site deployments we also support synchronization with Active Directory or LDAP, but that’s really the subject of another post.

To read on, you can read the new white paper on Identity and Access Management for the Cloud (PDF). I would love to continue the conversation or get your feedback.

 

David Mortman is the enStratus Chief Security Architect and has been doing Information Security for well over 15 years. Most recently, he was the Director of Security and Operations at C3. Previously, David was the CISO at Siebel Systems and the Manager of Global Security at Network Associates. David speaks regularly at Blackhat, Defcon and RSA amongst other conferences. Additionally, he blogs at emergentchaos.com,  newschoolsecurity.com  and securosis.com. David sits on a variety of advisory boards such as Qualys and Igie. He holds a B.S. in Chemistry from the University of Chicago and bakes, cooks and juggles in his spare time.

 

 

Evolving with CloudStack and the Ecosystem

As is evident at the Cloud Connect conference this week, the cloud industry keeps changing, evolving and growing. Today, Citrix announced CloudStack 3—including new features such as expanded networking and hypervisor support, and more.  

enStratus is excited to participate in this announcement and would like to congratulate Citrix on the first major new release since the acquisition of Cloud.com. Of course, our work with CloudStack is nothing new. enStratus has been working with CloudStack since the beginning of time—from VMOps to Cloud.com and now with Citrix. Our joint customers include several enterprise cloud deployments, including Korea Telecom (KT) where enStratus is the cloud management platform for KT's enterprise clients.  

enStratus has already completed testing with CloudStack 3 and we look forward to helping clients with governance and automation capabilities for this new release, as well as other their other private and public clouds. Whether on-premises or leveraging our SaaS solution, we are ready to go. 

Also part of the announcement today was the introduction of the Citrix Cloud Community.  Our business model and product strategy relies on a strong cloud ecosystem to help deliver a complete solution for our clients. This includes integration with leading configuration management tools, like Chef and Puppet, as well as working with systems integrators and cloud consultancies to deploy and manage clouds for our customers. We look forward to working with new partners going forward. We also look forward to having our cloud management experts work with the CloudStack community to enable enterprises around the globe continue down their path to the cloud.  

Several members of the enStratus team are at Cloud Connect, including Bernard Golden, our new VP of Enterprise Solutions.  Bernard, along with our VP of Product Strategy, James Urquhart, will be presenting at four sessions over the next few days.  Look for them at the show or stop by booth #622 for a chat.  

In the meantime, enStratus will continue leading the cloud evolution with our ecosystem. I look forward to sharing more updates with you soon.

George Hadjiyanis is the Vice President of Sales and Marketing for enStratus and has been with the company since it was founded in 2008.

 

How Can Automation Make Your Cloud More Secure?

Hi! David Mortman here. I’m enStratus’s Chief Security Architect and I’ll be periodically blogging here to cover issues related to security and the cloud. One of the themes I’ll be hitting a lot over the coming months is the power of automation and how that makes your organization not only more efficient but also more secure.

Case in point, multiple studies have shown that one of the biggest contributors to downtime at companies is human error (Visual Ops, Visual Ops Security by Gene Kim et al.).  Automation can remove much of the human element from this equation and especially in the case of repeatable actions, ensures that those tasks are done the same way every time. This is hugely helpful during the audit process for compliance regimes. 

Similarly, as we’ve learned from the Verizon DBIR, one of the biggest contributors to security breaches over the years is the failure by organizations to change or revoke access to resources after individuals change or leave jobs. This is yet another place where automatic processes can be very helpful.

Once you have automation in place, you can start doing some really interesting things very efficiently. For example, deployment of patches becomes even simpler, as does the provisioning (and de-provisioning) of users across machines. You can also start automating the handling of encryption keys or other sensitive data. This means that you can now reduce the number of employees who need access to that sort of data even more. And, as an added bonus, all of these actions are logged by default which also helps with audit and compliance concerns be it from customers, partners or regulators.

More on the power of automation in a later post.

