4 steps for hardening your Cloud Storage buckets: taking charge of your security

By Scott Ellis and Subhasish Chakraborty, GCP Product Management

This post is the second in a new “taking charge of your security” series, providing advice and best practices for ensuring security in the cloud. Check out the first post in the series, “Help keep your Google Cloud service account keys safe.” 

Cloud storage is well-suited to many use cases, from serving data, to data analytics, to data archiving. Here at Google Cloud, we work hard to make Google Cloud Storage the best and safest repository for your sensitive data: For example, we run on a hardened backend infrastructure, monitor our infrastructure for threats and automatically encrypt customer data at rest.

Nevertheless, as more organizations use various public cloud storage platforms, we hear increasingly frequent reports of sensitive data being inadvertently exposed. It’s important to note that these “breaches” are often the result of misconfigurations that inadvertently grant access to more users than was intended. The good news is that with the right tools and processes in place, you can help protect your data from unintended exposure.

Security in the cloud is a shared responsibility, and as a Cloud Storage user, we’re here to help you with some tips on how to set up appropriate access controls, locate sensitive data and do your part to help keep data more secure with tools included in Google Cloud Platform (GCP).

Check for appropriate permissions

The first step to securing a Cloud Storage bucket is to make sure that only the right individuals or groups have access. By default, access to Cloud Storage buckets is restricted, but owners and admins often make the buckets or objects public. While there are legitimate reasons to do this, making buckets public can open avenues for unintended exposure of data, and should be approached with caution.

The preferred method for controlling access to buckets and objects is to use Identity and Access Management (IAM) permissions. IAM allows you to implement fine-grained access control to your storage buckets right out of the gate. Learn how to manage access to Cloud Storage buckets with this how-to guide. Just be sure that you understand what permissions you are granting to which users or groups. For example, granting access to a group that contains a large number of users can create significant unintended exposure. You can also use Cloud Resource Manager to centrally manage and control your projects and resources.

Check for sensitive data

Even if you’ve set the appropriate permissions, it’s important to know if there’s sensitive data stored in a Cloud Storage bucket. Enter Cloud Data Loss Prevention (DLP) API. The DLP API uses more than 40 predefined detectors to quickly and scalably classify sensitive data elements such as payment card numbers, names, personal identification numbers, telephone numbers and more. Here’s a how-to guide that teaches you how to inspect your GCS buckets using DLP API.

Take Action

If you find sensitive data in buckets that are shared too broadly, you should take appropriate steps to resolve this quickly. You can:

Make the public buckets or objects private again
Restrict access to the bucket (see Using IAM)
Remove the sensitive file or object from the bucket
Use the Cloud DLP API to redact sensitive content

You should also avoid naming storage buckets which may contain sensitive data in a way that reveals their contents.

Stay vigilant!

Protecting sensitive data is not a one-time exercise. Permissions change, new data is added and new buckets can crop up without the right permissions in place. As a best practice, set up a regular schedule to check for inappropriate permissions, scan for sensitive data and take the appropriate follow-up actions.

Tools like IAM and DLP help make it easy to secure your data in the cloud. Watch this space for more ways to prevent unintended access, automate data protection and protect other GCP datastores and assets.

Quelle: Google Cloud Platform

The Government Has Dropped Its Demand That Facebook Not Tell Users About Search Warrants

Matt Rourke / AP

Federal prosecutors are dropping their demand that Facebook be barred from alerting users about search warrants for information about their accounts, according to a new court filing on Wednesday.

In making the decision, prosecutors did not concede the legal arguments raised by Facebook and civil liberties and electronic privacy groups against the nondisclosure orders attached to the search warrants. According to court papers filed jointly by Facebook and the US attorney's office in Washington on Wednesday, prosecutors determined that the underlying investigation that prompted the search warrants — the details of which are under seal — had “progressed … to the point where the [nondisclosure orders] are no longer needed.”

