The evolving threat

On a consumer level there are the phishing sites, out to steal your credit card or online banking details by pretending to be a trusted brand, and at a business level there are threats and extortion

dDOS (distrubited Denial of Service) attacks are typically launched from “bot nets”, or collections of compromised personal computers and servers. While alone any one of those machines, usually on the end of a home ADSL connection, cannot do much damage, if thousands of them flood a Web site with bogus requests Unfortunately the only real defense against such is to have more bandwidth than an attacker, but with more companies moving to cloud providers with massive pipes like us that means that the attacker would need a bot net of many thousands of machines to cause damage.

There has also been a marked increase in criminals attacking popular sites and advertising engines to steal information and disable websites for political reasons. The recent wave of ‘hacktivists’ presents new issues for web hosts, as many traditional organisations are now having their sites hacked.

Web Development

The first stage in solving the security problem starts with the development and design stage. If developers neglect to address all security issues, a future hacker will very likely exploit the flaw to run commands which can compromise the data on in your hosting account, some of which might even be confidential. To fix this problem, you must ensure scripts are very well planned and tested, especially those parts that deal with private information. Testing all inputs to the software is vital – ask your developer if they have enabled taint checking and if they look at you blankly get another developer!

Any forms that handle sensitive data should be using HTTPS (secure HTTP) of course. Be sure to enable SSL and buy a a Digital Certificate (Digital ID) from a trusted certificate authority – SSL certificates do not cost much compared to the cost of securing your site! Ensure that your developer makes any sensitive forms redirect to HTTP versions of the site too. Why is SSL encryption important? Well if you’re accessing a Web site over normal HTTP using, say, a public Wifi then I can “sniff” (read) your traffic (with a little cleverness) just by being on that same Wifi network! End-to-end encryption is always best for all online communications – don’t trust the network.

Finally, if you are using a content management system like WordPress be sure to keep it updated. The number one culprit we see after bad passwords (see below) is a WordPress site that has not been updated in ages. The same goes for all software you put online – keep it updated! With the automated tools that allow you to do so there is no excuse not to. The number two is badly-written PHP sites by the way – see above!

Password Management

The majority of hacks are caused by bad passwords. Its not just a simple matter of changing ‘l’s’ to 1′s either, as these are still easy to hack. Anything based on a dictionary word or piece of memorable information is vulnerable. It is vastly better in my experience to choose a good password and then stick with it for that site rather than changing it often also.

We have performed rigorous mathematical analysis on how good a password needs to be by working out how much money it would take to crack if you had the password file and were using cloud computing. We determined that an 8 character random string formed from a-z, A-Z and 0- (using open source pwgen) is adequate for the vast majority of purposes, costing about $100,000 to break. A 10 character randomly generated password will cost $13m to crack using cloud computing and quite frankly there are easier ways for hackers to get your information for that amount of money!

We get all staff to choose an auto-generated password created PWgen. This approach is much better than making them choose their own (often guessable) one and changing it periodically (which means they need to write it down to remember it).

Finally, having lots of different passwords to remember can be a pain. There are packages to help though. For most Web sites I use my browser’s password safe, which is encrypted because my entire laptop is entrypted, though many have encryption options available. For other passwords such as banking details I keep them in a password safe called KeePassX. I then use a 16-character randomly generated password (from pwgen) as my master password and I don’t have to remember any others. You should really have one password per site but personally I group a few together based on how much I trust the sites. For banking always use a unique password per site though!

Tight Controls on Accessing Data

If you are allowing access to your Web site’s back end, for example for order fulfilment, that will often expose a vulnerability that a hacker could exploit. Therefore it is important that you ensure that any device accessing that “soft spot” is secure.

That should not stop you operating completely over the wire / in the cloud though. We allow all staff to access from anywhere using a laptop and a browser, using HTTPS for the security. However, we do not allow access from just any laptop; it must be a company one, we require that everyone follows good password practices (see above) and every person has their own unique loginl.

Unique logins for each member of staff is vital, so that you can react quickly in the event of a compromise. We have regularly tested and audited procedures for revoking user access quickly so that in the event of a lost laptop or compromised user password (or SSH key for command-line access to systems) we can rapidly change that user’s access credentials.