 

David Mortman is the enStratus Chief Security Architect and has been doing Information Security for well over 15 years. Most recently, he was the Director of Security and Operations at C3. Previously, David was the CISO at Siebel Systems and the Manager of Global Security at Network Associates. David speaks regularly at Blackhat, Defcon and RSA amongst other conferences. Additionally, he blogs at emergentchaos.com,  newschoolsecurity.com  and securosis.com. David sits on a variety of advisory boards such as Qualys and Igie. He holds a B.S. in Chemistry from the University of Chicago and bakes, cooks and juggles in his spare time.

 

 

Extend LDAP/AD Into Your Cloud Management

Whether you have a public, private, or hybrid cloud, a best-practice includes extending your LDAP or Active Directory (AD) into your cloud management security. This allows you to build on your existing security policies and improve the efficiencies of your cloud infrastructure user management.

1. Delegated Authority: This enables you to set up users in enStratus without the need to set up users and passwords. Here are a couple common tasks that would benefit from directory services integration.

• Add a user to LDAP - enStratus will discover the user and add that user an all group memberships for that user to enStratus.

• Terminate user from LDAP - enStratus will deactivate the user in the enStratus directory as well as remove any Windows and Unix accounts for that user on VMs in the cloud.

2. Automated Management: Remotely manage users and group membership

3. Access Controls: Granular, role-based permissioning managed within enStratus across one or more clouds

Leverage Directory Services to extend security and access controls into private and public clouds

These capabilities will save you time and keep your security policies consistent across clouds.

If you would like to learn more, you can request a copy of our User Management for Private and Public Clouds document.

From Where Should You Govern Your Cloud?

More and more enterprises are moving forward with private/public cloud proof-of-concepts and production deployments.  As the cloud migration ramps, cloud governance is becoming more of a focus. 

Recent CRN and ZDNet articles gave some great points to consider about cloud governance.

• Central authorization  
• ID and access controls
• Policy enforcement and monitoring
• Service level reporting
• Automation and auditing

One new question facing organizations moving to the cloud is how do you deliver this governance and from where?

As the diagram below shows, there are three options to deliver a cloud governance solution.  

1) SaaS solution running in the cloud being managed

In this model, you are running all or part of your cloud governance solution in the cloud that you are governing. This is how several enStratus competitors deliver their solution. In terms of access controls, service levels, disaster recovery and other issues, the risk level seems a little like letting the fox guard the henhouse.

2) SaaS solution running outside the cloud being managed

This model has become popular for companies governing public cloud deployments. This is one option available from enStratus. Governing your public cloud from a SaaS solution hosted outside the cloud provides a better framework for key management, encryption, and auditing.

3) An on-premise deployed cloud management solution

Deploying a completely on-premise version of cloud management software is the preferred option for enterprises with very sensitive data in the public cloud or organizations that have a private cloud. The benefit includes leveraging your policies and procedures and directly integrating with internal infrastructure and management systems. This is also a model delivered by enStratus. This is the best option for organizations with compliance requirements or that are very risk averse.

The key to selecting one of these models is understanding your cloud strategy, governance needs and risk tolerance. 

Cloud OS or Cloud Management Software?

As with any emerging market comes terminology confusion.  The term “Cloud Management” is a great recent example. We want to take a few minutes to help define this important term.

You will hear people refer to various solutions as Cloud Management Software – from Cloud Operating Systems to tools that allow you to manage multiple SaaS solutions.

In the IaaS space, Cloud Management Software sits on top of various public and private clouds and provides the following capabilities:

1)   Allows users to provision, manage and control various public clouds and private cloud platforms

2)   Helps manage users, security, and automation across infrastructures

3)   Protect from single cloud vendor lock-in to allow cross-cloud operations and migration

4)   Manage your service level requirements

5)   Audit and report for compliance

The diagram below shows our perspective of the relationship Cloud OS solutions.

 

VMware has a great definition of a Cloud OS.

“A cloud operating system is a new category of software that is specifically designed to holistically manage large collections of infrastructure – CPUs, storage, networking – as a seamless, flexible and dynamic operating environment.  Analogous to the operating system that manages the complexity of an individual machine, the cloud operating system manages the complexity of a datacenter.”

