Cisco Systems said Tuesday it plans to buy privately held Web-based security software company ScanSafe for about $183 million.
The all-cash deal, which also includes retention-based incentives, is expected to close in Cisco's fiscal second quarter, which ends in January 2010.
ScanSafe is a cloud-based software service that allows customers to license the application on demand. Cloud-based services help customers save on costs, because they don't have to buy licenses to software and manage the software applications themselves.
The ScanSafe technology will help Cisco expand on capabilities it added when it bought IronPort in 2007, the company said. Cisco also plans to integrate ScanSafe's service with its AnyConnect VPN Client to provide a secure mobility solution. And Cisco will use ScanSafe's data centers to provide new cloud security services.
After a lull, Cisco has stepped up its acquisitions. This is the third acquisition the company has announced this month. Two weeks ago it said it would buy wireless equipment maker Starent Networks for $2.9 billion. And at the beginning of the month, it said it would buy Norwegian video conference equipment maker Tandberg for $3 billion. CEO John Chambers has said the company is looking for even more acquisitions.
With security and cloud-computing both hot-button topics, Verizon Communications and McAfee are joining forces to offer customers a combination of the two.
Verizon's business unit and McAfee announced Thursday a new joint venture to sell cloud-based security products and services to large businesses and government agencies. With more companies tapping into the "cloud" to lower costs and outsource administration, McAfee and Verizon will sell a new suite of cloud-based security products, expanding on Verizon's current lineup.
Managed by Verizon, the new cloud-based services will offer an array of security products, including firewalls, intrusion prevention, anti-malware, and Secure Socket Layer (SSL) virtual private networks (VPNs).
"This strategic agreement with McAfee enables us to drive even more complete and integrated IT solutions to enterprises across the world," said Kerry Bailey, senior vice president of Verizon Business global solutions. "Our newly expanded and next-generation cloud capabilities will enable organizations to better use security as a strategic tool and business enabler."
The team-up will also allow Verizon and McAfee to tap into each other's portfolio of products and services.
Verizon will offer its customers McAfee's entire line of security software and will soon provide McAfee's PCI (Payment Card Industry) compliance services to banks and other organizations that need to secure credit card data.
The PCI services will be targeted to "Level 4" merchants--businesses that manage up to 1 million credit card transactions each year. Verizon said this business class is at the highest risk for security breaches and accounts for one-third of all credit card transactions. In April, Verizon released a report showing that more payment card records were breached in 2008 than in the previous four years combined.
McAfee's customers will now be able to contact Verizon's network of 1,200 security professionals for assistance on setting up and managing in-house security.
Finally, Verizon will help McAfee consolidate its data centers, so that McAfee can better offer 24/7 management for its own Web hosting and cloud-based services.
Verizon and McAfee will target the new products and services to small-to-medium companies, large enterprises, and government entities.
McAfee has been pushing to grow beyond the consumer market through a series of deals and acquisitions. In July, the company said it would buy MX Logic, which provides cloud-based e-mail and other services. In May, McAfee bought white-listing vendor Solidcore.
FORT BAKER, Calif.--As data moves to the cloud, attackers and thieves will follow, a federal prosecutor said on Friday.
Matthew Parrella, assistant U.S. attorney (Credit: Elinor Mills/CNET News)
The days of tracking down software counterfeiters in other countries who are selling pirated CDs are numbered as companies increasingly distribute software and store data online via hosted computing services, Matthew Parrella, an assistant U.S. attorney based in San Jose, Calif., said at Symantec's Norton Cyber Crime Day.
"That model of importation of software is becoming obsolete because we're seeing on the horizon cloud computing where so many of these operations are pushed from a user's PC or a user's computer onto Google Docs or Salesforce.com," he said.
Looking ahead five years, "I'm thinking the attack is going to be on cloud computing centers," said Parrella, chief of the computer hacking and intellectual property unit at the U.S. Attorney's Office.
