Archive

Posts Tagged ‘Web2.0’

Startup In China

November 19th, 2009 Richard No comments
Categories: -English-

What would be Google’s next step after Sidewiki?

September 24th, 2009 Richard No comments

After Google released its new Sidewiki service yesterday, it’s very interesting to imagine what Google’s next step would be. You know, letting users share comments on specific web pages is not a new service. Digg, Slashdot, Reddit, delicious, and other peers have been providing this for a few years. From the release note, the key point of Sidewiki is “direct”, i.e. users don’t need to submit to somewhere else to share their comments. Sidewiki allows users to share comments “directly”. Doesn’t “directly” mean a shortcut to other page sharing providers? Read more…

Categories: -English-, Cloud, Telecom

Web2.0 Is Gradually Being Replaced by Cloud Computing

September 23rd, 2009 Richard No comments

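A very good summary: one picture, concise and to the point. Although the industry has not yet reached a consensus, cloud computing is replacing many buzzwords – web2.0, utility computing, on-demand computing, … Read more…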

Security Roadmap for Cloud Computing (2) – Identity and Access Management (IAM)

July 12th, 2009 Richard No comments

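Over the past ten years, enterprises have invested substantial resources in building identity and account (IAM) systems that span their infrastructure and major applications. Now the “cloud” has arrived. Compared with traditional IAM, IAM in the “cloud” is not only just as important but also shows exciting new characteristics.

For a medium-to-large enterprise, IAM is resource-intensive work. To put it in concrete terms, take 10,000 employees, 1,000 servers, 500 network devices, and 100 IT engineers. In this case, under typical conditions, the approximate number of IDs has already reached the hundreds of thousands. Why so many? Say there are nearly a hundred applications, which is not many. Suppose most applications have implemented centralized accounts and authentication, whether through AD-based LDAP or another enterprise directory; the number of application-level IDs is then more than 100,000, or tens of thousands. Most Windows servers have also joined the AD domain or implemented centralized accounts and authentication through PAM and the like, so the number of IDs on servers is also roughly 10 to tens of thousands. If most network devices have also implemented centralized accounts and authentication through Radius/ACS and the like (local emergency and backup accounts are usually still needed), network accounts are fewer, probably a few thousand. From a security-practice standpoint, verifying every ID once a quarter is not excessive. The verification process may be a combined operation across the HR system, the contract management system, the mail system, manual checks, and so on. With ordinary tools and processes, the labor consumed should be several hundred person-days, and over a full year, more than a thousand person-days. At 500 yuan per person-day, the security cost reaches hundreds of thousands of yuan. Even if outsourcing or similar methods bring the per-person-day cost down to 100 yuan, the expense is still considerable. Keep in mind that this does not count the further work of verifying “access authorization”; that part consumes several times more labor than ID verification, even if you reduce it to a very coarse granularity. Read more…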

WordPress 2.8 “Baker” is released!

June 12th, 2009 Richard 1 comment

The newest, greatest version of WordPress, version 2.8 “Baker,” is immediately available for download. V2.8 represents a nice fit and finish release for WordPress with improvements to themes, widgets, taxonomies, and overall speed. Over 790 bugs are fixed in this release.

I just cannot wait to upgrade my blog.

Categories: -English-

Security Roadmap for Cloud Computing (1)

June 5th, 2009 Richard 4 comments

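[A word up front] Earlier comments have already raised the problem of anonymous reposting, calling on web editors who like to bury their heads and “swallow things whole” to raise the standard of their work, respect the labor of original authors, and credit the author’s name and URL. This is also respecting your own labor; do not waste your youth producing redundant junk information for the Internet. If you cannot do this, please do not repost!
[Disclaimer] I do not guarantee the correctness of the content and accept no responsibility for any consequences that the analysis and predictions in the text below may have for your business or work, because you will not share your gains with me either. Heh, so: I said it, you heard it, you profited, you lost, you laughed, you scoffed, you got angry; none of it has anything to do with this article or its author.

The previous installment (http://sbin.cn/blog/2009/06/01/cloud-computing-1/) covered some humble, gossipy views against the broad backdrop of cloud computing. Professor Liu Peng at Chinacloud.cn has collected a large and very comprehensive body of material; those interested can help themselves there. As the old saying goes: cloud is fog in the sky, and fog is cloud on the ground. Whether you jump into the cloud or pull it up, you will have to ride the clouds and fog for a while. Back to the main topic: let us discuss what cloud computing suggests for the security community, namely how various products and technologies will evolve. The text that follows will discuss risk assessment and penetration testing, security management centers, endpoint security, identity and access control (including trust management), security auditing, Web application and lifecycle security, compliance certification and training, and so on. Read more…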

Security First: Cloud Computing Has a Long Way to Go

June 1st, 2009 Richard 5 comments

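Cloud computing is one of the hottest IT terms right now. It has fanatical supporters, vigorous promoters, calm observers, and also those who call for its elimination because it “causes ambiguity”. Either way, the industry’s big names have already entered the field: IBM, Google, Microsoft, Amazon, and so on. The list of cloud providers across the three layers IAAS, PAAS, and SAAS compiled by the CSA (Cloud Security Alliance) is already long and varied. Perhaps because of limited exchange with the international market, no Chinese vendors appear on it yet. In fact, there are already a few pioneers.

Cloud computing security has two directions. The first is to use the cloud computing form to transform and evolve relatively traditional Internet security services. Security guru Bruce made an excellent commentary on this as early as 2006 (http://www.schneier.com/blog/archives/2006/02/security_in_the.html). The louder voices in the current market are the likes of Trend Micro, Rising (瑞星) in China, and some network scanning and vulnerability management vendors; this is a fairly intuitive way for security to embrace cloud computing (I have gone “cloud” (云, yun); are you “dizzy” (晕, yun) yet? heh). Many years ago I wrote a post called “Random Talk on Security Automation” (http://sbin.cn/blog/2000/08/29/security-automation/), whose concepts were already “cloud”-style security, heh Read more…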

Quote of Gartner

May 4th, 2009 Richard 2 comments

In a service economy, knowledge is a critical asset, and Google has more knowledge than anyone in history. In our opinion, anyone who is not taking advantage of Google’s offerings soon will be fighting an inherent disability.

- What Does Google Know?  Gartner

Categories: -English-

[Chinese] Cloud Computing Explained in a Cartoon

April 30th, 2009 Richard No comments

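May Day is approaching; wishing everyone a happy holiday.

I happened to find the cartoon below on the web; it is about cloud computing. Click to see the original link.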

cloud-computing-simply-explained-cartoon

Categories: -Chinese-, P2P

Online website protection

April 30th, 2009 Jack 1 comment

Two basic kinds of online websites are online banks and online games. Unlike what we were doing for traditional system security, we must take care of both front-end servers and customers’ applications. Yeah, customers’ desktops and applications! A lot different!

No matter what the mode is, C/S or B/C, we need to make sure both careless users and vulnerable applications are in a good security posture. This brings far tougher challenges to the security team. Unregistered game servers (SiFu in Chinese), phishing websites, cheating programs (WaiGua in Chinese), various trojans, leaked passwords, compromised user systems, many servers residing in distributed IDCs, and different operating systems and applications: all of this makes security a mess.

Here is an economical approach for your reference. Read more…

Quote of ITIL

April 28th, 2009 Richard No comments

Quality in a product or service is not what the supplier puts in. It is what the customer gets out and is willing to pay for.

- Peter Drucker, American management guru.

Categories: -English-

Is it a new fast growing security market?

April 28th, 2009 Jack 1 comment

The traditional security products, including firewall, IDS, and anti-virus, are very familiar to us. They occupy most of the security market share. And we know that UTM, IPS, and SOC are the rising stars. However, what about the future? From the viewpoint of the ISO/OSI model, we know we have done too much on the network layer; we have focused on this layer and developed lots of products based on it.

Maybe the reason is this: in the past, we implemented the IT infrastructure without security built into it. The Internet spread widely in a few years, and security just couldn’t keep up with it. This has brought a lot of breaches or exposure at the networking layer. Read more…

Categories: -English-, Security

[Chinese] Oracle Acquires Sun

April 22nd, 2009 Richard No comments

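I saw this news yesterday, with very mixed feelings. On the one hand, it is nothing new: in recent years Sun has struggled at every step, its business model failed, one wrong move led to another, and it fought hard in hardware battles with IBM/HP/Dell and others. Although it held high the Java banner and also had the universally loved MySQL, software revenue could not carry the burden of the company’s growth and revival. Being acquired had become unavoidable. On the other hand, I cannot help feeling wistful. More than ten years ago, when I had just started working, telecom equipment rooms were full of Sun servers, and Solaris was the “Bible” of operating systems; if you used SGI, AIX, or even HP-UX, it felt like an unorthodox path. Time flies and circumstances change; now it is meat on someone else’s chopping block. Read more…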

Categories: -Chinese-, Telecom

Keep your privacy offline

February 27th, 2009 Jack 3 comments

Recently, the famous networking website Facebook changed its policy in a way that threatens users’ privacy. While this seems to be an isolated case, it sends us a strong message on how to protect our own privacy in such an information society.

Generally, we sign up for a bunch of accounts at too many websites. For example, we create an account on a financial website for investing, and another account on other websites for email. One month or one year later, we turn our attention to a new hot subject for one reason or another; say we like playing online games now, so we continue to create accounts and set up another password for security purposes. We do the same things over and over again. Eventually we have created so many accounts without actually using them. So much of your personal data is online without any care! (Even if you are very vigilant about the information, it has been too long to remember the password to close your account accurately.) Read more…

New phishing targeting your Google account

January 9th, 2009 Richard 2 comments

This morning I received a message from the “Gmail team” with the subject “Make Your Own Website With Google For Free”. It’s really a phishing message to steal your Gmail account and password! Read more…

Categories: -English-, Security