Summary: Law Enforcement and the CloudBy Rich
While the big story this week was the FBI vs. Apple, I’d like to highlight something a little more relevant to our focus on the cloud. You probably know about the DOJ vs. Microsoft. This is a critically important case where the US government wants to assert access on the foreign branch of a US company, putting it in conflict with local privacy laws. I highly recommend you take a look, and we will post updates here.
Beyond that, I’m sick and shivering with a fever, so enough small talk and time to get to the links. Posting is slow for us right now because we are all cramming for RSA, but you are probably used to that.
BTW – it’s hard to find good sources for cloud and DevOps news and tutorials. If you have links, please email them to <mailto::firstname.lastname@example.org>.
If you want to subscribe directly to the Friday Summary only list, just click here.
And don’t forget:
Top Posts for the Week
- Huge HUGE vulnerability you need to start patching. Magnitude of glibc Vulnerability Coming to Light
- Cloud Security Alliance hackathon offers $10,000 prize This is for the Software Defined Perimeter project.
- Another great CloudAcademy post. This is something we work on in every single client engagement. Down the road we will detail our process and recommendations. Centralized Log Management with AWS CloudWatch: Part 1 of 3
- We’ve posted a bit on this ourselves, and I talk about it a lot in presentations, but a very cogent view of some of the security advantages of the cloud. Bill Shinn and I will be going more in-depth in our RSA presentation. How the Cloud Simplifies Security
- Oops. VMware re-issues patch after vCenter fix fails to ‘completely’ fix bug
- Designed for mobile apps, but also has cloud implications: Tidas: a new service for building password-less apps
- Last week we talked about logging in our Tool of the Week. Here’s a slightly-older AWS post on building everything cloud-native. Personally, I’m still torn on which pattern I like better. I think it will largely come down to costs, because you can also build alerts based on Kinesis events.
Tool of the Week
This is a new section highlighting a cloud, DevOps, or security tool we think you should take a look at. We still struggle to keep track of all the interesting tools that can help us, and if you have submissions please email them to email@example.com.
One issue that comes up a lot in client engagements is the best “unit of deployment” to push applications into production. That’s a term I might have made up, but I’m an analyst, so we do that. Conceptually there are three main ways to push application code into production:
- Update code on running infrastructure. Typically using configuration management tools (Chef/Puppet/Ansible/Salt), code-specific deployment tools like Capistrano, or a cloud-provider specific tool like AWS CodeDeploy. The key is that a running server is updated.
- Deploy custom images, and use them to replace running instances. This is the very definition of immutable because you never log into or change a running server, you replace it. This relies heavily on auto scaling. It is a more secure option, but it can take time for the new instances to deploy depending on complexity and boot time.
- Containers. Create a new container image and push that. It’s similar to custom images, but containers tend to launch much more quickly.
As you can guess, I prefer the second two options because I like locking down my instances and disabling any changes. That can really take security to the next level. Which brings us to our tool this week, Packer by HashiCorp. Packer is one of the best tools to automate creation of those images. It integrates with nearly everything, works on multiple cloud and container platforms, and even includes its own lightweight engine to run deployment scripts.
Packer is an essential tool in the DevOps / cloud quiver, and can really enhance security because it enables you to adopt immutable infrastructure.
Securosis Blog Posts this Week
- Firestarter: RSA Conference – the Good, Bad, and the Ugly.
- Securing Hadoop: Technical Recommendations.
- Securing Hadoop: Enterprise Security For NoSQL.
Other Securosis News and Quotes
- I posted a piece at Macworld on the FBI vs. Apple that has gotten a lot of attention. It got linked all over the place and I did a bunch of interviews, but I won’t spam you with them.
We are posting all our RSA Conference Guide posts over at the RSA Conference blog – here are the latest:
- Securosis Guide: Training Security Jedi
- Securosis Guide: The Beginning of the End(point) for the Empire
- Securosis Guide: Escape from Cloud City
Training and Events
- We are giving multiple presentations at the RSA Conference:
- Rich and Mike are giving Cloud Security Accountability Tour
- Rich is co-presenting with Bill Shinn of AWS: Aspirin as a Service: Using the Cloud to Cure Security Headaches
- David Mortman is presenting:
- Rich is giving a presentation on Rugged DevOps at Scale at DevOps Connect the Monday of RSAC
- We are running two classes at Black Hat USA: