Tonight I had the opportunity to speak at #VirtualBostonAzure to talk about raising the visibility of security signals in your environment by turning on your WAF. In demos the WAF available in Azure Front Door was used.
On Tuesday July, 30, 2019 I had the opportunity to speak at North Boston Azure. The talk was part of a series on Running Azure Securely and was called Are all these Azure security features for me? and was not really a “talk” in that it was highly interactive. For those who attended, you will recall we filled in some slides collaboratively. Thus, they may not appear so polished for those of you who did not join live. Either way, please find the slides (“collaborative” and all) below.
This was an experimental approach for me and the feedback from the audience tells me it worked pretty well. The group at North Boston Azure was already knowledgeable and engaged, so hopefully made for a interesting experience for all involved (was certainly fun for me).
You can follow me on Twitter (@codingoutloud).
You can also follow Boston Azure on Twitter (@bostonazure).
At most recent Boston Azure meeting I give (what turns out to be…) the first part of a multi-part talk on Running Azure Securely. Even though I did not cover all this content, I’ve attached the whole powerpoint deck below.
Please watch for a Part II to be scheduled.
- Azure Best Practices – How to Successfully Architect Windows Azure Apps for the Cloud @ 1pm ET on 13-March-2013
- VIEW RECORDING HERE: http://bit.ly/ZzQDDW
Discover how you can successfully architect Windows Azure-based applications to avoid and mitigate performance and reliability issues with our live webinar
Microsoft’s Windows Azure cloud offerings provide you with the ability to build and deliver a powerful cloud-based application in a fraction of the time and cost of traditional on-premise approaches. So what’s the problem? Tried-and-true traditional architectural concepts don’t apply when it comes to cloud-native applications. Building cloud-based applications must factor in answers to such questions as:
- How to scale?
- How to overcome failure?
- How to build a manageable system?
- How to minimize monthly bills from cloud vendors?
During this webinar, we will examine why cloud-based applications must be architected differently from that of traditional applications, and break down key architectural patterns that truly unlock cloud benefits. Items of discussion include:
- Architecting for success in the cloud
- Getting the right architecture and scalability
- Auto-scaling in Azure and other cloud architecture patterns
If you want to avoid long nights, help-desk calls, frustrated business owners and end-users, then don’t miss this webinar or your chance to learn how to deliver highly-scalable, high-performance cloud applications.
The core ideas were drawn from my Cloud Architecture Patterns (O’Reilly Media, 2012) book:
Hosted by Dell:
On October 9, 2012, I was pleased to speak to the Connecticut .NET Developers Group. It was really fun since the crowd was extremely engaged. 🙂 There was a lot of good back-and-forth discussion.
This was the talk abstract:
Just because we get an application to run on cloud infrastructure does not ensure that it runs well. To truly take advantage of the cloud we need to build cloud-native applications. The architecture of a cloud-native application is different than the architecture of a traditional application. A cloud-native application is architected for cost-efficiency, availability, and scalability. We will examine several key architecture patterns that help unlock cloud-native benefits, spanning computation, database, and resource-focused patterns. By the end of the talk you should appreciate how cloud architecture is more demanding than you might be accustomed to in some areas, but with high payoff such as handling failure without downtime, scaling arbitrarily, and allowing aggressive cost-optimization.
All the concepts and patterns I spoke about are also discussed in my recently released book, Cloud Architecture Patterns:
More info on the book is here:
If you do read the book, I’d very much appreciate a short review on Amazon.
Also, please stay in touch via twitter (@codingoutloud) or email (my twitter handle at gmail). Got Azure or Cloud questions? Feedback on the book? Please reach out.
And the slide deck I used is attached here:
Architecture Patterns for Building Cloud-Native Applications — CT.NET — 09-Oct-2012 — Bill Wilder (blog.codingoutloud.com)
You new to Windows Azure?
Experienced with Windows Azure?
Wondering what all the buzz is about…
You can Meet #WindowsAzure in a live stream featuring keynote speaker Scott Guthrie (@ScottGu) along with other Azure/cloud experts. Event is June 7 at 4:00 PM Boston time (UTC-7 hours).
I will be watching and you can find discussions on the Twitters…. I am @codingoutloud, the event hashtag is #MeetAzure, and be sure to check out the Lanyard page that Magnus set up.
Also if you are an Azure fan in the Boston area, please check out the Boston Azure cloud user group (www.bostonazure.org). The group meets monthly, with occasional special events, such as the 2-day bootcamp later this month. The group events are usually at NERD in Cambridge, MA.
- Registration page: http://go.microsoft.com/?linkid=9809415
- Live Stream page: http://go.microsoft.com/?linkid=9809426
- Boston Azure cloud user group: www.bostonazure.org
MEET Windows Azure Blog Relay:
I attended Vermont Code Camp 2 yesterday (11-Sept-2010) at the University of Vermont. Many thanks to the awesome crew of Vermonters who put on an extremely well-organized and highly energetic event! I look forward to #vtcc3 next year. (Twitter stream, while it lasts: #vtcc2)
I presented a talk on Building Cloud-Native Applications using Microsoft Windows Azure. My slides are available as a PPT download and on slideshare.net.