As an additional precaution, any laptop that is used to store company data (most of it is in the cloud, but sometimes information is stored locally) must have an encrypted hard drive.

In conjunction with requiring that everyone uses a screen saver password lock our company laptops are effectively impervious even if stolen while running and decrypted in RAM. No data can be retrieved since the thief would have to power down the machine in order to access the drive.

Personnel / ‘purchase key’ attacks

The biggest security weak-point for any organisation is its people. A determined attacker will not bother with trying to steal servers nor hack into them, but will attempt to gain leverage over key members of staff; the “purchase key attack”. To protect yourself and your data, you should look to take steps to mitigate the risks. These are some of the things we do at Memset:

1. All staff with access to company and customer data are CRB / background checked.
2. Access to servers is gained via personal keys and all activity is logged.
3. Access to Web-based systems is gained via personal credentials and all activity is logged.
4. Logs and activity should be routinely checked by head of security.

Carefully Select Your Hosting Provider

The only thing one can really do about bot nets is to have more bandwidth than the attacker (ie. an army of hijacked home computers), which is yet another reason why companies should be giving up owning and managing their own data centres and moving to the cloud where providers like us have gigabits of connectivity so can withstand such attacks, which happen frequently.

We also have firewall technology to dynamically detect and block attacking IPs in real time. This sort of cyber warfare is not new though, but has only recently made the news. We have been fighting off such attacks for as long as I have been in the hosting industry (12 years). All that has changed is the scale of the weaponry.

Finally, at Memset we are very upfront about our approach to secure hosting. I would be strongly suspiscious of a provider that was unwilling to share with you how they protect your data. Be sure to ask them and look for externally-audited credentials like the well-recognised ISO 27001 Information Security Management System.

Cloud computing can be regarded as essentially the provision of computing resources and/or software as a utility, in the same way that your business uses familiar utilities, such as electricity, water, gas etc. Cloud computing enables you to pay for computing resources as you need them. These services are provided over the internet, on a consumption-based pay-as-you-use model, with short-term contracts and without up-front expenditure.

Whether you realise it or not, you’re probably already using cloud-based services. Facebook and Google are two prominent companies offering cloud-based software as a free online service to billions of users across the world. Google, for example, hosts a set of online productivity tools and applications in the cloud such as email, word processing, calendars, photo sharing, and website creation tools.

Broadly speaking, to be considered “cloud computing” an application’s data and core processing functions would be hosted/stored and managed online or ‘in the cloud’, and accessible from any PC, laptop or mobile device with a network connection in real-time.

In this context, “in the cloud” actually means that the application, along with the data it uses, is installed one or many powerful computers called servers, which are similar to home computers but in a different form factor and without screens, that reside within specially adapted buildings called data centres. Data centres are like warehouses filled with banks of servers in cabinets called racks. Data centres have powerful air conditioning systems to keep the servers cool and highly resilient power and internet connections. A picture of one of ours before being filled up is here.

Three Flavours of Cloud – the “service models”

One of the biggest confusions over cloud comes from the fact that it actually applies to a number of different layers in the “stack”. Don’t worry about what I mean by the stack, but if you’re curious see this post. There are three flavours of cloud, which broadly go down in cost but up in the required level of technical know-how in the order I have listed below:

Software-as-a-Service (SaaS)

These are usually applications or services that you access via a Web browser. Google Mail and Google Docs are examples of this kind of cloud computing. Some companies host an application on the internet that many users sign-up for and use without any concern about where, how, by whom the compute cycles and storage bits are provided.

Some SaaS is delivered via customised client applications, for example if you use Twitter or Facebook from an app on your phone. Our own SquirrelSave personal cloud backup product is also an example of SaaS in that sense – you, the user, doesn’t have to worry about where the data is getting stored nor the internal workings of the platform we have developed.

A better term than “software” might be “application”, since the platform part is also really just software, but SaaS has already gained wide acceptance. SaaS is usually the most expensive form of cloud since you are paying for the software as well as the underlying infrastructure and it requires no technical know-how. Examples of paid SaaS include Salesforce.com, though presently the most widely known examples are “free”. Of course, nothing is truly free, and by giving away their services companies like Facebook and Google are getting something – your information and time.

