Tag Archives: deployment

“Rogue Clouds” Giving IT Staff Nightmares

Organizations are widely migrating to the cloud to gain competitive advantages around speed, agility and flexibility according to Symantec Corp’s recent Avoiding the Hidden Costs of Cloud 2013 Survey. In fact, more than 90 percent of all organizations are at least discussing cloud, up from 75 percent a year ago. Other key survey findings showed enterprises and SMBs are experiencing escalating costs tied to rogue cloud use, complex backup and recovery, and inefficient cloud storage. Rogue clouds are defined as business groups implementing public cloud applications that are not managed by or integrated into the company’s IT infrastructure.

Industry experts predict several key issues will arise in 2013 focused on the financial pressures and security challenges of cloud computing. Business continuity is seen as an important issue with the increase in cloud outages posing greater risks than security breaches. Over the holidays, a leading cloud service provider experienced an outage, which they quickly remediated. This outage impacted businesses and posed important concerns around data loss prevention, backup, time spent on data recovery and the associated costs. However, with advance preparation, organizations can build safe, agile and efficient clouds that will enable them to meet their business goals.

“By taking control of cloud deployments, companies can seize advantage of the flexibility and cost savings associated with the cloud, while minimizing the data control and security risks linked with rogue cloud use,” said Francis deSouza, group president, Enterprise Products and Services, Symantec.

77% of businesses saw rogue cloud deployments last year, 40% of them suffered exposure of confidential info.

Rogue Cloud Implementations

According to the survey, rogue cloud deployments are one of the cost pitfalls. It is a surprisingly common problem, found in more than three quarters (77 percent) of businesses within the last year. It also seems to be an issue experienced more by enterprises (83 percent), due to their larger company size, than SMBs (70 percent).

Among organizations who reported rogue cloud issues, 40 percent experienced the exposure of confidential information, and more than a quarter faced account takeover issues, defacement of Web properties, or stolen goods or services. The most commonly cited reasons for undertaking rogue cloud projects were to save time and money.

Cloud Backup and Recovery Issues

Cloud is complicating backup and recovery. First, most organizations use three or more solutions to back-up their physical, virtual and cloud data—leading to increased IT inefficiencies, risk and training costs. Furthermore, 43 percent of organizations have lost cloud data (47 percent of enterprises and 36 percent of SMBs), and most (68 percent) have experienced recovery failures.

Finally, most see cloud recovery as a slow, tedious process. Only 32 percent rate this is as fast and 22 percent estimate it would take three or more days to recover from a catastrophic loss of data in the cloud.

Inefficient Cloud Storage

One of the key advantages to cloud storage is how simple it is to provision. Sometimes this simplicity leads to inefficient cloud storage. Generally, organizations strive to maintain a storage utilization rate above 50 percent. According to the survey, cloud storage utilization is surprisingly low at 17 percent. There is a tremendous difference in this area between enterprises (which are utilizing 26 percent of their storage) and SMBs (which is a shockingly low seven percent). Furthermore, roughly half admit very little, if any, of their cloud data is deduplicated, further compounding the problem.

Compliance and eDiscovery Concerns

According to the survey, 49 percent of organizations are concerned about meeting compliance requirements in the cloud, and a slightly larger number (53 percent) are concerned about being able to prove they have met cloud compliance requirements. This concern about information in the cloud is well founded, as 23 percent of organizations have been fined for cloud privacy violations.

eDiscovery is creating additional pressure on businesses to quickly find the right information. One-third of businesses reported receiving eDiscovery requests for cloud data. Of those, two-thirds have missed their cloud discovery deadlines, leading to fines and legal risks.

Data in Transit Issues

Organizations have all sorts of assets in the cloud – such as web properties, online businesses or web applications – that require SSL certificates to protect the data in transit whether it is personal or financial information, business transactions and other online interactions. The survey showed companies found managing many SSL certificates to be highly complex: Just 27 percent rate cloud SSL certificate management as easy and only 40 percent are certain their cloud-partner’s certificates are in compliance with corporate standards.

Hidden Costs Are Easily Avoided

The survey shows ignoring these hidden costs will have a serious impact on business. However, these issues are easily mitigated with careful planning, implementation and management:

  • Focus policies on information and people, not technologies or platforms
  • Educate, monitor and enforce policies
  • Embrace tools that are platform agnostic
  • Deduplicate data in the cloud

Symantec’s Avoiding the Hidden Costs of Cloud 2013 Survey

Symantec’s 2013 Cloud Survey is a result of research conducted by ReRez in September-October 2012. The full study represents 3,236 organizations from 29 countries. Responses came from companies with a range of five to more than 5,000 employees. Of those responses, 1,358 came from SMBs and 1,878 came from enterprises.

Source

Hype Cycle For Cloud Computing, 2012

Enterprises are beginning to change their buying behaviors based on the deployment speed, economics and customization that cloud-based technologies provide. Gartner cautions however that enterprises are far from abandoning their on-premise models and applications entirely for the cloud.

Based on an analysis of the Gartner Hype Cycle for Cloud Computing, 2012, the best results are being attained by enterprises that focus on a very specific strategy and look to cloud-based technologies to accelerate their performance. Leading with a strategic framework of goals and objectives increases the probability of cloud-based platform success. Those enterprises that look to cloud platforms only for cost reduction miss out on their full potential.

Cloudwashing and Inflated Enterprise Expectations

While the hype surrounding cloud computing may have peaked, cloudwashing continues to cause confusion and inflated expectations with enterprise buyers. This just slows down sales cycles, when more straightforward selling could lead to more pilots, sales and a potentially larger market. Cloud vendors who have the expertise gained from delivering cloud platforms on time, under budget, with customer references showing results are starting to overtake those that use cloudwashing as part of their selling strategies.

Additional take-aways from the Gartner Hype Cycle for Cloud Computing include the following:

  • The Cloud BPM (bpmPaaS) market is slated to grow 25% year over year, and 40% of companies doing BPM are already using BPM in the cloud. Gartner has identified more than 30 bpmPaaS applications and platforms, and defines this category as a model-driven BPM platform in the cloud to construct next-generation process-centric applications for systems of differentiation and innovation.
  • Cloud Email is expected to have a 10% adoption rate in enterprises by 2014, down from the 20% Gartner had forecasted in previous Hype Cycles. This represents modest growth as the adoption rate of this category had been between 5 and 6% in 2011.
  • Big Data will deliver transformational benefits to enterprises within 2 to 5 years, and by 2015 will enable enterprises adopting this technology to outperform competitors by 20% in every available financial metric. Gartner defines Big Data as including large volumes processed in streams, in addition to batch. Integral to Big Data is an extensible services framework that can deploy processing to the data or bring data to the process workflow itself. Gartner also includes more than one asset type of data in their definition, including structured and unstructured content.
  • Master Data Management (MDM) Solutions in the Cloud and Hybrid IT are included in this hype cycle for the first time in 2012. Gartner reports that MDM Solutions in the Cloud is getting additional interest from Enterprise buyers as part of a continual upward trend of interest in MDM overall. Dominant vendors in this emerging area with MDM-in-the-cloud solutions include Cognizant, Data Scout, IBM, Informatica, Oracle and Orchestra Networks.
  • PaaS continues to be one of the most misunderstood aspects of cloud platforms. The widening gap between enterprise expectations and experiences is most prevalent in this market. Gartner claims this is attributable to the relatively narrow middleware functions delivered and the consolidation of vendors and service providers in this market.
  • By 2014 the Personal Cloud will have replaced the personal computer as the center of users’ digital lives.
  • Private Cloud Computing is among the highest interest areas across all cloud computing according to Gartner, with 75% of respondents in Gartner polls saying they plan to pursue a strategy in this area by 2014. Pilot and production deployments are in process across many different enterprises today, with one of the major goals being the evaluation of virtualization-driven value and benefits.
  • SaaS is rapidly gaining adoption in enterprises, leading Gartner to forecast more than 50% of enterprises will have some form of SaaS-based application strategy by 2015. Factors driving this adoption are the high priority enterprises are putting on customer relationships, gaining greater insights through analytics, overcoming IT- and capital budget-based limitations, and aligning IT more efficiently to strategic goals.
  • More than 50% of all virtualization workloads are based on the x86 architecture. This is expected to increase to 75% by 2015. Gartner reports this is a disruptive innovation which is changing the relationship between IT and enterprise where service levels and usage can be tracked.

Bottom line: Gartner’s latest Hype Cycle for Cloud Computing shows that when cloud-based platforms are aligned with well-defined strategic initiatives and line-of-business objectives, they deliver valuable contributions to an enterprise. It also shows how Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) are the catalysts of long-term market growth.

Author: Louis Columbus
Source

The State Of Cloud Networking

As the role of cloud computing is growing significantly in its ability to deliver business applications, many IT decision makers are facing challenges with their existing network infrastructure to support the migration of their business applications to the cloud.

An international study by Cisco revealed that without the proper cloud migration strategy, more than one third (38 percent) of IT decision makers would rather get a root canal, dig a ditch, or do their own taxes than address network challenges associated with public or private cloud deployments.

Cisco revealed that updating the network is one of the top focus areas for cloud migration. In order to successfully move more applications to the cloud, the majority of respondents cited a cloud-ready network (37 percent) as the biggest infrastructure element required for further cloud deployments, ahead of a virtualized data center (28 percent) or a service-level agreement from a cloud service provider (21 percent).

This data expands on the Cisco Global Cloud Index, which predicts that more than 50 percent of computing workloads in data centers will be cloud-based by 2014, and that global cloud traffic will grow over 12 times by 2015, to 1.6 zettabytes per year – the equivalent of over four days of business-class video for every person on Earth.

Cloud deployments in perspective:

  • Almost two in five (39 percent) of those surveyed said they dread network challenges associated with private or public cloud deployments so much that they would rather get a root canal, dig a ditch, or do their own taxes.
  • At the same time, nearly three quarters (73 percent) feel confident that they have enough information to begin their private or public cloud deployments. However, the remainder (27 percent) feel they know more about how to play Angry Birds than about the steps needed to migrate their company’s network and applications to the cloud.
  • In a clear sign that many IT organizations are still considering and planning cloud migrations, nearly one quarter (24 percent) of IT decision makers said that over the next six months, they are more likely to see a UFO, a unicorn or a ghost before they see their company’s cloud migration starting and finishing.
  • Without proper processes and planning, more than one quarter (31 percent) said they could train for a marathon in a shorter period of time than it would take to migrate their company’s applications to the cloud.
  • A majority (76 percent) predict their cloud applications are likely to be breached, yet only one quarter (24 percent) are confident to the point in which they believe the odds are better for them to be struck by lightning than have their cloud applications breached by an unwanted third party.

When asked the reason behind their move to the cloud, 52 percent of respondents claimed it was an imperative made by their business or CIO in order to improve costs, productivity and agility; 41 percent said they’re simply following the industry or their peers; and 30 percent are doing so because of customer requirements.

Source

CIOs Worried By The Cloud

CIOs are worried: cloud computing is being used as a way for businesses to dodge the IT department and get services delivered more quickly. But as well as giving the CIO sleepless nights, this attempt to side-step the IT department is causing additional cost and complexity along the way.

I recently wrote about how cloud computing deployments are kicking off without the CIO’s knowledge, and only coming to light when sys admins put their expenses through. Inside a large organisation this can mean uncontrolled spending on cloud computing that rapidly reaches tens or hundreds of thousands of dollars.

And according to research by Forrester Consulting, two thirds of CIOs now believe their business sees cloud computing as a way to circumvent IT.

“The simultaneous pull of cost reduction and simplification in one direction and better, cheaper, faster in the other is putting a strain on IT’s ability to meet expectations. CIOs are concerned that cloud provides their business a way around IT, which undermines the strategic partnership they are trying to build with business leaders,” said the report ‘Delivering On High Cloud Expectations’.

According to the report, one in three CIOs strongly agreed with the statement, ‘business executives perceive cloud as a means to be less dependent on IT,’ while only one in five non-CIO respondents felt the same way.

“This contrast indicates CIOs are more concerned than their teams that public cloud challenges, and maybe even undermines, their organisation. We agree with their concern; unbridled public cloud acquisition by shadow IT circumvents carefully planned strategies to reduce complexity, control costs, and provide reliable services.”

The survey also found that ’shadow IT’ acquisition of cloud services is adding to confusion: 48 per cent of firms surveyed officially support deploying mission-critical applications to managed public cloud services, even though these services were being deployed by 80 per cent of organisations. “The 32 per cent difference suggests that many firms circumvent IT to get the services they want, confirming CIO worries.”

Four out of five respondents said setting a cloud strategy is a high priority, but IT organisations are struggling with complexity: four out of ten respondents said they had five or more virtual server pools, and three or more hypervisor technologies, making reducing cost and complexity a priority. The survey, sponsored by BMC Software, polled 327 enterprise infrastructure executives and architects across the US, Europe and Asia-Pacific.

Author: Steve Ranger
Source

Preparing Your Network For The Cloud

The network is the weakest link in cloud computing as, without network access, staff are unable to connect to databases, e-mail or other applications.

While the cloud can store company data and deliver applications without the overheads of dedicated in-house servers and other hardware, the third party hosting the data or applications is not usually responsible for the network links from the customer to its facilities.

Companies must plan how they connect their corporate networks to third party cloud providers to ensure they have enough affordable and reliable bandwidth to serve their users’ needs.

They must consider cost, service level agreements, security, network backup/fail-over to the cloud provider, network management and any specialist “network to the cloud” service offerings on the market. The Cisco Cloud Index predicts that over half of computing workloads in datacentres will be cloud-based by 2014. The Index also predicts global cloud traffic will grow over 12 times by 2015, to a mammoth 1.6 zettabytes per year.

Dr Graham Oakes is a consultant and author of Project Reviews, Assurance and Governance. Over the last 20 years he has worked on IT and networking projects for the likes of Sony Computer Entertainment, Vodafone, the Open University, Oxfam and the Council of Europe. He said: “Moving applications into the cloud clearly has an impact on network utilisation. But before buying more bandwidth, you have to do a couple of other things.”

Oakes urges organisations to understand the traffic patterns associated with each application. Some applications are “surprisingly frugal” on the network, he said, while some are “surprisingly chatty”. Making decisions based on data, not assumptions, is the key.

He recommends network managers keep track of data latency, or delay. Often it is not the amount of data being transferred that matters, it is the amount of time users have to wait while applications render web pages or are fully loaded onto desktops. High latency means data packets must rely on multiple round trip journeys across many network portions that make up an enterprise’s cloud operating environment.

Oakes said good wide area network (WAN) optimisation between the cloud facility and the corporate network is key to cloud deployments. He urges efficient caching and protocol optimisation, for instance, being established ways to improve both latency and bandwidth performance.

James Wright, of the infrastructure consulting group at Accenture, said: “Until you have flexibility at the infrastructure level, including local area networks (LANs) and WAN networks, you will struggle to realise the benefits of shifting parts of your operations to the cloud. Put simply, it can very quickly become impractical, expensive and complicated, not to mention inoperable, to proceed if you don’t get these areas of the cloud project right.”

Wright said large organisations should consider a multiprotocol label switching (MPLS) network connection to link their corporate network to an external cloud provider. According to Wright, MPLS goes a long way to making sure the right people get access to the right applications at the right time, effectively addressing security, bandwidth performance, latency and availability requirements.

“This is why implementing voice over MPLS is a great entry point for the corporate cloud. Most organisations give all their people a [IP-based] desk phone which sits alongside their workplace applications. So once that voice is in the cloud, the CIO has confidence, from a network access perspective, that connectivity is robust.”

One of Europe’s oldest law firms, Thomson Snell & Passmore, is a good example of an organisation getting its WAN right in preparation to moving into the cloud. The firm recently optimised its IT infrastructure with Silver Peak’s WAN optimisation technology to migrate quickly and efficiently to the cloud.

Thomson Snell & Passmore simplified its network infrastructure in its hosted datacentre, enabling it to reduce network traffic by 45% and take full advantage of the cost and organisational benefits of its cloud infrastructure. David Bennett, head of information systems at Thomson Snell & Passmore, said: “As we moved all our applications into the cloud it became all the more imperative that our underlying network infrastructure was optimised to support the increased traffic demand.

“We can now take full advantage of our cloud infrastructure without having to invest in costly additional bandwidth or extra WAN capacity.”

In addition, said Bennett, the firm got up and running in the cloud weeks ahead of schedule, which saved the company significant time and money.

Value Retail, a company which specialises in the development and operation of luxury outlet retail villages, with nine existing ones in key European tourism markets, had its own network obstacles to overcome when it moved to the cloud, including ones related to timelines.

Its online presence is important to the business to promote to existing retail villages and drive further growth. The company is currently using cloud hosting provider FireHost to manage all 17 of its websites, and is also using FireHost’s Secure Cloud infrastructure-as-a-service (IaaS) model to supply infrastructure in the cloud.

Shazad Awan, digital development manager at Value Retail, said: “Although one of the providers we looked at had a satisfactory approach to support, we were given a quote of eight weeks to switch everything over, which didn’t fill me with confidence. We’d also have to host everything on dedicated hardware.”

Awan claimed many hosting companies “just didn’t seem to be set up for the cloud environment we required”. In contrast, said Awan, the current provider told the firm it could move over to their cloud environment in less than a week.

“Another key advantage with our current provider is that websites are constantly monitored for security threats and malicious activity. For example, if a denial of service (DoS) attack is detected, traffic is automatically offloaded, without causing downtime.”

This means that customers aren’t put at risk from security threats and don’t experience any disruption when they visit Value Retail sites, said Awan.

Author: Antony Savvas
Source

Post-Virtualization Security


Virtualization has been one of the most rapidly and widely adopted technologies in recent memory. It’s huge, and it’s here to stay.

And as security professionals know, setting up a virtual environment securely isn’t easy. Significant effort goes into tasks like evaluating off-premise service providers, ensuring regulatory compliance, and standing up technical controls like monitoring and encryption. But in the excitement to stand up the new environment and get security to an acceptable “target state,” organizations sometimes don’t address security hygiene long-term. In other words, security is in high gear while the environment spins up, but it doesn’t lay the groundwork for what happens once things are chugging along.

This represents an area of concern because setting up a secure environment is only the first step. As the second law of thermodynamics tells us, all things trend toward chaos — this is no less true with a virtual environment. Stand up a virtual environment today and walk away from it and you’ll wind up with an unmanaged security nightmare tomorrow. As technical staff create new VMs, modify existing VMs, create “orphan” snapshots, and take other action in the environment, the environment slowly moves away from the defined, “secure” state into a less known one. This has a security impact.

So for organizations laying out challenges and focus areas for the new year, now’s a good time to think through your planning for how to keep the virtual environment secured. Ideally, you’ve been doing this all along as you first started tackling virtualization. But if (like most) you haven’t, doing it now is a smart move.

The Sprawl

For virtualized data centers and private cloud deployments, keeping the number of virtual hosts within defined parameters can be challenging. VMs tend to proliferate and collect over time because of “one-off” or ad hoc VMs created without a clear plan for decommissioning. Add time and employee attrition to the mix, and you can be left with a large population of undocumented VMs that lack clear purpose and that staff are uncomfortable removing because they’re not sure who will be impacted.

On the operations and performance side, sprawl is a well-known problem. But the security side of it isn’t always addressed. For example, sprawl can have a regulatory impact. The PCI virtualization guidance tells us that if a VM is in scope of PCI, so also is the hypervisor. This means that uncontrolled proliferation can have unintended consequences — like if a test and QA VM moves into the CDE without appropriate controls. Even without the regulatory impact, dangers abound, such as technical security considerations like patch management, logging, anti-malware, etc.

It takes discipline and planning to control sprawl — discipline and planning that won’t occur without someone from the security team actively monitoring the problem and formulating strategies for how to address the issue. The further environments drift from the documented secure state, the more work is required to bring the environment back in line. This means that security organizations should be actively monitoring inventories of VM assets. They should be working with the technical teams to control expansion now while the problem is small rather than waiting for the problem to become unmanageable later on down the road.

Impacts to Existing Controls

Secondly, as we all probably realize by now, existing security controls don’t always translate well to virtual environments. Consider as one example what happens to network traffic monitoring tools like IDS when conversations between virtual images happen within the hypervisor (backplane communications) as opposed to over the network. For most security professionals, this failure to translate means they’ve needed to deploy new security tools to address shortcomings in the existing tool set.

This strategy is great in that it meets immediate needs, but it doesn’t address what happens over the long term. Consider that the virtual environment is expanding (in most cases rapidly) while the legacy physical environment is contracting. The budget for controls is usually constant. Consider how these two data points play out a year from now — and two years from now. Budgetary support is likely to shift. In fact, it’s not hard to envision a scenario wherein we need to start scaling back existing security controls that address only the legacy environment. Doing that cleanly takes planning and preparation on the part of the security organization. For example, it may take a year or more to shift how current controls are managed and operated in order to allow them to spin down cleanly without impacting existing staff.

Data Expansion

As the last item to consider, security organizations often don’t appreciate the tremendous rate of data growth that can occur in a virtual environment. Pretty much everything you do in the virtual environment has a storage impact. On top of the data you’d be collecting and managing anyway, sprawl, planned growth, snapshots used for QA or patching, etc. all add to the total. Data volume can explode in a very short period of time.

This matters to security professionals because of the way certain controls operate relative to data volume — specifically, controls that operate linearly over data like DLP file searches and encryption.

As an example of why this matters, take the example of bulk data encryption. Encrypting a terabyte is trivial. Encrypting an exabyte? Well, that may not even be possible depending on how the data is used. There are some controls that need to be addressed while data sizes are still manageable. It behooves security professionals to think this through now rather than waiting until the volume has expanded beyond what a given control can manage.

Spending some time thinking through the ongoing maintenance and hygiene of a virtual environment is a useful exercise. So in laying out plans for 2012, keep in mind that the work doesn’t stop once the environment is in place — it continues throughout the entire lifecycle of that environment.

Author: Ed Moyle
Source

Remove Vulnerability From VoIP Networks

Using the OSI network layer model as a basis, here’s how to derive a simplified three-layer model for SIP-based VoIP and corresponding threats and defenses. The resurgence of interest in VoIP to provide telephone services worldwide is often credited to the use of session initiation protocol (SIP) for signaling. Both residential and enterprise VoIP services are widely deployed. IP telephony may be used either to replace the primary telephone service or to provide additional telephone lines.

IP telephony offers some dramatic benefits over traditional or plain old telephone systems (POTS), such as reduced operating costs, portability and accessibility. IP telephony, however, has its share of problems. To date, most of the focus has been on such challenges as voice quality, latency and interoperability. Security of the VoIP network is only now being recognized as an important issue to be addressed.

Multiple security threat models exist in current implementations of SIP-based VoIP networks. These threats are further aggravated because in order to allow similar access as the public switched telephone network (PSTN), VoIP networks are often implemented over the public Internet, which is a potentially hostile environment.

The very same reasons that make SIP so popular, e.g., its similarity to hypertext transport protocol (HTTP), are also the reasons for its vulnerability. This can lead to similar problems such as identity theft, impersonation, denial of service (DoS), hijacking and theft of services, and violation of privacy and confidentiality. The good news is that many of the security mechanisms for SIP-based VoIP can be the same as those used for HTTP. The challenge is simply to make these mechanisms SIP- and VoIP-friendly. In addition, SIP and its extensions provide for a number of intrinsic security features that can be used to harden implementations.

VoIP Overview

In addition to transmitting voice, a basic telephone system transmits many signals such as off-hook, on-hook and dual tone multi-frequency (DTMF) tones for dialed digits, etc. It also needs to maintain the state of the call, and generate a dial tone, ring-back and other tones. It can be said that there are two distinct streams of information on the wire: the signaling and the voice.

In PSTNs, some of the signaling travels in-band along with the voice up to the central office where it is sent over the Signaling System 7 (SS7) network. The SS7 network is not accessible to the public. Therefore, the PSTN is relatively secure. In VoIP telephony, voice is carried by real-time protocol (RTP) and the signaling by one of the many signaling protocols such as H.323, MGCP or SIP. Both of these transport streams are sent over the public Internet or on networks connected to the public Internet. This leaves the VoIP telephone network vulnerable.

Because of the nature of the IP network, a VoIP device must meet additional requirements before the network can be used for telephony, such as:

  • User authentication: The phone is no longer physically connected to the PSTN and needs to be authenticated
  • Address translation: Translating phone numbers into IP addresses and vice-versa
  • Routing: Locating and routing to the correct service gateway for the destination phone
  • Feature translation: Transparently translating advanced phone features such as call waiting, call hold, call forwarding, etc.
  • Caller ID: Generation, transmission and decoding of caller ID over IP
  • Call detail records: Generation and transmission of billing information for PSTN and VoIP services
  • Legal: Access to emergency services and provision for intercept by law-enforcement agencies

In addition to just providing a transparent translation of telephone services, any VoIP device (since it is connected to the Internet) should provide for mechanisms to protect from toll fraud, eavesdropping and call hijacking among other things, and maintain message integrity. This is in addition to standard network security to protect against DoS and DDoS attacks.

Figure 1. How SIP fits into the VoIP protocol soup.

SIP was not designed to provide for all of these requirements, and it is not the only protocol that the communicating devices will need. The purpose of SIP is just to make communication possible. The communication itself must be achieved by another means (and possibly another protocol). Since SIP is an IETF specification, it is designed to use other existing IETF protocols to fill in the gaps.

VoIP threat assessment model

Starting from the basic OSI Reference Model and the Department of Defense (DoD) or TCP/IP reference model, the SIP-based VoIP network can be analyzed by a layered approach. Threats and therefore countermeasures can also be mapped to the layers of the network reference models. With this layered analysis strategy, it becomes immediately apparent that each layer has different security threats.

Figure 2. The layered approach to threat assessment.

A defense strategy can also follow this layered approach. This eases deployment and leads to the three-layer security model as follows:

  • Infrastructure security layer: Protect and secure the network infrastructure
  • Network services security layer: Protect and secure end-users, access and service enablers
  • Application security layer: Protect and secure SIP-based VoIP and other network applications

Based on general network security precepts, each security layer then needs to be evaluated on the basis of the following parameters:

  • Authentication: Confirm the identity of communicating entities, whether individuals, devices, services or applications. Authentication guards against impersonation or replay of previous communications.
  • Authorization: Cross-checks identity for role and access. This prevents unauthorized access to services, access to stored information, toll fraud, etc.
  • Accountability/Audit: Keeps track of usage and security services. This helps in early detection and recovery from threats and attacks.
  • Availability/Reliability: Redundancy, perimeter protection and hardening ensure that authorized users continue to have access to network devices, services and stored information despite an ongoing attack such as a DoS attack.
  • Confidentiality: Encryption of communication streams prevents unauthorized intercepts and eavesdropping. In addition, encryption can be coupled with access control to protect stored information.
  • Integrity: Prevents unauthorized modification, deletion, creation or replication of data. Typical mechanisms are keyed message authentication codes such as HMAC, built over a hash function (MD5 and SHA-1 in the implementations of the day; both are now considered weak, and a SHA-2 function should be preferred for new designs). Integrity checks also help in early detection of unauthorized activity.
  • Non-repudiation: Proof that communications actually happened. Required for forensic evidence purposes.
  • Privacy/Anonymity: Privacy tackles issues like phone number harvesting, call pattern tracking, etc. that violate the privacy of the user. Anonymity, on the other hand, allows a user to communicate without revealing their identity and is usually contrary to most security policies.
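As an added example (not code from the article), the following Python shows the SIP Digest authentication exchange that RFC 3261 borrows from HTTP, which is the reuse of HTTP mechanisms described at the start of this article, together with the server-side nonce and replay checks that the Authentication and Integrity parameters above call for. The user name, realm, password and Request-URI are hypothetical, and the registrar is a minimal stand-in written for this illustration, not any product's implementation.

```python
"""SIP Digest authentication (RFC 3261 reuses HTTP Digest, RFC 2617) with
server-side nonce and replay checks. Added example; not the article's code."""
import hashlib
import re
import secrets

# Constructed credentials and realm for the example (hypothetical).
USERS = {"alice": "s3cret"}
REALM = "sip.example.com"


def _md5(s):
    # RFC 3261 mandates MD5 here; the scheme's strength rests on fresh nonces
    # and on HA1 never leaving the server, not on MD5 being collision-free.
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The 'response' value for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")  # binds the response to method and Request-URI
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest(header):
    """Turn 'Digest k="v", k2=v2, ...' into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k: (q if q else u) for k, q, u in pairs}


class Registrar:
    """Minimal server side: issues nonces, verifies REGISTER, rejects replays."""

    def __init__(self, users, realm=REALM):
        self.users = users
        self.realm = realm
        self.live_nonces = set()   # nonces we issued and still accept
        self.seen = set()          # (nonce, nc) pairs already used successfully

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

    def verify(self, method, authorization):
        p = parse_digest(authorization)
        for k in ("username", "realm", "nonce", "uri", "nc", "cnonce", "response"):
            if k not in p:
                return False, f"missing {k}"
        if p["realm"] != self.realm or p["nonce"] not in self.live_nonces:
            return False, "stale or unknown nonce"
        if (p["nonce"], p["nc"]) in self.seen:
            return False, "replay"            # same nonce-count seen before
        password = self.users.get(p["username"])
        if password is None:
            return False, "unknown user"
        expected = digest_response(p["username"], self.realm, password, method,
                                   p["uri"], p["nonce"], p["nc"], p["cnonce"],
                                   p.get("qop", "auth"))
        if not secrets.compare_digest(expected, p["response"]):
            return False, "bad credentials"  # wrong password or altered URI/method
        self.seen.add((p["nonce"], p["nc"]))
        return True, "ok"


def client_authorization(user, password, method, uri, www_authenticate, nc="00000001"):
    """Answer a challenge the way a SIP phone does."""
    c = parse_digest(www_authenticate)
    cnonce = secrets.token_hex(8)
    resp = digest_response(user, c["realm"], password, method, uri,
                           c["nonce"], nc, cnonce, c.get("qop", "auth"))
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{resp}", algorithm=MD5')


def demo():
    """One REGISTER exchange plus the three failure cases the checks catch."""
    reg = Registrar(USERS)
    uri = "sip:sip.example.com"
    chal = reg.challenge()
    auth = client_authorization("alice", "s3cret", "REGISTER", uri, chal)
    first = reg.verify("REGISTER", auth)                        # accepted
    replay = reg.verify("REGISTER", auth)                       # same nonce/nc again
    wrong = reg.verify("REGISTER", client_authorization(
        "alice", "guess", "REGISTER", uri, chal, nc="00000002"))  # bad password
    altered = client_authorization("alice", "s3cret", "REGISTER", uri, chal,
                                   nc="00000003").replace(f'uri="{uri}"',
                                                           'uri="sip:evil.example"')
    tampered = reg.verify("REGISTER", altered)                  # URI changed in transit
    return first, replay, wrong, tampered


if __name__ == "__main__":
    print(demo())
```

The replay check is the part most real deployments get wrong: Digest only protects against reuse if the server remembers which nonce-count values it has already accepted for a live nonce, and the nonce itself must expire. Note also that the password is never sent; what an eavesdropper sees is still enough for an offline dictionary attack, which is why the signaling path should additionally be protected with TLS.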

Security mechanisms at the infrastructure layer are normally provided by the broadband access provider. For example, cable networks may authenticate subscribers by MAC address, or DSL networks may use PPPoE, which incorporates a password mechanism for authentication.

At the network services layer, the access and service enablers are typically protected by the broadband service providers and by the backbone network providers. End-users, however, are typically not protected and are left to their own devices. Most industry security schemes consider end-points as untrusted.

Broadband access routers are increasingly prevalent at the customer premises end. These routers incorporate network address translators (NATs) that, besides helping to conserve IP address space, are sometimes used along with packet filtering to provide basic firewall functionality. The security provided depends entirely on the correct configuration of these devices. Service providers that supply customer premises equipment (CPE) customized and locked to their networks address this issue to some extent, as they can manage the customer equipment and impose some modicum of security. This trend is seen in a large percentage of broadband access networks.

The CPE for the SIP-based VoIP service is usually a terminal adapter (TA) that connects downstream from the broadband access modem or router and provides an analog phone interface to a regular phone instrument. This VoIP device, in most cases, is not a part of the managed broadband access network. In the case of VoIP, there are two distinct transport streams that need to traverse the firewall and NAT, namely the core signaling transport and the media transport paths. Simple firewalls will not let VoIP traffic through, since they cannot know which ports to open for the media, or when: the RTP ports are negotiated inside the SDP body of the signaling, not fixed in advance. In the interest of security, it is not practical to leave a large range of ports open permanently.
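The following Python, added here and not part of the original article, shows what a SIP-aware firewall or application-layer gateway has to do to open only the ports a call actually needs: it parses a constructed INVITE, checks the Content-Length, reads the c= and m= lines of the SDP body, derives the RTP and RTCP pinholes, skips rejected streams (port 0), and refuses media addressed to a host other than the signaling peer. Addresses and ports are sample values from documentation ranges; the resulting pinhole list is what a firewall rule generator would consume, and the code does not program any real firewall.

```python
"""Derive firewall pinholes for a SIP call from the SDP offer. Added example,
not the article's code; the INVITE below is constructed with documentation
addresses and it does not drive any real firewall."""
from dataclasses import dataclass

SDP = ("v=0\r\n"
       "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
       "s=-\r\n"
       "c=IN IP4 192.0.2.10\r\n"        # session-level connection address
       "t=0 0\r\n"
       "m=audio 49170 RTP/AVP 0 8\r\n"  # RTP port is negotiated here, not in SIP
       "a=rtcp:49171\r\n"               # explicit RTCP port (RFC 3605)
       "m=video 0 RTP/AVP 31\r\n")      # port 0: stream rejected, no hole needed

INVITE = ("INVITE sip:bob@sip.example.com SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
          "From: <sip:alice@sip.example.com>;tag=1928\r\n"
          "To: <sip:bob@sip.example.com>\r\n"
          "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
          "CSeq: 314159 INVITE\r\n"
          "Contact: <sip:alice@192.0.2.10:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n"
          "\r\n" + SDP)


@dataclass(frozen=True)
class Pinhole:
    proto: str
    addr: str
    port: int
    label: str


def split_message(raw):
    """Split a SIP message into request line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    declared = int(headers.get("content-length", ["0"])[0])
    if declared != len(body.encode()):
        # Never trust a body the length field does not vouch for.
        raise ValueError("Content-Length does not match body")
    return lines[0], headers, body


def parse_sdp(body):
    """Collect one dict per m= line with its effective connection address."""
    session_addr, streams = None, []
    for line in filter(None, body.split("\r\n")):
        key, _, val = line.partition("=")
        if key == "c":
            addr = val.split()[2]
            if streams:
                streams[-1]["addr"] = addr   # media-level c= overrides session-level
            else:
                session_addr = addr
        elif key == "m":
            media, port, proto, *_ = val.split()
            streams.append({"media": media, "port": int(port), "proto": proto,
                            "addr": session_addr, "rtcp": None})
        elif key == "a" and streams and val.startswith("rtcp:"):
            streams[-1]["rtcp"] = int(val[5:].split()[0])
    return streams


def media_pinholes(raw, peer_addr=None):
    """Pinholes a call needs. Media addressed to a host other than the
    signaling peer is refused, so a caller cannot use the firewall to reach
    a third party."""
    _, headers, body = split_message(raw)
    if headers.get("content-type", [""])[0].lower() != "application/sdp":
        return []
    holes = []
    for s in parse_sdp(body):
        if s["port"] == 0 or not s["proto"].startswith("RTP/") or s["addr"] is None:
            continue
        if peer_addr is not None and s["addr"] != peer_addr:
            continue
        if not 1024 <= s["port"] <= 65534:
            raise ValueError(f"implausible media port {s['port']}")
        rtcp = s["rtcp"] if s["rtcp"] is not None else s["port"] + 1
        holes.append(Pinhole("udp", s["addr"], s["port"], f"{s['media']} rtp"))
        holes.append(Pinhole("udp", s["addr"], rtcp, f"{s['media']} rtcp"))
    return holes


if __name__ == "__main__":
    for h in media_pinholes(INVITE, peer_addr="192.0.2.10"):
        print(f"allow {h.proto} to {h.addr}:{h.port}  # {h.label}")
```

A real gateway also has to close these holes when the dialog ends (BYE, or a timeout if no RTP arrives), and to rewrite the SDP addresses when the phone sits behind a NAT; both are where vendor implementations differ most.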

At the application layer, the threat and countermeasures become quite complex. This layer is the most vulnerable layer and different types of threats are becoming increasingly common. There is still a lot of work to be done before standard interoperable mechanisms are put in place to harden an application such as SIP-based VoIP. A collaborative, industry-wide effort is required.

The first step in that direction was taken in October 2005. The Voice over IP Security Alliance (VOIPSA), an industry consortium of VoIP and information security vendors, providers and thought leaders, released the first draft of their VoIP Security Threat Taxonomy, which attempts to identify and qualify the various threats in preparation for standardizing the mechanisms used as countermeasures.

Hardening the VoIP network

A VoIP network relies on the basic IP infrastructure for multiple services such as domain name service (DNS), trivial file transfer protocol (TFTP), file transfer protocol (FTP), etc. SIP-based VoIP networks rely on the DNS mechanism for many types of services related to telephony such as electronic numbering (ENUM). In addition, the use of the service record (DNS SRV) in the DNS server to identify SIP services enables server load balancing and redundancy. This achieves better network reliability during peak traffic and also provides resilience against DoS attacks.
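As an added illustration (not from the article), the following Python implements the RFC 2782 selection that a SIP client applies to DNS SRV answers: targets are tried in priority order, and within one priority the weights spread load randomly, so a failed proxy is skipped and a backup is reached only when every primary is down. The records for _sip._udp.example.com and the host names are constructed, and reachability is simulated by a callback so the failover path can be exercised offline.

```python
"""RFC 2782 SRV selection as a SIP client applies it. Added example, not the
article's code; records and host names are constructed."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Hypothetical answer for _sip._udp.example.com: two equal-priority proxies
# sharing load 70/30, and a backup that is used only when both are down.
RECORDS = [
    SRV(10, 70, 5060, "proxy1.example.com"),
    SRV(10, 30, 5060, "proxy2.example.com"),
    SRV(20, 0, 5060, "backup.example.com"),
]


def order_srv(records, rng=random):
    """Return records in the order a client should try them (RFC 2782)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            # Weight-0 entries go first so they are chosen only when the
            # random value is 0; the rest are picked by running weight.
            pool.sort(key=lambda r: r.weight != 0)
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def connect_with_failover(records, reachable, rng=random):
    """Try targets in SRV order; reachable() stands in for a real connect."""
    for r in order_srv(records, rng):
        if reachable(r.target):
            return r
    return None


def first_choice_counts(records, draws, seed=42):
    """How often each target is tried first over many calls (the load share)."""
    rng = random.Random(seed)
    return Counter(order_srv(records, rng)[0].target for _ in range(draws))


if __name__ == "__main__":
    print(first_choice_counts(RECORDS, 1000))
    print(connect_with_failover(RECORDS, lambda t: t == "backup.example.com"))
```

The redundancy only holds if the client actually walks the list on failure and if the answer itself is trustworthy, which is the point of the DNS concerns that follow.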

However, DNS has itself been identified as one of the vulnerable systems in the TCP/IP infrastructure. It is vulnerable to many types of transaction attacks including cache poisoning, domain hijacking and man-in-the-middle redirection. Open recursive DNS servers are actively being used as DDoS reflectors, providing a huge amplification factor for such attacks. The DNS Security Extensions (DNSSEC), designed to alleviate some of these shortcomings, are still not widely deployed.

Hence, many SIP-based VoIP implementations are designed to use private DNS. Private DNS breaks the hierarchical tree structure of the DNS and does not allow recursive queries. Instead, private DNS uses a standalone server or servers to provide exclusively VoIP-related DNS services for SIP clients within the managed network. All other DNS requests continue to be serviced by the standard DNS network of servers.

VoIP telephones could be misconfigured by the end-user, either while attempting firmware updates or when adjusting parameters of operation, leading to vulnerabilities or loss of service. Early SIP-based VoIP devices commonly used TFTP to update firmware or configuration files. TFTP is not a very sophisticated or secure mechanism for file transfer, and using it for updating critical files could lead to compromising either the fundamental operating firmware or the configuration of the SIP device.

Modern SIP-based VoIP devices use FTP (which at least authenticates the client, although credentials and files still travel in the clear) or, preferably, secure HTTP (HTTPS) for firmware updates, and XML over HTTPS for remote configuration by the service provider. Transport encryption alone does not prove that an image is genuine; a device that verifies a signature on the firmware before flashing it is also protected against a compromised or spoofed update server. In addition, the ability of the end-user to modify firmware or SIP parameters is usually blocked by the service provider, leading to greater reliability of firmware updates and SIP configurations.

Such a mechanism for configuration and updating also provides service providers with the ability to provision devices based on rate structures such as local or long-distance plans, etc. In addition, it also allows the service provider to hide SIP configuration and dial plans, information that could potentially be used by hackers to steal services.

Author: Vinay R. Rao
Source

Avoid Desktop Virtualization ROI Traps

If potential cost savings are driving your desktop virtualization decision, beware the ROI killer: Over-provisioning.

Over-provisioning is a nice way of saying you’re throwing money away. That could happen in a variety of forms, such as buying infrastructure that is better suited for a much larger company, planning for growth that doesn’t happen, or not doing your homework on what other technology you’ll need to support virtualization. But fear of wasteful spending shouldn’t stop you in your virtual tracks; rather, it should motivate informed, careful decisions.

Raj Dhingra, CEO of NComputing, believes 2011 is a turning point in desktop virtualization deployments among small and midsize businesses. Dhingra, who left Citrix to take the NComputing helm in April, also said the broader field of virtualization vendors has taken note: “Everybody sees there is a big opportunity there.”

As the number of viable virtual desktop infrastructure (VDI) options for SMBs increases, Dhingra recommends paying close attention to four key areas when making a decision. Doing so can help minimize the over-provisioning risk and ensure a real return on the investment.

1. Look for platforms specifically designed for SMBs. While a vendor’s ability to scale with the growth of your company is important, don’t let your daydreams overshadow your actual needs–starting small can provide a bigger ROI in a shorter period of time.

“Buy the shoe that fits rather than buying the shoe that’s two sizes bigger in hopes that you’re going to fit into it over time,” Dhingra said.

The most obvious place to look is the cost per seat: This often tops the $1,000 mark in enterprise platforms, which makes the total cost of ownership (TCO) and return on investment (ROI) case trickier for SMBs. “If it’s now costing you more than a PC, that’s your first red flag,” Dhingra said. He added that TCO/ROI analysis for a 100-seat deployment is not the same thing as a 100-seat proof of concept–with an expectation that several thousand seats will be added later.

It should be noted that for some SMBs, ROI isn’t just a matter of comparing virtual desktop versus traditional PC costs. At Infinity Sales Group, for example, both desktop support and power costs were major factors. For Silicon Valley Builders Group, mobility was the critical payoff in going virtual. In fact, the firm’s CIO noted in an interview that just comparing per-seat costs can be a dead-end: “It would be a hard sell. Virtualization is still something like $1,200 per user, versus a PC I can go buy at Fry’s for $500,” he said.

No matter your particular business case, cost-per-seat is obviously still important. The moral: Don’t pay for seats you don’t need.

2. Know your supporting infrastructure needs.
Desktop virtualization doesn’t mean you’re leaving hardware behind. Make sure you have a complete understanding of the supporting pieces you need, both on the server or host side and the client side. For the former, this includes things like servers, storage, and networking equipment. On the client side, don’t forget to account for the actual devices–such as thin clients, for example–as well as your software needs.

Dhingra said not taking all the necessary components of VDI into account is a key budget pitfall for SMBs, particularly if the initial investment is based on an expectation of significant growth. It can also lead an organization to an infrastructure it’s ill equipped to manage.

“That means not only the capital to actually procure [VDI], but then do I have internal expertise within my company to actually deal with this and work with it?” Dhingra said.

3. How many vendors are you willing to work with? Another possible sign you’re headed down a path of over-provisioning: If your desktop virtualization project requires one or more multi-vendor components. This is likely a bigger issue for the “S” in SMB. While a midmarket firm with, say, 750 employees has more resources to manage multi-vendor platforms, a 50-person company might not want the potential headaches. More importantly, it might not have enough IT resources to do so. “It becomes a systems integration project that is typically suited to a larger company,” Dhingra said.

4. How soon until you’re up and running? You can’t really start the ROI meter until your deployment is complete, right? For budget-constrained SMBs, a multi-month (or even year-plus) VDI project adds hidden costs–another form of over-provisioning–that can immediately dull the shine of potential savings. Moreover, smaller companies usually thrive on their speed and agility–IT projects should be no different. Dhingra said IT pros at SMBs should factor in training and skills development here, too: If you lose two days at an off-site training, for example, that’s an expense–even if the event is “free.”

Source

CXO Expectations Still Clouded on Virtualization

Enterprise-level business and IT executives and decision-makers may now have a greater understanding of the benefits of private and hybrid cloud computing environments, but a new study has found that there is still a large gap between expectations and the reality of what cloud computing and virtualization offer.

Symantec’s “2011 Virtualization and Journey to the Cloud Survey” surveyed 3,700 executives and decision-makers from 35 countries about their perspectives on the adoption and deployment of private and hybrid clouds, as well as virtualized technologies. Symantec found there are different approaches being taken with cloud computing, but perhaps the most troubling finding of the survey is the gap between the expectations of what cloud delivers and what, in reality, it actually provides.

“There’s a lot of understanding. There’s also a lot of misunderstanding on what private and hybrid clouds can do in an environment,” said Sean Derrington, director of cloud product management at Symantec.

Perhaps not unexpectedly, IT executives and business executives were out of sync in what they were looking for from cloud computing, and the gap between expectation and realization was also different for each group.

“We’re also seeing a lot of companies increasing the deployment of business-critical applications in these private and hybrid clouds, much more so than before,” Derrington said. “I think it’s one of the early signs of maturity, but it’s also to keep in mind that as companies look to deploy cloud applications, they have to [attain] quality of service.” They need to get the same quality of service in private and hybrid clouds that they’re getting in traditional IT environments, he added.

Quality of service is proving to be a challenge, and it’s become a top priority among enterprises. When asked about virtualization and cloud technologies, 76 percent of respondents who have implemented server virtualization said performance was a somewhat or extremely large factor in making people concerned about placing business-critical applications on virtualized servers. Of those who have implemented private or hybrid clouds, 72 percent said performance was a significant or extreme challenge, so there are still a lot of wrinkles to iron out before enterprises are completely happy with private and hybrid clouds.

The Symantec survey asked IT and business executives about their adoption of storage virtualization, desktop/endpoint virtualization, server virtualization, private storage-as-a-service, and private/hybrid cloud computing. Unsurprisingly, the smallest gap between expectation and realization was with the most mature technology – server virtualization, with a 4 percent gap between goals and reality. All of the other technologies were well into the double digits between expectation and reality: storage virtualization at 33 percent, desktop/endpoint virtualization at 26 percent, private storage-as-a-service at 37 percent, and private/hybrid cloud computing at 32 percent.

What’s the lesson to be learned? Simple. There is still a lot of confusion around what virtualization and cloud computing can actually provide to organizations in terms of benefits. The expectations of benefits pre-deployment are much different than what is actually being realized post-deployment. Derrington noted that some of the problem is that if businesses don’t deploy virtualization and cloud computing technologies correctly, then the benefits people are expecting won’t be fully realized. He said he believes there is a lot of over-selling on what the technologies can do.

Part of the problem that still exists is in evolving the way IT organizations function, Derrington said. To get the full benefits of virtualization and cloud computing, it’s necessary to remove the silos of administration found in traditional IT infrastructures. If that’s not done, then the full benefits can’t be gained.

“There’s a lot of process that has to happen to take advantage of some of these new technologies,” Derrington said.

Additionally, some people are confused about what private cloud computing is. As Derrington noted, it’s more than simply deploying a VMware-based environment.

“Private clouds really are about looking at virtualizing the resources of storage and server, looking at resource utilization, and having a dynamic environment that can be elastic as you scale and contract resources on an as-needed basis,” Derrington said.

It’s likely the gaps between expectation and reality will begin to shrink in the coming years. Symantec plans to survey companies on this topic again next year, so it should be interesting to see what has changed at that time.

Derrington noted there is much interest in cloud among enterprises, and most enterprises surveyed are, at the very least, discussing cloud adoption. There is still some confusion about what private and hybrid clouds are, but that’s more on the business side rather than the IT side.

“I think in enterprise there is more of an understanding of what cloud is and its capabilities, but there is still a little bit of a disconnect,” he said.

There is also an increasing focus among enterprises when it comes to virtualization and cloud technologies. Some are even going beyond deploying business-critical applications in virtualized or cloud environments and starting to discuss moving mission-critical applications over to virtual servers and the cloud.

“I personally wasn’t expecting 41 percent of respondents looking to virtualize ERP applications,” Derrington said.

As he noted, putting financials, human resources or any other mission-critical applications in virtual environments is betting the business on that environment. CIOs are more open to the idea of moving mission-critical applications to the cloud or virtual environments, whereas CEOs and CFOs are much more risk-averse. Business leaders, as opposed to IT leaders, tend to want to be a little behind the technology curve instead of leading it, Derrington said.

Many enterprises are relying on third-party service providers for their cloud and virtualization needs.

“They’re relying more heavily on outside providers,” Derrington said. At least 50 percent of respondents rely quite a bit or completely on outside service providers, whether those providers are vendors, resellers or managed service providers.

Based on the survey results, Symantec had a few recommendations for businesses.

“One of the things that we’re recommending is you really have to focus on the line between the IT organization and the executives,” Derrington said. Appropriate expectations about the technologies must be set to avoid the gap in expectations and reality.

Also, old-school IT thinking has to be abandoned. Operating in a silo won’t allow enterprises to get the benefits of virtualized and cloud environments. As companies modernize their infrastructure, they need to modernize their IT departments.

One last recommendation from Symantec is to track results.

“This is one of the things that proves success to upper management and executives in the company,” Derrington said.

Overall, things are looking good for the virtualization and private/hybrid cloud arenas.

“This is one of the areas where a lot of companies are aggressively looking. They think they can improve the way that they run their businesses, and one of the things that we saw is we need to raise some caution in making sure they’re doing it appropriately and not trying to overachieve and failing to meet those expectations, which then leads to other problems, too. But overall, very positive,” Derrington said about the survey results.

Source

Why You Don’t Need a Cloud Computing Strategy

As with any new exciting technology, companies commonly look towards creating a “strategy” around the movement in order to ensure their investments achieve the greatest ROI. In the 1990s, it was all about how companies needed a “Linux” strategy; the last decade has been dominated with companies needing a “virtualization” strategy; and the trend I’m seeing today is everyone talking about needing a “cloud computing” strategy.

While this new saying is good news for large vendors who quickly rebrand existing and/or legacy technologies to go along with the momentum, it can also cause a number of challenges. The main one is that it can introduce risks and new costs with minimal ROI for companies building out cloud strategies outside of their normal IT practice. So, to get it right the first time, rather than looking at the cloud as a separate replacement strategy, companies need to look at it from the bigger picture as a complete IT strategy.

Here are five key things to think about when identifying areas for cloud adoption and driving a successful IT strategy:

1. Understand the cloud and its benefits to your business:
Think business, not technology – not all clouds are created equal. There are many choices, from hosted applications to hosted infrastructure – Software as a Service (SaaS), Infrastructure as a Service (IaaS); some run on premises, some run off. Each has significant benefits, but only when viewed in the context of how it fits in with your current operations. You need to understand how each of these can augment your IT strategy to achieve the benefits of efficiency and agility.

2. Build off your existing operational choices and be application specific: If existing services such as CRM and e-mail are functioning well you will gain very little by transitioning them to the cloud. In fact, these types of changes could prove confusing and incite end user rejection. However, if you are just implementing these services for the first time the cloud may give the benefits and cost savings that you need. This same rule applies to IaaS clouds. Rather than trying to replace existing infrastructure that is already working, identify workloads that are dynamic or new that constantly require attention on infrastructure to reap the benefits.

3. Think small, but plan big:
Start out with a pilot. 2010 was the year of defining the cloud and 2011 will be the year of cloud implementation. James Staten, an analyst at Forrester Research, recently predicted that many will try to deploy a private cloud, but many will fail. The key is to start small and identify areas where you can extend your existing strategy with new technologies to understand their impact. For IaaS clouds, the easiest is to start with your current virtualization strategy, as the cloud uses virtualization as a core technology. Whether it is development, testing, or new web application environments, the cloud can quickly and easily be implemented with a high likelihood for success.

4. Evaluate all of your options – think agility:
There are many options when implementing a cloud solution. The choice between a public or private cloud should be made based on factors such as cost, security, availability and control. Each deployment model has pros and cons; the goal is to optimize for your business requirements. If you are choosing to build your own, private cloud, vendors can help you achieve this. Portability and flexibility are important elements to consider. You need to choose a solution that works within your system, but also does not lock you into a specific environment. Additionally, a solution that gives you the ability to migrate to public clouds in the future will prove to be valuable.

5. Acknowledge the immaturity of cloud computing, but don’t let it hold you back:
Cloud computing is a new paradigm in IT. It has a few issues including data security and compliance, but new advancements every day continue to take the cloud to the next level. Across the industry, there are more companies and developers working on advancing this segment than many of the traditional/legacy apps. As such, you do not want to get behind the curve of the next wave of innovation. By acknowledging its immaturity and picking applications and workloads that can handle the risk, you get the benefit of getting ahead of the movement and truly understanding the technology as it matures and how it can become an incredible weapon in your IT strategy.

Cloud computing is an exciting new movement that promises to bring many benefits to companies of all sizes. Taking simple steps to integrate it into your existing business strategy, rather than treating it as a separate strategic project, will increase the likelihood of success and simplify the transition to this new form of IT service.

Source