<aside>Maura and I went to Vermont a day early. We put that time to good use climbing to the summit of Vermont’s highest mountain: Mt. Mansfield. We hiked up from Underhill State Park, up the Maple Ridge Trail, over to the Long Trail, up to the summit, then down the Sunset Ridge Trail (map). It was a really tough climb, but totally worth it. I think the round trip was around 7 miles.
I took notes during the Boston Cloud Computing Group Meetup 23-Sept-2009 – the raw notes are below, but a couple of more noteworthy highlights appear first with some of my views interspersed.
Executive Summary – Key Take-Aways & Highlights
Notes from Javed Ikbal’s talk (http://10domains.blogspot.com) are in regular type. My editorial comments and thoughts are in italics or bold italics – so don’t blame these on Javed. 🙂
- Key take-away – going to the Cloud is waaaay more about Business Tradeoffs than it is about Technology.
- “There are 2 kinds of companies – those which have had a [data security]breach, and those which are going to have a [data security] breach” -Javed
- Centralization of data makes insider threat a bigger risk -Javed
- “On premise does not mean people are doing the right thing” –Javed – right on! I bet the majority of the fortune five-million (as 37 Signals refers to the medium and small business market) have insufficient IT – they just don’t know it. Any stats?
- Someone from the audience stated there are more breaches in on-premise data centers than in cloud. Therefore cloud is safer. I don’t buy the logic. There could so many more publicized breaches in on-premise systems simply because there are so many more on premise data centers today. So this is easy to misinterpret. We can’t tell either way from the data. My personal prediction: today if there is a data breach for data stored in the cloud, people will not be able to believe you were reckless enough to store it in the cloud; 5 years from now, if there is a data breach for data stored on premise, people will not be able to believe you were reckless enough to store it locally instead of in the cloud which everyone will then believe is the safest place.
- Someone from audience commented that business value of losing data will be balanced against business cost of it being exposed. This comment did not account for the PROBABILITY of there being a breach – how do you calculate this risk? I bet it is easier to calculate this risk on the cloud than on premise (though *I* don’t know how to do this)
- Comment from Stefan: We can’t expect all cloud services to be up all the time (we were chatting about Google and Amazon downtime, which has been well documented). I completely agree – And many businesses don’t have the data to fairly/accurately compare their own uptimes with those of the cloud vendors – and, further, if the cloud vendors did have 100% up-time, that may destroy the economies we are seeing on the cloud today (who cares if it is 100% reliable if it is 0% affordable – that’s too expensive to be interesting)
- Off-premise security != in cloud – different security issues for different data – Javed In other words, treat SSN and Credit Card data differently than which books I bought last year. But I can think of LOTS of data that is seemingly innocuous, but that SOME PEOPLE will balk at having it classified as “non-sensitive” – might be my bookmarks, movie rentals, books purchased, travel plans/history, many more… not just those that support identity theft and/or direct monetary loss (bank account hacks). I think it would be a fine idea for data hosts to publicly declare their data classification scheme – shouldn’t we all have a right to know?
- I think IT generally – and The Cloud specifically – could benefit from the kind of thinking that went into GoodGuide.com.
Raw Notes Follow
The rest of these notes are a bit rough – and may or may not make sense – but here they are anyway…
- Pizza & drinks, some social (sat next to Stefan Schueller from TechDroid Sytems and enjoyed chatting with him)
- Went around the room introducing ourselves
- People who were hiring / looking for work spoke up
- Around 30 people in attendance
- Meeting host: Aprigo – 460 Totten Pond rd, suite 660 – Waltham, MA 02451 – USA
- Feisty audience! Lots of participation. This added to the meeting impact.
Twisted Storage talk
From Meetup description: Charles Wegrzyn – CTO at TwistedStorage Inc. (Check actually built an Open source cloud storage system back in ’05)
TwistedStorage is open source software that converts multiple storage
repositories, legacy or green-field, into a single petabyte-scale cloud
for unstructured data, digital media storage, and archiving. The Twisted
Storage Enterprise Storage Cloud provides federated search, electronic
data discovery with lock-down, and policy-driven file management
including indexing, retention, security, encryption, format conversion,
information lifecycle management, and automatic business continuity.
