Friday, October 14, 2011

Notes from the Oasis International Cloud Symposium 2011

Just home from the Oasis International Cloud Symposium 2011, I made a few notes. The notes should not be seen as giving a view of what was most interesting or most important. They are just the notes that I happened to take down; I may have missed things while drinking coffee, checking email or whatever.

One conclusion is that cloud computing promises a lot, but due to legal, security, privacy and interoperability issues, use of cloud computing for more sensitive types of data is still far away.

Day 1
Security loves the Cloud. In many cases organizations moving old applications to the cloud get more secure: they get a platform managed by experts, etc.
There are a lot of other security challenges in the cloud, but platform security can often become better.

Local government authorities tend to compete instead of cooperate. Due to how their organizations work and how they procure IT, they have no idea what operating their services actually costs, and they don't have a mindset of sharing (with other authorities).

Adding complexity (seemingly to increase availability) can actually decrease availability. There is not much point in having a back-up site with automatic fail-over if service work on the back-up site brings the primary site down (the speaker had a real example).
(my note: we have also noted this in practice)

PaaS cloud services can handle availability issues, but you have to spread the applications across availability zones.

Day 2
The private market and government manage risk differently. Government tends to treat things as national security risks, while the private sector views everything as a business risk and only calculates the cost.

Moving lots of things to the Cloud can increase security but also creates huge targets to concentrate on for the bad guys.

ENISA has created a book describing many different risk management methodologies.

Something missing is a way for the (cloud) customer to make informed risk assessments, such as security "grades" or checklists for the cloud provider.

There is a need, in many applications, for stronger authentication (than the usual username/password). There are widespread PKI eID infrastructures deployed and ready to be used.
Many examples of security breaches would have been considerably more difficult with the use of PKI authentication.

XACML is a flexible authorization framework that makes things better and more flexible. It can decouple authorization decisions from the applications themselves and centralize them.

Security audit is essential for real cloud operations.

Privacy issues are important. Users' personal data needs protection using technical, business and policy means. There is no single silver bullet; all areas are needed.

Currently processing of personal data in public clouds is not possible due to data protection reasons.

There are a lot of legal impediments to successful cloud implementations.

An interesting figure is that 50% of all productivity gains (economics, GNP).

Technology issues in cloud computing are mostly solved, or will be solved soon. Remaining issues that are harder are QoS, SLAs, data ownership and jurisdiction.
There are many issues in the legal arena.

Day 3
There are several cloud reference architectures out there. ISO is trying to combine them into one, but there will probably be several for different areas (IT, telecom etc).

EGI (European Grid Initiative) is aligning with NIST and will deploy a federated cloud in Europe.

Microsoft showed a commercial video, a bit off track imho...

Anil Saldhana of Red Hat described the work that the IDCloud TC of Oasis is doing with use cases.

There are a lot of standardization efforts in the cloud area. All the different standardization organizations are trying to figure out which part of all this is theirs to work on.
Everyone is approximately pulling in the right direction, but it will take some time before the dust settles and everyone figures out where they can best contribute.

The standardization process must be Open!

IEEE is working on inter-cloud protocols. ISO is looking at a higher level, starting with common terminology and reference architectures.

GICTF is trying to find the best of other standard organizations to work with.

IGTF operates as a global CA for the OGF.

Thursday, October 6, 2011

EJBCA 4.0.4 released

EJBCA, the Open Source Enterprise PKI, version 4.0.4 has been released.

This is a maintenance release with a few new features and bug fixes. In all 33 issues have been resolved.

Noteworthy changes:
  • Improved CMP with many new authentication modules in both client and RA mode, and support for nested content.
  • Support for custom certificate extensions with raw or RA defined values.
  • Many small bug fixes.
With this update EJBCA has support for most use cases for CMP, including the new 3GPP standard for PKI security in 4G/LTE mobile networks.

View the full changelog in our Jira.

We are currently focusing on bringing Common Criteria certification to EJBCA, something that will come in EJBCA 5, the next release that we are working on.

See the PrimeKey release news.

The PrimeKey EJBCA Team

About the EJBCA project
EJBCA PKI is a Certification Authority and a complete enterprise PKI management system, delivered either as an integrable part or as a turnkey solution. EJBCA OCSP and EAC are sub functions of EJBCA PKI, and are used for on-line validation and ePassports.

EJBCA offers great advantages such as excellent cost-effectiveness, unmatched flexibility, complete integration – and full professional maintenance and support by PrimeKey,