@CloudExpo Authors: Pat Romanski, Elizabeth White, Liz McMillan, Yeshim Deniz, Zakia Bouachraoui

Related Topics: @CloudExpo, Containers Expo Blog, Cloud Security

@CloudExpo: Blog Feed Post

Not On My VM. Step One in Secure Cloud Usage

The solution is, of course, to use the tools that virtualization offers

A few years ago, a gentleman created a video showing how quickly an unpatched, unprotected Windows XP machine was infected once connected to the public Internet (the linked video is worth a watch, and is short). That video took the business community pretty much by storm, but was old news to security administrators and most systems administrators. Things have improved on the operating systems side of the house, but so have the systems, attackers, and environment for hackers, meaning things aren’t much better today.

In the confines of your enterprise, that’s all cool. Whether you are deploying a server or a desktop, you configure a machine, it follows the standards of the organization, and is protected by the organization’s security architecture.

imageWhen you deploy an application to the cloud, though, far too often the fact of how hostile the Internet is to unprotected servers is not properly appreciated. Sometimes because it isn’t IT deploying the application, sometimes because it is “just a pilot to evaluate cloud”, sometimes because the environment is so different that the Standard Operating Procedure (SOP) and policy documents are close to useless. No matter what the reason, the end result can be a nightmare just the same as if it happened in your datacenter.

The solution is, of course, to use the tools that virtualization offers, install and configure the VM and all applications internally, set up antivirus, lock down the operating system and the applications running in the VM, then either clone it and move the clone out to the cloud, or use VMotion to move it out to the cloud.

Any other alternative approach, due to the nature of the cloud, will leave you exposed for a variable amount of time. The problem here is that the IP has to be publicly routable for you to get to the instance, so there really isn’t a good way to install the OS out there and then lock it down. Once the OS is installed, you’re potentially in for a rough ride.

Some of you are going “Of course, this is common sense”. As usual, in some organizations it is indeed common sense. In others it absolutely is not, and often the nature of pilot programs makes “common sense” relative to “gaining knowledge”. So it is absolutely worth saying outright.

And yes, this is the very tip of the iceberg, your application must provide its own security services or have access to the role-based architecture deployed in the datacenter, but seriously, cloud security at the OS/Application layer is no different than public-facing applications in the datacenter. In the end, both are going to have public IP addresses that must be protected from those lurking in the shadows.


The next major sticking point is data connections back to the datacenter, but products like F5’s BIG-IP LTM can help in that department, offering tools like iSessions to provide secure, encrypted tunnels back to the datacenter. There are other products out there that can answer this same need, but recall that I’m an F5 employee. And recall that F5 is a market leader for a reason.


But you won’t even get there if your server instances are infected before they’re even patched. So remember, protect your server instances before you deploy them. In fact, if you’re going to do more than one or two servers to the cloud, it might just be worth your while to create a specialized image and insist that all cloud images be clones of that image – that way you can build all the protections in once and be done with it, much as you likely do with desktops and servers today. Better to start with the known-to-be-locked-down image and loosen from there than to recreate lock-down code every time you build a new server.

Safety first, it’s scary out there.

Read the original blog entry...

More Stories By Don MacVittie

Don MacVittie is founder of Ingrained Technology, A technical advocacy and software development consultancy. He has experience in application development, architecture, infrastructure, technical writing,DevOps, and IT management. MacVittie holds a B.S. in Computer Science from Northern Michigan University, and an M.S. in Computer Science from Nova Southeastern University.

CloudEXPO Stories
A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organizers to pass great deals to great conferences, helping you discover new conferences and increase your return on investment.
Using new techniques of information modeling, indexing, and processing, new cloud-based systems can support cloud-based workloads previously not possible for high-throughput insurance, banking, and case-based applications. In his session at 18th Cloud Expo, John Newton, CTO, Founder and Chairman of Alfresco, described how to scale cloud-based content management repositories to store, manage, and retrieve billions of documents and related information with fast and linear scalability. He addressed the challenges of scaling document repositories to this level; architectural approaches for coordinating data; search and storage technologies, Solr, and Amazon storage and database technologies; the breadth of use cases that modern content systems need to support; how to support user applications that require subsecond response times.
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
With more than 30 Kubernetes solutions in the marketplace, it's tempting to think Kubernetes and the vendor ecosystem has solved the problem of operationalizing containers at scale or of automatically managing the elasticity of the underlying infrastructure that these solutions need to be truly scalable. Far from it. There are at least six major pain points that companies experience when they try to deploy and run Kubernetes in their complex environments. In this presentation, the speaker will detail these pain points and explain how cloud can address them.
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple cloud provider environments. Yet, despite this portability promise, developers may include configuration and application definitions that constrain or even eliminate application portability. In this session we'll describe best practices for "configuration as code" in a Kubernetes environment. We will demonstrate how a properly constructed containerized app can be deployed to both Amazon and Azure using the Kublr platform, and how Kubernetes objects, such as persistent volumes, ingress rules, and services, can be used to abstract from the infrastructure.