The announcement came less than 24 hours before an appeals court in Washington, DC, was set to hear arguments in the case. According to the joint filing, a lower court judge vacated the nondisclosure orders at the government's request, making Facebook's appeal of those orders moot. The lawyers asked the District of Columbia Court of Appeals to dismiss the case, and the court granted that request on Wednesday afternoon.

Nate Cardozo, a lawyer for the digital rights group Electronic Frontier Foundation, told BuzzFeed News that although the organization was pleased with the outcome, he expected there would be other cases in the future that would ultimately lead to definitive court rulings on the issue of when the government can block tech companies from notifying customers about demands for their information. EFF was one of several advocacy groups that filed briefs in the case arguing that the gag orders were unlawful.

“We've won the battle but the war is not over,” Cardozo said.

There’s already another case pending in federal court in Seattle that touches on some of the same concerns raised in the Facebook case. Microsoft is suing the Justice Department over a section of federal law that the government relies on to seek court orders that block tech companies from notifying subscribers when prosecutors request information. The judge ruled in February that part of Microsoft’s constitutional challenges could go forward. A trial is scheduled for June 2018.

Although most information about the case is sealed, EFF speculated in its court papers that the case relates to the mass arrests during protests in Washington on President Trump's inauguration day. More than 200 people were arrested in the hours around the inauguration, and felony charges for rioting and property destruction are pending against the majority of those defendants.

According to information about the case that is public, federal prosecutors served Facebook with search warrants for three account records over a three-month period. A District of Columbia Superior Court judge signed off on nondisclosure orders that prevented Facebook from telling users about the warrants until Facebook complied with the government's request.

Facebook unsuccessfully challenged the nondisclosure orders before the Superior Court judge, and appealed to the DC Court of Appeals. The appeals court issued a public order in June saying that it would accept input from any outside groups that Facebook or the government wanted to weigh in, although those groups wouldn't be privy to details about the investigation.

Several civil liberties and electronic privacy groups filed briefs in late June opposing the nondisclosure orders, arguing that users should have the right to challenge demands for their information, particularly if they involved First Amendment–protected speech activity. Facebook's interests may not always be the same as its customers, they said.

The DC Court of Appeals had scheduled public arguments for Sept. 14.

Arthur Spitzer, legal director of the American Civil Liberties Union of the District of Columbia, said in an email to BuzzFeed News that although the fight over the gag orders was over, it was still possible that the individuals whose Facebook accounts were at issue could go to court to challenge the government's requests for their information.

“Now that Facebook is free to notify these three users that their accounts are subject to a search warrant, we hope the users will contact us or other lawyers to challenge the government's attempt to conduct a fishing expedition through their Facebook accounts,” Spitzer said.

A spokesman for the US attorney's office did not immediately return a request for comment. Facebook's lawyer, John Roche of the law firm Perkins Coie in Washington, referred a request for comment to the company, which did not immediately respond.

Quelle: <a href="The Government Has Dropped Its Demand That Facebook Not Tell Users About Search Warrants“>BuzzFeed

Apple's Best Product Is Its Media Strategy

The big question on everyone’s mind, as Apple CEO Tim Cook stepped onstage to announce an array of iPhones and a new Apple Watch and a new Apple TV on Tuesday was: Will there be a nuclear war with North Korea?

No. Wait. That wasn't it.

It was: What is happening in Florida and Texas and the islands in the Atlantic in the aftermath of two brutal hurricanes? Or maybe the question was actually about Russia and the election. Or DACA. Or Ted Cruz masturbating. Or, well… In fairness, there’s a lot going on.

Which is why Apple's ability to cut through the noise and din is so remarkable. Of all the ways the world has changed since Steve Jobs rolled out the first iPhone a decade ago, our frenzied public sphere seems the loudest and most unrecognizable. We're louder, courser, more unpredictable; the radio is at full volume, stuck between stations, forever.

