Podcast – Ed Daniel, ITIL, Audit & Cloud

I am joined on today’s show by Ed Daniel. Bit of a coup. Ed is one of Europe’s leading OSS evangelists but, like me, shares a background in process management, ITIL, security and enterprise enablement. Ed works for Normation and was in London attending DevOps, and I didn’t have to push very hard to get him to sit down in front of my microphones.

This podcast is really for the companies who are thinking about deploying Cloud, who are thinking about security hardening, process management, ITIL, PCI-DSS, ISO standardisation, or deploying against Cloud Security Alliance or SELinux guidelines. If you’re a service provider, this podcast helps you too. It’s your opportunity to hear Ed and me try to give you a steer on designing your cloud and getting to deployment safely whilst growing the frameworks around Cloud management.

We talk ManageIQ/CloudForms, how audit and logging are essential, OpenStack and Ceilometer, Heat, etc., and how you should engage with a Cloud provider or upstream vendor.

This is one of those difficult conversations which you rarely hear and that is designed to get you to a point where Open Hybrid Cloud can become a reality. We don’t always agree but between the two of us we try to get you to a point where you are armed to safely and securely start designing and consuming Cloud compute capacity.

 Download the podcast in MP3 format here – or alternatively browse the RSS.

Podcast: Ian Lawson – Mr Red Hat

What a weird title for a podcast episode, you think. Actually, nothing could be further from the truth. Ian and I have worked together in two lives. In 2007 I took a sabbatical to go and do hush-hush secret stuff in the government space for a major vendor, met Ian, and we gelled immediately. We’ve worked together ever since, and when I joined Red Hat I brought him in soon after. This is a coup because, after a life spent in the shadows talking common-sense doctrine to governments and people in positions of authority, Ian is actually on the record and talking Open Source. To say he was outside his comfort zone is an understatement, but it was lovely to have the chance to open a door sensibly and only talk about stuff which doesn’t see us carted off to jail for breaching our obligations as signatories of Her Majesty’s Official Secrets Act.

Ian had always worked in the proprietary, rather sheltered world of data intelligence and manipulation. He definitely wasn’t a Linux user – at all; in fact I gave him his first Linux laptop. He didn’t get Open Source, as nobody had ever explained or shown it to him, and didn’t know OpenShift or even how to install Red Hat. A hugely talented, versatile developer with a brain the size of a family car and the ability to hold a room in his hand, he has become one of the most important hires Red Hat UK has ever made.

Ian, now immersed in Open Source, was reborn with a new verve and vigour. He is now truly Mr Red Hat when you put him in front of customers, and with his almost unrivalled understanding of data storage and data manipulation in the European space he is always in demand to help bring projects to conception.

He was nervous as hell recording this, don’t know why – he’s the mac daddy when it comes to big data even if he does hate the term. We talk OpenShift, OpenStack, we pour scorn on some and heap praise on others. A very enjoyable recording session.

I urge you to listen on two fronts:

1) If you’ve ever wondered what Big Data meant, come and hear Ian blow that concept wide apart.
2) If you’re considering a change in career and want to understand the passion that drives Red Hatters to go to work – then this is for you.

 Download the podcast in MP3 format here – or alternatively browse the RSS.

Podcast: Max Cooter of CloudPro talks sense

I’m joined on the podcast today by Max Cooter, editor of CloudPro Magazine, for a remotely recorded podcast: Max in Sussex, me in windy, wet Wiltshire. It’s a podcast I’ve been meaning to record for some time, but last time we tried we couldn’t get our diaries to sync. Technology allows us to do the next best thing over the ether, and this is the result, recorded yesterday. We originally aimed to record 8-10 minutes, but the discussion got deeper and we ended up putting a lot of things on the table that are vitally important to decision makers and to cloud in general.

I let the session run, and listening back when I was mixing it in the early hours of this morning I am glad I did, because here you have a podcast that might just make people start making notes and thinking about their own plans and provisioning, and about the structure of their ambitions in Cloud.

Max is a heavyweight: he talks Cloud for a living but also gets to see a lot of the actual cloud metrics and deployments across the entire industry, so is more “clued up” than most analysts due to that exposure. We’ve worked together on a Dell Think Tank before and we were both out at GigaOM Structure in Amsterdam last year (Max is pictured above on the left during one of the fireside chat sessions).

We talk governance, regulation, security, privacy, the PRISM fallout for Cloud, the Red Hat Certified Cloud Provider Programme, service providers and the need for conformity, PaaS and OpenShift, and CTO and CIO pressures in the datacentre – there’s a whole wealth of stuff going on.

Do take time out to listen, and come back next week when I have a podcast with Tim Kramer, my colleague of way, way too many years, talking OpenSCAP, Cloud Security, OpenShift and the Cloud Security Alliance. Don’t miss it; we’re going to make some people sit up.

Download the podcast here in MP3 format only

Podcast: David Egts talks Secure OpenShift

If you hadn’t noticed, there’s a bit of a credit crunch on, and it’s affecting every aspect of life, including the provisioning of government and military forces and the services and solutions bodies that support them. Governments and the military use an ever-increasing amount of Open Source technology, and a lot of platforms that have grown up with open APIs and that fit secure accreditation regimes.

We’re talking DISA, STAX, how to get to secure PaaS using OpenShift and how we are helping defence (or defense for those over the pond that can’t spell) get to secured accredited trusted PaaS.

David Egts has been on a podcast here before and appears weekly on the Red Hat Gunnar and David show that I listen to avidly. David recently wrote a great article about how military platforms should not be deployed on proprietary PaaS solutions and frameworks, if you haven’t read it go do so before you listen to the podcast.

Thanks for this show also go out to Red Hat’s Paul W Frields, who wrote the amazing Pulsecaster that sits on Fedora and that I used in a very different split-channel mode this week. That’s allowed me to get this remote podcast out fast and in great audio quality, considering there are 6000 miles between the two people talking. Also, this week both David and I are solely using Samson GoMics, and the entire thing was, as usual, mixed using the free and open source Audacity DAW. The GoMic is a revelation; if you don’t know what I’m talking about, follow the link.

Come back soon for two podcasts next week talking CloudForms with James Labocki and OpenStack with Rhys Oxenham.

Download the podcast here in MP3 format only

Podcast: Cloud Security Special

Today’s podcast is a must for anyone in Cloud who needs to understand high-level security. I’m joined over the ether to my studio in Bath in the UK by Gunnar Hellekson and David Egts. We’re talking access controls, SELinux, sVirt, hardening, security in Government and how we engage in Cloud, security and KVM, Common Criteria – the whole works.

We talk RHEV, RHEL, OpenShift, CloudForms, ManageIQ, auditing, logging, hardening, security – learn how Red Hat secure the important enterprise, Government and industry platforms – allowing our customers to sleep easy.

You cannot afford to miss this week’s show!

Gunnar is the Chief Technology Strategist in Red Hat’s US Public Sector team, trusted by government and the military alike and David is one of our Principal Architects at Red Hat. They both “live eat breathe” security so this podcast is three of us who are very passionate about the topic.

And folks, there’s more: if you liked this podcast, tune in to the first few episodes of Dave and Gunnar’s new podcast, the appropriately named Dave and Gunnar Show, which you can listen to by following this link directly. I totally recommend it, great listening. I’ve been working with them over the last few months recommending kit, and I really think this is a show you should be listening to on a regular basis. Gunnar and Dave have taken a totally different spin on podcasting, one that Rhys Oxenham and I have been planning since November to do monthly, and that I bought the kit to do – but we haven’t had the time. Since Christmas we’ve been set up to make the changes I keep mooting, and this will happen.

It’s so nice to be back in the studio, able to control the level of audio again; it seems like an age since I was sat at a mixing desk recording this stuff. Listening to this podcast you wouldn’t think that David was in Ohio, Gunnar in Houston, Texas and me on the other side of the pond, and all recorded, produced and released using Fedora – no Macs here, folks.

Come back soon for some great podcast content and if you haven’t yet subscribed via iTunes or my RSS feed simply follow the menu bar above to get the links you need. Come back next week for some more great content.

 Download the podcast here in MP3 format only

Podcast: John Hardy talks ManageIQ

After being disrupted by the snowstorms in the UK, John and I finally met up and recorded this podcast at the Red Hat offices in Farnborough here in the UK. This is what fell out of that session; hope it’s helpful and gives more context and technical detail around what ManageIQ brings to Red Hat.

It’s already available on Apple iTunes (download the Podcast client from the Apple Store), Podfeed.net and will be synced with Stitcher Internet Radio very shortly as they update their RSS feeds.

Come back for more next week: I’m going to be releasing a podcast on Wednesday/Thursday this week and then recording a lot of content at FOSDEM in Brussels the weekend of 2nd/3rd February. If you’re going, come say hi – who knows, you could end up on a podcast!

 Download the podcast here in MP3 format only

Podcast: Matt Hicks – OpenShift / SELinux

So Matt and I have been trying to record this for an age. Technology and ambient noise from the construction crew extending our Westford office got in the way a few weeks back, so plan B: a DIY remote podcast over Google+, recorded here in the studio in the UK. What we ended up with was a really good tech chat about OpenShift, hosted on-premise PaaS and a deep dive into SELinux and the reasons both of us have for trying to persuade you to leave it on by default.

If you’re into PaaS, use OpenShift, or want to know where we are at with regards to releasing OpenShift On-Premise, then you NEED to listen to this. It will at least make you even more excited (I hope) about the next two months of stuff coming out of Red Hat.

Matt, if you’ve heard him speak at Summit or JUDCon (Google or search YouTube if you want to see re-runs of his talks, well worth the time spent doing it), is infectiously enthusiastic about both PaaS and security by default.

Download it, listen to it; comments or questions welcome – we’re here to talk to you.

Download the podcast here in MP3 and OGG formats

OpenShift & SCAP

Red Hat have been releasing OpenSCAP as part of RHEL since 5.7, and it’s been in Fedora longer as a development tree. I’d like to think that, alongside sVirt, SELinux and the ever-vigilant guys in Mark Cox’s Security Response Team who I work with a lot, it’s right up there as part of our commitment to understanding and remaining vigilant about security.

OpenSCAP is an open-standards-based framework allowing you to implement SCAP (Security Content Automation Protocol). SCAP is of course maintained by NIST. Their original and overarching concept was to document and provide a catalogue of standards and capabilities, and OpenSCAP takes on where SCAP leaves off to provide that functional set of controls. The understanding is that, alongside paper-based controls, we need to arm administrators and developers out of the box with the ability to protect themselves, but also to report and log against deployed security controls and to query that data, in order to have a living, breathing management piece around security as a business-as-usual process. Just having the controls and deploying against them in staging or live isn’t enough. In Cloud and multi-tenant virtualised environments this could not be more critical, so doing this work for you ahead of time is part of our go-to-market.

Tim Kramer, who I have now worked with for nearly thirteen years in the Linux community, originally at VA Linux back in the day, has put a detailed brief together on OpenSCAP and OpenShift. It is a primer for all those thinking of yet another reason as to why OpenShift should be your de facto go-to PaaS environment of choice, especially during Q1 2013 when we release on-premise solutions around OpenShift.

I urge you to go and read it, as it’s a belt-and-braces approach to understanding security around PaaS but also shows just how much effort and thought/steering goes into every aspect of our Cloud platform architecture. Here are the opening paragraphs; for the rest, follow the link below.

“I wanted to give a little insight as to the type of security automation that happens in the background of OpenShift. As a provider, it’s always a little scary to talk about what is behind the scenes or isn’t. I have blogged in the past about OpenShift’s use of cgroups, poly-instantiation and SELinux. There are many great web pages that explain what each offers to a multi-tenancy platform, so I will dig in on the other non-publicized tools. If you are building an OpenShift Origin infrastructure, this would be a good addition to your build out.

In a world of agile development and the ever changing layered build, one must really be careful that security remains at the level that the policy and product demands. At the end of this post, you will have tools that you can implement to help assure security controls stay within your specified policy.

With developers and operations staff that can change a layered build in real time, how do you assure that it is still in a safe and secured state, since it’s impossible to keep up with every code check-in? The biggest thing that comes to mind for me is automation. You will need tools that can check your security policy across all the various instances.”

You can read the full article here

Security 101 for Cloud – building it right

For those of you who’ve known me or my work for the last decade or more, you’ll appreciate that one of my main calls to arms is security, and in particular the enforcement of security-enforcing technologies at the gateway and application level. My little hobby (developing, publishing and supporting a firewall technology which, with variants based on the code, reached millions of homes, offices and enterprises across the globe) allowed me to make a career out of security.

So security enforcement and responsibility in the Cloud and virtualisation arena is a question I often get asked at conferences and when speaking about security in Cloud. Fortunately at Red Hat we take security incredibly seriously and have contributed technologies such as SELinux and sVirt into our architectures and the supported versions of our releases, as well as employing the mainstays of the SELinux world on our payroll to ensure that we have continuity and that those folk are rewarded for their efforts.

However, to put it bluntly, most architects and network guys turn SELinux off when building out platforms and virtualised instances, which is quite short-sighted. When I pose the question why, a lot of the responses come down to the fact that SELinux can sometimes break things due to configuration issues, plus past experiences where stuff broke and was hard to diagnose, so it was easier just to turn it off.

Let’s be blunt: it’s there to help you. It’s a free, secure, template-based technology, so turning it off if you haven’t got a full toolkit of other security hardening in your build schema or your platform is at best short-sighted. Did I say it was free? In this current credit-crunch culture can you justify not looking at using it?

If you’re concerned or you struggle, then enable it in permissive mode in the first instance, making sure you make the relevant changes to /etc/sysconfig/selinux so the setting persists across reboots. SELinux’s simple booleans are the best (and easiest) way to start experimenting with the functionality you want to add. Then, if you want to know more, search for the audit2allow function, and remember that if you’re concerned about restrictive AVC denials breaking stuff, a quick search through auditd’s log in /var/log/audit/audit.log followed by aureport is your friend. There are loads of howtos available, or if you’re thinking about large-scale SELinux use in anger, Red Hat even have a course to upgrade your RHCE to give you a complete comfort blanket in your own capabilities. It’s part of the assurance and certification model we bring to the whole Linux piece. Belt and braces, if you will.
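To make the permissive-first workflow above concrete, here is an added example (my own illustration, not code from the original post or from Red Hat) covering its two mechanical parts: pulling the fields you actually need out of AVC denial records of the kind auditd writes to /var/log/audit/audit.log, and making the SELINUX= choice in /etc/sysconfig/selinux persist across reboots. The audit records and the sysconfig file contents are constructed sample data so the script runs anywhere without root; on a live host you would feed it the real log and the real file.

```shell
#!/bin/sh
# Added example, not from the original article. Two helpers for the
# permissive-first SELinux workflow:
#   summarise_avc       - reduce AVC denial records to the fields that decide
#                         the fix (relabel, boolean, or audit2allow module)
#   set_persistent_mode - rewrite SELINUX= in a sysconfig file so the mode
#                         survives a reboot (setenforce alone does not)
# On a real host the equivalent read-only commands are:
#   ausearch -m avc -ts recent ; aureport -a ; getsebool -a ; audit2allow -a

# Constructed sample of audit.log records: two denials for httpd plus the
# SYSCALL record that accompanies the first one (not a denial record itself).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1357000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1357000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1357000001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# summarise_avc LOGTEXT
# Prints one line per AVC denial: "<comm> <permission> <source type> <target type> <class>".
# A user_home_t target usually means a relabel (restorecon); a *_port_t target
# usually means a boolean such as httpd_can_network_connect_db; anything else
# is a candidate for audit2allow review.
summarise_avc() {
  printf '%s\n' "$1" | awk '
    /^type=AVC / && / denied / {
      perm = ""; comm = ""; stype = ""; ttype = ""; tclass = ""
      # the permission set sits between braces: "{ read }" -> "read"
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm) }
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); stype = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); ttype = b[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      print comm, perm, stype, ttype, tclass
    }'
}

# count_avc_denials LOGTEXT - number of denial records in the text
count_avc_denials() {
  summarise_avc "$1" | wc -l | tr -d ' '
}

# set_persistent_mode FILE MODE
# Rewrites the SELINUX= line in FILE (a copy of /etc/sysconfig/selinux here).
# Only the three values the kernel understands are accepted; every other line
# (e.g. SELINUXTYPE=targeted) is preserved, and a missing SELINUX= line is added.
set_persistent_mode() {
  file=$1; mode=$2
  case "$mode" in
    enforcing|permissive|disabled) ;;
    *) printf 'invalid SELINUX mode: %s\n' "$mode" >&2; return 1 ;;
  esac
  [ -f "$file" ] || { printf 'no such file: %s\n' "$file" >&2; return 1; }
  if grep -q '^SELINUX=' "$file"; then
    tmp="$file.tmp.$$"
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && mv "$tmp" "$file"
  else
    printf 'SELINUX=%s\n' "$mode" >> "$file"
  fi
}

# Demo: triage the constructed log, then switch a throwaway copy of the
# sysconfig file to permissive (the real file is /etc/sysconfig/selinux).
summarise_avc "$SAMPLE_AUDIT_LOG"
demo_cfg=$(mktemp)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_cfg"
set_persistent_mode "$demo_cfg" permissive
cat "$demo_cfg"
rm -f "$demo_cfg"
```

The point of the summary format is that the target type, not the raw denial, tells you which of the three fixes applies, and keeping the mode change in a function that validates its argument means a typo in an automation run cannot leave the file in a state the boot process will not understand.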

Now, this article really isn’t a security masterclass or SELinux howto; I’m actually more interested in getting to grips with culture change and trying to pass on my thoughts on how we need to gain traction in influencing how protecting your assets, your data and your reputation in Cloud can take shape.

Over the last three years I’ve been using what I would describe as an almost military approach to building out legacy platforms, be they physical or virtual. In days of old people might remember Jay Beale and his Bastille Linux hardening script, which was a great starting point when building simple Linux stacks. I remember vividly when he posted it to the newsgroups and Slashdot picked up on it. It represented, for the first time really in the Linux Open Source community, someone who took a simple exercise and made it mainstream: security as a standard rather than a retrofit. It enabled many of us not only to run it but to get under the hood to find out how it worked. What is it they say, “a little bit of knowledge is a dangerous thing”?

So as we move into provisioning our Cloud environments across one or multiple hypervisor types, or moving applications into hybrid or public Cloud, having that “accreditation” process or controls breakdown is invaluable. Mine runs over about 5 tabs of a spreadsheet and would make most auditors feel out of a job. However, my way of keeping a moving spreadsheet of controls, built up over time for all the certifications and governance regimes I’ve had to deploy to (including NATO battlefield-accredited, above-classified environments), is probably going a bit far for standard run-of-the-mill server environments.

So it’s fortunate that my friends and fellow members of the Cloud Security Alliance started many moons ago to put together an authoritative set of controls to let you get to work now building out your platforms or engaging with a Cloud provider, regardless of the tenacity or the aggressive nature of your certification or audit model. The controls are designed to get you out of the blocks building Cloud platforms that need to meet the regulations around ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP. Let’s not mention SAS 70. I still do not, and believe me I’ve tried, understand why an accounting standard has ANY place in Cloud service provision. The CCM (the CSA’s Cloud Controls Matrix) will help you there, and you can also take a look at the CSA STAR programme while you’re there.

I’ve mentioned the Cloud Security Alliance here numerous times before (let’s call them the CSA from now on). The CSA are one of the most critical building blocks of the Cloud community, and Jim Reavis and the steering members of the CSA have made the education and communication of security best practices to the community their ethos and commitment since they were founded. Red Hat support the CSA, and if you’ve heard me talk you’ll hear me mention them proudly on a regular basis. I am continually mentioning them.

Shortly I am recording an often re-arranged podcast with Jim Reavis of the CSA, and we’ll get that out to you as fast as I can mix it in the coming days and weeks.

Whether you’re playing with Cloud in your dev/test sandpit or migrating to a hybrid cloud, understanding the part that protecting the reputation of your app dev environment and your underlying transport of data plays is critical. Reputations are lost in minutes, as are share prices, when a company is seen as damaged by data loss. Simple breaches of major household-name organisations are often met with lax fines and investigation by sovereign territory governments and information commissioners; however, the risk factors involved are enormous. At the back end of the application architecture – in the trenches – are the technical guys who have to turn the dreams and aspirations of sales people and marketing types into the portals and customer-facing Cloud-hosted environments that will generate the revenue. If we arm you to do your job better, and to do it in a way that allows generic, controlled growth of your platforms and your Cloud aspirations, then that’s a good thing, right?

Do visit the CCM matrices today and learn how they help you go to work in ways that will make your auditor despair. It’s kinda cool actually, because auditing Cloud, and typically follow-the-sun type datacentre clouds, has always been a dark art. By following this article and my advice you can actually have a retort to this argument. Cut a huge percentage out of your auditor’s workload (and their resulting invoice) by owning the moral high ground, and in the process maybe think about turning SELinux back on. Blended use of SELinux, sVirt, supported certified Red Hat subscriptions and technology such as CloudForms gives you everything you need from an IaaS perspective today to go to work. If PaaS security is your thing, then listen out soon for another podcast I’m going to record with Tim Kramer of the OpenShift team (in fact, if you haven’t already read it, go visit Tim’s great security post here).

Also I’m promised a security podcast with Mark Cox at some point in the coming month so if security is your thing you’re going to be kept busy listening to me warble down your earbuds about everything related to CloudSec. If you think that more people could benefit from a primer in Cloud security deployment and the need to think out the box then share this article – I appreciate every Twitter mention I get if it helps educate another Linux user as to how to do things better.

Then get to the CSA website and join. It costs nothing and you’ll learn a lot if you are an active participant. Tell them I sent you.

Technical acumen beats a Crystal Ball in Cloud

Last week while I was on vacation, before I got waylaid preparing for today’s Cloud Computing World Forum in London and next week’s Open.CH Cloud event in Switzerland, I promised my take on Gartner’s release, a fortnight ago now, on EMEA Cloud activity being a pale comparison of the US’s. You can read it here; in fact, reading it before digesting this article might be a great start.

So before we start let’s be very clear: I’m not remotely out to bash Gartner. They have a well-earned position in the pantheon of analysts and are a valued member of the technical analyst community, working hard to help a lot of customers across verticals globally make comprehensive strategies. The report itself lists four specific inhibitors for adjudging that Cloud growth in the EU region as a whole will fall behind the North American marketplace.

Inhibitor 1. Diverse (and Changing) Data Privacy Regulations

Gartner make a good job of outlining the concerns many companies have over data regulation and privacy. They do so without actually going into any concise, clarified detail, but do at least admit that a lot of the privacy issues are communicated and understood badly by organisations, which is a positive. Certainly the Cloud community as a whole has a duty of care to ensure that we make it easier for companies and institutions to understand that issues such as ENISA and EU guidelines at the provider level, and your enshrined responsibilities as a data processor, are actually quite simple to quantify; and that issues such as the Patriot Act and Safe Harbor, which apparently scare many companies off hosting in North America, are not actually as realistic as painted. It’s an unwritten rule that, even in the EU, the liaison between intelligence services is acknowledged as making local EU sovereign data privacy controls and the Patriot Act immaterial, therefore nullifying the concerns in the first instance. If you read the authoritative report by Hogan Lovells on behalf of the OpenForum Academy, published last month, you’d understand even more that it should be the Cloud community and providers working harder to communicate this as a non-risk to customers regardless of geographical location, and that if you architect your public-key encryption properly it actually disappears as a risk.

Inhibitor 2. Complex B2B Multienterprise Integration and Processes

In the EU we have a better understanding than most other global territories of working across boundaries. It’s a fact that many of the boundaries between organisations in multiple EU territories, where data transmission, storage and processing occur daily, have evolved their own processes based around international standards such as COBIT, ITIL, ISO and BASEL as mandatory controls in business, nullifying actual risks to growth. So this inhibitor seems badly defined and badly understood as a doorstop to Cloud. EU businesses as a whole adopting Cloud are better positioned than many organisations outside Europe, given that we have had corporate governance in place that dwarfs SOX, SAS 70 and less capable non-EU-derived process controls.

Inhibitor 3. The Slowness and Undesired Effects of Some EU Policies

Gartner do a good job of outlining where they think sovereign mandated process and policy can potentially act as a roadblock to Cloud. In four years of Cloud-specific activity, up to and including EU government ENISA-guided Cloud architecture, I’ve yet to identify one actual deployment slowed down by this “inhibitor”. Gartner then give the example of the European Multi-Stakeholder Forum’s e-invoicing guidelines published in March, which are at best a steering piece designed to help and assist organisations rather than slow them down; although it has taken almost five years to get to its findings, it’s still comforting to know that it exists.

Inhibitor 4. The Investment Hold Caused by the Euro Crisis

I can’t argue with this point: there is a critical crisis of confidence in the euro and the financial markets, though this is a technical blog, not a financial one. You’d have to have had your head in the sand not to have noticed the major slowdown in IT spend across all areas of technology, not just Cloud. It’s an added benefit to the marketplace that Red Hat is positioned to allow customers in that position to achieve a lot more with a huge amount less, thanks to the Open nature of Red Hat cloud technologies and our continued work with emerging technologies to foster growth during a time of economic and financial instability. In fact Red Hat is growing continually even during a downturn, as our customers enjoy so much more capability based on our subscription and Cloud access model for their workloads. This then increases when they see how CloudForms and OpenShift start reducing workload costs and reducing complex associated ownership and process costs.

I’m very surprised that nobody from Gartner read the synopsis of the Cloud Security Alliance’s 2011 study into EU Cloud growth and factors, which gave clearer detail and more credible guidance to the very readers that digest Gartner articles as verbatim truth. I’ve uploaded my copy of their slides here, as it gives you a more authoritative piece towards doing your own research.

So my message here is one of balance. Read the Gartner article, it’s a balanced and authoritative viewpoint from a global leader. Once you’re done then go read the links below:

PC World Report on Data Concerns over Patriot Act
Business Software Alliance report on Cloud in Europe (downloadable PDF)
Jipitec EU Cloud Computing Synopsis

My last words on this article from Gartner are that they missed a trick by forgetting that the same people who read their reports are the same architects and technically capable thought leaders who use open architectures and enjoy more competitive and open economies of scale from using Open Cloud.

If you use an Open Cloud, if you think about your architecture planning and build that portability and security of process and control into your Cloud using tools such as CloudForms then I reckon 80% of the actual inhibitors outlined in the Gartner report become actual reasons to go Open and to speed up Cloud adoption.