Platform-as-a-Service (PaaS)

This is a set of lower-level services such as an operating system or computer language interpreter or web server offered by a cloud provider to software developers. Developers write their application to a more or less open specification and then upload their code into the cloud where the app is hosted and automagically scalled without the developer having to worry about it overly. Microsoft Windows Azure and Google App Engine are examples of PaaS.

In old-school hosting parlance, a managed hosting service might also be considered PaaS – the developer gives the hosting provider some code, and the provider worry about how many servers, how much bandwidth (internet connectivity), etc. and just give the developer one bill. Because of the auto-scaling and ease-of-use afforded by PaaS, and the abstraction/obfuscation it gives the vendor, it usually costs a premium over renting the underlying infrastructure directly (IaaS).

For the more astute readers: You might hear people say that that Facebook is also a “platform”. This can easily get confusing; yes they provide a platform for developers to make add-ons, like the popular game FarmVille, but in reality they are just being a gateway (FarmVille runs on servers outside Facebook’s data centres) and are not providing any computer resources, so they are not providing PaaS. A similar example is Apple’s iOS platform – they provide tools to developers and a gateway to sell their apps (the app store) but if those applications that have a cloud component will likely be using IaaS or PaaS from elsewhere.

Infrastructure-as-a-Service (IaaS)

IaaS is the provision of virtual servers and storage that organisations use on a pay-as-you-go basis. This is the most powerful type of cloud in that virtually any application and any configuration that is fit for the internet can be mapped to this type of service, but is also the most technically challenging to exploit. Amazon’s Elastic Compute Cloud (EC2) and Simple Storage Service (S3) are examples of IaaS, as are our own Miniserver VM® cloud compute and Memstore™ cloud storage services.

In practice, cloud suppliers often provide additional services alongside IaaS offerings, so the boundary between IaaS and PaaS can become blurred. However in its purest form compute IaaS can be considered as a bunch of unmanaged virtual machines (VMs) for which you provide the operating system image, that can be scaled up and down (by spinning up and tearing down VMs) according to your application’s needs in near-real time (ie. within minutes). IaaS data storage is more simple, working like a giant disk drive where you only get billed for what you are using, usually on an hour-by-hour basis.

A virtual server or virtual machine (VM), is just like a normal server but is smaller in terms of CPU, RAM and disk than a whole physical server, and several sit on each physical host server. We typically put about 15 VMs on each host server, for example. VMs have the advantage that they can be created and destroyed effectively in real-time in dynamic response to demand.

Private vs. Public – “deployment models”

As well as IaaS, PaaS and SaaS (the “service models”), cloud has a number of “deployment models”. The ones I’m going to focus on here are “private” and “public” cloud. There are also “community” and “hybrid” clouds, but I’m going to save that for a later article. Also, here I am just going to briefly cover what public and private cloud means in the IaaS context.

Public cloud means that your virtual machines are sat on the same physical host servers as other clients. A private cloud is where the host servers, and in some cases the physical network or even an entire data centre facility, is dedicated to one client. When most people say “private cloud” what they usually mean is “a company’s own data centre with some virtualisation software”. This is arguably not cloud since you lose the scalability aspect. When we, as a cloud provider, say “private cloud“, we mean infrastructure dedicated to one client that we scale (by adding dedicated host servers into their set from our standby pool) as necessary. Some people would call that a “virtual private cloud”.

Moving To The Cloud?

One of the great things about cloud is that it can be experimented with very cheaply. If you are looking to make use of cloud services then I suggest just dive in! Start small, with one service, and then move more services once you are ready.

Analysts have indicated that future technology leaders will gravitate to cloud-based models as a way to deploy software and to store content, and we are certainly seeing that trend. A lot of customer start using our cloud as their development “sandbox”, costing a few £10s of pounds per month, and as they gain confidence gradually migrate more critical applications across.

Instead, purchase your software from one provider, but have a direct relationship with the host. Some of our customers are starting to do this with us and Zimbra. Zimbra is sort-of like Google docs, but open source, and they host it with us, and backup to a third-party host (which is cheap to do).