Thanks to the power and success of the company he leads, boring Tim Cook may be the one human alive better able to make news break through than Donald Trump, at least on occasion. And so, on Tuesday, the big question on everyone's mind was ultimately about iPhones. (Don't take our word for it, here's what Twitter's trending topics looked in the United States after Apple's presser. Worldwide trends were similar.)

No other person or entity, no politician or even Hollywood franchise is so able to so fully peel away the layers of our daily reality in service to engineered desire. This is Apple's specialty. Its entire purpose is to make you pay attention to it; to make you want it. And it is very, very good at that. This was so fully on display Tuesday that it's worth examining, and understanding.

Apple doesn't have press conferences, it has “events.” On Tuesday, the event was in Apple's new home, a vast new 175 acre campus that, as Cook said, “fuses buildings with an open parkland.” It's a stunning place, with rolling hills and — according to Apple — some 9,000 newly planted trees. The landscaping neatly conceals Cupertino's nearby suburban clutter of strip malls and cookie-cutter apartment homes. Everything is utterly new, so much so that there was a strong scent of manure fertilizing all those freshly-planted trees and grasses. And forever looming in the distance, across the park, is Apple's new headquarters building. It's spaceship.

Apple's new campus, under California clouds.

Mat Honan

As the media floated in on waves of warm California air, we were greeted by handlers, standing every 30 feet or so directing us to where they want us to go; directing us to have a nice day. They were almost reinforcing the notion that we would have a nice day.

They ushered us into the Steve Jobs Theater, which is buried like a bunker in the earth and topped with a great glass shrine. There we were fed quail eggs on polenta, and salmon with creme fraiche for breakfast. The portions were small, but there seemed to be a limitless supply. And at the appointed hour, they directed everyone through the glass emptiness of that upstairs reception hall, through the white emptiness of a downstairs lobby, and into the theater below, all leather seats and rumbling speakers. The stage was set, very literally, for a show in which the venue itself played a large supporting role.

Ahhhhhh…. And then off went the lights. The international press, ostensibly there to disseminate news of the newest Jesus Phone throughout the world, was asked to shut their laptops so as not to muck up the show. And in the darkness, there came the Voice of Steve. The press conference itself began with Steve's words to Apple the company, telling it what it was and what it would be after he was gone. “What’s going to keep Apple, Apple, is if we keep us, us,” said the voice in the darkness.

View Video ›

video-player.buzzfeed.com

It was an emotional scene, one that left both a visibly affected Cook, and several of the employees seated in the audience choking back tears. The theater erupted in applause. This is something that people watching from livestreams nearly always comment on: the applause in the theaters at these events. You could be forgiven for thinking the press is howling in appreciation. Although some certainly do, the clapping is largely driven by Apple employees, who were seated (or seeded) throughout the audience, and broke into applause

But the real show began when Cook called Angela Ahrendts, the former Burberry CEO who left to run Apple's retail efforts, onstage. As a part of her update on the company's retail efforts, she told the audience that “we don’t call them stores anymore, we call then town squares, because they’re gathering places.”

View Video ›

Facebook: video.php

Sneer at this statement if you want, but it is key to understanding precisely how the company engineers desire. Apple isn't in the phone business, or the computer business. It is in the business of selling you the person you want to be. And very often this is the work of branding language.

Why would anyone go to a store, when they could gather in a square? One comes to the Apple Town Square not to do something as gauche as commerce, but to associate and wander and learn.

From here, there were a slew of product announcements. Watches. Apple TVs. Phones. We were told that Apple Watch is number one. (At what? Who cares.) The chip that powers several of these devices would have no pedestrian numeric designation, rather it is the A11 Bionic. There was Animoji and face unlock and “one more thing.” The presentation that began with an address from the former Burberry CEO, ended with a phone that can only be described as a luxury device.

What's really surprising is that exactly none of the announcements were surprising. This year, thanks to a barrage of leaks, everyone knew what was coming, more or less, but we all watched anyway. Rapt.

