Friday Sep 11, 2009

Immutable Service Containers on Amazon EC2

Back in June, we released the very first security hardened virtual machine images for the Amazon Web Services Elastic Compute Cloud (EC2) environment. These original images were based upon the OpenSolaris 2008.11 release and were configured in accordance with the guidelines published by Sun the Center for Internet Security. Since its initial release, we have provided an update to offer this image in the European Region. In August, we took another step forward with the release of a security-enhanced image based upon the OpenSolaris 2009.06 release. This image went beyond just the simple hardening of its predecessor to add functionality such as encrypted swap, non-executable stacks and auditing that was enabled by default. With such a strong foundation, it should have been no surprise that it was likely to be used as a foundation for layered functionality. Just this month, for example, we announced the release of an image pre-configured with Drupal (v6.10) along with Apache (v2.2), MySQL (v5.0), and PHP (v5.2).

In parallel, the Immutable Service Containers project was announced back in June. This project was focused on the creation of secure execution environments for services. One of the key deliverables from this project has been the OpenSolaris ISC Construction Kit (Preview) that transforms an OpenSolaris 2009.06 system into an ISC configuration. Interestingly, several of the functional elements used today as part of the security-enhanced AMIs actually got their start as part of the ISC Construction Kit.

This brings us to today. For the first time, we have been able to create ISCs in the Cloud on Amazon EC2! Using the OpenSolaris ISC Construction Kit and the security-enhanced OpenSolaris 2009.06 AMI, we have deployed an ISC that exposes a representative service (in this case, a web server).

HELLO WORLD!

The nice thing about this is that the installation process was essentially the same as the one we used to create our pre-configured OVF image. There were two settings that needed to be adjusted in order for the ISC Construction Kit to properly work on EC2:

export ISC_SVCS_DOCK="fs network zone encrypted_scratch"
export ISC_DOCK_NET_IF_NAME="xnf0"

These two parameters had to be set before running the iscadm.ksh command. The first parameter simply removes steps that have already been completed in the base AMI (or are not needed for EC2). The second parameter changes the network interface name from e1000g0 (default) to xnf0 which is needed on EC2. That's all there was to it!

If you are interested in ISCs and how you can use them in your environment, I would love to hear from you! Also, just in case you missed it, I had the pleasure of joining Hal Stern to discuss ISCs on a recent Innovating@Sun podcast. Check it out and send us your feedback! Thanks in advance!

Take care!

Technorati Tag:

Thursday Sep 03, 2009

Cloud Security Summit on September 30!

First things first. I want to offer a big "Thank you" to the 1,000 or so people who joined my webinar earlier this week on the topic of Cloud Computing Security. I was completely amazed by the turnout and sincerely hope that the talk was both entertaining and thought provoking! I also wanted to thank Subra Kumaraswamy, Joel Weise, and Luc Wijns for their herculean efforts answering the fast streaming list of questions from the audience! Clearly, this is a lot of interest out there for Cloud Computing and security! For those who were not able to join the live event, the presentation and replay are both now available. If you have a chance to check them out, please be sure to send along your feedback! We definitely want to hear from you!

On the heels of this event, I did want to let you know about another web-based event to be held on September 30, 2009. At this event, Simon Gallagher (a Senior Technical Architect @ ioko) and I will join forces to talk about Cloud Security. The title of our talk will be "Decision Tree: Key questions to ask your Cloud Service Provider". Our focus, as your might guess, is on the key issues and questions that must be addressed before moving to the Cloud. Our goal is to leave you with practical ideas and actual questions that you may want to consider when deciding if/when/and how to move services and data into the Cloud. The announcement includes all of the details.

This event is actually a part of a BrightTalk Cloud Security Summit that will feature talks from several other Cloud Computing vendors, consumers and industry groups such as the Cloud Security Alliance. Should be an information-packed day! Hope to see you (virtually) there!

Take care!

Technorati Tag:

Wednesday Sep 02, 2009

NEW: Security Enhanced OpenSolaris Drupal Stack on EC2

Over the last few months, I have had a number of postings that have talked about security enhanced virtual machine images that we have made available on Amazon Web Services. The goal behind this work was to look at how we could improve baseline security in both virtualized and Cloud Computing computing environments by pre-integrating industry accepted recommended security settings. Organizations leveraging our work would have fewer security steps to undertake as our images were configured to be compliant with the recommendations published by the Center for Internet Security as part of their Solaris Benchmark (adapted for OpenSolaris).

So with this goal in mind, we developed security-enhanced versions of the OpenSolaris 2008.11 and 2009.06 operating systems. The latter went beyond the Center for Internet Security recommendations by also adding support for encrypted swap (as well as enabling auditing and non-executable stacks by default - something that was not done for the 2008.11 version). The next logical step was to validate these images using representative applications and services to illustrate the practiality of having security capabilities pre-integrated into a golden image from which application specific versions can be created.

Building upon the lessons we have learned in the development of the security-enhanced operating system images, today, I am very happy to announce that we have taken a step forward. Using the OpenSolaris 2008.11 image as our foundation, the OpenSolaris on EC2 team with some guidance from Scott Mattoon (all around Drupal Guru!) has installed and pre-configured Drupal (v6.10) along with Apache (v2.2), MySQL (v5.0), and PHP (v5.2). You can read all of the details on the announcement.

There are two things that should be noted about this image. First, no security-relevant changes were necessary to successfully install, configure and test Drupal on this security-enhanced image. While this should likely not come as a surprise, it is an important validation that at least for some (many?) classes of applications, a security tuned golden image can be used as a foundation. This is good news for organizations who are interested in the having a common security baseline for their operating systems. The second thing to note is that MySQL was modified on this image to not listen on the network for connections. This means that the image is compliant with our original security objectives in that it is only exposing required services (e.g., Apache, SSH) and no others by default.

As with all of the others, this is a publicly available AMI (AMI ID: ami-d9ee0eb0) so give it a try and let us know how we can improve it!

Take care!

Technorati Tag:

About

gbrunett

Search

Archives
« September 2009 »
SunMonTueWedThuFriSat
  
1
4
5
6
7
8
9
10
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today