Monday, November 28, 2011

Cloud Copyright, Capital and The Courts

In 2006, Cablevision was developing a service which allowed customers to record, pause and replay their television content on/from servers located at Cablevision’s data center rather than on the customer’s Digital Video Recorder itself – in the cloud rather than on a local hard drive.  A consortium of U.S. television and copyright holders challenged Cablevision in court arguing that Cablevision’s Remote Storage Digital Video Recorder (RS-DVR) infringed on copyrighted content laws in that, they were making copies of protected works and infringing on exclusive right of reproduction; briefly buffering/storing that content also infringes on exclusive reproduction rights; and by transmitting the data back to the customer, they were infringing on exclusive rights to public performance.  In 2007, a district court found in favor of the copyright owner but in 2008, the decision was reversed by the Second Court of Appeals.  The court clarified that Cablevision was not directly infringing copyright by offering a remote DVR service outside the customer’s home.  Viewers could now record and save authorized TV content on a device within Cablevision’s infrastructure.

This ruling, according to Josh Lerner, Harvard Business School’s Professor of Investment Banking, had a huge impact on U.S. venture capital moving to cloud computing.  A risk was removed.  In Europe, where the ruling had no authority, the venture investments in the cloud were much less.  This is an important economic topic and ruling due to the relationship between venture, innovation and job growth.  The ruling might also be relevant in Australia where Optus is facing the same legal challenge today.  They started a service in July called Optus TV Now that does essentially the same thing as Cablevision’s.  Allowing customers to record and watch the 15 free-to-air stations that are available.  Customers can watch the content directly or over their smartphone or computer via the internet.  In their July announcement they even included, ‘it is a breach of copyright to make a copy of a broadcast other than to record it for your private and domestic use. Optus accepts no responsibility for copyright infringement.’  Well, the owners of the copyright material being stored and retrieved are saying breach, especially the AFL and NRL, the football and rugby leagues.  Optus is saying it’s no different than people recording on a personal DVR at home.  It’ll be interesting to follow this.

Back to the ‘funding the cloud’ story.  Lerner’s study, 'The Impact of Copyright Policy Changes on Venture Capital Investment in Cloud Computing Companies,' he examines the impact and effect of the US Second Circuit Court of Appeals decision.  The authors found that the decision led to additional incremental investment in U.S. cloud computing companies compared to Europe.  Figure 1 of their paper:
vc emea cloud

The same growth did not occur in Europe and in some cases, these types of services have been blocked from even getting to market.  Imagine how much different services from Amazon, Apple and Google would be if the court did not reverse the 2007 ruling.  

ps

Related:
Technorati Tags: F5, costs, integration, cloud computing, Pete Silva, security, business, venture capital, technology, application delivery, cloud, emea, infrastructure 2.0, web, internet

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_facebook[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Monday, November 21, 2011

A Blog of Thanks

With the shortened Thanksgiving holiday work week, I had a blog ready but thought I’d just thank all of you for reading, watching and listening to the various pieces of content I produce.  I do appreciate it!

ps

Technorati Tags: blog, social media, comscore, music, statistics, blog traffic, web traffic, digital media, mobile device, analytics, video

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_facebook[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Friday, November 18, 2011

Dynamic Attack Protection and Access Control with BIG-IP v11

We try to offer many learning opportunities thru webinars so if there are other topics you’re interested in, there are some links below but also check out the F5 WebCasts page along with DevCentral’s Media site.  We also post video content to our YouTube Channel, if that’s your game.  In this v11 webinar, I tell stories around various threats like DDoS, insecure DNS, web 2.0, AJAX, JSON payloads along with some unified access security/control based on identity. Originally offered to our EMEA audience, now for everyone to enjoy.  Running time: 65:50

ps

Related:

Technorati Tags: F5, webinar, integration, Pete Silva, security, business, v11, technology, dynamic, big-ip, video, data center