And then its up and out of the theater and back into the hall, where it's time to get hands-on with the devices — of which there are always just slightly too few, which encourages crowding around the tables, jockeying, shoving to get the perfect shot. Like every other moment at these events, this is not an accident. Apple knows precisely how many people will attend each event, and clearly thinks carefully about how the hands-on area is laid out.

View Video ›

Facebook: video.php

The next phase of this strategy is about access. Some publications — typically bigger ones, or ones with an audience Apple particularly wants to reach — will get review units. (In recent years, this has included BuzzFeed News.) Others will not. Just as significantly, no one gets them exclusively. This creates an incentive for the outlets that do get review units to make a big splash with them, and to heavily promote their review coverage.

Of course, Apple also has to deliver. And historically it has done this. Even antenna-gate, by far the biggest flaw in a phone it shipped, was not a big deal. Its attention to detail makes sure it doesn't ever fall on its ass. Your opinion may differ as to whether or not the iPhone is the best handset on the market — there are certainly cases to be made for other devices — but it's pure nonsense and an indicator that a person should not be take seriously if they argue that it's not among the very best.

These new phones appear to be pretty wonderful. There was some teeth-gnashing about how the late-arriving, very expensive iPhone X will affect Apple's historically strong fourth quarter sales and, subsequently, its earnings. And maybe rightfully so, but ultimately, the company will sell a bazillion of these super high margin devices and reap incredible profits from them.

And so this is what Apple does now, consistently. It rolls out wonderful devices, drapes them in superlatives and its own branded language, and creates an air of exclusivity around them, both by making them hard to get a hold of in advance, and casting them as luxurious but accessible items. People clamor for them, and the press clamors to serve up the news, which makes people want them all the more. And so the cycle of engineered desire goes.

View Video ›

Facebook: video.php

Do you remember when the first iPhone came out? One thing I remember, strongly, is that it was a replacement for a lot of other stuff. Before the iPhone, perfectly reasonable people who had no more pockets then we do today often carried around a cell phone, an iPod (or other MP3 player) and sometimes even a camera too. More than a decade ago, I wrote of the original iPhone that it “brings together several features of the iPod, digital camera, smart phones and even portable computing to one device, with a widescreen display and an innovative input method.” It genuinely offered more convenience and a better way of doing things. It went on to redefine not just the marketplace for cell phones, but also computers, communication, the economy and our very culture. It was, to put it mildly, utterly wild.

It seems extremely unlikely that Apple will repeat that trick. The iPhone X, despite the language around it, is simply a better version of an already very nice thing at the end of the day. But what is repeatable, even bankable, is Apple's corporate myth-making. That is a product unto itself.

It was 90 degrees when we walked blinking, up out of Steve Jobs Theater, and back into the sunlight, surrounded by all that flowing grass, and those freshly planted 9,000 trees. It was a gorgeous, and exquisitely designed space, there's no denying it. But also, come on. You could still smell the bullshit.

Quelle: <a href="Apple's Best Product Is Its Media Strategy“>BuzzFeed

Protecting applications and data on Azure Stack

Azure provides global scale cloud computing running in Microsoft Datacenters in over 40 regions. Azure Stack extends the value of Azure to a wider range of customers and scenarios by making a core set of services available to run on integrated systems running in customer’s or service provider datacenters. Many companies and service providers are evaluating Azure Stack Development Kit (ASDK) to learn more. Many of these companies are going beyond evaluation and thinking through strategy, design, and implementation of a hybrid cloud for modern apps and on-premises cloud services. Business continuity and disaster recovery (BC/DR) planning is an important part of a comprehensive strategy.

Have you downloaded and installed ASDK? Download it now.

Business continuity and disaster recovery planning are closely related processes that a company uses to prepare for unforeseen risks. In this post, we’ll go through the protection objectives for different application types and recovery objectives so you can think about solutions that meet your business needs. These objectives will have a direct impact on the BC/DR strategy that you choose.

