It should come as no surprise that the web application layer is one of the most vulnerable and highly targeted in any IT organisation. The latest report from Imperva, which I’ve just covered for Infosecurity Magazine, bears that out, and adds some interesting new insights.
Did you know, for example, that public cloud platforms like Amazon Web Services are increasingly being used by cyber criminals to launch such attacks?
According to Imperva, 20% of all known vulnerability exploitation attempts aimed at its customers came from AWS servers – that’s a pretty sizeable chunk.
Director of security research at the Israeli firm, Itsik Mantin, told me part of the reason:
“The ability of the attackers to utilize cloud services to mount their attack, makes it easier for them to carry out longer campaigns, and thus they can scan for more vulnerabilities in more pages in the target application,” he said.
Another point of note from the report is the continued growth in SQL injection attacks – up 10% since the last report – and the less well known Remote File Inclusion (RFI) attacks, which have increased by 24%.
So what’s to blame? Well, not necessarily bad coding, according to Mantin.
“Applications have become more complicated, with more pages and more functions, relying on more third-party modules that are hard to control, and thus the size of the attack ‘domain’ grows over time,” he explained.
Mantin also pointed out that the attack incidents analysed in the report included attacks that were detected and prevented.
“Thus the numbers in the research indicate more the attacker’s intention and less the vulnerability of the applications,” he said.
That may come as something of a surprise given the heritage of the open source cloud computing project – NASA and US hosting/cloud giant Rackspace.
However, it’s certainly not a one-off, with several other cities in the PRC also boasting significant numbers of acolytes, including Shanghai which also ranks in the global top ten.
I learnt this and rather a lot more about the project at the OpenStack Summit in Hong Kong this week. It was a conference heavy in symbolism for the OpenStack Foundation – its first ever outside the US and the first since the release of Havana – its eighth major release for building public, private and hybrid clouds.
Having slogged my way around IT conferences for more years than is healthy for a person of my age, the summit was a first for me in many ways.
First up the new announcements from vendors were kept very much in the background – barely mentioned at all in the keynotes and not publicised heavily elsewhere at the event.
Now that could be the fault of the event PR team but I’d like to think it’s because the Foundation are trying to send a message of inclusivity to the community – that no one vendor should be allowed to use the platform to market its wares so blatantly to a captive audience of over 3,000 enthusiasts.
That’s not to say there was no news, of course, or that the major vendors weren’t using the show to meet customers, get their message out, etc, but it was certainly toned down from the all-guns-blazing razzmatazz of some industry events I’ve been to.
Part of that no doubt lies in the fact OpenStack Summit is really about bringing the community together to share ideas and best practices on implementations and, quite literally, to sit down and draw up a roadmap for where it is headed next.
It is still very early days for OpenStack versus, say, Amazon Web Services, and there is a certain amount of tension still in the community about whether it should be seeking to emulate the cloud leader or take a separate path of innovation – “letting a thousand flowers bloom”, according to Canonical founder Mark Shuttleworth.
The Rackspace private cloud VP Jim Curry and CTO John Engates I chatted to admitted feature parity isn’t at the same level as AWS yet, but also claimed that itself is a bit of a red herring as few people use all the features in Amazon anyway.
In the end, one of the more eloquent and passionate speeches on the open source project came from Red Hat consulting engineer Mark McLoughlin – one of the top OpenStack contributors in the world, if rumours are to be believed.
“Does anyone think we’re just going to add a handful of new projects in 2014 and then stop? I really don’t think that’s realistic,” he said. “I think it’s going to continue to expand and become a broad umbrella of projects. We need to embrace the collaboration that’s happening under this OpenStack umbrella.”
OpenStack cloud vendor and Amazon-agitator Rackspace Hosting is launching its first public cloud offering for Asia in Hong Kong today, so I caught up with APAC MD Ajit Melarkode to talk all things Hong Kong, cloud and Rackspace.