Good for resellers too

Managing the backup and hosting process might be a new way that resellers can differentiate their offering or add value to the supply chain as more and more businesses look to protect their data as they move to a Cloud Computing model. Ensuring ease of data migration between cloud providers is paramount for businesses moving forward.

By not being tied to one provider, a business could easily migrate to another host, or if Zimbra becomes unsupported, for example, they would not lose their data, and we would carry on hosting while they work with us to find a new software solution. If we fail, they still have their data and Zimbra can help them get set up again. We (the managed hosting provider in this example) would not own their data even if we did fail, but no harm in belt-and-braces.

Hosting commoditisation is here

Software providers cannot realistically compete in today’s commoditised hosting market place, and instead should stick to their strengths. This also applies to migrations – when moving customers between hosts there are now companies that specialise in the migration itself but have no interest in selling software nor hosting. One such company is SEM Solutions, with whom we have recently started working.

Another big win from supply chain disintegration is that you gain total price transparency; no more getting stitched up by one provider who is just whacking a huge mark-up on a commodity service like hosting (yes, I’m talking to you, local government CIOs .

Not only does it show you which bits cost what, thus allowing you to compare with the market rates, but disintegrating the supply chain also makes migration to a new Cloud / managed hosting provider easy since you just need to work with the software supplier to migrate to the new host, and are not tied in to one provider. Equally, since you own the data on the service (because you are buying the hosting direct), moving to a new software provider is greatly simplified.

Eating my own dog food

So, do I take my own advice? Yes; Memset is one of the fastest growing technology SMEs in the country, and all our business critical information and systems are hosted in the Cloud (or at least our little bit of it) and accessed over the Web. None of my staff have Microsoft Office, we do not pay for any software, and we do not need servers in our office for administration applications. Everyone has a laptop, and since all our systems and documents (we use a Wiki for the latter) are hosted online everyone can work from home without the complications of a VPN. We do not use any paper for internal communications either, thus minimising “the printer has broken” type problems.

We also use Trac project management and documentation management system for all our internal documentation, task and project management. It is free and simple to host yourself with any managed hosting provider. Simple, scalable systems like Trac have also made it easy for us to obtain and maintain our quality, security and environmental management systems (ISO9001, ISO27001 & ISO14001 accreditations).

I was at the preview of this tool on 30th April in Southampton Street, and it is an amazingly powerful tool. It allow you to rapidly put together a simulated version of your data centre (including characteristics of everything from power cables to server virtualisation systems to external temperature variation), and then ‘run’ it over a period of time to see the costs and power requirements.

During the demonstration in April, Liam & Zahl (the technical and business brains behind the project) used the tool to great effect, neatly and intuitively demonstrating some of the following:

• The inadequacies of DCiE/PUE as useful a metric due to variation with light work loads; you need to measure facilities power and IT power separately.
• How virtualisation drops the total cost of a datacenter by 75% or more (or you can migrate to us and save >85% of course .
• How simply changing from nameplate (typically >400W on the label on the back of a£1,000 1U server) to peak power provisioning (most modern 1U servers never use more than 150W) reduces the 4-year lifetime server cost from £8,000 to just £5,000.
• That a modular build-out is good, but to be most energy- & cost-efficient you really need a dynamic modular approach so that you can switch M&E equipment on/off with diurnal load variations.
• How data centre costs vary with geo-location! Putting it in Iceland does not save you much after all, contrary to popular belief.

The simulator itself is a pure command-line driven tool that has been released under an open source software licence (OSL V3.0), but there is a Web-based interface that is now available to DCSG members, here, although you will need to read the user guide first unless you have a brain the size of a planet.. If you are a member of the BCS but not of the DCSG, you can find out information here: bcs.dcsg.org. If you are not a member of the BCS but are British and an IT professional, then shame on you!

The beta test is likely to last until Autumn, and feedback is welcomed so that the tool can be further improved and any bugs ironed out. Also, the Carbon Trust and BCS are looking for members willing to trial the tool on a case-study basis over the next few months. If you are interested, visit the Carbon Trust data centre sub-site.