4 valuable additions to your cloud security toolkit
DigitalPersona, CloudPassage, NetIQ and GlobalScape deliver unique ways of protecting cloud data
If you ask IT execs why they're hesitant about moving to the public cloud, security comes up at the top of the list. But security vendors are responding to these concerns with a raft of new products. Here are four interesting cloud security tools that we tested.
DigitalPersona's Pro Workgroup SaaS is a cloud security tool that automatically encrypts hard drives on end user PCs and laptops. GlobalScape MIX delivers a secure FTP service in the cloud. NetIQ Cloud Security Service provides a secure proxy for logging into SaaS apps, like Google Apps and Salesforce.com. And CloudPassage embeds a security monitoring and policy enforcement tool into online cloud instances.
DigitalPersona Pro Workgroup SaaS
Most of DigitalPersona's work has been in bio-authentication — fingerprint readers and their associated security components. But in July, DigitalPersona launched Pro Workgroup SaaS, a cloud security product that provides hard disk encryption for Windows machines.
While the product had been targeted at OEM systems makers (HP is one), it's available now via SaaS (and also as a local server appliance). We liked it, although the fact that it's currently compatible only with Windows is a drawback.
Developed with an eye towards small/mid-sized organizations, DigitalPersona does something complex, yet simple: it pushes a policy to Windows machines that initiates encryption, manages the keys, then uses its driver app to populate a server database of metrics for reporting purposes.
For some organizations, systematic disk encryption is a critical capability. In a world where laptop/notebook disk losses or thefts can spawn huge liability and costly post-loss processes, DigitalPersona believes that its AES-256 encryption coupled to a full audit trail (the machine phones home every 90 minutes or so with a status) is crucial.
Sensitive data is ostensibly protected; we feel the technique used is strong.
While DigitalPersona's methodology sounds great, there are some issues that DigitalPersona claims to be addressing in future releases. First, it is Windows and Active Directory only. Second, it's hosted on Amazon Web Services, which will be fine for some organizations and not for others, because of perceived problems with AWS, including outages and security.
DigitalPersona is also available as a server appliance, but when used in this way, backups and application security are the organization's own responsibility, governed by its own policies.
Finally, it encrypts the internal drive only, not removable drives or drives on a different controller. It's not a complex application, and we could not break it or thwart it.
We found the steps needed can be divided into three areas: set up the initial server and users, push the policies and get the drives encrypted, then deal with the aftermath of servicing users who forget their passwords.
The drill is that you install the software (in the case of the appliance), or log onto a pre-generated website obtained from DigitalPersona, then set up groups and users according to AD membership. Then you build a policy file and deliver it to end users via email, text, flash drive, whatever.
Users download the app, get the policy, and encryption begins (either BIOS or software) — but the entire drive is encrypted, including the all-important master boot record. DigitalPersona also supports alternate bootloaders, like GRUB 2, if needed. Users are required to type in their password, one that's hopefully long and difficult to guess. Password types are enforced according to AD policy.
Should the user forget the password, or the machine need to be surrendered, there are two ways to get the password. A temporary password can be generated from the SaaS or server application. Alternatively, an initial secondary authentication (a question-and-answer challenge) can be done to get a new password.
You can also use smart and/or bio-authentication cards as an authentication option. In our trial of two notebooks, it worked. Encryption takes a while, depending on the notebook (SSDs are likely much faster) and can be successfully interrupted/continued.
But there are no Macs, no Linux, and a few single points of failure. However, for those who loathe the thought of having to announce to the world that a notebook with valuable data on it was lost without encryption, this is a strong tool.
GlobalScapeMIX
GlobalScape MIX (Managed Information eXchange) is a SaaS cloud security tool and portal that replaces self-hosted secure file storage and transfer. MIX is much like a secure FTP service with top-down lockdown on who obtains access, under what circumstances and for how long.
MIX provides a history of who obtained what, with what authentication, from what IP address, and all of the chain of data regarding file transactions.
It's a hosted service, and it blazes. It's not user programmable, in the sense that you can't use SAML or other security markup languages to get data files in and out. It's accessible by virtually any client and has web-based authentication via encrypted sessions. It's great for files and folders, although it's not designed for the large object storage used by cloud VM instances, even though MIX can swallow almost any file size.
GlobalScape provisioned us with our own portal. We examined the HTTPS security and found that they had self-signed certificates, SHA-1 with 256-bit public key certificates, including additional encryption certificates, all of which were in order.
They handily snatched our logo from our website to post in the portal and make us feel at home. After accepting two other certificates, we could then post or download files individually or by tick-mark selection. GlobalScape claims three independent routes to their servers, with full redundancy internally. We were able to verify a large part of their hardware/routing claims but lack the geography to test it all; they do hold numerous certifications backing their claims.
The downloads were as fast as we've ever been able to obtain either at our network operations center (NOC) or via Comcast's somewhat ancient routing. In our nFrame NOC, we were able to achieve 58Mbps downloads with slightly faster uploads. The user interface is simple enough that any civilian can figure it out in minutes. Files can be queued for uploading and downloading concurrently. The processes can be stopped and resumed simply. Little training would be needed to help users make use of MIX.
The sites used by GlobalScape MIX are FIPS 140-2 compliant and SAS-70II certified. GlobalScape offers "tight" service-level agreements (SLA), and is currently hosted at Rackspace, although we were told alternate sites were in the works.
The upsides are very good: organizations get to take file-hosting offsite and don't need to deal with the management of document exchange with partners, yet receive mailbox addresses to send sensitive documents to if desired.
Think of exchanging medical X-rays, legal docs, real estate closing documents. Users can make rapid sense of the UI, and send and receive files from anywhere, anytime, in a session-managed environment. The downside is that it's not directly addressable through SAML or other security markup languages, though it also can't be thwarted by them. It's not inexpensive, but it perhaps beats the cost of doing it internally.
NetIQ Cloud Security Service
The NetIQ (formerly Novell) Cloud Security Service is a SaaS-based proxy system for logging onto SAML2-based SaaS application services, like Google Apps and Salesforce.com.
Like an increasing number of other SaaS services, Google Apps and Salesforce can be protected by certificate and proxy authentication, as we noted in our review of Symplified.
The service is currently OEM'd and repackaged by cloud services providers and managed services providers (MSP) for use by their clientele, often as part of a package or as an option to various hosting services. It's a federated identity component that works with Microsoft Active Directory (tested), Novell's eDirectory, or Oracle/Sun's directory services.
Each CSS-subscribing MSP develops a customized portal, where numerous known SaaS services can be proxied through a customer's Active Directory as a value-added, audited authentication mechanism. The benefits are that a client can start and stop authentication through Active Directory and use some of the credentials of Active Directory to manage authentication to contracted SaaS services.
We linked our test Active Directory to NetIQ's test portal, which is functionally identical to those used by MSPs. Once accomplished, web access to the portal establishes users, groups and SaaS services. First, we time-synced the servers; getting out of sync can cause problems in terms of certificate generation and expiration, which cause SaaS sites to reject logon credentials through the CSS — and cause subsequent support issues.
Each MSP is responsible for the services that they support, but unsupported SaaS providers can be "programmed" in if the service supports SAML logons. NetIQ CSS has code examples if needed for new/unknown services, and a savvy SAML and Java programmer can put them together as a service selection for the SaaS proxy access. Usually, the CSS takes care of the background SAML code.
We generated a link with an MSI (Windows installation package) for our server. In turn, the server links through a running service to the portal. As expected, the service installed into our Windows 2008 R2 server established a real-time link to the test portal, and the audit portion of the software knew when the server was down.
Indeed, if the server's down, its database of credentials and certificates can't be accessed or updated; we found this by accident. This also prevents old/dead credentials from being erroneously authorized. Lesson: keep the linkage server up or make it redundantly available.
Each desired SaaS service is initially negotiated; as an example, the Google Apps service is established and advanced logon is modified for certificate and proxy service (both, or one or the other). We started a clean Google Apps account, noting credentials.
In turn, we established the logon criteria for Google Apps within the portal app. Users then get certificates that are used for authentication, along with proxy URLs for logon to the desired service, for example Google Apps. This encrypts and authenticates the user-SaaS conversation, and allows administrators control over who can access what, and when the access can be revoked or granted.
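The time-sync caveat in the procedure above is worth seeing concretely. As an added example (not NetIQ's code), this shows the SAML relying party's check of an assertion's NotBefore/NotOnOrAfter window with a small skew allowance, and how an identity provider whose clock has drifted issues assertions the relying party refuses; the article attributes the rejections to certificate expiry, and the assertion window is the same kind of time-bound check and fails the same way. The 30-second skew, the issuer name and all timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"           # SAML timestamps are UTC with a 'Z' suffix
SKEW = timedelta(seconds=30)        # skew tolerance; the value is an assumption

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, TS).replace(tzinfo=timezone.utc)

def check_validity(assertion_xml: str, now: datetime, skew: timedelta = SKEW):
    """Service-provider side: accept only inside the Conditions window
    (NotBefore <= now < NotOnOrAfter), widened by the skew allowance."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = parse_ts(cond.attrib["NotBefore"])
    not_on_or_after = parse_ts(cond.attrib["NotOnOrAfter"])
    if now + skew < not_before:
        return False, "not yet valid: issuer clock is ahead of ours"
    if now - skew >= not_on_or_after:
        return False, "expired: issuer clock is behind ours, or a replay"
    return True, "ok"

def build_assertion(idp_clock: datetime, lifetime=timedelta(minutes=5)) -> str:
    """Identity-provider side: a constructed minimal assertion stamped with
    the IdP's own (possibly drifted) clock. Issuer URL is a placeholder."""
    nb, noa = idp_clock.strftime(TS), (idp_clock + lifetime).strftime(TS)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_c1" Version="2.0" '
            f'IssueInstant="{nb}"><saml:Issuer>https://idp.example</saml:Issuer>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"/></saml:Assertion>')

SP_NOW = datetime(2011, 8, 1, 12, 0, 0, tzinfo=timezone.utc)  # the SP's clock

def demo():
    """Acceptance for: IdP in sync, IdP 3 minutes ahead, IdP 10 minutes behind."""
    synced = check_validity(build_assertion(SP_NOW), SP_NOW)[0]
    ahead = check_validity(build_assertion(SP_NOW + timedelta(minutes=3)), SP_NOW)[0]
    behind = check_validity(build_assertion(SP_NOW - timedelta(minutes=10)), SP_NOW)[0]
    return synced, ahead, behind

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Only the in-sync issuer is accepted; a clock a few minutes off in either direction produces the logon rejections and support calls the review describes.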
The only downsides we saw were that communications between the CSS portal, our servers, and the SaaS sites we connected to could be slow to update and synchronize.
Compared to Symplified, NetIQ CSS is a bit more primitive in some ways, but for those trying to take many of their applications to the cloud, yet retain a compatible directory service (our example: Active Directory), it's a great way to manage secure and revocable authentication without much hassle.
It's to be used by those with administrative backgrounds at minimum, and its product — the URL that civilians use to get to their apps — is highly simplified. Underneath, it uses LDAP, and so is cross-directory services compatible, and yes, we used it with a Mac.
CloudPassage Halo Daemon
CloudPassage has a cloud service designed to embed a security monitoring and policy enforcement daemon in online cloud instances. The cloud service can then control the group of instances, adding several security elements to them that are pushed out to the servers.
The product is limited to Linux instances (2.16+ kernels) but adaptable to other Linux machines. This is a brown-belt-in-Linux+ product, and not to be attempted by civilians, but they're unlikely to want to wrap a dozen Linux instances into AWS on a whim, either.
The service currently offered by CloudPassage is free, and according to a CloudPassage spokesperson, will remain free "forever". A future option is planned that will do more. For now, CloudPassage installs with instructions for the two main branches of Linux, Debian and Red Hat, and their variants. The instructions on the website to register and install devices have a few errors, but the aforementioned brown belts will figure them out.
Once an instance has the settings (minimal) and the CloudPassage daemon running, the server phones home to the instance provided to each customer, then describes what it feels is wrong with the server that just logged in.
CloudPassage raises one of three levels of alarms, all related to configuration. There are details and references, and best-practices suggestions — some of which can be ignored and are informational only, as in "we told you this might be bad". It doesn't suggest "tricks"; rather, it recommends best-practices configuration.
We tested CloudPassage in two ways: with independent (single) instances, then by spinning up a half dozen cloned AWS images and embedding the daemon inside via our nFrame NOC data center. The Halo Daemon wakes up initially and runs a scan on the image, then reports findings and makes policy changes based on three broad categories: configuration, software, and firewall considerations.
It reads numerous config files and critiques them, raising alarms and informational suggestions per server. Periodic updates are then performed to trend changes and educate administrators.
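As an added example (not CloudPassage's code), this is the kind of check a host-side policy daemon performs for the configuration category: read a config file, grade each directive against a rule, and report findings at three severity levels. The sshd_config excerpt, the rules and the severity names CRITICAL/WARNING/INFO are constructed assumptions; the article says only that three levels exist.

```python
# Constructed sshd_config excerpt; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes          # trailing comment, ignored by the parser
PasswordAuthentication yes
X11Forwarding no
"""

# (directive, acceptable values, severity, advice). Severity names are assumed.
RULES = [
    ("PermitRootLogin", {"no", "prohibit-password", "without-password"},
     "CRITICAL", "do not allow root to log in directly over SSH"),
    ("Protocol", {"2"}, "CRITICAL", "SSH protocol 1 is obsolete; allow only 2"),
    ("PasswordAuthentication", {"no"}, "WARNING", "prefer key-based authentication"),
    ("X11Forwarding", {"no"}, "INFO", "disable unless X forwarding is needed"),
]
SEVERITY_RANK = {"CRITICAL": 3, "WARNING": 2, "INFO": 1}

def parse_config(text: str) -> dict:
    """Directive -> value for the whitespace-separated sshd_config form;
    comments are stripped and the last occurrence of a directive wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit(text: str) -> list:
    """Grade explicit settings against RULES and return
    (severity, directive, observed_value, advice) tuples, worst first.
    Unset directives are not graded here; a real daemon would know the defaults."""
    settings = parse_config(text)
    findings = [(sev, d, settings[d], advice)
                for d, ok, sev, advice in RULES
                if d in settings and settings[d] not in ok]
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f[0]])

def highest_severity(findings: list):
    """Overall grade for the host, or None when nothing was flagged."""
    return max((f[0] for f in findings), key=SEVERITY_RANK.get, default=None)

if __name__ == "__main__":
    for sev, directive, observed, advice in audit(SAMPLE_SSHD_CONFIG):
        print(f"[{sev}] {directive}={observed}: {advice}")
```

Run against the sample, the audit reports two CRITICAL findings and one WARNING and leaves X11Forwarding alone, which is the per-server "critique plus informational suggestion" output the review describes.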