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_facebook[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Tuesday, November 15, 2011

F5 BIG-IP Platform Security

When creating any security-enabled network device, development teams must fully investigate security of the device itself to ensure it cannot be compromised.  A gate provides no security to a house if the gap between the bars is large enough to drive a truck through.  Many highly effective exploits have breached the very software and hardware that are designed to protect against them.  If an attacker can breach the guards, then they don’t need to worry about being stealthy, meaning if one can compromise the box, then they probably can compromise the code.  F5 BIG-IP Application Delivery Controllers are positioned at strategic points of control to manage an organization’s critical information flow.  In the BIG-IP product family and the TMOS operating system, F5 has built and maintained a secure and robust application delivery platform, and has implemented many different checks and counter-checks to ensure a totally secure network environment.  Application delivery security includes providing protection to the customer’s Application Delivery Network (ADN), and mandatory and routine checks against the stack source code to provide internal security—and it starts with a secure Application Delivery Controller.

The BIG-IP system and TMOS are designed so that the hardware and software work together to provide the highest level of security.  While there are many factors in a truly secure system, two of the most important are design and coding. Sound security starts early in the product development process. Before writing a single line of code, F5 Product Development goes through a process called threat modeling.  Engineers evaluate each new feature to determine what vulnerabilities it might create or introduce to the system.  F5’s rule of thumb is a vulnerability that takes one hour to fix at the design phase, will take ten hours to fix in the coding phase and one thousand hours to fix after the product is shipped—so it’s critical to catch vulnerabilities during the design phase.  The sum of all these vulnerabilities is called the threat surface, which F5 strives to minimize.  F5, like many companies that develop software, has invested heavily in training internal development staff on writing secure code.  Security testing is time-consuming and a huge undertaking; but it’s a critical part of meeting F5’s stringent standards and its commitment to customers.

By no means an exhaustive list but the BIG-IP system has a number of features that provide heightened and hardened security: Appliance mode, iApp Templates, FIPS and Secure Vault

Appliance Mode

Beginning with version 10.2.1-HF3, the BIG-IP system can run in Appliance mode.  Appliance mode is designed to meet the needs of customers in industries with especially sensitive data, such as healthcare and financial services, by limiting BIG-IP system administrative access to match that of a typical network appliance rather than a multi-user UNIX device.  The optional Appliance mode “hardens” BIG-IP devices by removing advanced shell (Bash) and root-level access.  Administrative access is available through the TMSH (TMOS Shell) command-line interface and GUI.  When Appliance mode is licensed, any user that previously had access to the Bash shell will now only have access to the TMSH.  The root account home directory (/root) file permissions have been tightened for numerous files and directories. By default, new files are now only user readable and writeable and all directories are better secured.

iApp Templates

Introduced in BIG-IP v11, F5 iApps is a powerful new set of features in the BIG-IP system.  It provides a new way to architect application delivery in the data center, and it includes a holistic, application-centric view of how applications are managed and delivered inside, outside, and beyond the data center. iApps provide a framework that application, security, network, systems, and operations personnel can use to unify, simplify, and control the entire ADN with a contextual view and advanced statistics about the application services that support business.  iApps are designed to abstract the many individual components required to deliver an application by grouping these resources together in templates associated with applications; this alleviates the need for administrators to manage discrete components on the network.  F5’s new NIST 800-53 iApp Template helps organizations become NIST-compliant. F5 has distilled the 240-plus pages of guidance from NIST into a template with the relevant BIG-IP configuration settings—saving organizations hours of management time and resources.

