
Friday, December 11, 2009

Amazon EC2, Google AppEngine and Microsoft Azure

Part 1
Expanding on my introduction to cloud computing article, I wanted to take a look at three of the main platforms being offered to customers: Amazon EC2, an Infrastructure-as-a-Service (IaaS) offering, and Google AppEngine and Microsoft Azure, which follow the Platform-as-a-Service (PaaS) model.

As a customer or tenant, make sure you have the staff and resources in place to maintain and manage your own identity management and authentication systems.

When drafting your SLA, ensure the provider documents items such as its facilities, including backup facilities, rack space, power, cooling, networking, physical security and business continuity plans.

Also check that there are no conflicts between your security policies and protocols and those of your vendor, and look at how they monitor systems; how they implement and configure firewall rules, anti-virus and intrusion detection/intrusion prevention systems; and what their protocol is for log collection and packet filtering.
--------------------------------

Before commencing on Amazon EC2, I would like to briefly mention Amazon's Virtual Private Cloud (VPC). It lets a customer connect existing infrastructure to AWS over a virtual private network (VPN) connection, using industry-standard IPsec in tunnel mode to authenticate the gateways and protect data in transit from eavesdropping and tampering.[1]

The VPC lets a customer extend their existing management capabilities and security services to cover the customer's AWS resources, so that information in the cloud is protected in the same manner as at the customer's own physical location(s).
--------------------------------
Amazon EC2

Amazon Elastic Compute Cloud (EC2) is a web service that provides resizable compute capacity in the cloud by enabling a customer to launch and manage Linux/UNIX and Windows server instances in Amazon's data centers via APIs or other available tools and utilities.

It is designed to make web-scale computing easier for developers, as a developer can increase or decrease capacity within minutes rather than hours or days. It delivers scalable, pay-as-you-go compute capacity in the cloud: a user can commission one server instance, or several hundred to thousands of them simultaneously, all controlled through web service APIs.[2]

Getting started with EC2 is straightforward: a customer can either select and launch a pre-configured template image and be up and running in a very short time, or build an Amazon Machine Image (AMI) containing everything they want deployed within EC2.

Per the EC2 technical site, some examples of what the system can be used for are:

-Scalable Applications
-Temporary Events e.g. conferences in virtual worlds, live blogging, distribution of newly released media, and short-term promotional web sites.
-Batch Processing e.g. video and image processing, financial data processing, and science and research applications.
-Fault Resilient Applications

EC2 Security:

One of the stated goals in Amazon's security documentation is to ensure that customer data held within EC2 cannot be intercepted by an unauthorized user.
EC2 does this by providing security at multiple levels, viz. the operating system (OS) of the host system, the guest OS, the firewall, and signed API calls, where each layer builds on the security of the others.
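To make the "signed API calls" layer concrete, here is an added example (my own code, not Amazon's and not from the original post) of how an EC2 Query API request is signed and verified under the AWS Signature Version 2 scheme the Query API used at the time: the client builds a canonical string from the HTTP verb, host, path and sorted query parameters, HMAC-SHA256s it with the secret access key, and sends the base64 result as the Signature parameter; the service recomputes the same HMAC and rejects the request if it differs. The access key, secret key and request parameters below are made up; the DescribeInstances call and the 2009-10-31 API version are only illustrative values.

```python
"""AWS Query API request signing (Signature Version 2), as used by the EC2 API.

Added example: not code from the original post or from Amazon. The access key,
secret key and request parameters are made up. The algorithm is the SigV2 scheme:
HMAC-SHA256 over a canonical request string, base64-encoded.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Made-up credentials for the example only.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _encode(s: str) -> str:
    """RFC 3986 encoding: only A-Z a-z 0-9 - _ . ~ are left unescaped."""
    return quote(s, safe="-_.~")


def canonical_query_string(params: dict) -> str:
    """Sort parameters by byte order of their names; encode names and values."""
    pairs = sorted(params.items(), key=lambda kv: kv[0].encode("utf-8"))
    return "&".join(f"{_encode(k)}={_encode(v)}" for k, v in pairs)


def string_to_sign(method: str, host: str, path: str, params: dict) -> str:
    """Canonical request: verb, lowercased host, URI path, canonical query, newline-separated."""
    return "\n".join([method.upper(), host.lower(), path, canonical_query_string(params)])


def sign_request(method: str, host: str, path: str, params: dict, secret_key: str) -> str:
    """Return the base64 HMAC-SHA256 signature over the canonical request.

    params must already carry the identity and version fields (AWSAccessKeyId,
    SignatureMethod, SignatureVersion, Timestamp, ...); the Signature field
    itself is never part of the signed data.
    """
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    digest = hmac.new(secret_key.encode("utf-8"),
                      string_to_sign(method, host, path, unsigned).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_query(method: str, host: str, path: str, params: dict, secret_key: str) -> dict:
    """Client side: return a copy of params with the Signature added, ready to send."""
    signed = dict(params)
    signed["Signature"] = sign_request(method, host, path, params, secret_key)
    return signed


def verify_request(method: str, host: str, path: str, params: dict, secret_key: str) -> bool:
    """Server side: recompute the signature and compare in constant time.

    Any change to the verb, host, path or any parameter (including Timestamp)
    produces a different HMAC, so a captured request cannot be modified and
    replayed as a different action.
    """
    presented = params.get("Signature", "")
    expected = sign_request(method, host, path, params, secret_key)
    return hmac.compare_digest(presented, expected)


def example_request() -> dict:
    """A made-up DescribeInstances call in the style of the 2009 EC2 Query API."""
    return {
        "Action": "DescribeInstances",
        "AWSAccessKeyId": ACCESS_KEY,
        "SignatureMethod": "HmacSHA256",
        "SignatureVersion": "2",
        "Timestamp": "2009-12-11T12:00:00Z",
        "Version": "2009-10-31",
    }


if __name__ == "__main__":
    host, path = "ec2.amazonaws.com", "/"
    params = example_request()
    print(string_to_sign("GET", host, path, params))
    req = signed_query("GET", host, path, params, SECRET_KEY)
    print("signature:", req["Signature"])
    print("verifies:", verify_request("GET", host, path, req, SECRET_KEY))
    # Flip the action on the signed request: the signature no longer matches.
    tampered = dict(req, Action="TerminateInstances")
    print("tampered verifies:", verify_request("GET", host, path, tampered, SECRET_KEY))
```

The point a practitioner should take from this is that the secret key never leaves the client; only the HMAC does, and because every parameter is inside the signed string, changing the Action, the instance IDs or the Timestamp invalidates it. That is also why leaked access keys are as dangerous as leaked passwords: whoever holds the secret can produce valid signatures for any call.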
--------------------------------

A key selling point for me is that, as with all Amazon Web Services, Amazon does not "lock in" a customer to a long-term contract or require a minimum payment commitment.

Amazon has also obtained a favorable, unbiased opinion from independent auditors under a Statement on Auditing Standards No. 70 (SAS 70) Type II audit. This basically means they have undergone an in-depth audit of the controls related to operational performance and security for safeguarding customer data, and passed muster.

EC2 Operating Systems

-Red Hat Enterprise Linux
-Windows Server 2003/2008
-Oracle Enterprise Linux
-OpenSolaris
-openSUSE Linux
-Ubuntu Linux
-Fedora
-Gentoo Linux
-Debian

Pricing

Pricing is split into On-Demand Instances and Reserved Instances (the latter currently available for Linux/UNIX operating systems only).

A simple calculator for services can be found here:
http://calculator.s3.amazonaws.com/calc5.html

Other Amazon Cloud Services:

Amazon SimpleDB

Amazon Simple Storage Service (Amazon S3)

Amazon CloudFront

Amazon Simple Queue Service (Amazon SQS)

Amazon Elastic MapReduce

Amazon Relational Database Service

AWS Premium Support

--------------------------------

There was a posting on the CA Security Advisor Research Blog on December 9th 2009, which stated: "A new wave of a Zeus bot (Zbot) variant was spotted taking advantage of Amazon EC2's cloud-based services for its C&C (command and control) functionalities."[3]

Before we go off joining Chicken Little, I have to state that this abuse of the EC2 service possibly stemmed from compromised computers at the customer/tenant side, where possibly an application in use was not updated/patched, thus allowing the hacker into the cloud system.

Amazon could not take pre-emptive action, as the trojan originated outside its control zone, and the same could happen to any cloud service provider.

Resources

[1] http://awsmedia.s3.amazonaws.com/Extend_your_IT_infrastructure_with_Amazon_VPC.pdf

[2] http://aws.amazon.com/ec2/

[3] http://community.ca.com/blogs/securityadvisor/archive/2009/12/09/zeus-in-the-cloud.aspx

http://aws.typepad.com/

http://docs.amazonwebservices.com/AWSEC2/2009-10-31/GettingStartedGuide/