How 2020 Presidential Candidates Can Guard Against Cyberattacks

The 2016 presidential election witnessed unprecedented Russian cyberattacks and disinformation campaigns designed to disrupt the U.S. electoral system by influencing public opinion. The Russian goal is to destabilize the U.S. through ideological activism, advancing their interests and furthering their political agenda. Their methods compromised the computer systems of candidates and political parties, using the exfiltrated data to spread disinformation and influence presidential elections.

On January 6, 2017, the U.S. Director of National Intelligence released a declassified report “Assessing Russian Activities and Intentions in Recent U.S. Elections.” According to the report, Vladimir Putin ordered a massive campaign orchestrating attacks from multiple fronts that involved spreading pro-Trump propaganda on social media to hacking the Democratic National Committee (DNC). Their methods resulted in massive data breaches within the DNC that included access to John Podesta's email f…

Just What is Cloud Security?

Today, cloud computing is part of our daily lives. We use its convenience with Google Drive, Microsoft's OneDrive and many other providers such as Dropbox. Corporations use the resources of Google, Amazon S3, Microsoft Azure and Office 365.

Without a doubt, many still harbor deep concerns over cloud computing from a security standpoint, and rightfully so. I will touch upon some of the legal ramifications as well. In its most straightforward definition, cloud computing is nothing more than a service delivered on demand over the internet. It is, in other words, an extension of data center facilities, hardware, and applications controlled by the provider of those services, which leases them out. With its inherent qualities, cloud computing has tremendous potential for organizations to improve their overall information security posture.

So what are the reasons for this? It is the cloud model and its virtue of scale to the global public. All tenants and users can achieve better security because of the provider's investment in attaining significant security cost containment per consumer. In other words, to paraphrase, it is protection as a service. The cloud model enables the return of effective control and professional operation over IT resources, processing and information.

Not only do we have the “public cloud” but a new twist, sort of, is the “private cloud.” So, what the heck is that? Some can imagine it as one cute cumulus cloud all by itself, a single silhouette up in the sky.

A private cloud is one that is not shared with other tenants; it is a dedicated resource that is controlled by its owner and not by the service provider. Think of co-location portability, such as transporting a pre-configured data center in a container and plugging it in at a hosting facility: we have plug-and-play technology at the data center level. These data-centers-in-a-container are shipped worldwide; just imagine the disaster recovery and business continuity advantages this provides. Also consider the physical, logical and logistical security issues that go along with that, which are significant and complex.

However sophisticated, a private cloud provides significant security advantages for the same reasons. The catch is the cost of investment to acquire and maintain it, never mind the logistics involved. Think of it this way: renting an apartment versus owning a home. You get the picture.

A view from inside Microsoft’s Chicago Data Center container area:

Cloud Security Fundamentals

The significant issues facing cloud security are ever evolving along with the technology itself and are beyond the scope of this article. However, the fundamental aspects are these:

Network Availability: Arguably the most critical foundation; without it, the cloud is pointless. The intrinsic value of cloud computing can be realized only when network connectivity and bandwidth meet your needs. The cloud must be available whenever you need it. If not, the consequences are no different than a denial-of-service attack.

Cloud Provider Viability: Cloud providers are relatively the new kids on the block, and they are subject to questions about their viability and commitment. This concern deepens when a provider requires tenants to use proprietary interfaces, leading to tenant lock-in. Be cognizant, conduct due diligence when vetting prospective providers, and have input into your company's SLA. Always work with and educate your legal counsel about the technology.

Disaster Recovery and Business Continuity: Corporate tenants require confidence that their operations and services will continue if the cloud provider's production environment is subject to a disaster. Make sure your containers in these facilities can be moved to other locations on short notice should the need arise. Realize that significant providers of cloud services have built their facilities in geographical areas not prone to natural disasters, close to reliable transportation, and with redundant electrical grid and telecommunication (internet) feeds; some are in physically hardened facilities.

Security Incidents: The provider must inform tenants of any security breach; this is extremely important. It is not enough to ensure your assets are secure; the services of the provider must be secure as well. Tenants may require provider support to respond to audit or assessment findings. Some providers may push back on this requirement. Make sure of this and incorporate language in the SLA for resolving investigations.

Transparency: This is a concern when a cloud provider doesn't expose details of its own internal policy or technology. Tenants must then trust the provider's security claims, and well, I don't buy that. Transparency is a must, for security issues can and will affect both tenant and provider. Legal problems arise in the language that often tries to pin the blame on either party when breaches occur. Tenants must have transparency from providers as to how they manage cloud security, privacy and security incidents.

Loss of Physical Control

It is a well-known fact among seasoned security professionals that tenants and users lose physical control over their data and applications. This gives rise to a range of concerns and is the Achilles heel:

Data Privacy: One of, if not the, primary global concerns, with severe ramifications involving public and private clouds. What's private data in one country may not necessarily be absolutely and unconditionally private in another. Data may not remain in the same system, raising multiple legal concerns, domestically and internationally.

Data Control: Data comes into the provider in various ways, with some data belonging to others. Consider a shared database cluster a provider allocates to all tenants. A tenant DBA or administrator has limited control scope and accountability within a public Infrastructure as a Service (IaaS) implementation, and even less with a Platform as a Service (PaaS) one. Another significant concern is authentication, authorization, and provisioning. Tenants need to have confidence their provider will offer appropriate control while recognizing the need to adapt their expectations for how much power is reasonable within these models.

Risks and Vulnerabilities: Another issue is that cloud computing brings new classes of threats and vulnerabilities. There are likely new risks, but the actual exploits will mainly be a function of a provider's implementation. All software, hardware, and networking equipment are subject to newly unearthed vulnerabilities. By applying layered security and well-conceived operational processes, you can protect a cloud from frequent attacks, even if some of its components are inherently vulnerable. I must advise that in a shared environment layered security may not be possible, as some security systems and applications are not adapted to the "security as a service" model, and the provider may not provide adequate security that is beyond their control.

Legal and Regulatory Compliance: The irony of it all is that it may be difficult or unrealistic to use public clouds if your data is subject to legal restrictions or regulatory compliance. For example, the US Department of Justice recently was trying to compel Microsoft to divulge data stored in another sovereign nation such as Ireland. The privacy regulators in the European Union are all up in arms, preventing data disclosure by their laws. Following appropriate legal protocol is advised, and you can expect providers to build and certify cloud infrastructures to address the needs of regulated markets. Just make sure they do that. Another headache is that achieving certification may be challenging due to the many non-technical factors, including the current state of general cloud knowledge.

The public cloud model is appropriate for many non-sensitive needs; however, moving sensitive information into any cloud not certified for such processing introduces inappropriate risk. You need to be entirely clear about specific best practices: It's unwise to use a public cloud for processing sensitive, mission-critical or proprietary data. It's expensive and excessive to burden non-sensitive and low-impact systems with high-assurance security. Finally, it's irresponsible to either dismiss cloud computing as being inherently insecure or claim it to be more secure than alternatives.

Follow a reasonable risk assessment when choosing a cloud deployment model. You should also ensure you have appropriate security controls in place. List your security concerns so you can either dismiss or validate them and counter them with compensating controls.

The Significance of Virtualization

Virtualization plays a significant part in cloud computing and is one of the main cogs in the system. Consider it one of the centerpieces that, along with advancements in hardware technology, brings downsizing and portability to the data center. One must understand how virtualization is implemented within a cloud infrastructure and its architecture. I will try not to get too technical and will explain the types of virtualization methods deployed in the cloud.

At the basic level, a virtual machine (VM) is an operating system (OS) captured in a configured and operationally ready system image. This image amounts to a snapshot of a running system that includes space in the model for virtualized disk storage.

The support for the VM’s operation is called a hypervisor, which represents itself to the VM as the underlying hardware. Different virtualization implementations vary, and there are several, but I will discuss the three most common types:

Type 1: This is also called native or bare metal virtualization. It’s implemented by a hypervisor that runs directly on bare hardware. Examples are Microsoft Hyper-V, Oracle VM, LynxSecure, VMware ESX, and IBM z/VM.

Type 2: Also called hosted virtualization, it has a hypervisor running as an application within a host OS, with VMs running above the hypervisor. Examples include Oracle VirtualBox, Parallels, Microsoft Windows VirtualPC, VMware Fusion, VMware Server, Citrix XenApp and Citrix XenServer.

OS-implemented virtualization: Implemented within the OS itself, it takes the place of the hypervisor. Examples of this include Solaris Containers, BSD jails, OpenVZ, Linux-VServer, and Parallels Virtuozzo Containers.

The Common Security Concerns

The security concerns with the use of virtualization are:
  1. Adding a new VM is adding an additional OS. This entails additional security risk. Every OS should be appropriately patched, maintained and monitored as appropriate per its intended use.
  2. Network-based intrusion detection doesn't work well with virtual servers co-located on the same host. Consequently, you need to use advanced techniques to monitor traffic between VMs. When you move data and applications between multiple physical servers for load balancing or failover, network monitoring systems can't assess and reflect these operations for what they are. The problem is compounded when using clustering in conjunction with virtualization.
  3. Virtualization demands different management approaches for many functions, including configuration management, VM placement, and capacity management. Also, the resource allocation problems can quickly become performance issues. Thus, refined performance management practices are critical to running a productive, secure virtualized environment.
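
As an added illustration of concern 2 (not part of the original article), the Python sketch below classifies VM-to-VM flows by whether they ever reach the physical network where a conventional network IDS sits, and shows how one migration changes that set. The VM names, hosts, ports and function names are constructed sample data and assumptions.

```python
# Added illustration: which VM-to-VM flows can a network IDS on the physical
# switch actually see? All names and data below are constructed samples.
from collections import defaultdict

# VM -> physical host placement (constructed inventory).
PLACEMENT = {"web1": "hostA", "app1": "hostA", "db1": "hostB", "web2": "hostB"}

# (source VM, destination VM, destination port) flow records (constructed).
FLOWS = [
    ("web1", "app1", 8080),
    ("app1", "db1", 5432),
    ("web2", "db1", 5432),
    ("web2", "app1", 8080),
]

def classify(flows, placement):
    """Split flows into those crossing the physical network and those that
    stay on one host's virtual switch, where a physical tap sees nothing."""
    visible, blind = [], []
    for src, dst, port in flows:
        same_host = placement[src] == placement[dst]
        (blind if same_host else visible).append((src, dst, port))
    return visible, blind

def blind_spots_by_host(flows, placement):
    """Group the unseen flows by host, i.e. where a virtual tap or
    hypervisor-level sensor would be needed to monitor them."""
    per_host = defaultdict(list)
    for src, dst, port in classify(flows, placement)[1]:
        per_host[placement[src]].append((src, dst, port))
    return dict(per_host)

def migrate(placement, vm, new_host):
    """Return a new placement after a load-balancing or failover move."""
    moved = dict(placement)
    moved[vm] = new_host
    return moved

if __name__ == "__main__":
    print("before:", blind_spots_by_host(FLOWS, PLACEMENT))
    after = migrate(PLACEMENT, "app1", "hostB")
    print("after moving app1:", blind_spots_by_host(FLOWS, after))
```

Moving `app1` to `hostB` takes the application-to-database flow off the physical wire, so monitoring coverage has to be recomputed from the current placement rather than assumed from the network diagram.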

Cloud computing may have inherent cost savings but without question has significant disadvantages that counter those benefits. Among them are major security, legal and compliance requirements that are global in nature and oftentimes hinder total adoption of IT services in the cloud. When dealing with cloud computing, ask if it makes sense, not for the entire organization, but perhaps for departments that have less risk associated with their operations. It also brings in virtualized technology, adding additional technical and security concerns. These concerns are not for a user or tenant in a public cloud, but for the private cloud, where organizations must acquire, deploy and maintain virtualized systems.