Azure Stack BC/DR Areas

There are four main areas to consider for a BC/DR strategy:

Protect the underlying infrastructure that hosts IaaS virtual machines, PaaS services, and tenant applications and data.
Protect IaaS-based applications and data.
Protect PaaS-based applications and data.
Archive PaaS data for long-term retention.

This blog focuses on the second point: protecting IaaS virtual machine-based applications and data using Microsoft and partner products for backup and restore, and replication and failover. The Azure Stack team is engaged with multiple partners to ensure that their third-party solutions work on Azure Stack. Expect additional blog posts covering the other three areas in the near future. 

Backup and restore IaaS virtual machine-based applications

Azure Stack supports Windows- and Linux-based applications deployed on virtual machines that are provisioned as IaaS Azure Resource Manager virtual machines. Backup products with access to the guest operating system (OS) can easily protect file, folder, OS state, and application data using similar policies you use today for near-line and long-term retention. You have the flexibility to use Microsoft products like Azure Backup and System Center Data Center Protection Manager, and third-party products to back up data on-premises, to a service provider, or directly to Azure. This approach gives you the flexibility of choice for protecting your applications and data using products you are familiar with and trust.

Replication and failover for IaaS virtual machine-based applications

Applications that require minimal downtime and minimal data loss need additional protection. Backup and restore is ideal for customers that can tolerate application downtime for an extended period. However, to achieve minimal downtime, you need to replicate data to a secondary location and orchestrate failover of the application in the event of a disaster. With Azure Stack, you have the flexibility to use Azure Site Recovery to replicate data directly to Azure and failover your application to run in Azure. Applications deployed on Azure Stack that support native replication, like Microsoft SQL, can replicate data to another location where the application is running. You can also use third-party replication and orchestration products to failover applications to another location. Like backup and restore, this approach gives you the flexibility and choice for protecting your applications and data.

Azure Stack partners and deployment scenarios

Important considerations for general availability

In-guest protection—Azure Stack only supports protection technologies at the guest level of an IaaS virtual machine. Azure Stack does not support installing agents on underlying infrastructure servers and does not rely on hypervisor-based technologies.
Azure Site Recovery—Upon general availability, Azure Site Recovery will support failover to Azure, and test failover in Azure. Azure Site Recovery will support re-protection of the IaaS virtual machine to your Azure Stack instance using a manual process, with automation forthcoming. To get failover from Azure to Azure Stack, you will need to shut down the IaaS virtual machines, manually copy the data to your Azure Stack instance, and then recreate the IaaS virtual machine. At that point, you can enable protection for the IaaS virtual machine as a new instance.
Site to site protection—Protecting IaaS VM resources across two Azure Stack clouds is supported using the Azure Backup Server or a third-party product from one of our partners. 

Recovering from a catastrophic data loss

Your BC/DR planning must prepare your company to recover from a disaster that permanently takes your entire Azure Stack cloud offline and results in complete and unrecoverable data loss. Deploying your Azure Stack cloud will require you to engage your hardware vendor. If you have a secondary site, consider deploying an Azure Stack instance there, which will allow you to recover tenant applications and data without having to wait for a new cloud to be deployed.

Next steps

Download and install ASDK today and get familiar with hosting your applications in a hybrid cloud. As you gain insight into the applications that you plan to deploy into Azure Stack, think through the recovery objectives for your applications. Identify the different protection schemes that make sense, and consider the technologies and products that will help you achieve these objectives.

Reach out to your vendor to discuss how they will support BC/DR scenarios on Azure Stack. Start testing application and data protection on ASDK. As we get closer to general availability, you will see updated documentation about Azure Stack. If you want to talk to the Azure Stack product group about BC/DR, fill out this survey so we can reach out to you.

More information

Attending Microsoft Ignite this year in Orlando? Check out these two sessions for information about Azure Stack BC/DR:

Microsoft Azure Stack business continuity and disaster recovery
Recovering Azure Stack infrastructure from a catastrophic data loss

We always want feedback—please sign up to talk to us.
Quelle: Azure