Protecting truckloads of data on the information superhighway

SSL Journal



Top Stories

I saw this tweet this morning and I thought "+1" (I guess I am a geek if I am thinking in Digg/Slashdot shorthand). The problem is that in information security, "security" is all too often used to mean only encryption. A line is considered "secure" if it's encrypted. But often the real "security" requirements are much broader and include management (as in access management, identity management), business continuity, defense against denial-of-service, and privacy. I think language is a big issue here. I've always found it interesting that in German, the words for "security" and "certainty" (Sicherheit, literally "sureness") are the same. In French, the words for "safety" and "security" are also the same (sûreté, again literally "sureness"). So, in those languages, "security" has a broad definition, incorporating senses of dependability, management, and safety. I can s... (more)

HTML5 WebSocket Security is Strong

This is a two-part blog post that discusses HTML5 WebSocket and security. In this, the first post, I will talk about the security benefits that come from being HTTP-compatible and from the WebSocket standard itself. In the second post (coming soon) I will highlight some of the extra security capabilities that Kaazing WebSocket Gateway offers, capabilities that real-world WebSocket applications need in order to be fully secure. A WebSocket connection starts its life as an HTTP handshake, which then upgrades in place to speak the WebSocket wire protocol. As such, many existing HTTP security mechanisms also apply to a WebSocket connection, which is one of the reasons why the WebSocket standard deliberately chose the strategy of being HTTP-compatible. Unified HTTP and WebSocket Security: thanks to the HTTP/WebSocket unified security model, the following is a list of some standard HTTP securit... (more)
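The opening handshake described above, as an added example that is not part of the original post and not Kaazing's code: a server-side check of the HTTP Upgrade request that applies two HTTP-era controls before the connection becomes a WebSocket. The `Sec-WebSocket-Accept` derivation (SHA-1 over the client key plus the fixed GUID, base64-encoded) is the one RFC 6455 specifies; the allow-listed origin `https://app.example.com`, the `/chat` path and the two sample requests are constructed for the example.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455; the server proves it understood the handshake by
# hashing the client's key together with it.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Origins allowed to open a socket (assumed allow-list for this example).
ALLOWED_ORIGINS = {"https://app.example.com"}


def accept_value(key: str) -> str:
    """Sec-WebSocket-Accept for a given Sec-WebSocket-Key (RFC 6455 section 4.2.2)."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def check_handshake(raw: bytes):
    """Validate a WebSocket opening handshake.

    Returns (True, 101 response) on success, (False, reason) otherwise.
    """
    method, target, version, h = parse_request(raw)
    if method != "GET" or version != "HTTP/1.1":
        return False, "400 handshake must be a GET over HTTP/1.1"
    if h.get("upgrade", "").lower() != "websocket":
        return False, "400 missing Upgrade: websocket"
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False, "400 missing Connection: Upgrade"
    if h.get("sec-websocket-version") != "13":
        return False, "426 unsupported Sec-WebSocket-Version"
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            raise ValueError("key must decode to 16 bytes")
    except Exception:
        return False, "400 bad Sec-WebSocket-Key"
    # Origin is the HTTP same-origin mechanism carried over: a browser sets it
    # and script cannot forge it, so an allow-list stops a third-party page from
    # opening a socket that rides on the victim's cookies (cross-site hijacking).
    if h.get("origin") not in ALLOWED_ORIGINS:
        return False, "403 origin not allowed"
    response = (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_value(key)}\r\n\r\n"
    )
    return True, response


# Constructed sample requests. The key is the RFC 6455 worked-example value.
GOOD_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: keep-alive, Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"Origin: https://app.example.com\r\n\r\n"
)
CROSS_SITE_REQUEST = GOOD_REQUEST.replace(
    b"Origin: https://app.example.com", b"Origin: https://attacker.example"
)

if __name__ == "__main__":
    for raw in (GOOD_REQUEST, CROSS_SITE_REQUEST):
        ok, detail = check_handshake(raw)
        print("ACCEPT" if ok else "REJECT", detail.splitlines()[0] if ok else detail)
```

The point of running the Origin check here, before the 101 is sent, is that the cookie the browser attached to the Upgrade request is exactly the same session cookie the HTTP side uses; a WebSocket endpoint that ignores Origin is an authenticated API reachable from any page the user has open.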

Goodbye Defense in Depth. Hello Defense in Breadth

Over the past few years we’ve seen firewalls fail repeatedly. We’ve seen business disrupted, security thwarted, and reputations damaged by the failure of the very devices meant to prevent such catastrophes from happening. These failures have been caused by a change in tactics from invaders who no longer seek to find a way through or over the walls, but who simply batter them down instead. A combination of traditional attacks – network-layer – and modern attacks – application-layer – has become a force to be reckoned with; one that traditional stateful firewalls are often not equipped to handle. Encrypted traffic flowing into and out of the data center often bypasses security solutions entirely, leaving another potential source of a breach unaddressed. And performance is being impeded by the increasing number of devices that must “crack the packet,” as it were, and exami... (more)

Random Clouds, or Rather, Random Numbers in the Clouds

In the last week or two, the security community has been abuzz with two different papers on the security of RSA keys. It turns out there are tens of thousands of RSA keys out there that are weak: their modulus shares a prime factor with another public key's modulus, so a simple GCD of the two moduli reveals that prime and allows both keys to be factored (i.e. broken) in a matter of minutes. The dust seems to have settled by now, and the root cause appears to be poor generation of these keys, in other words, low-quality random number generators. How does this issue relate to cloud security, Porticor’s forte? Read on… A True Random Number Generator (xkcd.com) Generation of cryptographic-quality random numbers is a difficult science, well beyond the scope of this blog. Unfortunately, the old saying applies: you get what you pay for. In the case of crypto randomness, the more initial randomness (a.k.a. entropy) you stir into the pot, the bett... (more)
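The shared-factor break described above, as an added example that is not part of the original post and not Porticor's code: a pairwise GCD over a small "key ring" of RSA public moduli, followed by recovery of the private exponent for every key whose modulus shares a prime with another. The primes are Mersenne primes chosen so the arithmetic is checkable (they are far too small for real keys), and the key ring, the names and the repeated primes are constructed for the example to model what a bad RNG produces.

```python
from itertools import combinations
from math import gcd

# Mersenne primes standing in for RSA primes (constructed for the example;
# real keys use 1024-bit or larger primes, but the attack is identical).
P19 = 2**19 - 1
P31 = 2**31 - 1
P61 = 2**61 - 1
P89 = 2**89 - 1
P107 = 2**107 - 1
P127 = 2**127 - 1
E = 65537  # common public exponent

# Key ring as a scanner sees it: owner -> public modulus n = p*q.
# A poor RNG handed P61 to both alice and bob and P107 to both bob and carol;
# dave's primes occur nowhere else, so his key is not affected.
PUBLIC_KEYS = {
    "alice": P61 * P89,
    "bob": P61 * P107,
    "carol": P107 * P127,
    "dave": P31 * P19,
}


def find_shared_factors(keys):
    """Pairwise GCD over all moduli.

    Returns {owner: (p, q)} for every modulus that shares a prime with another.
    Two *identical* moduli have gcd == n and cannot be split this way; they are
    skipped here (a scanner would flag them as duplicates instead).
    """
    factored = {}
    for (name_a, n_a), (name_b, n_b) in combinations(keys.items(), 2):
        g = gcd(n_a, n_b)
        if 1 < g < min(n_a, n_b):  # a non-trivial common prime
            factored.setdefault(name_a, (g, n_a // g))
            factored.setdefault(name_b, (g, n_b // g))
    return factored


def private_exponent(p, q, e=E):
    """d = e^-1 mod (p-1)(q-1); knowing p and q is knowing the private key."""
    return pow(e, -1, (p - 1) * (q - 1))


def recover_and_verify(keys, message=0x12345678):
    """Factor what can be factored and prove it by decrypting a test ciphertext."""
    outcome = {}
    for name, (p, q) in find_shared_factors(keys).items():
        n = p * q
        d = private_exponent(p, q)
        ciphertext = pow(message, E, n)
        outcome[name] = pow(ciphertext, d, n) == message
    return outcome


if __name__ == "__main__":
    for owner, (p, q) in find_shared_factors(PUBLIC_KEYS).items():
        print(f"{owner}: modulus factored, p has {p.bit_length()} bits, q has {q.bit_length()} bits")
    print("private keys recovered:", recover_and_verify(PUBLIC_KEYS))
```

Pairwise GCD is quadratic in the number of keys, which is fine for one organisation's inventory but not for the millions of certificates the two papers scanned; those used a product tree and remainder tree to compute every key's GCD against the product of all the others in roughly linear time. The defensive check is the same either way: run it over your own fleet's public keys, and treat any non-trivial GCD as a compromised pair, not a curiosity.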

Sound Off: IPSec versus SSL for Cloud Bridging

I asked this on Twitter as a general question after reviewing the results in the Completely Unscientific Hybrid Cloud Survey Results from Gartner DC 2012 and continued to wonder why IPSec VPN was specifically noted but SSL VPN was not. Certainly a VPN of some kind is a requirement, no argument there, but why IPSec? Why not SSL? Is there some bias against SSL, or is it perhaps just that the presenter at the conference failed to offer it as an option? Then I thought this is just one of many questions I'd like to hear more opinions on. Blogs are good for asking questions. Blogs are good at aggregating answers and opinions in one place. By golly, a blog is a good place to ask this question too! So, without further ado, your question for the week: Why IPSec for cloud bridging? Is it just the default protocol folks think of when hearing the term VPN, or do SSL VPNs lack so... (more)

Considering the SOA Reference Model

(SYS-CON Media) - The main drivers for SOA-based architectures are to facilitate the manageable growth of large-scale enterprise systems, to facilitate Internet-scale provisioning and the use of services, and to reduce the cost of organization-to-organization cooperation - SOA RM When approaching a SOA implementation, I would like to consider two fundamental questions that many developers ask: 1)  What's the difference between service-oriented and service-based architectures? 2)  What special architecture elements are defined by the SOA RM? In my opinion, the answer to the first is in the difference between the words oriented and based. I believe that smart IT organizations offer a lot of services already because the technical benefits of services have been well known for a while. However, the applications based on these services are still monolithic and don't provide ... (more)

Innovating Staging of Two-Factor Authentication Succeeds for Rhode Island Bank

To prevent online fraud, financial institutions that offer online banking are required by the Federal Financial Institutions Examination Council (FFIEC) to double-check that the person logging in to the system is a valid customer. When BankNewport in Rhode Island adopted a two-factor authentication plan, its concern was to make the transition as easy as possible on its customers. In addition to requiring online customers to use a password, the bank chose to install digital certificates from Comodo on each customer's computer. The process looked simple: the first time the customer tried to log in, the bank would send the customer a digital certificate, a small document. The document would install itself on the customer's computer. Every time the customer tried to log in after that, the bank's computer would check for the certificate. As required by the FFIEC, BankNewpo... (more)

Mezeo Helps Launch SoftLayer's CloudLayer Storage Solution

HOUSTON, TX -- (Marketwire) -- 05/13/09 -- Mezeo Software Corp. (www.mezeo.com), the leading provider of deployable cloud storage solutions for service providers, congratulates SoftLayer, a leading IT Hosting Provider, on the successful launch of its cloud storage solution, CloudLayer Storage service. SoftLayer (www.softlayer.com), a Mezeo Premier Hosting Partner, introduced CloudLayer Storage last week. CloudLayer Storage is powered by the Mezeo Cloud Storage Platform. "We deployed the Mezeo Cloud Storage Platform because it was purpose-built to meet the needs of service providers," said Lance Crosby, CEO of SoftLayer. "Mezeo's advanced REST-style Web Services APIs made it easy for our development team to integrate advanced storing, managing, sharing and collaboration capabilities into our CloudLayer Storage service, and their white-labeled access clients enabled ... (more)

Sun Releases GlassFish Enhancements

Sun Microsystems has announced several technology updates to the Sun GlassFish Portfolio, the most complete, open source, high-performance Web application platform. The GlassFish Portfolio is comprised of leading open source technologies, including OpenESB, OpenMQ, Liferay Portal, Sun GlassFish Web Stack and GlassFish(TM) – the industry's most downloaded application server. Additionally, Sun announced early access of GlassFish v3 containing a full preview of the forthcoming Java(TM) Platform Enterprise Edition 6 (Java EE 6) specification. To purchase the Sun GlassFish Portfolio, visit: http://www.sun.com/glassfish. “Sun offers virtually the most comprehensive software infrastructure solutions for creating and deploying secure and scalable Web and enterprise applications. With GlassFish Portfolio, Sun brings additional simplicity and lower TCO to customers by delive... (more)

Wildlife Control Supplies Upgrades to Comodo EV-SSL Certificate

WCS has completed its upgrade to the highest-level security certificate available for online enterprises. Alan Huot, owner of Wildlife Control Supplies, the nation's leading wildlife control and animal handling manufacturer/distributor, explains why his website has adopted an EV SSL certificate from Comodo. Here at Comodo we wish Mr. Huot and Wildlife Control Supplies all the best. ... (more)

What Makes Cloud Storage Different from Traditional SAN and NAS?

Many in the IT industry seem to enjoy arguing exactly what does and does not constitute a cloud service. As I mentioned in my post on the controversy over private cloud services, I do not feel that these arguments are productive. We should focus on results and business value instead of arguing about semantics. However, the current crop of cloud storage solutions has many important differences from traditional SAN and NAS storage, something that seems to surprise many end users I meet. Cloud storage capacity is not your father's blocks and files! Primary, Secondary, and Tiered Storage: most IT infrastructures contain a wide variety of storage devices, but these have traditionally been divided into two categories. Primary or production storage serves active applications and is accessed randomly. The primary category includes most familiar direct-attached disks (DAS), s... (more)