Federal Information Processing Standards (FIPS)

Developed by the National Institute of Standards and Technology (NIST), Federal Information Processing Standards are used by United States government agencies and government contractors in non-military computer systems.  FIPS 140 series are U.S. government computer security standards that define requirements for cryptography modules, including both hardware and software components, for use by departments and agencies of the United States federal government.  The requirements cover not only the cryptographic modules themselves but also their documentation. As of December 2006, the current version of the standard is FIPS 140-2.  A hardware security module (HSM) is a secure physical device designed to generate, store, and protect digital, high-value cryptographic keys. It is a secure crypto-processor that often comes in the form of a plug-in card (or other hardware) with tamper protection built in.  HSMs also provide the infrastructure for finance, government, healthcare, and others to conform to industry-specific regulatory standards.  FIPS 140 enforces stronger cryptographic algorithms, provides good physical security, and requires power-on self tests to ensure a device is still in compliance before operating.  FIPS 140-2 evaluation is required to sell products implementing cryptography to the federal government, and the financial industry is increasingly specifying FIPS 140-2 as a procurement requirement.  The BIG-IP system includes a FIPS cryptographic/SSL accelerator—an HSM option specifically designed for processing SSL traffic in environments that require FIPS 140-1 Level 2–compliant solutions.

Many BIG-IP devices are FIPS 140-2 Level 2–compliant.  This security rating indicates that once sensitive data is imported into the HSM, it incorporates cryptographic techniques to ensure the data is not extractable in a plain-text format. It provides tamper-evident coatings or seals to deter physical tampering.  The BIG-IP system includes the option to install a FIPS HSM (BIG-IP 6900, 8900, 11000, and 11050 devices).  BIG-IP devices can be customized to include an integrated FIPS 140-2 Level 2–certified SSL accelerator.  Other solutions require a separate system or a FIPS-certified card for each web server; but the BIG-IP system’s unique key management framework enables a highly scalable secure infrastructure that can handle higher traffic levels and to which organizations can easily add new services.  Additionally the FIPS cryptographic/SSL accelerator uses smart cards to authenticate administrators, grant access rights, and share administrative responsibilities to provide a flexible and secure means for enforcing key management security.

Secure Vault

It is generally a good idea to protect SSL private keys with passphrases. With a passphrase, private key files are stored encrypted on non-volatile storage.  If an attacker obtains an encrypted private key file, it will be useless without the passphrase.  In PKI (public key infrastructure), the public key enables a client to validate the integrity of something signed with the private key, and the hashing enables the client to validate that the content was not tampered with.  Since the private key of the public/private key pair could be used to impersonate a valid signer, it is critical to keep those keys secure.  Secure Vault, a super-secure SSL-encrypted storage system introduced in BIG-IP version 9.4.5, allows passphrases to be stored in an encrypted form on the file system.  In BIG-IP version 11, companies now have the option of securing their cryptographic keys in hardware, such as a FIPS card, rather than encrypted on the BIG-IP hard drive.

Secure Vault can also encrypt certificate passwords for enhanced certificate and key protection in environments where FIPS 140-2 hardware support is not required, but additional physical and role-based protection is preferred.  In the absence of hardware support like FIPS/SEEPROM (Serial (PC) Electrically Erasable Programmable Read-Only Memory), Secure Vault will be implemented in software.  Even if an attacker removed the hard disk from the system and painstakingly searched it, it would be nearly impossible to recover the contents due to Secure Vault AES encryption.

Each BIG-IP device comes with a unit key and a master key. Upon first boot, the BIG-IP system automatically creates a master key for the purpose of encrypting, and therefore protecting, key passphrases.  The master key encrypts SSL private keys, decrypts SSL key files, and synchronizes certificates between BIG-IP devices. Further increasing security, the master key is also encrypted by the unit key, which is an AES 256 symmetric key. When stored on the system, the master key is always encrypted with a hardware key, and never in the form of plain text. Master keys follow the configuration in an HA (high-availability) configuration so all units would share the same master key but still have their own unit key.  The master key gets synchronized using the secure channel established by the CMI Infrastructure as of BIG-IP v11.  The master key encrypted passphrases cannot be used on systems other than the units for which the master key was generated.  Secure Vault support has also been extended for vCMP guests. vCMP (Virtual Clustered Multiprocessing) enables multiple instances of BIG-IP software to run on one device. Each guest gets their own unit key and master key.  The guest unit key is generated and stored at the host, thus enforcing the hardware support, and it’s protected by the host master key, which is in turn protected by the host unit key in hardware.

