Cloud Computing’s Vendor Lock-In Problem: Why the Industry is Taking a Step Backward

For more than a decade, IT managers and advocates have been working tirelessly to enable solutions based on common standards and protocols that can be built, supported, swapped out and replaced, regardless of vendor. And they almost succeeded — until lately.

Cloud computing may be erasing the gains we’ve made against vendor lock-in. Going with a cloud solution means buying into the specific protocols, standards and tools of the cloud vendor, making future migration costly and difficult. How is this so? Because standards are still being formed, and cloud computing is still too immature to reach the point where customers are demanding vendor independence. The problem is, when companies sit down to calculate the cost of using cloud computing services, they don’t factor in the costs of migrating off the system – expenses which could be prohibitive and unexpected.

Thomas Erl: Rude awakenings await cloud customers that decide to try to switch vendors.

That’s the caution being expressed by Thomas Erl, CEO of Arcitura Education Inc., a service technology education and certification provider, incorporating SOASchool.com and CloudSchool.com.

I recently caught up with Thomas, who is also a best-selling and perhaps most prolific IT author on the planet, who shared some of his concerns with the emerging cloud computing paradigm.

“With cloud environments, it’s kind of a new level of lock in,” he points out. “You can have your application. It can be standards-compliant for certain interoperability functions. But the actual hosting of the application, the actual requirements for that application to exist in a cloud environment, to connect to the virtualized resources and whatever administration tools the cloud providers may give you to configure and maintain the application, will be, for the most part, controlled by the cloud provider.”

This new degree of cloud vendor lock-in “is a step backwards from all the work that has been done with approaches such as service oriented architecture,” Thomas adds. “SOA helped free us from the tech vendor lock-in model that we had a decade ago, in terms of motivating the transition towards interoperability level standards.”

By motivating, Thomas means getting vendors on board to enable the unfettered movement of data and services between any solution you happen to install. However, there really haven’t been any compelling reasons for vendors to do that now in the cloud world. “The whole industry is really not that standardized at all,” he points out. “The cloud environments themselves are really in no way regulated, or there’s no sense yet that there’s a need to comply with industry standards. Cloud providers benefit from keeping things proprietary as long as possible, because it locks consumers into their environment.”

Thus, many companies now using cloud services from third-party vendors are in for a rude awakening when it’s time to move on. And there may be many reasons why it’s time to move away from your current cloud provider. “The cloud provider could be bought out by a larger company, and a bunch of policies change,” Thomas illustrates. “Or the cloud provider may increase their leasing costs, or change the leasing terms, or geographically they shift around so that everything that you own is in Russia, and that conflicts with some legal requirements you may have.”

How easy will it be to move when circumstances change?  What if a good part of your application infrastructure resides with a single cloud provider? “When you put a lot of your resources, a lot of your data in the cloud, you want to know that, a year later, you want to be able to move that to another cloud provider,” Thomas says. “You want to know that you can move all that away to another cloud provider, or even bring that back on premises, if that’s the exit strategy.”

Vendor lock-in may be unavoidable at this point, but what companies need to do is understand up-front what the exit strategy will be, and build those costs into the initial cost analysis. “Knowing that you can move it in the future, and knowing the impact of that helps complete that analysis,” Thomas explains. “Then you understand not just the cost of the move, but you can also view it as an additional risk factor in the move to the cloud. It will help you to determine to what extent you want to move resources to the cloud. Once you take that into account, it might help moderate some of that.”

Only one thing will eliminate or reduce the risk of vendor lock-in in the long run: if end-user customers start demanding standardization and interoperability, just as they have in the past with on-premises applications. “Once it dawns among organizations that use third-party clouds that they need to demand this from cloud providers, then the cloud providers will fall in line.”


Facebook identifies porn spam perpetrators

Facebook said it has identified many of those responsible for a wave of pornographic content that showed up on users’ news feeds this week.

Those behind the coordinated spam attack, which began on Monday, leveraged a cross-site scripting (XSS) web browser vulnerability to flood Facebook news feeds with explicit and pornographic material, including images depicting acts of violence, self-mutilation and bestiality. The attackers managed to trick users into pasting and executing malicious JavaScript in their web browser URL bar, causing them to unknowingly share the offensive content, Facebook said in a statement sent to SCMagazineUS.com.

No user accounts or data were compromised during the attack.

The social media giant is “pursuing the appropriate action” against those responsible for the campaign, a Facebook spokesman told SCMagazineUS.com on Friday. He declined to provide any additional details.

Facebook described the issue as a “self-XSS,” meaning users themselves had to execute the code needed to launch the attacks, as opposed to a traditional XSS attack, which involves malicious code being injected directly into a website. Users may have been told to paste the code into their browser to win some type of prize or sweepstakes, Chester Wisniewski, senior security adviser at security firm Sophos, wrote in a blog post Wednesday.

“Considering that the flaw is not within Facebook’s website, it appears to have been rather difficult for them to respond to this threat,” Wisniewski added.

It is not known which web browser is vulnerable. Until it is fixed, the same flaw could potentially be used in attacks against other sites, he warned.

Facebook, meanwhile, said it has put in place mechanisms to quickly shut down the malicious pages and accounts that attempt to exploit the flaw, and is providing security education to affected users. As well, it has put in place back-end measures to reduce the rate of such attacks.

By now, most of the offensive spam has been eliminated. Facebook said it is working to improve its systems to prevent a similar attack from recurring.

Many users this week took to Twitter to express their frustration over the explicit content. Some users said they were planning to deactivate their accounts over the issue.

“Seeing a dead dog on my Facebook newsfeed,” one user wrote in a Tweet. “Officially deactivating it.”

Some have speculated that the hacktivist collective Anonymous is behind the attack, though the group has not taken credit for it.

The 25 Worst Passwords of 2011

Whenever idiotic passwords are discussed, the following story always comes up: five years ago, a group of Slovak hackers breached Slovakia’s National Security Bureau (abbreviated NBU), which stores tons of classified information. It was an easy hack. The NBU’s master login/password was simply nbusr/nbusr123. After cracking it, the hackers publicized the information, much to the NBU’s embarrassment.

What’s even worse? Days later, the password was still “nbu123.”

That was five years ago, but bad passwords still abound. SplashData, a password management app maker, compiled a list of the 25 worst passwords of 2011, based on millions of stolen passwords that were dumped online. Typically after hackers compromise a server, like Sony’s or CIA.gov’s, they post all these personal details online.

Many of the passwords are sequential numbers like “12345” or “654321,” while others contained messages like “letmein” and “trustno1”. Even if you thought you were being clever with “qazwsx,” (look at your keyboard, you’ll get it) it’s number 23 on the list. “Monkey,” “password,” and “qwerty” are ALWAYS on these lists. I know I’m preaching to the choir here but, seriously?

1. password

2. 123456

3. 12345678

4. qwerty

5. abc123

6. monkey

7. 1234567

8. letmein

9. trustno1

10. dragon

11. baseball

12. 111111

13. iloveyou

14. master

15. sunshine

16. ashley

17. bailey

18. passw0rd

19. shadow

20. 123123

21. 654321

22. superman

23. qazwsx

24. michael

25. football

Having a tough-to-crack password won’t thwart a sophisticated cybercriminal, who can use other methods to breach a server in which passwords are stored. But a solid password will at least deter the lowest common denominator like a nosy partner or a low-level hacker using a dictionary attack that simply tries thousands of passwords.
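The kind of check a signup form or password-change handler can run so that a dictionary attack does not succeed on its first guesses, as an added example (not from the original article): it rejects the 25 listed entries, their look-alike and suffix variants, and the sequential and keyboard patterns described above. The substitution map and the pattern rules are illustrative assumptions, not SplashData's method.

```python
import re

# The 25 entries exactly as listed in the article above.
WORST_2011 = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
}

# Look-alike substitutions (assumption: a small illustrative map, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# QWERTY rows, the q-a-z column walk, and digit/alphabet runs.
WALKS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
         "qazwsxedcrfvtgbyhnujmikolp", "abcdefghijklmnopqrstuvwxyz"]


def variants(pw):
    """Lower-cased forms with trailing digits/symbols dropped and look-alikes undone."""
    low = pw.lower()
    core = re.sub(r"[\W\d_]+$", "", low)  # "monkey2011!" -> "monkey"
    return {f for f in (low, core, low.translate(LEET), core.translate(LEET)) if f}


def is_pattern(s):
    """True for repeated blocks ("123123", "111111") and keyboard or digit runs."""
    if re.fullmatch(r"(.+?)\1+", s):
        return True
    return len(s) >= 4 and any(s in w or s in w[::-1] for w in WALKS)


def check_password(pw):
    """Return a rejection reason, or None if none of these checks fires."""
    forms = variants(pw)
    hit = forms & WORST_2011
    if hit:
        return f"matches '{sorted(hit)[0]}' on the 2011 worst-passwords list"
    if any(is_pattern(f) for f in forms):
        return "keyboard walk, run or repeated block"
    return None


if __name__ == "__main__":
    # Constructed sample candidates.
    for candidate in ("P@ssw0rd!", "Monkey2011", "zxcvbn", "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

A `None` result only means the candidate avoided these specific checks; it says nothing about overall strength.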

If you, like me, are rather scatterbrained, perhaps it’s time to invest in a password management app which generates unique passwords for you and stores them under one password-protected program. LastPass 1.72 Premium is PCMag’s Editors’ Choice for password managers. It keeps your encrypted password collection online and works across Windows, Mac, and Linux machines. For more, see security analyst Neil Rubenking’s selection of Six Great Password Managers.

A few months ago a software architect at Microsoft, compiled after the Sony PSN hack, revealed that most of us have three easy-to-crack passwords. For tips on how to do passwords right, read PCMag’s Password Protection: How to Create Strong Passwords. See Passwords: You’re Doing it Wrong to avoid some common errors.

Android malware downloads instructions from blog

Researchers from Trend Micro have spotted a piece of malicious software for Android that receives instructions from an encrypted blog, a new method of communication for mobile malware, according to the company.

The malware, which can steal information from an Android phone and send it to a remote server, purports to be an e-book application. It has been found on a third-party Chinese language application store.

Trend Micro calls the malware “ANDROIDOS_ANSERVER.A.” If the application is installed, it asks for a variety of permissions. If those are granted, it can then make calls, read log files, write and receive SMSes and access the Internet and network settings, among other functions.

The malware uses the blog to figure out which command-and-control servers it should check in to. The command-and-control server then feeds the malware an XML file, which contains a URL where the malware can update itself. It can also connect with the blog to check for new updates. Trend Micro found that 18 variants of the malware were posted to the blog between July 23 and Sept. 26.

“This is a blog site with encrypted content, which based on our research, is the first time Android malware implemented this kind of technique to communicate,” wrote Karl Dominguez, a Trend Micro threat response engineer, on a company blog.

Malware writers have been known to abuse blogging platforms before. Dominguez noted that a botnet discovered earlier this year obtained instructions posted to Twitter.

Some of the newer versions of the malware on the blog “had the capability to display notifications that attempt to trick users into approving the download of an update,” Dominguez wrote.

Security experts generally recommend that users be cautious when downloading Android applications from third-party application stores, given the number of rogue applications that have been found there. Users should also keep an eye on what permissions an application asks for and allow only the fewest permissions, in case the application has nefarious functions.
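The permission review recommended above can be automated for an app that claims to be an e-book reader. This added example (not from the article or from Trend Micro) reads a decoded AndroidManifest.xml and reports every requested permission outside an expected baseline; the mapping from the article's capability list to permission names, the baseline, and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the capabilities named in the article to Android permissions.
HIGH_RISK = {
    "android.permission.CALL_PHONE": "can place calls",
    "android.permission.READ_LOGS": "can read log files",
    "android.permission.WRITE_SMS": "can write SMS messages",
    "android.permission.RECEIVE_SMS": "can receive SMS messages",
    "android.permission.CHANGE_NETWORK_STATE": "can change network settings",
}

# Assumed baseline: what an e-book reader plausibly needs.
EXPECTED_FOR_EBOOK = {
    "android.permission.INTERNET",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed sample manifest (decoded text form; an APK stores it as binary XML).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ebook">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <application android:label="Free E-Book"/>
</manifest>
"""


def audit_manifest(xml_text, expected=EXPECTED_FOR_EBOOK):
    """Return sorted (permission, note) pairs for requests outside the baseline."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    requested.discard(None)  # ignore malformed entries with no android:name
    findings = []
    for perm in sorted(requested - set(expected)):
        note = HIGH_RISK.get(perm, "not expected for this app category")
        findings.append((perm, note))
    return findings


if __name__ == "__main__":
    for perm, note in audit_manifest(SAMPLE_MANIFEST):
        print(f"{perm}: {note}")
```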

Android malware explodes, jumps five-fold since July

Malware targeting Google’s Android mobile operating system exploded in the last several months, its volume quintupling since July, Juniper Networks said today.

The rash of infected apps aimed at Android owners shows no sign of abating, said Dan Hoffman, Juniper’s chief mobile security analyst and a member of the company’s global threat center.

“We’re seeing a mix of the traditional hacking community [working] on malware very similar to organized efforts on the PC side, as well as people who are just a little smart, the ’15-year-old kid crowd,’ who are able to hide some malicious content in an app,” said Hoffman in an interview today.

According to Juniper’s research, the number of Android malware samples — each defining a different piece of attack code, or a variant of one discovered earlier — increased by 472% since July 2011. The bulk of that growth occurred in September and October.

“We’ve seen an exponential growth in Android malware over the last several months,” Juniper said in a blog post that accompanied Juniper’s recently-published mobile threat report.

The prime threat remains purposefully-malicious Android apps that are crafted by criminals, often pirated versions of legitimate applications, then planted in either Google’s official Android Market or in one of the scores of alternate download sites, which are especially popular in Asia — China in particular.

“That is very clearly the threat now,” said Hoffman, who added that the hackers’ strategy would likely continue indefinitely.

That’s because Google doesn’t control what apps can be installed on an Android mobile device, as Apple does with code-signing technologies for iOS apps, and so makes third-party app download centers possible. Nor does Google vet apps submitted to the Android Market.

Other security researchers have noted the same when they have found malicious apps in the Android Market or in unsanctioned e-stores.

At least three different waves of malware — in March, June and finally July — infiltrated the Android Market this year. The malicious apps were removed by Google only after they had been downloaded by an unknown number of users.

Far more attack apps have appeared in Chinese app stores that distribute Android software.

Juniper speculated that the hackers now crafting Android malware are those who used to specialize in Symbian and Windows Mobile attack code. But as those operating systems’ share plummeted — Web metrics company Net Applications put their shares during October at 3.5% and 0.07%, respectively, down from 8% and 0.2% a year ago — the criminals have abandoned those platforms and jumped on Android.

And those hackers know their stuff.

“Together, the Symbian and Microsoft Windows Mobile platforms are the oldest and most researched mobile platforms, and devices running those mobile operating systems have been the targets of the most prolific and effective malware known to affect mobile devices,” said Juniper.

While Google’s practice of not policing the Android Market, and its inability to restrict all apps to its own distribution channel, has been pegged as the primary reason for the OS’s vulnerability, Hoffman argued that the policy also gave users the means to protect themselves.

“There may be a better vetting process on iOS, but a really critical point is that Android users have the benefit of a security marketplace,” said Hoffman, referring to the large number of anti-malware programs available for Google-powered smartphones and tablets.

“In iOS, consumers and even enterprise don’t have a choice,” Hoffman said. “There’s no benefit of competition because users are completely reliant on Apple for security.”

Hoffman has a point: When Lookout Security, a leader in Android-based antivirus software, recently introduced a version for iOS it was unable to provide any malware scanning capabilities in the app.

Not surprisingly for someone who works for a security firm, Hoffman also argued that it wasn’t up to the OS provider to guarantee a secure device; users have responsibilities, too.

“No matter what policies an app store may have, the real way to protect a device is to protect it with security software,” Hoffman said. “You have to protect your mobile devices just like you protect your PCs.”

Why Kenyans do it better?……. Very touching and something to be proud of

I am just very excited after watching this clip, which I came across on Facebook.

Why Kenyans do it better

A Senior Marketing Manager with 13 years Management experience in telecommunication and consumer electronics industry. He has worked for global brands in fast changing business environments, whilst having a focus on Central & South East Europe. At the present time he is Head of Marketing at Nokia, covering several countries, including Switzerland, Cyprus, Israel and of course Austria. Adding to his durable career path, Alexander is also co-author of the first handbook for mobile marketing and mobile campaigns in German language, “Mobile Marketing”

I felt so touched and proud to be associated with Kenya, and with the technological advancement we have achieved in such a short period of time.

Another Cloud Computing Platform Launched in Kenya

A cloud service has been launched by a tech firm, three weeks after mobile service provider Safaricom did so.

Internet Solutions firm will offer data management services to local banks. It is a division of local firm, Dimension Data.

As with Safaricom Cloud, InfoConnect will offer disaster recovery, back up and also host data centres for customers.

This is intended to reduce companies’ spending on buying and managing their network infrastructure, said Loren Bosch, Internet Solutions managing director.

Cloud computing is a technology through which firms host their data or entire network with a third party, saving them the expense of buying and maintaining network infrastructure.

A month ago, consultancy firm Deloitte released a report showing that about 40 per cent of local banks were not ready to adopt cloud computing.

Nineteen per cent thought the technology is premature for the region.

InfoConnect will sell through Internet Solutions and Paynet, which operates the Pesapoint ATMs.

Mr Bosch said Internet Solutions will not be eyeing small and medium companies but will focus on big firms.

Mr George Makori, of Safaricom Cloud, has said they will focus on small and medium size firms.

Information Security Evangelist
