News Roundup: Week of Jan 12, 2020


Register Security Roundup

The Register’s latest security roundup highlights the recent Citrix vulnerability, TikTok security bugs and holes, and Amazon flagging the Honey shopping add-on as a security risk, among other things. The Citrix security hole has created a situation where “up to 80,000 systems were thought to be at risk, with some 25,000 instances found online over the weekend.” We highly recommend double-checking that you have addressed the situation effectively, as “A full patch for the hole is not due to be released by Citrix until January 20.”

Google Cloud Introduces Premium Support Plan

In a recent blog post, Google announced the introduction of a Premium Support Plan for enterprise customers in order to bring itself up to par with the support tiers offered by the likes of AWS and Azure. The promised 15-minute response time for P1 issues is now the industry standard across the board. The introduction of third-party technology support and the promise of “Content aware expertise” should help to increase the overall quality and efficacy of Google’s support.

U.S. Financial Regulators Scrutinizing Cloud Data

A recent article from the Wall Street Journal calls attention to increased auditing scrutiny from U.S. financial regulators concerning how firms manage data stored in the cloud. The article cites the Capital One breach as well as the recent Facebook breach as obvious contributing factors. The SEC is increasing its pressure on firms to properly and securely handle data in the cloud, especially as elected officials move to “label big cloud providers as systemically important because of their increasingly critical role in the industry.”

AWS Moves to Block JEDI Progress

According to a recent Federal Times article, “Amazon Web Services will ask a federal court to block the Pentagon and Microsoft from beginning work on the Department of Defense’s controversial enterprise cloud, according to a Jan. 13 court filing.” The grounds for this motion are allegations from AWS “in a December complaint that the contract award to Microsoft was influenced by President Donald Trump.” AWS has presented evidence in the form of “videos of Trump bashing Amazon in a 2016 campaign rally and saying ‘we’re going to take a look at it [the contract]’ in the Oval Office last summer.”

Microsoft’s 2020 Patch for Windows

KrebsOnSecurity recently published an article analyzing Microsoft’s first significant 2020 patch for Windows operating systems. The patch included “updates to plug 50 security holes in various flavors of Windows and related software.” KrebsOnSecurity highlights a severe bug (CVE-2020-0601) in Windows 10 and Windows Server 2016/19 of which the “NSA says the flaw may have far more wide-ranging security implications.” We highly recommend backing up and updating your systems as necessary to address this vulnerability.

AWS re:Invent 2019 Recap


Last week was AWS’s annual re:Invent conference in the putatively beautiful and blissful Las Vegas. Andy Jassy, AWS’s CEO, announced plenty of new products and features to excite and alarm the computing and software world. The conference also highlighted AWS’s leadership in highly resilient software architecture and design with the launch of the AWS Builders’ Library. Let’s run over some of the highlights.

Cloud Descending Back to Earth via New Edge Environments: AWS Local Zones, Outposts, and Wavelength

AWS launched two new environment types this year with AWS Local Zones and Wavelength. Local Zones was spurred by AWS customers requiring ultra-low latency for their compute, notably gaming companies based in L.A., where the first Local Zone is now generally available. New zones will come online as customer demand in a city necessitates. Wavelength is an AWS environment colocated with telecom infrastructure, providing access to 5G endpoints. The general availability of AWS Outposts, a rack of AWS servers providing AWS on-premises, was also announced, enabling the rollout of Local Zones and Wavelength in fairly short order. AWS Outposts enable companies to test deployments in cloud-like environments without fully committing to the cloud, and give customers like Morningstar and Philips Healthcare ultra-low latency, hyper-local availability zones.

These environments showcase a new battle for the edge. AWS basically won the general compute cloud race, but we now find various telecommunication and networking competitors offering edge environments, with startups the likes of Packet and Vapor IO joining the race. As developers gain access to these new endpoints, along with increased networking capabilities and incredibly low hyper-local latencies, we are sure to see a revolutionary new age of applications and services.

We Have a Size for That: New Compute Instance Types

Amazon launched multiple new instance types including Graviton2 instances and EC2 Inf1 instances. The new Graviton2 instances boast a whopping 40% price-performance improvement. They are based on the ARM architecture, effectively challenging Intel and AMD’s dominance in the chip space, and are combined with the Nitro System security chip to support encrypted EBS storage volumes by default. The EC2 Inf1 instances are dedicated Machine Learning training instance types, effectively challenging Nvidia’s domination of the market with their GPUs. AWS promises that these chips provide a significant increase in throughput and price performance relative to Nvidia-powered instance types.

AWS Continues to March into SaaS Markets With New Machine Learning Services

Also announced were multiple ML-based services including CodeGuru for automated code reviews, Fraud Detector for automated fraud detection, Kendra for search indexing, Transcribe Medical for call transcription in the medical industry, and Augmented AI for AI workflows requiring human intervention. You would be hard pressed to find a SaaS market Amazon isn’t capable of stepping into with its army of engineers and data scientists.

The release of the SageMaker IDE and SageMaker Debugger seems to be an attempt by AWS to capture the hearts and minds of data scientists with the promise of streamlining the building, training, debugging, deployment, and monitoring of Machine Learning models. This new IDE bypasses the need for users to understand and deploy a Python or R environment, enables progress reporting for long jobs, promises a simplified and automated debugging process, automates alerts about input data drift, and auto-trains your ML model from CSV data files. In early use, the IDE has proven to come with a steep learning curve and a great deal of complexity. The SSO feature, notably, only seems to work with newer AWS accounts. According to VentureBeat, the IDE provides “some features that appear to be just rebrandings of older products and some that solve new, legitimate customer pain points. Even the best new features are incremental improvements on existing products.”

Reducing Cloud Anxiety With New Security-Focused Services

It seems Amazon has heard the cries of its customers as they struggle to manage the complexity of their cloud environments’ security. They announced Amazon Detective, Macie, and IAM Access Analyzer to review organizational security lattices and catch any potential privilege or access issues. IAM Access Analyzer helps to solve misconfiguration problems, one of the most common problems with AWS deployments, and can purportedly monitor and evaluate thousands of security policies across a deployment environment in seconds.
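
As an added illustration of the kind of review IAM Access Analyzer performs (example code written for this post, not Amazon’s implementation), the script below walks a constructed S3 bucket policy and reports every Allow statement reachable from outside an assumed zone of trust of a single account id:

```python
"""Access Analyzer-style review of a resource policy: which Allow statements
are reachable by principals outside the zone of trust?  Added example, not
AWS Access Analyzer's own code; the policy and account ids are constructed."""
import json

# Constructed: the organisation's own account id(s) form the zone of trust.
TRUSTED_ACCOUNTS = {"111111111111"}

# Constructed sample bucket policy mixing internal, public, cross-account,
# deny-only and service-principal statements.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InternalRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data/*"},
        {"Sid": "PublicRead", "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data/*"},
        {"Sid": "PartnerList", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::data",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-constructed"}}},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::data/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "TrailDelivery", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::data/logs/*"},
    ],
}


def _aws_principals(stmt):
    """AWS-account principals of a statement ('*' means anyone). Service
    principals are skipped: they are not external accounts."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return aws if isinstance(aws, list) else [aws]


def _account_of(principal):
    """12-digit account id from an ARN or a bare account-id principal."""
    if principal.startswith("arn:"):
        parts = principal.split(":")
        return parts[4] if len(parts) > 4 else None
    return principal if principal.isdigit() and len(principal) == 12 else None


def find_external_access(policy, trusted=TRUSTED_ACCOUNTS):
    """List Allow statements whose principal is public or outside `trusted`.
    Each finding records whether a Condition narrows the grant, because an
    unconditioned public grant is the classic bucket misconfiguration."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny never widens access
        for p in _aws_principals(stmt):
            if p == "*":
                kind = "public"
            elif _account_of(p) in trusted:
                continue  # inside the zone of trust
            else:
                kind = "cross-account"
            findings.append({"sid": stmt.get("Sid", f"statement-{idx}"),
                             "principal": p, "kind": kind,
                             "conditioned": "Condition" in stmt})
    return findings


if __name__ == "__main__":
    for finding in find_external_access(SAMPLE_POLICY):
        print(json.dumps(finding))
```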

Thought Leadership in Designing Resilient Software Systems

Amazon showed some responsibility for their dominance of the cloud with their release of the AWS Builders’ Library. A number of sessions at re:Invent included references to their cell-based architecture approach and explained how AWS achieves high uptime numbers for their most important services.


News Roundup: Week of Nov 10, 2019

Forrester Predicts 2020 as the Year of Edge Computing

According to Network World, a new set of predictions from Forrester Research sets 2020 as the year that “propels edge computing into the enterprise technology limelight for good.” The article suggests that this shift will bring telecom companies into a much more prominent role in the cloud market, especially given the increasing availability of edge computing via 5G infrastructure. Multi-vendor solutions and integrated systems that can leverage this new infrastructure are predicted to be in high demand in the near future.

Edge computing is very similar to the Cloud, Fog and Flood concept Patrick Kerpan described on the CohesiveFT Blog back in 2012. We’ve always believed this was the natural future progression of cloud and distributed computing. We’ll be re-publishing some updated discussions of this and similar insights in the coming weeks, including the Cloud, Fog, and Flood post, so stay tuned!

Google Gets Access to Patient Data via Ascension Deal

The New York Times recently revisited an event earlier this year where Google “signed its biggest cloud computing customer in healthcare to date” with Ascension, in a deal that, according to The Wall Street Journal, allows Google to “collect and crunch the detailed personal-health information of millions of people across 21 states.” Google has promised that patient data “cannot and will not be combined with any Google consumer data” and both parties claim the partnership is in full compliance with HIPAA. Ascension is optimistic that Google’s AI capabilities will allow them to “help improve clinical effectiveness as well as patient safety.”

Microsoft Releases Graphcore AI Chip to Azure Customers

Microsoft recently announced the availability of its new Graphcore AI chip, which promises to better “support the calculations that help machines to recognize faces, understand speech, parse language, drive cars, and train robots.” According to a recent article from Wired, many companies “claim that certain image-processing tasks work many times faster on Graphcore’s chips” and are praising the programmability of the chips. Graphcore plans to increase adoption and usability via their own software framework, Poplar, “which allows existing AI programs to be ported to its hardware.”

Enterprise Cloud Prefers Hybrid-Cloud Deployments

In a recent Yahoo! Finance article, Nutanix, Inc. revealed the results of an Enterprise Cloud Index survey, which suggest that 85% of respondents favored a hybrid-cloud deployment as their ideal operating model. The article highlights some key findings from the report, emphasizing the flexibility and agility offered by hybrid-cloud deployments:

  1. Apps are migrating away from the public cloud back to on-premises infrastructures.
  2. Security remains the biggest factor impacting enterprises’ future cloud strategies.
  3. IT professionals deem the hybrid cloud the most secure of all the IT operating models.
  4. Nearly a quarter (23.5%) of respondents currently aren’t leveraging any cloud technology today.
  5. Enterprises are striving to integrate cloud computing with their digital transformation goals. Nearly three-quarters (72%) of 2019 respondents said digital transformation was driving their cloud implementations, and 64% said that digital transformation was the top business priority in their organizations.

The report emphasizes that “hybrid cloud will continue to be the best option for enterprises, enabling them to securely meet modernization and agility requirements for workloads.”

AWS re:Invent 2019 is Almost Here!

If you’re as excited as we are for re:Invent 2019, then you’re probably also counting down the days. As 2020 shapes up to be a very impactful year for the cloud, hybrid cloud, and edge computing, we’re intrigued to see what AWS has in store for all of us. If you are joining us as attendees this year, please don’t hesitate to contact us beforehand!


News Roundup: Week of Oct 6, 2019

TSA Releases Cloud Strategy 2.0

TSA’s Cloud Strategy 2.0 was released recently, “[calling] for a mix of public and private cloud” to properly deal with both sensitive and transactional data. According to Nextgov: “the most significant principle” of this strategy “requires TSA programs to only purchase agency-approved cloud services.” Although “the document does not provide details on TSA’s preferred procurement strategies,” the document did detail clearance criteria for potential cloud products:

  • Its security posture must be certified by the Federal Risk and Authorization Management Program, or FedRAMP
  • It must have an open architecture in order to avoid lock-in to a closed set of vendors
  • It must be capable of integrating with multiple clouds, platforms, and infrastructures

According to FedScoop, “the agency will first consider software-as-a-service (SaaS) solutions and then infrastructure- and platform-as-a-service alternatives.”

Investigating Worldwide VPN Vulnerabilities

The NCSC published an alert describing “vulnerabilities [that] exist in several SSL VPN products which allow an attacker to retrieve arbitrary files, including those containing authentication credentials.” The alert claims that “an attacker can use these stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure.” The list of “highest-impact vulnerabilities known to be exploited by APTs” is as follows:

Pulse Connect Secure:

Fortinet:

  • CVE-2018-13379: Pre-auth arbitrary file reading
  • CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
  • CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.

Palo Alto:

The NCSC recommends the following steps to “mitigate these vulnerabilities”:

  1. Apply the latest security patches released by vendors
  2. Reset authentication credentials associated with affected VPNs and accounts connecting through them

How Much is Google’s Cloud Really Worth?

Barron’s recently published an article discussing a Deutsche Bank valuation of Google’s Cloud offering. Two Deutsche Bank analysts “place a 15 times revenue multiple on GCP” and “find that the total Google Cloud business is worth about $225 billion.” This valuation is presented in contrast to the market’s current valuation of the Google Cloud business at “zero” and might cause investors to rethink their GOOGL share valuation. The analysts are particularly optimistic about Tom Kurian’s continued positive influence on the success of Google Cloud.

The Cloud-Native and Serverless Future is Now

An article written for Forbes by Eugene Khazin, Principal and Co-Founder at Prime TSR, calls our attention to the fact that Amazon has “[started] an initiative to re-train 100,000 people across their organization” as a clear sign that “cloud-native and serverless are the future” and the future is now. The article attributes the success of digital transformations to leveraging cloud-native data to “[build] a data-driven culture that includes self-service analytics as part of the company DNA.” This cultural transformation necessitates not only “[training] employees for a new way to build software” but also emphasizes the importance of technological, programming, and analytical knowledge in other areas of the business.

AWS re:Invent 2019 Reserved Seating Opens Soon!

Here’s a friendly reminder for those of you joining us at AWS re:Invent 2019 that reserved seating for sessions opens this coming Tuesday, October 15, 2019. As you probably know, sessions tend to fill up pretty quickly, so make sure to take a look at the session schedule and pick out your favorites beforehand! If you have any questions about re:Invent, we recommend taking a look at the “2019 AWS re:Invent Ultimate Guide” published by a re:Invent regular from A Cloud Guru. If you are planning to join us at re:Invent this year and would like to meet with our team, we encourage you to contact us and let us know!


News Roundup: Week of Sep 22, 2019

Feature Release of VNS3 Controller 4.8.0

We are very excited to announce the 4.8.2 release of our VNS3 controller! Version 4.8 includes a new API for dynamically configuring traffic monitoring on VNS3 as well as custom webhook alerts for real-time alerts on your network. Cloud meta-data was integrated to improve the security of default passwords and adapter/address discovery. Enhancements were also made to the API system and the time-limited access URLs from our 4.6.1 release. This latest version of our VNS3 controller is currently available in the AWS and Azure marketplaces. Please check out the release notes for a full list of features and optimizations, and keep an eye out for upcoming feature-focused video briefs!

McAfee Reports Only 1% of Cloud Misconfigurations Are Caught

A recent survey from McAfee “[demonstrates] that 99 percent of IaaS misconfigurations go unnoticed.” The survey of 1,000 enterprise organizations worldwide exposed cloud misconfigurations as the dominant threat to network security. According to Yahoo Finance, “IaaS breaches don’t look like your typical malware incident, instead leveraging native features of cloud infrastructure to land the attack, expand to adjacent cloud instances, and exfiltrate sensitive data.”

According to Yahoo Finance, the key findings of the report are:

  • Cloud-Native Breaches are not like the typical malware-based attacks of the past, instead capitalizing on misconfigured, native features of the cloud
  • Only one percent of misconfiguration incidents in IaaS are known—companies claim they average 37 per month, when in reality they experience 3,500
  • Data loss prevention incidents in IaaS increased 248 percent YoY

In light of this report, TechRepublic suggests the following:

  • Build IaaS configuration auditing into your CI/CD process
  • Evaluate your IaaS security practice using a framework like Land-Expand-Exfiltrate
  • Invest in cloud-native security tools, and training for security teams

In both cases, the emphasis is on increasing communication and understanding of this new type of Cloud-Native Breach (CNB) and the potential vulnerabilities created by cloud misconfigurations. Designing a network with a simple (not simplistic) approach to cloud security that is easy to implement and maintain (see VNS3) is essential to avoiding a misconfiguration.
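
One way to act on the first TechRepublic suggestion, auditing IaaS configuration inside CI/CD, as an added example that is not code from McAfee, TechRepublic or any product: a pipeline gate that reads security-group rules in the shape of `describe-security-groups` output and fails the build when a non-web port is open to the whole internet. The group definitions and the allow-list of public ports are constructed for this example.

```python
"""CI gate that audits security-group ingress rules before a deployment goes
out.  Added example, not code from McAfee, TechRepublic or any vendor; the
groups below are constructed in the shape of `describe-security-groups`."""
import sys

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}  # constructed policy: only web ports may face the internet

SAMPLE_GROUPS = [  # constructed sample data
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def _sources(rule):
    """All CIDR sources of a rule, IPv4 and IPv6."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _disallowed_public_ports(rule):
    """Ports in the rule that must not face the internet: 'all' for the
    any-protocol rule ('-1'), a 'low-high' string, or None if nothing is wrong."""
    if rule.get("IpProtocol") == "-1":
        return "all"
    bad = sorted(set(range(rule["FromPort"], rule["ToPort"] + 1)) - PUBLIC_OK_PORTS)
    return f"{bad[0]}-{bad[-1]}" if bad else None


def audit_security_groups(groups):
    """One finding per rule that opens a disallowed port to the world."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            open_sources = [s for s in _sources(rule) if s in ANYWHERE]
            if not open_sources:
                continue  # only reachable from specific ranges
            ports = _disallowed_public_ports(rule)
            if ports:
                findings.append({"group": group["GroupId"],
                                 "sources": open_sources, "ports": ports})
    return findings


def ci_exit_code(groups):
    """Non-zero when findings exist, so the pipeline stage fails."""
    return 1 if audit_security_groups(groups) else 0


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['group']}: ports {f['ports']} open to {', '.join(f['sources'])}")
    sys.exit(ci_exit_code(SAMPLE_GROUPS))
```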

5G Potential for India and Huawei

With the deployment of 5G spectrum-based trials on the horizon for India, The Economic Times released an article discussing Huawei’s potential involvement in the project being under renewed scrutiny. Huawei brings “more than 2,500 standard essential patents for 5G” to the table and is “[advocating] to the industry to sign [a] ‘no backdoor’ agreement with the Indian government” as it works to solidify its official participation in the project.

Published on the same day by Forbes is an article written by Andy Purdy, CEO of Huawei Technologies USA, titled “Why 5G Can Be More Secure Than 4G.” The article is optimistic about the security of 5G, reassuring readers that “5G maintains a clear separation between RAN and core” even though “some 5G applications do push computing power to the network edge.”

Department of Defense Embraces Zero Trust Model

The US Department of Defense released an article urging users to “Assume Networks are Compromised.” The article supports the trend towards implementing a zero trust model as opposed to a “perimeter defense model.” When faced with the reality that “there is no secure system,” microsegmentation of your network can provide a lattice of security within a network that limits an intruder’s ability to freely traverse a compromised network.

Edge Computing Considerations

In a Forbes article discussing edge computing, especially as it relates to the possibilities of 5G networks, Irina Farooq from Kinetica lays out “5 strategies for leveraging edge computing for enterprise applications.” These strategies are: focus on the application use cases; understand your options; make explicit decisions about security, privacy, and governance; develop the right data and machine learning strategy; and be prepared to learn and adapt. The article emphasizes informed, careful, and explicit decision-making when it comes to “[processing] data close to the end user.”


News Roundup: Week of July 30, 2019

Concerning CapitalOne’s Security Breach

The news about the CapitalOne security breach has been covered by media outlets of every kind, from the traditional to the security- and tech-focused. AWS and CapitalOne have agreed that this was not the result of a cloud-specific issue but of a misconfiguration on a web application firewall (WAF). Given the public disclosures by the accused, we have more information on this breach than usual. Social media posts and websites mentioned in the criminal complaint suggest a Server Side Request Forgery (SSRF) was used. While not a new technique, SSRF is likely to get more attention in the coming days, along with the AWS Metadata Service and AWS IAM Roles.
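
As an added example that is not part of the original post or of the complaint: detection logic a defender could run over web-tier access logs to surface requests that try to make the application fetch the instance metadata address, the SSRF pattern described above. The log format, addresses and the `/api/preview?url=` endpoint are constructed for this example.

```python
"""Surface SSRF attempts aimed at the EC2 instance metadata service in
web-tier access logs.  Added example, not from any vendor or from the
Capital One case file; the log lines, hosts and endpoint are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Link-local address of the instance metadata service.  A client that asks
# the application to fetch this address is asking the app to act as a proxy
# to the instance's own metadata and role credentials; there is no
# legitimate reason for such a request.
METADATA_HOST = "169.254.169.254"

# Constructed combined-format access-log sample.
SAMPLE_LOG = """\
10.0.1.5 - - [29/Jul/2019:10:01:02 +0000] "GET /api/preview?url=https%3A%2F%2Fexample.org%2Fimg.png HTTP/1.1" 200 512
203.0.113.9 - - [29/Jul/2019:10:01:07 +0000] "GET /api/preview?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 845
203.0.113.9 - - [29/Jul/2019:10:01:09 +0000] "POST /api/fetch HTTP/1.1" 403 0
10.0.1.5 - - [29/Jul/2019:10:02:00 +0000] "GET /healthz HTTP/1.1" 200 2
"""

# Combined-log-format prefix: source, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def request_targets_metadata(target):
    """True when any query parameter of the request target is a URL whose
    parsed hostname is the metadata address.  parse_qsl decodes once; the
    extra unquote handles values that arrived percent-encoded twice.
    Matching on the parsed host (not a substring) avoids false positives
    from the address appearing elsewhere in a harmless URL."""
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if urlsplit(unquote(value)).hostname == METADATA_HOST:
            return True
    return False


def detect_metadata_ssrf(log_text):
    """One finding per log line whose request tries to reach the metadata
    service through the application.  The status and size are worth keeping:
    a 2xx with a non-trivial body suggests the server-side fetch succeeded,
    which separates an attempt from a likely credential exposure."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and request_targets_metadata(m["target"]):
            findings.append({"src": m["src"], "ts": m["ts"],
                             "target": unquote(m["target"]),
                             "status": int(m["status"])})
    return findings


if __name__ == "__main__":
    for f in detect_metadata_ssrf(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['status']} {f['target']}")
```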

AWS Expands into the Middle East

Werner Vogels recently announced that AWS has now successfully launched three new Availability Zones in the Middle East (Bahrain), creating new innovation opportunities for all manner of organizations in the region. AWS continues to devote resources towards expanding its network into new regions, with Indonesia, Italy, and South Africa on the radar in the next few years. Significant investments also continue to be made in education, training, and certification programs. Increased service availability, increased access to training, new use cases and solutions, and new developer insight should prove to fuel some creative innovations in the not-so-distant future.

Airlines Taking off into the Cloud

According to a recent article from ZDNet, ATPCO, the company that “has collected and distributed fare and fare-related data for the airline and travel industry” for more than 50 years, has taken its automation journey to the AWS cloud. When you factor the more than 1,600 data elements the company provides to airlines into the equation, the move to the cloud seemed to be the only cost-effective and efficient way to manage, automate, and fully leverage this increasing pool of data. Exposing a new industry to the capabilities of big data, blockchain, machine learning, and real-time data could create some interesting new innovations in pricing and business models for airlines.

Google Brings VMware to Their Cloud

Google continues to follow AWS when improving their cloud offering. In this instance they too are bringing a “VMware in cloud” solution to market. According to Forbes, this VMware solution (powered by CloudSimple) will be available later this year. This move by Google is yet another step in closing the gap between their cloud and others. Slowly but surely Google will look to combine this partnered growth with the addition of new and competitive features within their cloud offering in order to increase service usage and solve new use cases.

Freeing Your Data via Native Cloud Infrastructure

Forbes recently published an article discussing the benefits of native cloud infrastructure for enterprises working to “provide real-time services to their customers.” Providing real-time access to ever-growing lakes of data in efficient and meaningful ways requires new levels of automation and scalability that can only be achieved via cloud infrastructure. The article suggests managing your data at the container and app level to support automating from the app down instead of from the infrastructure up. Some of the suggestions they provide to start your journey in this direction are:

  • Break down monoliths
  • Ensure a robust CI/CD process
  • Begin with stateless apps
  • Crawl, walk, then run