History of Building Storage Management software
- Open Source
- Been downloaded 75k times
- Re-wrote – now version 4 – in Python
Common anti-pattern observed in real world:
- Users storing “stuff” in Exchange since that was a convenient place to store it
- Results in a LOT of email storage (and add’l capacity is easy to keep adding on)
- Can’t find your data (too much to logically manage)
- Backups inadequate
- Complexity, complexity, complexity
The Twisted Storage Way
- Federated storage silos w/ adaptors/agents
- Provide enterprise capabilities spanning sites (access control, audits, search/indexing – including support for metadata, simplified administration and recovery)
- ILM = Information Lifecycle Management
- Open Source
- Work-flow (Python scripts, XML coming)
- Policy-driven (“delete this after 2 years”, “encrypt me”) (Python scripts)
Twisted Storage Design Goals
- Always available content (via replication)
- No back-up or recovery needed (due to replication)
- Linear scalability (scales out)
- Able to trade off durability with performance
- Supports old hardware
- Minimal admin overhead
- Support external storage systems and linkage
- Portable – will run on Linux, Windows, (iPhone?) – due to portable Python implementation
- Pricing: Enterprise Edition: $500 / TB up to 2 PB (annual), minimum $10k for first 20 TB (see web site for full story)
- versus competition like Centera which charge $15k/Silo + Enterprise Edition
- http://www.twistedstorage.com, firstname.lastname@example.org
Info Security & Cloud Computing Talk
From Meetup description: Javed Ikbal (principal and co-founder of zSquad LLC)- will talk about: “Marketing, Uncertainty and Doubt: Information Security and Cloud Computing”
- What is the minimum security due diligence that a company needs to do before putting it’s data in the cloud?
- Since 2007, Amazon has been telling us they are “.. working with a public accounting firm to … attain certifications such as SAS70 Type II” but these have not happened in 2+ years.
- On one side of the cloud security issue we have the marketing people, whohype up the existing security and gloss over the non-existing. On the other side we have security services vendors, who hawk their wares by hyping up the lack of security. The truth is, there is a class of data for every cloud out there, and there is also someone who will suffer a data breach because they did not secure it properly.
- We will look at Amazon’s EC2, risk tolerance, and how to secure the data in the cloud.
- Javed is a principal and co-founder of zSquad LLC, a Boston-based information security consulting practice.
Javed is a Security Consultant
Also co-founded http://www.layoffsupportnetwork.com
Formerly worked in Fidelity (in security area)
- Elastic – provision up/down on demand (technical)
- Avail from anywhere (technical)
- Pay-as-you-go (business model)
- Data stored in China – gov’t could get at it
- We never have direct access
- May be locked in? (for practical reasons)
- March 7, 2009 from WSJ – Google disclosed that it exposed a “small number” of Google docs – users not supposed to be authorized were able to view them. Google estimated < 0.05% of all stored Google docs were impacted – BUT! – this is a LOT of documents. http://blogs.wsj.com/digits/2009/03/08/1214/
- Sept 18, 2009 from NYT – a recent bug in Google Apps allowed students at several colleges to read each other’s emails – this impacted only a “small handful” of colleges (like Brown University, for 3 days)http://www.nytimes.com/external/readwriteweb/2009/09/18/18/18readwriteweb-whoops-students-going-google-get-to-read-ea-12995.html
- Google’s official policy for paid customers states “at your sole risk” and no guarantee it will be uninterrupted, timely, secure, or free from errors
- Amazon states it is not responsible for “deletioreach” – Javedn, destruction, loss” etc.
- Google will not allow customers to audit Google’s cloud storage claims
- Amazon says PCI level 2 compliance is possible with AWS, level 1 not possible
- SAS 70 Type II reports not meaningful unless you can see which controls were evaluated
- “on premise does not mean people are doing the right thing” –Javed
- Perception of more breaches in on-premise systems – but there are so many more of them, it is easy to misinterpret
- Business value of losing data will be balanced against business cost of it being exposed – but this does not account for the PROBABILITY of there being a breach – how do you calculate this risk? I bet it is easier to calculate this risk on the cloud than on premise (though *I* don’t know how to do this)
- We can’t expect all cloud services to be up all the time – right, and many businesses don’t have the data to fairly/accurately compare their own uptimes with those of the cloud vendors – and, further, if the cloud vendors did have 100% up-time, that may destroy the economies we are seeing on the cloud today (it may be 100% reliable, but too expensive to be interesting)
- Off-premise security != in cloud – different security issues for different data
- “There are 2 kinds of companies – those which have had a [data security]breach, and those which are going to have a [data security] breach” -Javed
- Centralization of data makes insider threat a bigger risk
- Customers should perform on-site inspections of cloud provider facilities (but rare?)
- Ask SaaS vendor to see 3rd party audit reports – SalesForce has one, Amazon does not (Google neither? What about Microsoft – not yet?)
- Providers need to be clear about what you will NOT support – e.g., Amazon took 2 years to provide an answer… Amazon/AWS disclaimers are excellent models
- Providers need to understand they may be subject to legal/regulatory discovery due to something a customer did
- Unisys has ISO 27001-certified data centers (high cost, effort)
Creating Secure Software
- Devs care about deadlines and meeting the requirements
- If security is not in the requirements, it will not get done
- if devs don’t know how to code securely, it will not get done right (if at all)
- Train your devs and archs: one day will help with 90% of issues!
- Build security into your software dev life-cycle
- Let security experts, not necessarily developers, write the security requirements
- Secure Code Review can be expensive – bake in an application security audit into your schedule, to be done before going live
- (high customer extensibility + low provider security responsibility) IaaS – PaaS – SaaS (low customer extensibility + high provider security responsibility)