The Akamai Blog

Recently by Andy Ellis

Andy Ellis

November 1, 2013 9:08 AM

Whither HSMs

Hardware Security Modules (HSMs) are physical devices attached to or embedded in another computer to handle various cryptographic functions. HSMs are supposed to provide both physical and logical protection of the cryptographic material stored on the HSM while handling cryptographic functions for the computer to which they are attached. As websites move to the cloud, are HSMs the right way to achieve our goals? Before we talk about goals, it is

Andy Ellis

August 12, 2013 9:52 AM

Assessment of the BREACH vulnerability

The recently disclosed BREACH vulnerability in HTTPS enables an attack against SSL-enabled websites. A BREACH attack leverages the use of HTTP-level compression to gain knowledge about some secret inside the SSL stream, by analyzing whether an attacker-injected "guess" is efficiently compressed by the dynamic compression dictionary that also contains the secret. This is a type of attack known as an oracle, where an adversary can extract information from an

Andy Ellis

August 1, 2013 9:02 AM

Environmental Controls at Planetary Scale

A common set of security control objectives found in standard frameworks (ISO 27002, FedRAMP, et al.) focuses on environmental controls. These controls, which might focus on humidity sensors and fire suppression, are designed to maximize the mean time between critical failure (MTBCF) of the systems inside a data center. They are often about reliability, not safety[1]; fixating on over-engineering a small set of systems, rather than building in fault tolerance.

Andy Ellis

June 18, 2013 3:38 PM

DNS reflection defense

Recently, DDoS attacks have spiked up well past 100 Gbps several times. A common move used by adversaries is the DNS reflection attack, a category of Distributed, Reflected Denial of Service (DRDoS) attack. To understand how to defend against it, it helps to understand how it works.

How DNS works

At the heart of the Domain Name System are two categories of name server: the authoritative name server, which is

Andy Ellis

March 28, 2013 4:25 PM

How big is 300 Gbps, really?

The 300 Gbps attack this week against Spamhaus certainly seems epic. But how big is it, really? When we think about an attack at Akamai, we think about three things: the attacker's capacity, their leverage, and the target's capacity. And when we think about leverage, it's really comprised of two smaller pieces: how much cost efficiency the attacker expects to get, and how the target's resilience mitigates it. 300 Gbps

Andy Ellis

March 22, 2013 11:45 AM

RSA Conference Recap from CSO, Andy Ellis

I want to take the time to thank everyone who connected with Akamai at the RSA® Conference! Whether you just dropped by to pick up some shwag, or got to spend time discussing our Kona Security Solutions, I appreciate that you took the time in your busy schedule to engage with us. As Akamai's Chief Security Officer, I also get a lot of vendors reaching out to me after a