The immediate threat will be attacks to steal data from the servers they are stored on, either remotely or by an insider or someone who gains access to the data center, he said. Later on it's likely any stolen data could be pirated, he said.
Parrella spends a lot of time prosecuting counterfeit software cases, as well as trade secret theft, he said.
His office also has been tracking a botnet for a long time that has grown to include 100,000 or so compromised computers.
"We don't know what it does," he said. "That's the type of threat we're looking to prosecute...malware that may lead to distributed denial of service attacks."
Parrella declined to comment on the most recent DDoS attacks that have targeted Web sites in the U.S. and South Korea since the July 4 weekend.
FBI agent Donna Peterson said her office had seen a "tremendous uptick in large-scale, fairly devastating data breaches," with the biggest heist being close to $10 million stolen in 24 hours.
Cyberthieves "are getting more organized and their technical sophistication is better," she said. "They do what they need to get the job done...if they can use a 5-year-old exploit in conjunction with an exploit that they paid a programmer in another country $60,000 to (write), they will do it."
Cybercriminals can spend anywhere from two weeks to six weeks to own a corporate target's computer system so completely that "you won't even know that they're there," she said.
Businesses have opened on a Monday morning only to discover that so much money has been stolen since employees went home on Friday that they are no longer solvent and there is no record on their systems of the activity, Peterson said.
Also on the cybercrime panel was San Jose Police Sergeant Edward Schroder, who talked about how he spends his time investigating fraud related to sites like eBay and Craigslist, Nigerian or lottery scams, and money mule or work-from-home scams.
Schroder also said he gets a fair share of cases involving phishing attempts and e-mail extortion cases in which someone's life is threatened if they don't pay the hired killer money.
Even at the cutting edge of cloud computing, Web-based applications can be frustrating to write and to use.
Spreadsheets can't sort data well, there are lags between mouse clicks and the program's response, graphics look Mickey Mouse rather than lavish. But Google, among the most aggressive cloud computing advocates, is trying to address some of those shortcomings.
The company has released experimental but still very much real software that brings in some of the power of the PC, where people often use Web applications. Google Native Client--first released in 2008 but updated with a new version Thursday--is a browser plug-in for securely running computationally intense software downloaded from a Web site. And on Tuesday, Google released O3D, a plug-in that lets Web-based applications tap into a computer's graphics chip, too.
The projects are rough around the edges, to say the least. Native Client--NaCl for short--is more security research project than usable programming foundation right now, and O3D exists in part to try to accelerate the arrival of some future, not necessarily compatible, standard for building 3D abilities into Web applications.
Google Native Client is shown here running a fractal landscape explorer. (Credit: Google)
But both fundamentally challenge the idea that Web apps necessarily are stripped-down, feeble counterparts to the software that runs natively on a personal computer, and they come from a company that has engineering skill, a yen for moving activity to the Internet, and search-ad profits that can fund projects that don't immediately or directly make money.
"There are things you can do in desktop apps that you can't do in Web apps. We're working very hard to close that gap, so anything you can do in a desktop application you can do safely and securely from a Web application," said Linus Upson, a Google engineering director.
SAN FRANCISCO--A group of pioneers in the security field, whose work in encryption is used to protect Internet data and communications every day, spoke about the state of security at a cryptographers' panel at the RSA security conference on Tuesday.
They tackled various questions about cyber security in general, but the topic that dominated was cloud computing.
"Cloud computing is a challenge to security, but one that can be overcome," said Whitfield Diffie, chief security officer at Sun Microsystems. "I believe cloud computing will get to (the point) where no real program...will be done anymore on the computers of the company that's doing it," he said.
"I'm worried about cloud computing," said Adi Shamir, a computer science professor at the Weizmann Institute of Science in Israel. While a virus or other problem on a desktop computer can be a big annoyance, computation centers in hosted computing could spread problems more widely, he said.
Bruce Schneier, chief security technology officer at BT Counterpane, said, "I'm kind of bored with it." "Cloud computing is presented as a new paradigm...but fundamentally I don't see a lot of differences" between it and client-server and dumb terminals, he said. "It's still all about trust."
