Trend Cloud Security Blog

Security FOR the Cloud

At Trend Micro we are leading the way in security FROM the cloud with our Smart Protection Network by providing threat correlation in the cloud. That strategy, rubbished by some at the time, has since been proved out by the number of competitors now trying to imitate it and the recent real-world test results from NSS Labs. We were also lucky enough to acquire Third Brigade, a Canada-based security firm, earlier this year and get our hands on their superb “Deep Security” threat protection for virtual servers. More than just protection ahead of the patching cycle it offers excellent resource...

PaaS and The Dark Side

The public cloud holds tremendous possibilities for goodness in lowering computing costs and increasing flexibility, but the dark side of the world is always ready to take advantage of cloud delivery models like Platform-as-a-Service (PaaS). Arbor Networks recently spotted a Google AppEngine Platform-as-a-Service application being used for Command and Control (CnC) for a botnet (here is a news article). Google promptly took down the application, but the event raises some interesting issues. In the malware realm, this is nothing new and has been referred to previously as “Malware as a Service”. ...

Catch the Cloud Before It Chases You

Are you still a skeptic about cloud computing? Do you remember when you refused to bank online because it couldn’t be safe? I do. In fact, I even remember working with one of the leading banks in Canada when the CIO declared that no employees should have access to the Internet—for any business reason, ever. He did not last long in his job. Over the past 15 years our reliance on the Internet has steadily increased, encouraged by advancements in technology (including security), a culture of instant gratification and an obsession with efficiency. After a year of media frenzy, some of us are still...

Preventing Catastrophic Failure

Recently, there have been some high-profile failures of cloud computing, including the Sidekick outage, the DDoS attack on Amazon’s EC2 and disruption to Google’s hosted email. Following these debacles, some people have expressed scepticism about the cloud computing model. For example, a response to a CNET article was: “Putting all your beans in a single point of failure for users (in an enterprise or corporation) is suicide.” Here I will consider a range of activities as “Cloud Computing” including SaaS, PaaS and IaaS. All three raise some concerns for companies. Companies that...

Cloud Computing Standards, Dream vs. Reality

Portability and interoperability in cloud computing may seem tangential to security, but avoiding vendor lock-in is about more than having access to competitive pricing or better service. When relying on a single provider there is inherent risk, especially in the availability of the service and data. Throughout history the need for portability and interoperability has usually been dealt with through standardization. Standard railroad gauges enabled cross-continental travel, just as TCP/IP unlocked worldwide communications. It’s not surprising then, that many people look at cloud computing...

When Data Gets Breached in the Cloud, Who Owns the Mess?

Trend Micro has been talking to many data center security folks and Infrastructure-as-a-Service (IaaS) providers to understand the dynamics of cloud security. Something that strikes me is their frequent (mis)perception that the Infrastructure-as-a-Service provider will take care of security in the public cloud. IaaS providers are doing a decent job of baseline security (physical security, perimeter firewall, load balancing, perhaps a network IDS/IPS, etc.) and have to provide a basic ante to the game. While the occasional IaaS vendor strives to differentiate themselves with higher degrees of...

The Sky is Falling on Cloud Computing

Adding to what my colleague Todd has written on the Microsoft/Danger data loss issue… What has been billed as a large-scale failure of cloud computing, more specifically, cloud storage, is making headlines and generating lots of heat but little light. Major outage hits T-Mobile Sidekick users: “Users of T-Mobile’s Sidekick have been suffering through a major outage over the past several days that left many without access to the Web or their address books.” Lawsuits filed over Sidekick outages: “In that lawsuit, Thompson’s lawyers argue why the outage...

Danger and the Cloud

T-Mobile USA’s Sidekick mobile phone service operated by Microsoft’s Danger subsidiary encountered a service disruption that resulted in some Sidekick phone customers losing their personal information including contact names, phone numbers and digital photos (the New York Times had a summary, and The Register has some juicy speculation on the origin of the outage). Many commentators used this episode and other recent “cloud” system outages to cast doubt on the reliability of cloud computing. I suggest taking a breath and a think. What happened to Microsoft with Danger was an IT...

Myths and Misunderstandings of Cloud-based Security

Andreas Marx and Maik Morgenstern presented their paper “Why in-the-cloud scanning is not a solution” at the recent Virus Bulletin 2009 conference. The paper provided a list of the shortcomings of cloud-based security. Over the past year or so there have been several discussions on this topic, but Marx and Morgenstern have done a good job articulating the issues. However, I’d like to counter their issues with some thoughts: Issue #1: The implementations are not proactive, but reactive in nature, despite better response times to new threats. Reality: Replacing hash signatures with...

DDoS and the Cloud: Sad but True

Amazon EC2 customers recently suffered from a concerted Distributed Denial of Service (DDoS) attack that caused some consternation for the web-based code hosting service Bitbucket (news courtesy of my favorite IT tabloid, The Register). An unfortunate fact of life about a massive DDoS such as the one Bitbucket appears to have suffered is that there is no defense once the incoming network pipes are full other than shutting off the DDoS. Trend Micro has to wrestle with DDoS attacks as part of our antivirus business as well as our hosted security business (shameless sales plug: check out InterScan Hosted...