We hope that this helps clarify the difference.

 

Cross-Cloud Management Today

Over the past few months, more and more organizations have moved toward leveraging multiple cloud providers.  Whether it’s a private/public hybrid model or multiple public providers, this is definitely a trend.

Our vision has always been that organizations will use multiple cloud providers and need one management, governance and automation solution for all of them. 

Security, Provisioning and Financial Controls

Many of our customers have been starting VMs in multiple cloud providers like AWS, Rackspace, Eucalyptus and Cloud.com.  With our granular access controls, enStratus provides you the ability to grant access to each person or group with the access they require for the appropriate clouds.

In addition our financial controls allow you to track spending across clouds including soft and hard spending caps across all the clouds you manage with enStratus.

Cross-cloud dependencies, cloud-bursting, cross-cloud DR, and cross-cloud auto-scaling

Though managing multiple independent clouds from inside enStratus is cool, enStratus also enables you to create managed applications that operate across multiple clouds. For example, you can configure an application to operate entirely within your private data center up to a certain capacity threshold and have enStratus burst part, or all of it, into a public cloud beyond that capacity. The image below shows an example of how to set the bursting to the secondary cloud after 5 servers.

For truly distributed application architectures, enStratus has the capability to automate cross-cloud auto-scaling. enStratus will make sure traffic for your distributed application is balanced evenly across multiple clouds and provide you redundancy even in the face of the complete failure of one of your cloud providers. Even if you don’t want the redundancy, enStratus will optionally backup to a DR cloud.

  

Manage Your Private/Hybrid Clouds from Your Own Data Center

Most companies got their first exposure to cloud computing through public cloud options such as any of the many public clouds supported by enStratus.  When operating a public cloud, it makes a lot of sense to leverage a SaaS tool like the enStratus SaaS solution. You simply visit https://cloud.enstratus.com/page/1/register.jsp, sign up, and immediately begin using enStratus to manage your cloud. No software installation needed.

Running a private cloud? Leverage enStratus on-premise!

Most enterprises these days are looking beyond the public cloud to hybrid and private cloud computing. While our SaaS solution is perfectly capable of managing private and hybrid clouds, we think it makes sense to have an on-premise management tool when managing on-premise clouds. The systems you are deploying in a private cloud are obviously important enough to keep within your data center, so it makes no sense to allow a third-party control that infrastructure from beyond your firewalls.

Same Features, On-premise. The enStratus on-premise solution provides the same exact features as our SaaS offerings, operating in your data center instead of ours. It’s a simple installation and you can plug it into your SSO infrastructure (including SAML 2.0 and OpenID). You can then point enStratus at your private and public clouds.

enStratus is simply the only enterprise cloud infrastructure capable of on-premise deployment for managing public and private clouds.

Most Cloud Platforms, including VMware vCloud. No other cloud management offering provides the same freedom of choice among a cloud platforms and public clouds as enStratus. We natively support vCloud, Nimbula, OpenStack, Eucalyptus, and Cloud.com. In addition, you can leverage all of the public compute clouds we support (AWS, Bluelock, CloudSigma, GoGrid, Rackspace, Terremark) and all of the public storage clouds (AWS, AT&T, Azure, Google, Rackspace) from within your data center.

Operate across clouds: Cross-cloud dependencies, cloud-bursting, cross-cloud DR, and cross-cloud auto-scaling

Though managing multiple independent clouds from inside enStratus is cool, enStratus also enables you to create managed applications that operate across multiple clouds. For example, you can configure an application to operate entirely within your private data center up to a certain capacity threshold and have enStratus burst part or all of it into a public cloud beyond that capacity.

For truly distributed application architectures, enStratus has the capability to automate cross-cloud auto-scaling. enStratus will make sure traffic for your distributed application is balanced evenly across multiple clouds and provide you redundancy even in the face of the complete failure of one of your cloud providers. Even if you don’t want the redundancy, enStratus will optionally backup to a DR cloud.