Finally

F5 provides Application Delivery Network security to protect the most valuable application assets.  To provide organizations with reliable and secure access to corporate applications, F5 must carry the secure application paradigm all the way down to the core elements of the BIG-IP system.  It’s not enough to provide security to application transport; the transporting appliance must also provide a secure environment.  F5 ensures BIG-IP device security through various features and a rigorous development process.  It is a comprehensive process designed to keep customers’ applications and data secure.  The BIG-IP system can be run in Appliance mode to lock down configuration within the code itself, limiting access to certain shell functions; Secure Vault secures precious keys from tampering; and optional FIPS cards ensure organizations can meet or exceed particular security requirements.  An ADN is only as secure as its weakest link. F5 ensures that BIG-IP Application Delivery Controllers use an extremely secure link in the ADN chain.

ps

Resources:

Technorati Tags: F5, PCI DSS, virtualization, cloud computing, Pete Silva, security, coding, iApp, compliance, FIPS, internet, TMOS, big-ip, vCMP

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_facebook[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Friday, November 4, 2011

F5 International Technology Center Video Tour

I visited F5's International Technology Center in the heart of London and want to share an amazing tour with Shareef Qureshi, F5 Product Management Engineer. The facility includes a state of the art lab facility, executive briefing center, workroom facilities and an immersive TelePresence room.  See the equipment, how it's managed and cooled, the meeting facilities and more. Only a month old, the F5 ITC showcases some of the latest data center technology.  F5’s new London ITC will be the first Application Delivery & Data Solutions competency center in all of EMEA.  Special thanks to Ross Draper for following us around.

ps

Related:

Technorati Tags: F5, london, integration, Pete Silva, security, business, emea, technology, tech center, big-ip, video, education

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_facebook[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Wednesday, November 2, 2011

When Personal Security is Compromised

My Greatest Fears Realized

I debated about writing and/or blogging about this for a few days since it is very personal and didn’t want a pity-party coming my way.  But covering security, often from the human behavior standpoint, is what I do and what better way to share a security incident than when it happens directly to you.  Plus, being able to simply get it out is cathartic to some extent.  So here goes.

I attended the London IPExpo on Oct 19-20 at Earl's Court Two.  IPExpo is one of the largest IT infrastructure shows in Europe with many focus areas: Cloud, Storage, Security, Network, Virtualization and so forth - pretty much anything that touches IT.  I was invited by the F5 EMEA team to present at a number of speaking sessions F5 offered during the conference.  I also brought my family along since we hadn’t been to London in about 5 years and we really like the city. 

A couple weeks ago while I was at work at our EMEA headquarters there was an attempted abduction/kidnapping of my 5 year old daughter at one of the underground stations in London. My wife and daughter were on their way shopping when a man grabbed her.  He started with a little lure and when they got closer, he grabbed her arm and tried to yank her away from my wife.  Luckily my wife was able to keep hold of her and said to another woman, ‘Did you see what that guy just did to my daughter?’  She responded with, ‘yes and it looks like he’s doing it to another little girl!’  At that point, my wife asked for assistance from the Underground personnel.  The BTP (British Transportation Police) arrived and took him into custody while taking my wife and daughter to the station for statements.  My daughter asked if she could tell the officer about what happened and she told the PC, ‘that man grabbed my arm.’  That was pretty much all they needed, especially after viewing the CCTV footage and they didn't want to pressure a grueling interview of a child. 

