Akamai Diversity

Recently in Cloud Computing Category

Akamai is aware of a talk scheduled for Black Hat USA 2015 this week that will discuss some potential issues with platforms like ours.

Mike Brooks and Matthew Bryant, security analysts at Bishop Fox, will give the following talk on Aug. 6:

Bypass Surgery: Abusing Content Delivery Networks with Server-Side Request Forgery (SSRF), Flash and DNS

OurMine Team Attack Exceeded 117 Gbps

A new hacking group has landed on the radar of Akamai's PLXsert and CSIRT teams by taking responsibility for DDoS attacks against several of our customers in the financial services sector.


The entity calls itself the "OurMine Team" and, if it is to be believed, has gained access to one customer's $500,000 account. The group has announced it will give that money to the poor.


How Semantic URL Structure Improves SEO

This is an interesting time to be responsible for your organization's web presence. You've probably heard that marketing is becoming more accountable for business growth from websites, applications and all kinds of digital programs.

We've all been there. Traffic is bumper to bumper, and it looks like you're going to miss your meeting. But you've got access to cloud applications, so you search and find a coffeehouse two blocks ahead. You drop in, order the dark roast, punch in the password (javalover), and scour your email for the meeting link. You finally get your presentation open from a cloud storage app, fire up your smartphone and Bluetooth earpiece, and take a breath. You made the meeting after all (and the coffee is better than the stuff in the conference room to boot).
Remember Saved by the Bell? You know, Zack Morris, A.C. Slater, Screech and the gang from the early '90s Saturday morning TV show? Mindlessly flipping through the late night channels, I landed on the episode in which Lisa Turtle (Lark Voorhies) was trying to impress a "scholarly gentleman" by posing deep questions about life:

"What is art? Are we art? Is art, art?"

Cisco and Akamai Announce Solution to Enable Digital Experiences and Relieve Network Congestion

Today marks another important milestone in Akamai's relationship with Cisco. Together we are enabling IT to respond to the business challenge of supporting the huge traffic increases brought on by the digital era, specifically the challenge of supporting business leaders who are innovating at the branch office. Consider a retailer engaging customers with mobile assisted selling apps, digital displays and customer wi-fi. Think about a banker building out virtual branches to promote new financial services. Contemplate educators delivering a rich media curriculum to thousands of students. Reflect on business leaders adopting myriad digital experiences to improve productivity and drive revenues. In all these situations, organizations across the board are adopting new applications and services that require significantly more bandwidth than these "branch" locations have needed before. Just as important, these applications are no longer hosted solely within the corporate data center. They are delivered from private or public cloud infrastructures, or directly from the Internet as SaaS applications.


OPEN Thoughts

It was only six months ago that Akamai opened its core technology, revealing the Open Platform Initiative strategy. The main idea was to enable everyone, every developer, every customer and every partner, to access Akamai technology and benefit from its power. One could argue that this was a small step on a long path. But let's look back and see how far we have come, using the evolution of technology as our context.

As technology has evolved, there have been milestones that changed the way we use it in our lives, milestones that changed and improved things forever. More importantly, technology plays a key role in the way we all behave, communicate, learn, share and spend our leisure time. Technology is now part of our lives as never before.

Whither HSMs

Hardware Security Modules (HSMs) are physical devices attached to or embedded in another computer to handle various cryptographic functions. HSMs are supposed to provide both physical and logical protection of the cryptographic material stored on the HSM while performing cryptographic functions for the computer to which they are attached.
As websites move to the cloud, are HSMs the right way to achieve our goals?
Before we talk about goals, it is useful to consider a basic model for talking about them. Our Safety team often uses the following model to consider whether a system is safe:
What are the goals we are trying to achieve? (Or, in Leveson's STPA hazard-oriented view, what are the accidents/losses which you wish to prevent?)
What are the adversaries we wish to defeat?
What are the powers available to those adversaries? What *moves* are available to them?
And finally, what controls inhibit adversaries' use of their powers, thus protecting our goals?
Our hazards (or unacceptable losses) are:
An adversary can operate a webserver that pretends to be ours;
An adversary can decrypt SSL traffic; and
An adversary can conduct a man-in-the-middle attack on our SSL website.
In the protection of SSL certificates in the cloud, it would seem that our goals are two-fold:
Keep the private key *secret* from third parties; and
Prevent unauthorized and undetected use of the key in cryptographic functions. While SSL certificate revocation is a weak control (many browsers do not check for revocation), it is that which generally constrains this goal to both unauthorized *and* undetected; a detected adversary can be dealt with through revocation.
I could argue that the first is a special case of the second, except that I want to distinguish between "cryptographic functions over the valid lifetime of the certificate" and "cryptographic functions after the certificate is supposed to be gone."
As an aside, I could also argue that these goals are insufficient; after all, except for man-in-the-middle attacks, *any* SSL certificate signed by any of the many certificate authorities in the browser store would enable an adversary to cause the first of the losses. HSMs don't really help with that problem.
Given that caveat, what are the interesting adversaries?  I propose four "interesting" adversaries, mostly defined by their powers:
The adversary who has remotely compromised a server;
The adversary who has taken physical control of a server which is still online;
The adversary who has taken physical control of a server at end of life; and
The adversary who has been given administrative access to a system.
The moves available to these adversaries are clear:
Copy key material (anyone with administrative access);
Change which key material or SSL configuration we'll use (thus downgrading the integrity of legitimate connections);
Escalate privileges to administrative access (anyone with physical or remote access); and
Make API calls to execute cryptographic functions (anyone with administrative access).
What controls will affect these adversaries?
Use of an HSM will inhibit the copying of keying material;
Use of revocation will reduce the exposure of copied keying material;
System-integrated physical security (systems that evaluate their own cameras and cabinets, for instance) inhibit escalation from physical access to administrative access;
Auditing systems inhibit adversary privilege escalation;
Encrypting keying material, and only providing decrypted versions to audited, online systems inhibits adversaries with physical control of systems.
What I find interesting is that for systems outside the physical purview of a company, HSMs may have a subtle flaw: since HSMs must provide an API to be of use, *that API remains exposed to an adversary who has taken possession of an HSM*. While this may be a minor issue if the HSM sits in a server in a "secure" facility, it becomes significant in distributed data centers. By contrast, a control system that combines tightly coupled local physical security, auditing, and software encryption may strike a different balance: slightly less stringent security against an adversary who can gain administrative access (after all, they can likely copy the keys), in exchange for greater security against adversaries who have physical access.
This isn't to say that this is the only way to assemble a control system to protect SSL keys; merely that a reflexive jump to an HSM-based solution may not actually meet the security goals that many companies might have.
(Full disclosure: I'm the primary inventor of Akamai's SSL content delivery network, which has incorporated software-based key management for over a decade.)
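To make the trade-off concrete, here is an added toy evaluation of the essay's goals/adversaries/moves/controls model (example code written for this page, not Akamai's). The power names, control names and the rules for which control blocks which move are assumptions that encode the claims above; it compares the "reflexive" HSM deployment against the software-based control system the essay describes.

```python
# Added example, not Akamai's code: toy evaluation of the essay's model.
# Power names, control names and the blocking rules below are assumptions
# encoding the essay's claims, not properties of any real product.

# Adversaries, described by the powers the essay assigns them.
ADVERSARIES = {
    "remotely compromised server":     {"remote", "online"},
    "physical control, server online": {"physical", "online"},
    "physical control, server at EOL": {"physical"},  # box is off the network
    "granted administrative access":   {"admin", "online"},
}

# The "reflexive" HSM deployment versus the essay's alternative: software-
# encrypted keys decrypted only for audited online systems that evaluate
# their own local physical security.
HSM_ARCH = {"hsm", "auditing", "revocation"}
SW_ARCH = {"sw_encryption", "auditing", "physical_security", "revocation"}
LOSS_COPY, LOSS_USE = "key copied", "key used undetected"


def residual_losses(powers, controls):
    """Return the essay's losses that an adversary can still cause."""
    losses = set()
    # Auditing only sees what happens on a live, online system.
    detected = "auditing" in controls and "online" in powers
    # Move: escalate to administrative access on a live system.
    admin = "admin" in powers
    if not admin and "online" in powers:
        if "remote" in powers:
            admin = True
        elif "physical" in powers:
            # Systems watching their own cabinets and cameras block escalation.
            admin = "physical_security" not in controls
    # Moves with administrative access: copy key material, call the API.
    if admin:
        if "hsm" not in controls:
            losses.add(LOSS_COPY)  # revocation limits exposure, not the copy
        if not detected:
            losses.add(LOSS_USE)
    # The subtle flaw: whoever holds the HSM can still drive its API, and an
    # offline box leaves no audit trail. Software-encrypted keys on an offline
    # disk are only ciphertext, so no equivalent move exists there.
    if "physical" in powers and "hsm" in controls and not detected:
        losses.add(LOSS_USE)
    return losses


def compare(architectures=None):
    """Map architecture name -> adversary name -> sorted residual losses."""
    archs = architectures or {"HSM": HSM_ARCH, "software": SW_ARCH}
    return {name: {adv: sorted(residual_losses(p, c)) for adv, p in ADVERSARIES.items()}
            for name, c in archs.items()}
```

Running compare() reproduces the essay's conclusion: the HSM deployment loses only to the adversary who walks off with the hardware, while the software-based one loses only to adversaries who reach administrative access.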

For years at Akamai, I have spoken at conferences and with customers about the future of the WAN. While the title of my presentations may have varied - "Next-Generation WAN Services", "How to Redesign your WAN", "Preparing for the Convergence of Private WAN and Internet" - my view has not. Network architectures need to undergo a huge transformation. Why? Because of the increasing amount of web traffic finding its way onto enterprise private networks. It is inevitable given the growing adoption of public cloud services, video and other business or recreational traffic.

Mixing web traffic with other business traffic inside the corporate network creates a lot of strain. The majority of enterprises today still backhaul traffic from the branch office to the data center to access the Internet. The primary reason is security: it is easier to lock down a small number of Internet access points than to go "direct-to-net" at every branch and have to protect all of those locations. The downside of this approach is the performance impact on users in the branch office, whose traffic is unnecessarily routed over large distances, along with scalability challenges because bandwidth available at the branch is limited. Even for those branches that do connect entirely direct to net, you will still have to bring the optimizations into the last mile to solve for scalability and performance. Ultimately, I believe enterprises will increasingly mix and match their Internet strategies for the branch, using techniques like direct to net, split tunnel and path selection depending on factors such as security, quality of service, application type and cost.

Today, we announced that Akamai has been developing new technology, which we call Akamai Unified Performance, that brings application performance "behind the firewall" and into the branch office. With more than 1,000 Commerce, Retail, Hotel and Travel customers, many of them have asked us to help them move their Omnichannel initiatives forward as the digital experience increasingly extends beyond home and mobile into their brick and mortar stores. One of our customers, Marks & Spencer, recently shared that their shoppers spend 8x as much if they can engage them in all three channels. But enabling the in-store Omnichannel experience requires a new approach to the retail store network, as highlighted in this white paper. It involves a whole set of new optimizations that allow retailers to extend their investment and experience with Akamai on the web and get those same optimizations into the store - while also accelerating a great deal of other third-party content delivered by Akamai, given that the Intelligent Platform already delivers 15-30% of all web traffic.

We also announced today that Akamai and Cisco are working together for future integration of Akamai Unified Performance into the Cisco ISR AX series of routers and we showed a working prototype on the main stage at Edge 13.  The intent is to co-develop enterprise network offerings with Cisco aimed at delivering the world's first combined Intelligent Wide Area Network (IWAN) Optimization solution that provides a high quality end user experience for both public and private cloud applications to all remote offices.  You'll be hearing more from us when products are brought to market, but there are so many possibilities when you think about the routing, performance optimization and security capabilities both companies bring to the table which can overcome existing challenges associated with branch office network architectures and the user experience.

It's an exciting day for the enterprise WAN (and me). Read more at www.akamai.com/cisco

Neil Cohen - VP Global Product Marketing, Akamai

This October at the Edge Global Conference I'll be joined by technology visionaries from a wide range of industries and organizations discussing topics related to creating cutting edge experiences ... faster. 

I'm especially excited to share details about the new Developers' Track we'll be introducing. We have some fantastic presenters lined up, including Geoffrey Moore - Author and Business Strategist; Gene Kim - DevOps Author and Entrepreneur; Jason Grigsby - Mobile Web Evangelist; and Josh Clark - Mobile Design Strategist, talking about stimulating topics ranging from DevOps to responsive design, and discussing steps toward adopting these cutting-edge development methodologies.

And, of course, beyond that we will share new information about Akamai product roadmaps, discuss best practices, and network with an incredible group of peers while sharing a beer together after the sessions.


Stay tuned and I look forward to seeing you at Edge 2013.


Guy Podjarny

Vice President, Chief Technology Officer, Web Experience, Akamai