I covered the news over at The Reg. Given that not many businesses rely solely on the public cloud, the announcement can be seen more in the context of Rackspace’s Hybrid Cloud offering – which allows users to mix and match between public and private cloud and dedicated server hosting.
As such, I’m sure IT managers in the region will be keen to have another option for their cloudy needs.
They should also be assured that Rackspace is certainly investing significantly in the region, and Hong Kong, Melarkode told me. “We’ve sent a lot of Rackers out to set up here,” he said. “We’re not treating it as a satellite office – Hong Kong has really come into its own this year.”
Testament to this is Melarkode himself, who has experience of running operations on the ground in the region, and the fact that the firm is setting up dedicated finance, HR and marketing departments, as well as hiring a regional CTO, lead engineers, SMB and enterprise support staff, and ensuring that there is a good spread of local language speakers.
So who is Rackspace hoping to target with its new offering? Well, according to Melarkode, the growth of the Hong Kong office and APAC hub can be seen in parallel with the expansion of Rackspace customers into Asia: “as our customers expand we expand with them – we’re driven in a major part by client requirements”.
Another market he mentioned was that of the smaller innovative local companies in industries like retail and technology which are unencumbered by legacy infrastructure and are “leapfrogging onto new technologies like mobile and cloud”.
Melarkode was unsurprisingly quick to leap to the defence of Asian firms, which are often branded as copycats and accused of lacking the ability to truly innovate.
He argued that creating services on top of “building blocks” already developed in the West does not necessarily amount to copying – and pointed out that firms from the region are contributing code to OpenStack, which he claimed is certainly not the behaviour of a technology laggard.
The region in general, while perhaps slightly behind the West, is certainly catching up in terms of the maturity of its IT services industry.
“I’ve seen how the region has developed right from the time Indian outsourcing started blooming in 1993, to the more hardware and infrastructure focus in China and the BPO success taking hold in the Philippines,” he explained.
“What I see is lagging behind here but the pace is still fantastic. Look at how it’s catching up. Lots of clients used cloud just for back-up and storage but now they’re starting to use it for app testing and development. The catch-up rate is astonishing.”
Rackspace will certainly need that maturity to expand beyond the handful of early movers in APAC if it’s to recoup some of its growing investment here.
Things are moving pretty fast, though, with the firm doubling headcount and its datacentre space in Hong Kong to meet expected demand and with plans to do so again in the coming year, Melarkode said.
Sometimes it’s reassuring to know that, wherever in the world you travel, IT leaders are experiencing exactly the same challenges.
A day spent listening to CIOs and IT leaders at MIG’s CIO Executive Summit 2012 in Hong Kong on Wednesday confirmed my suspicions.
The major take-aways I, well, took away, from the event were that CIOs are still not taking charge of innovation, strategy and business leadership as they should; that BYOD is a huge challenge made all the more urgent by the demands of Generation Y; and that cloud projects are still by-and-large of the private variety where sensitive data is concerned.
On the latter point it was interesting to hear CIOs on stage and senior IT leaders in the audience back-and-forth about the as-yet-unproven reality of cloud computing.
This is the stuff the vendors probably don’t want you to hear, and went a little something like this:
- Never try to ‘push the envelope’ with a cloud project without consulting the regulators first. One big name did in Singapore and was forced to dump his Salesforce.com investment as a result.
- It’s very difficult to determine, but proper due diligence would include trying to decide where your prospective cloud provider is likely to be in 8-15 years’ time. An assessment of the cost of moving to another provider or moving everything back in house should always take place.
- The more the cloud integrates with your back end systems the harder it is to switch providers. Realistically speaking you need to treat these projects like an old-school SAP implementation.
- Virtual private clouds could be the answer to many corporate IT managers’ prayers, allowing them to fulfil regulatory requirements around isolation of systems whilst taking advantage of the agility of the public cloud.
It’s the same the world over. Beneath the hype, most IT leaders are actually feeling their way with private cloud deployments and possibly using some public cloud projects for non-sensitive data.
It will take quite some time, probably years, before this changes.