Archive

Posts Tagged ‘SaaS’

Bruteforce become DOS

May 27th, 2013 Comments off
Reading Time: 1 minutes

I noticed that I started too get a few emails from Wordfence about invalid login attempts. Now as I have both wordfence and Google two factor authentication happening I wasn’t worried, though I thought I’d do a large IP range block just to cut down on the noise.

 blocked login
What I found was that my provider was being really awesome in their pro-activeness and started automatically detecting brute force attacks on WordPress sites and removing the login.php
As I stated above I have both Wordfence installed, this will automatically block users and IP addresses that have attempted too many times to log in to a site. But what I also have is Google 2 Factor authentication set up as well, stopping these clowns.
 2FA
So whilst my provider was doing an awesome job preventing those-bad-guys™ from getting to my site, they in essence have locked me out too. Hats off to the support team for pulling this together. But the next stage really needs to include, not only scanning for the fact I run wordpress to block attacks, but scan for plugins too. Or even better, allow me to opt out..

Thoughtlet: Data Security in the cloud

April 2nd, 2011 Comments off
Reading Time: 4 minutes

It seems to be an almost biannual occurrence, people arc up and talk about cloud security, specifically data security/protection. It even got attention at this year’s Cisco Live in Melbourne. The last time I had a rant about this in “Cloud computing protection – Is this the place for Law?” I looked at malpractice laws for misuse or mishandling of data but not the bigger picture:

  • Data sovereignty;
  • Government mandate on export of data (EU as an example);
  • Compliance and regulatory;
  • housing in politically unstable regions;
  • Data Destruction; and
  • Damage and/or destruction.

The above are by no means exhaustive, these are just the ones that I’ve got kicking about in my head at present. 12-18 month ago I had a great chat with a lawyer who was taking a keen interest in this area and at the time was as confused as I on some of the ramifications (he put out a paper as well, when I can find it I’ll link to it here). For getting it out of my head sake I thought I’d put it here for good measure; as it has been sitting in my drafts for about that long.

Data Sovereignty – In a nutshell, this is the issue where what laws come into play based on the location of the data. This is a nebulous area and one that I think most in the law profession are still coming to grips with. Even here in Australia we have a crazy scary amount of laws, depending upon the information type (personal, financial, health, etc) not to mention international laws. This need to be taken into account when looking at what it is you place in the cloud.

Government mandate on export of data – I was thinking of the EU’s law specifically here, where the personal information (combined & interpreted data) cannot be exchanged with non-EU countries unless they have equivalent or better security standards (adequate level of data protection). What does this mean for a providers infrastructure residing in the EU destruction, or for someone in the EU trying to use a cloud service. There is a good blog article it including some examples and explanations. here. Another issue could be that the local/federal government may dictate that data is not to be off-shored. Are you sure that the provider is going to provide you with the ability to ensure that? Including backups?

Compliance and regulatory – This is the same old piece that every monkey trots out. Most of the control requirements are subjective, as in it is up to the auditor’s discretion on whether or not the control is adequate or not (unless it is extremely specific). Most of these are box ticking exercises. If there is a smart control mechanism that will meet your businesses security requirements, and you have clearly documented your rationale so you can call it a compensating measure.

Housing in politically unstable regions – Comes back to knowing what country your data resides in. If by chance it happens in a country where the local government has no qualms in walking in and taking ownership of the entire facility (or a subset there of), including your data, what happens then? What happens if that can be used to replicate your business model, take your customers, etc? Similarly, what about when government or law enforcement requests that data be disclosed, does the provider comply with the request or resist?

Data Destruction – When you decide to move platforms, services, providers, etc, will the provider destroy your data sufficiently so that it isn’t recoverable?

Damage and/or Destruction – What happens to you/your business when data is accidentally or maliciously damaged or destroyed. What happens to your reputation? What are your liabilities? This I covered off briefly in the above mentioned post, “Cloud computing protection – Is this the place for Law?“.

Depending on he size of your business and the service you are going for your ability to negotiate the SLAs will vary greatly. At the end of it, you will still have to look at all of these generic risks as well as the specific risks associated with your business and decide accordingly (through risk assessment). As with most of these, there are compensating measures that can be put in place to mitigate or reduce the affects.

At the end of the day, like any traditional outsourced relationship you don’t want to rely on a service credit against a breached SLA when your business is impacted. I’m not trying to take an alarmist approach, I prefer to see this as a more pragmatic one.

