Storage Informer

Tag: Security

Transport Layer Security – a novel approach

by admin on Oct.19, 2009, under Storage


Transport Layer Security (TLS) is widely used in secure Internet communication, especially for securing Web / HTTP traffic. TLS is a replacement for the Secure Sockets Layer (SSL) protocol, which provides similar protections. TLS provides cryptographic services to application traffic payloads in the form of data authenticity and, optionally, data confidentiality. Each pairwise (P2P) secure session maintains its own independent cryptographic state, which can add up to a large amount of state held on TLS terminators / servers when millions of TLS connections terminate at the same destination or domain (e.g. ecommerce sites, banks, eBay). Furthermore, because TLS operates at the application layer, all cryptographic operations are performed on large application buffers, which requires reassembling all network packet fragments before operating on a buffer. As a result, expensive TLS aggregators must be provisioned at the front of each domain providing secure web communications, and the solution does not scale well as demand increases.

In this video, researchers from Intel Labs demonstrate a novel approach to a cryptographically scale-free TLS solution, one that can scale with increasing demand. This is achieved with a cryptographic key derivation technique: using a ‘master key’ and some identifiers located in the packet, unique session keys can be computed dynamically on a per-packet basis instead of storing an individual session key for every session. The technique essentially trades compute for storage, allowing a larger number of TLS connections to be supported by a given server / domain. Furthermore, performing the cryptographic operations on a per-network-packet basis (instead of on application payload buffers) allows early validation of data integrity: bad packets can be rejected without waiting until the application buffer is reconstructed and applying the crypto operations / buffer validation at a later stage of the network pipeline.
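An added example (not from the Intel Labs demo or the original post) sketching the compute-for-storage trade described above: the server keeps only a master key and re-derives the session key from identifiers in each packet. The packet layout, the `client_id` / `session_id` / `seq` fields and the use of HMAC-SHA256 as the derivation function are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MASTER_KEY = bytes(range(32))   # constructed demo key, never a real secret
HEADER = struct.Struct("!IQI")  # assumed layout: client_id, session_id, seq
TAG_LEN = 16                    # truncated HMAC-SHA256 tag


def derive_key(master: bytes, client_id: int, session_id: int) -> bytes:
    """Recompute a session key from the master key and packet identifiers."""
    ids = struct.pack("!IQ", client_id, session_id)
    return hmac.new(master, b"session-key" + ids, hashlib.sha256).digest()


def seal(session_key: bytes, client_id: int, session_id: int,
         seq: int, payload: bytes) -> bytes:
    """Client side: holds only its own derived session key."""
    header = HEADER.pack(client_id, session_id, seq)
    tag = hmac.new(session_key, header + payload, hashlib.sha256).digest()
    return header + payload + tag[:TAG_LEN]


def open_packet(master: bytes, packet: bytes):
    """Server side: no session table; the key is derived per packet.

    Returns the payload if the packet authenticates, otherwise None,
    so a bad packet is dropped before any buffer reassembly.
    """
    if len(packet) < HEADER.size + TAG_LEN:
        return None
    header = packet[:HEADER.size]
    body = packet[HEADER.size:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    client_id, session_id, _seq = HEADER.unpack(header)
    key = derive_key(master, client_id, session_id)
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    return body if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    k = derive_key(MASTER_KEY, 7, 1001)  # handed to the client at setup
    pkt = seal(k, 7, 1001, 1, b"GET /account")
    print(open_packet(MASTER_KEY, pkt))
```

Replay protection is outside this sketch: the sequence number is authenticated, but rejecting a repeated packet still requires some per-session state.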


URL: http://feedproxy.google.com/~r/IntelBlogs/~3/t6D-y-iJxpc/transport_layer_security_-_a_n.php


Can You Trust Your Cloud?

by admin on Oct.15, 2009, under Storage


The recent SideKick brouhaha has been an object lesson putting a sharp spotlight on this topic.

Much has been said on this topic, so I won’t recap the obvious.  The online service had a really bad day. 

Much finger pointing, lessons all around.

However, as we debate various cloud models, a key aspect between public and private clouds has been highlighted here, and that’s around notions of control, transparency and accountability.

Simply put, enterprise IT is always accountable for what happens — whether it’s in the data center, or in the cloud somewhere.

The Quick Recap

I really don’t want to replay the story, but I have to.  During an ostensibly routine infrastructure upgrade, a lot of personal data was lost. 

And there was no ready backup at hand. 

Are you cringing yet?  Most IT professionals wince when they hear stories like this.

Maybe there was a backup routine in place.  Maybe it didn’t get done.  Maybe the backup wasn’t usable.  We may never know.

Now, Shift To Enterprise IT

Within a data center, IT operations is responsible to make sure that (a) backups get religiously done per agreed policy, and (b) these are usable on short notice if needed, especially if a lot of bad stuff is happening.

Doesn’t matter whether the application runs in the data center, or in a service provider — IT is still responsible for the end result.  Period.

Is it acceptable to blindly accept that your service provider is doing this as agreed?  Perhaps not …

The Importance Of Transparency

If I was an IT administrator using an external service provider for my important applications, I’d like to be able to externally monitor that backups were getting done as agreed — using my own tools.

I’d like to be able to independently verify that the backups are usable — using my own tools.

And I’d like to verify that someone hadn’t made a bonehead configuration mistake like having the backup target data on the exact same storage array as the source data, as is the case with most kinds of snaps.  That ain’t a real backup, in my book.

I’d be OK with the service provider actually doing the backup work on my behalf — as long as I had complete transparency into what was being done, and how it was being accomplished.

Not in a high-level “trust me” kind of way, but in a manner where I could directly observe the low-level detail if needed. 

That’s what I can do when applications run in my data center; that’s what I would expect if they ran in an external service provider.

Now, I could choose to ignore all that detail, if I wanted to.  But it’d be there if I thought there was a concern.

It’s Not Just Backup

I think this line of “transparency” thinking can be extended to just about every other discipline where IT is held accountable: security, performance, compliance, licensing, etc.

The “trust me” default relationship we see in so many cloud and service provider models just won’t cut it for many enterprise IT organizations that trust their business to the cloud. 

This is stuff you can get fired over if it all goes bad.

IT will need to be able to probe, audit, interrogate, monitor, etc. IT operations in much the same manner as they do with their infrastructure today.

IT Control and Private Clouds

One of the key concepts of private clouds is the notion of control: IT has the option to remain in control, and not the service provider. 

Sure, the service provider is responsible for whatever they’ve committed to — but IT is capable of monitoring that the work is being done, and being done correctly.

Trust but verify.

Implications For Management And Security Frameworks

This implies a certain level of architectural thinking around “control planes” for fully virtualized environments where some pieces might be run internally, and some externally.

We’ll need to think in terms of federated management models that allow the “rented” part of our infrastructures to be managed, monitored, inspected, etc. — regardless of physical location.

And we’ll need federated security frameworks that do much the same thing.

Not to do a blatant product dive, but I would argue persuasively that you’ll see these exact same themes in EMC’s Ionix and RSA portfolios respectively: federated management, and federated security.

In addition, we’ll also need to see service providers who are willing to “open up” virtualized portions of their infrastructure to be under the control of the enterprise IT organizations that they serve as customers.

Frankly, not a lot of those in the market today — but I’m betting we’ll see more of these kinds of offerings before long.

The Bottom Line

Enterprise IT organizations won’t be big users of any cloud model unless they can trust it.  And, if they’re experienced IT operators, they won’t trust what they can’t see.

Is transparency the new table stakes for service providers who want a piece of the enterprise IT market?

We’ll see …


URL: http://emcfeeds.emc.com/rsrc/link/_/can_you_trust_your_cloud__793727477?f=84f8d580-01de-11de-22d1-00001a1a9134


It was the Roomba in the Conservatory with the Lead Pipe

by admin on Oct.15, 2009, under Storage


A study conducted at the University of Washington has found that home robots may be a security and privacy leak for their owners. The authors of the study point out that the concern is not that intelligent robots will throw off their shackles and attack their owners. Rather, some robots on the market can be hacked through the home's wireless network or the robot's wireless connection.

One specific problem pointed out in the press release for the study was the interception of a robot's video and audio streams. If an attacker could also move the robot, I can well imagine compromising photos being shot and posted on the web, or the robot could "case the joint" and discover what valuables are in the house and how the home security system might be overcome.

Depending on the model and features, it would seem conceivable to have the robot actually harm a person within the home. This could be the basis for a "locked room" murder mystery plot. The robot is controlled by an external agent to kill, clean up after itself, and then return to a resting state to await the arrival of the baffled detectives.

One would hope that such studies will alert consumers to be more cautious or mindful of the electronics that will be brought into their private lives. Simple things like changing the default passwords and encrypting home wireless networks will go a long way to give the consumer more security and privacy.

URL: http://feedproxy.google.com/~r/IntelBlogs/~3/3BjQsmBT-co/

