Vanaf 20:15 heeft het virtualisatie-platform xen5.redbee.nl nog onbekende problemen.
Momenteel is de server onbeschikbaar, Er is een engineer on-call om dit probleem zo spoedig mogelijk op te lossen.

Zodra er meer informatie omtrent het probleem beschikbaar is zullen we deze middels een update op deze post doen toekomen.

Met vriendelijke groeten,

Redbee

Voor vragen over deze storing kunt u ons bereiken via email (support@redbee.nl) of telefoon +31 20 7080050. Uiteraard onze excuses voor de overlast.

Cloud computing is gaining popularity every day. Emerging technologies allow complex infrastructures to use cloud technology for fast deployment, dynamically handling of user traffic and easy scaling of web platforms. New technologies allow businesses to rapidly deploy their environment and to offer it to large user groups without heavily investing in hardware and data centre space. These positive developments are possible because cloud technology is advancing just as quickly as the businesses that use them. Storage and bandwidth are relatively cheap, because cloud providers sell the capacity that they do not use and the economies of scale make huge processing power and storage platforms accessible to small and medium-sized companies for attractive rates.

Challenges
From a security and compliancy perspective, cloud computing not only brings in new possibilities, but also new challenges on how to successfully secure and audit the environment. For example, take the emergence of elastic clouds, where capacity is used and charged per usage instead of per server. From an auditing perspective, several interesting questions arise. PCI DSS requires compliant infrastructures to be auditable and to record any actions that are relevant for security. But it is much harder to review an infrastructure where the amount of servers that are active varies over time. A specific server could have been online yesterday, but be replaced by 10 servers tomorrow. During the annual audit, log entries might point to a server that was only active for a brief moment in time and that will never be up again in the future.

Logical security
Within PCI DSS, the implementation of logical security is one of the fundamentals for compliancy. Implementing the right firewalls, log hosts and IDS systems increase the security level and protect the valuable data that businesses store. In a cloud environment, the use of a firewall is restricted to the service offering that the cloud provider uses. This makes the deployment of the firewalls and associated services easier, but also more difficult to review.

Physical security
Another interesting topic is the use of PCI DSS requirements around data centres and physical infrastructure. The standard requires that switchports should be physically secured and that console access should be restricted to a limited group of people, but this requirement is hard to assess if an infrastructure is using a cloud provider for its processing needs. The same applies to camera images or perimeter security: this is difficult to review as the exact location of the servers and the data are not known to the cloud customer and probably never will be.

Deleting the data
Along with data creation, processing and storage, data destruction is an often-neglected theme. Traditional systems focused on data destruction by destroying the physical media that contained the data, but in a large cloud environment, physical destruction is hard to accomplish. Many merchants and service providers accumulate data without thinking of a way to destroy it, just because data is usually regarded valuable to keep and store. Some data however is useless to store for indefinite time periods and might even pose organisational risks. PCI DSS focuses on credit card security, specifically the storage of PAN data, but in many cases the storage of the actual PAN is only needed during processing. Destroying the data would lower the impact of any security breach and would be a smart thing to do if the data is no longer needed. When thinking about cloud technology, the method and technology of data destruction is just as important as the actual storage. Relying on the cloud provider for the data destruction process would require contractual agreements about the data destruction and this is usually hard to accomplish when dealing with global cloud providers. Another option would be to set up a data destruction process that destroys the data before the storage capacity is handed back to the cloud provider.

Learning from clouds
Does this mean that cloud computing cannot be used from a PCI DSS perspective? Although using cloud providers and cloud computing seems hard at first sight, some technological development might just point in favour of cloud technology. The elastic clouds, for example, use a model where users can fire up servers based on immediate needs. By nature, this requires developers and system administrators to think in terms of scaling the platform. We have seen many cases where this leads to building blueprints of servers that are provisioned automatically when they come into existence. From an auditing perspective, this would allow an auditor to investigate the blueprints and provisioning system and validate the design, baselines and configuration principles instead of auditing
every resulting system. Within PCI DSS, an auditor can never skip the auditing of the systems for compliance, but it allows the use of sampling to choose a relevant subset of systems, and documenting any resulting clones is just as secure as the subset under investigation. This reduces the amount of work during the annual audit and makes it easier to implement the right controls on every server in the cloud.

New technologies
New technologies emerge faster than any security standard can adapt. And while the PCI DSS is revised and reviewed at regular intervals, it is impossible to get head-to-head with current developments. Virtualisation, cloud computing and geographic load balancing are all techniques that require technical knowledge from the auditor to allow implementation in a PCI-compliant environment. A good QSA is comfortable working in an environment in which the applied techniques develop faster than the security standard. From our part, we continuously train our staff to support clients that base their success on the availability of cutting-edge technology.

The added value of a QSA
The requirements of PCI DSS are the same for every merchant and service provider, but no two merchants are the same. This is exactly the situation where the qualified security assessor shows their added value. Guidance by the right PCI QSA allows organisations to get through the PCI rules without much delay.
No QSA can make the rules of the PCI DSS easier or less applicable: all players within the compliance field adhere to the same rules and have to follow the same procedures to become compliant or to declare someone compliant. However, the right QSA knows your business, is technically skilled and understands what drives your operation. It requires a lot of effort and expertise to meet all 12 requirements of the PCI standard. Our customer cases show that a QSA could perform best if (s)he ‘fits’ the organisation. This enables the QSA to implement feasible measures and formulate appropriate yet secure compensating controls to reach the ultimate goal of PCI compliance.

Vincent Ossewaarde is CEO of Fortytwo. Based in Amsterdam, the Netherlands, Fortytwo is a PCI DSS QSA and offers security, infrastructure audits and consultancy. Fortytwo serves clients in the fields of e-commerce, hospitality, financial services and media.

Vanaf 15:30 heeft de server sydney.redbee.nl problemen met de disks. Momenteel is de server down. Op dit moment word er aan gewerkt het probleem zo spoedig mogelijk op te lossen.

Onze excuses voor het ongemak.

Met vriendelijke groeten,

Redbee

Gedurende het vervangen van de routers en switches zullen op een bepaald moment kabels verplaatst moeten worden. Hierdoor zullen er korte onderbrekingen optreden in de beschikbaarheid van de connectiviteit. Dit geldt voor zowel colocatie als managed klanten.

Voor vragen over dit onderhoud kunt u ons bereiken via email (support@redbee.nl) of telefoon +31 20 6470598.

When you have a Redbee managed server, you will have been contacted regarding this issue. If you have a colocated Windows server we urge you to apply the security patch released by Microsoft to resolve the vulnerability as soon as possible.

On the following page you can find more information regarding this Remote Vulnerability and instructions on how to patch this security issue.

http://technet.microsoft.com/en-us/security/bulletin/ms12-020

Through Windows Update you are also able to patch this Security risk.

The following Windows Operating Systems are vulnerable:

• Windows Server 2003
• Windows Server 2003 R2
• Windows Server 2008
• Windows Server 2008 R2
• Windows XP
• Windows Vista
• Windows 7

If you are behind an (software or hardware) Firewall we encourage you to restrict the access to RDP (Remote Desktop Protocol) to only your trusted IP addresses. It can also be a good idea to change the default port of RDP to something else than 3389. (see also http://support.microsoft.com/kb/306759) Also After you have applied the Security patch we recommend that you change your passwords to make sure no external party can login with the old (and maybe compromised) password.

Voor vragen over deze storing kunt u ons bereiken via email (support@redbee.nl) of telefoon +31 20 6470598. Uiteraard onze excuses voor de overlast.