Just my $0.02 worth.

Why do we ask: “Is the cloud secure?”

February 20th, 2010 Comments off
Reading Time: 4 minutes

There have been several debates on the twittersphere of late, OK these have been raging over several months, discussing how secure or insecure cloud computing is. Generally this is focused on Public clouds and comments have ranged from the surreal, or down right ridiculous , to the sublime. so I decided to pause a little and gather my thoughts.

What I find amusing is that a lot of these comments I’ve seen are from providers, some vendors. I don’t understand painting everyone with the same brush because cloud computing is still a relatively new[1] industry offering and providers are still defining and re-defining their niche. Everyone sets up their product a little differently and aims to please certain markets.

The question:

How secure is the Cloud, or Cloud computing? Well that depends,  you need to know what your requirements are. I wrote about this some time ago talking about collaboration tools, and I even alluded to the same considerations being applicable to the cloud model at the time. Essentially: Know what you are after (requirements), understand the risks of going down a certain path, and mitigate those risks.

The counter argument:

“How do I know that the IaaS/PaaS/SaaS provider is doing what they say they are in order to confirm to my requirements?”. That, in itself, has been another heavily debated discussion. Current practice is to bombard the service provide with documentation requests. This is great if it is a contractually obliged deliverable. Providers are overwhelmed with request from customers, or potential customers, asking about SAS70 auditsISO27001 compliance, PCI DSS compliance, and the list goes on.

Read more…

Cisco’s EOS platform to challenge MySpace

August 14th, 2009 Comments off
Reading Time: 2 minutes

HeadphonesI came acrose this article “Cisco’s Eos Platform Could Challenge MySpace.” via a tweet from @padmasree (Cisco’s CTO).

The quoted quote I love is below:

Cisco CEO John Chambers told reporters that he believes the Eos platform will ultimately transform the entertainment industry’s business model by introducing new revenue opportunities online.

Not wanting to be narrow-minded, I still feel the need to rant a little as on the surface this is nothing new. It’s looks just like any other site that offers musicians the ability to template up their website and provide some nice widgets that can be used across multiple sites (I’ve been using ReverbNation for this for some time now). Offering the ability to allow artists to do “special” promotions?!?!?! Guys, are you serious?

Having a small insight into the psychie of the musician, a lot will jump on this as soon as they can, not wanting to miss the boat, however others will instantly shun this as it is related to Warner Music regardless of what it can offer them (that said this would generally be the hardcore independant variety with a loyal fanbase of 3).

In my own opinion what they need to do is take this idea, add some API integration (where possible) for other major sites and types, Facebook, MySpace, WordPress, Typeface, etc so that musicians have 1 portal that they go to where they update information.

Honestly, if Cisco did that, musicians would flock to them like there is no tomorrow. I can tell you that updating 50 different music sites is a tiring task, even when split up amongst band members.

Just like the corporate world, we want 1 interface, 1 true source of information, oh and we want it for free 😉

/rant

Given that this is Cisco and Warner together with potentially a few other major players, I’m sure that they have already thought of all this and need somewhere to start.

And if anyone has the Data Centre capacity and ability to take on such a venture, it’s Cisco.

Categories: Technology Tags: ,

Cisco EOS.. Come again?

August 13th, 2009 Comments off
Reading Time: 2 minutes

ciscoCisco just announced their EOS platform today. Stepping up from a just supplying building blocks, Cisco now move into the Software as a Service (SaaS) space.

I’m still trying to get by head around this one but at first glance I think can see where it’s going. Cisco and Warner team up, build up a content management platform and then offer it to other Media and Entertainment providers, building themselves up into an online content provider (this is a SaaS offering afterall).

Cisco with their SOHO brand, Linksys, already play in the Home Media Network space, build the platforms and infrastructure that Telecommunication companies deliver their network on, and are starting to be big players in the Data Centre space. The next step would be to round it all off as a content provider too I suppose.

As @danieljbaird put it:

Cisco wants to move up the “value chain”, makes sense from their perspective. They want to sell business solns, not only technology. They don’t want to be a commodity.

Will be very interesting to see where Cisco goes with this. A lot of different players in the market are ramping up their content delivery capabilities in preparation for bigger badder better internet and whilst Cisco is partnered with some today, tomorrow could be a whole new game.