Cloud Technology and Security Alert News Digest – Issue #15

Update 2019: We’ve been busy working on some great training content around security, check out the Cloud Academy library to prepare on all-things cloud security.

Privacy and Security in the Cloud

Welcome to the Cloud Technology and Security Alert News Digest. This week we’ll discuss the problem of Internet security along with three possible solutions: a new open certificate authority, premium access, and creating an ultra-private internet of your own. We’ll also take a look at the new trend towards Docker orchestration.

Which Internet do you use?

ZDNet has an interesting article about the many ways that the Internet you experience, to a very large degree, depends on our economic and political class. Lenovo’s recent revelation that they only installed Superfish on “consumer” devices – leaving the browsers of their enterprise customer devices under end-user control – is one more indication that enterprise users enjoy a “premium” Internet. In addition, out of mistrust of the activities of US government spy agencies like the NSA, many nations are now encouraging their technology providers to avoid routing regional online traffic through the US, creating still more variations in online experience.

WordPress plugin vulnerability

Ars Technica (among other sources) reports the existence of a critical vulnerability in the Slimstat 3.9.6 WordPress plugin. This version of Slimstat, which is a very widely used analytics tool, is susceptible to blind SQL injection attacks and should be disabled immediately.

The next big Docker thing: orchestration

ZDNet reports that Docker is successfully moving its container orchestration tools through their beta stage. Docker Machine (which allows you to manage containers spread across multiple platforms and technologies), Docker Swarm (a clustering service), and Docker Compose (a tool for marshaling containers playing disparate roles in a distributed app infrastructure) are the key components of this orchestration initiative. Eventually, Docker plans to fully integrate these tools into Amazon EC2, Microsoft Azure, and other cloud platforms.

If you build a better certificate, will they come?

David Holmes at Security Week writes about a proposed initiative designed to provide a practical alternative to inherently weak self-signed SSL certificates. The existence of such weak certificates lies behind many web vulnerabilities, including Lenovo’s recent SuperFish disaster. The Electronic Frontier Foundation (EFF) has proposed a new open Certificate Authority, called Let’s Encrypt, that will make it simpler and more affordable for smaller web providers to deploy secure services. Holmes, while supportive of the effort, suspects that most of the sites that need it most will probably ignore Let’s Encrypt.

Amazon’s CIA cloud goes operational

Amazon’s AWS has long offered specially secured arrangements for sensitive customers like the US government (GovCloud) and China. Now, according to Cloud Computing News, they’ve moved to a new level entirely. Having won the competition to provide private cloud services to the CIA, AWS has now achieved “final operational capability” and can begin supporting communications between seventeen US intelligence agencies.

Cloud Academy