I was finishing lunch with an F5 colleague when I got the call – ‘we are at the police station and you need to come now.’  At first I wasn’t sure if she was joking since she’s used that ‘I’m at the cop-shop’ routine before and I said, ‘What?!?, are you kidding?’  She then briefly told me about the incident, that he was in custody and at that point, it was no joke and my personal security had been threatened.  My co-worker immediately said, ‘I’ll take you wherever you need to go.’  This is one of the things that I love about my working family at F5, personal family is always first.  That was when the flood of emotions overcame me and the gravity of the situation hit.  As an aside, I don’t worry about my family going anywhere since my wife is a former Federal Law Enforcement Agent and certainly knows how to handle such situations.

I often look at human behavior and the ‘feeling of security’ or ‘peace of mind’ when discussing the topic.  I think that many of the fears about say, cloud security or any other topic that seems to take a few years to fully catch-on, has to do with the fact that we humans simply have a hard time with change.  Add loss of control to the picture makes it even more daunting.  Friends will say, ‘Let it go, it’s out of your control,’ and while you may understand, it doesn’t always make you feel any better.  That day, I did not have a feeling of security, peace of mind or any control over the situation.  I knew they were safe but I did not feel safe.  The mind kept telling the belly ‘it’s OK.’ but the gut wasn’t listening.  The stress increases, it’s harder to think, you’re sweating and it’s uncomfortable. 

Finally arriving at the station, the Sergeant tells me everyone is fine, the guy is arrested and we’ll let your family know you are here.  Some anxiety is finally released and soon, we get to hug.  More stress leaves the body and thinking becomes more focused but still has plenty of questions.  The BTP was great and gave us a ride in the blue and white back to our hotel. We were told on the way back that he is well known within the police department and a repeat offender.  Not sure if that was good or bad news.

The following day, the BTP called and said that the guy is being charged with assault (of a minor).  The CCTV caught everything.  Now, I’m not a big fan of the increased surveillance everywhere but in this situation it helped tremendously.  The next day it was determined that he needed a psychiatric evaluation and spent the next week in the mental facility.  My wife was also asked to appear for his trial, which was scheduled for the following week.  Wow, right quick as they fast tracked his trial.

My wife was at the Magistrates' Court most of the day.  After a week in the mental hospital, one doc called him crazy and another said he was fit.  That obviously determines which institution will be his new home. The judge had already watched the CCTV, received testimony from the responding officers, including the one who testified on my daughter's behalf and my wife's testimony only lasted about 10-15 minutes.  The Magistrate just wanted to hear if her story matched what was on the video and other witness statements. His lawyer tried to make it seem like he was just being 'friendly.'  She was let go after her testimony for the final determination.

Later that evening we got a call and was told he had been found Guilty of assaulting a minor.  We dropped a huge sigh of relief and the flow of comfort came back again.  I was starting to feel secure again, I started to feel somewhat in control again and I could think clearly once more.  I believe we all go through stages when trying to make a security decision or faced with a security situation.  It’s called Risk Analysis, Risk Management and Emergency Preparedness.  This was an extreme case, of course, but the threat came unannounced from the outside like many that occur within the corporate infrastructure.  My wife was prepared and I was uncomfortable yet, we still needed to handle the situation and mitigate the risk.  With your corporate infrastructure, be prepared, have a plan, mitigate risk and you will feel secure and know that you are.  And if an incident does arise, you’ll be ready.  Find that common ground between the head and the heart.  Often that’s hard when various groups have different fears and things that make them uncomfortable.  Acknowledge the human factor, ask questions and communicate. 

I truly appreciated the F5 support and warm wishes during this ordeal.  I’ve been with F5 since 2004 and while we recently announced that we’ve passed $1 Billion in revenue, which is an amazing financial accomplishment but I have to tell you that it is the feeling of family that keeps F5 rolling.

ps

Technorati Tags: F5, personal security, police, london, Pete Silva, security, BTP, vulnerabilities, crime, child, CCTV, the tube, abduction, identity theft

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_facebook[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]