Ronald Rivest, a computer science professor at MIT, predicted that cloud computing "will really be a focal point in our work in security." "I'm optimistic about cloud computing," he said. "I think a lot of us have hard work to do."
Asked about their thoughts on the likelihood of a "Digital Pearl Harbor," the researchers concurred that the threat is hyped.
The talk about risks of a cyberattack on the magnitude of a Pearl Harbor strike is overblown, said Schneier. The real threat "will be boring things" like viruses, identity theft, and buffer overflows. "We're better as an industry if...we look at the more common risks...that cost (people) money."
"We're more likely to suffer a digital 9/11," said Diffie. Pearl Harbor was an attack by a known entity as opposed to an unknown threat from a mysterious source, as cyberattacks tend to be, he said. "I think we could suffer some astounding event," he added, noting that there was an electricity blackout in the 1990s and a severe telephone outage in the 1980s due to a bug.
Shamir said cyberattacks should be put in perspective and compared with other events that can have even more serious consequences. "If the government has extra money to spend they should spend it on regulating the financial markets and not spend it on regulating cybersecurity," he said.
Martin Hellman, professor emeritus at Stanford, said he has been focusing on nuclear weapons security lately and looking at how risky nuclear deterrence is with his NuclearRisk.org site. It's "at least 1,000 times riskier than having a nuclear power plant located near your home," he said.
Technology "has given human beings power that has historically been reserved for the gods; the ability to create new life forms, the ability to destroy civilization, and the potential for creating unbelievable cooperation or unbelievable chaos," he said.
"Our species is like a 16 year old with a new driver's license who somehow gets his hands on a 500-horsepower Ferrari," Hellman said, adding that people need to learn to control our impulses or risk destroying everything.
In just two weeks, the annual RSA Conference takes place in San Francisco. What can we expect as the "hot topics" at this annual security love fest? I'm sure there will be plenty of buzz about securing virtual servers and cloud computing infrastructure, but this topic will likely focus on blue sky vision describing the safeguards we will need in 2012 or so. Rather than this hyperbole, I am looking forward to discussions focused on the marriage of identity and security.
Haven't these two areas been linked forever? Well, yes and no. Security folks think of identity in terms of authentication issues like password management, role-based access controls, or biometrics. But other aspects of identity like user provisioning, fine-grained entitlement management, and single sign-on usually live elsewhere in IT. When network access was restricted to internal employees, this division made sense, but identity and security can no longer remain apart. The marriage of these two IT disciplines will take place for a simple reason--identity and security must work together to enable modern business processes.
Identity is all about who gets access to applications and data, so in theory, strong identity skills let organizations get users more productive sooner than the competition. Think of identity management as the magical formula to unleash Metcalfe's Law. More users come with a cost, however--a greater number of security threats from hackers, malicious code attacks, and data breaches. Thus IT executives must balance their ability to let users into the network with proportional safeguards to keep bad things from happening.
Call it social networking, the consumerization of IT, Web 2.0, or any other market-speak term you want. To me, it is all about information sharing, collaboration, and business process improvement. IT must create an environment where users can access what they need and come and go as they please as long as they add business value while they are around. Public and private sector organizations headed down this path had better have their identity yin and security yang working together in harmony or they will either hold back the business or greatly increase security risk.
Google discovered a privacy glitch that inappropriately shared access to a small fraction of word-processing and presentation documents stored on the company's online Google Docs service.
"We've identified and fixed a bug which may have caused you to share some of your documents without your knowledge. This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document," the company said in a note, quoted at TechCrunch, that the search giant sent to affected people. "The issue only occurred if you, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and changed the sharing permissions. This issue affected documents and presentations, but not spreadsheets."
Google said in a later statement that the problem affected only 0.05 percent of documents stored at the site and that affected Google Docs users had been notified.
Though the documents were shared only with people with whom the Google Docs users had already shared documents, rather than with the world at large, the problem illustrates one downside of cloud computing, in which Internet servers host software previously run on a person's own computer. The flip side of a cloud-computing advantage, that a person can get access to those documents from any Internet-connected computer or smartphone, is that technical problems or hacking attempts also can expose private information.
It should be noted, though, that housing data on a local machine has risks of its own. A lost or stolen laptop can reveal any number of secrets, as Boeing, Hewlett-Packard, the National Institutes of Health, and others have found.
(Via Google Blogoscoped.)
To critics, cloud computing can't be trusted because you aren't in control of the data outside your network.
But if that's the case, then how secure are the data and collocation centers that corporations contract with to host their data?
"It does come down to vetting the practices of the provider and making sure they meet the standards you want for your business," Phil Hochmuth, a senior analyst at Yankee Group, said Monday, the eve of Cloud Computing Innovation Day in Santa Clara, Calif.
Companies like Salesforce.com, Amazon.com, and Google have built businesses around serving up on-demand services to enterprises that would rather pay a service provider than buy hardware and hire staff to manage their databases. However, handing over the data is still a cause for concern among many corporations.
"What are they doing to the data? Is it persistently encrypted? Are there access controls in place? Do you get to monitor who they hire and who cleans the data centers at night?" said Phil Dunkelberger, chief executive of PGP Corp., in relaying the concerns on people's minds about cloud computing.
How secure is the data? "It's one of the first questions we get, especially from enterprises," said Adam Selipsky, vice president of product management and developer relations for Amazon Web Services.
Securing the data is key to a cloud service provider's business, Selipsky said. "We can afford to devote resources to it that, quite frankly, most of our customers can't," he added.
"Cloud computing can be as secure, if not more secure, than the traditional environment," said Eran Feigenbaum, director of security for Google Apps. "Most organizations really struggle, whether they want to admit it or not, securing their networks."
Feigenbaum points to data breaches that hit the headlines, such as the one that exposed credit card information held by payment processor Heartland recently.
Then there are the statistics that show that one-third of breaches result from stolen or lost laptops and other devices and from employees accidentally exposing data on the Internet, with nearly 16 percent due to insider theft.
"Cloud computing can fix some of these issues," Feigenbaum said.
Not only can Google apply patches more quickly than most enterprises to plug holes in software, but the Google Apps Premier edition offers the ability to protect data in transit by encrypting it in the pipe between Google and the user's desktop, as well as offer control over who can access the data, he said.
Cloud service providers are held to high standards, must offer evidence of security certifications, and are subject to inspections by auditors, placing them under much higher scrutiny than typical in-house security teams, according to Peter Coffee, director of platform research at Salesforce.com.
Most data theft results from someone authorized to access the data doing so improperly or handling the data carelessly, he said. With cloud-based services, when a user logs out, the browser cache can be set to flush automatically, leaving nothing on the desktop to be lost or stolen, and logs can show who did what to which data, he added.
"This is inherently safer than the typical client-server model of downloading data that remains on the end-user device, and is far more secure than distributing data as e-mail attachments whose subsequent use and transmittal are largely uncontrolled," Coffee wrote in an e-mail reply to questions.
The security concern with cloud computing is a cultural issue, said Rebecca Wettemann, a vice president at Nucleus Research.
"The question is would I rather be at a huge data center where a vendor is contractually required to keep my data secure or would I rather rely on my staff to do it properly?" Wettemann said. "You need to trust that your vendor will manage your data."
So far, there haven't been any significant security breaches with an on-demand services vendor, she said. And people are getting used to the idea of being able to access their data anytime and from anywhere because it is out on the Internet, she added.
There have also been precursors to cloud computing that people are familiar with, such as the evolution of answering machines to voice mail services, said Peter Evans, director of security strategy and technology integration at IBM Security Systems.
"It is as much an emotional thing as anything," Evans said. "When my data is on my server in my building, there is a good gut feeling about that. When it's out in the ether, how do I know it's protected?"







