Over Simplifying Cloud Security
New wrappers on traditional concepts do not always work
I will tell you right up front that I’m not a cloud computing expert. I “get it” as most people do and can see the pros and cons. You don’t have to be a brain surgeon to connect the dots of virtualization, stacking, web services, “X”aaS, and the like to see that the cloud is extraordinarily compelling to business and is the future of IT as we know it. Seeing that most people have connected the dots, it’s no surprise that security in the cloud (or lack thereof) is seen as the most significant barrier to adoption. As a result, security solutions for the cloud are beginning to come out of the woodwork. This is expected and needed – progress in this space is good. However, I’m not seeing anything necessarily revolutionary, simply, well, more of the same. The problem isn’t that these standard security solutions tweaked to support the cloud aren’t meaningful; it’s simply that they are addressing an old problem and not really the more fundamental problems businesses are thinking about and beyond.
As an example, Novell recently announced their Cloud Security Service (CSS) as the, “Industry's first cloud computing security service that provides identity and access management for hosted applications and hosted storage, as well as a compliance reporting suite.”
This looks very compelling. When you read the (very) limited materials explaining the service you begin to see the vendor approach. It’s pretty much an integrated identity management solution that ties into applications, systems, and storage solutions. A few things come to mind.
First, this is interesting and needed. But it is not necessarily new in the cloud, and solutions of this nature have existed in the SaaS and IaaS space for a little while. However, in Novell’s defense, their solution crosses various boundaries, such as federating and on-demand scenarios. So, again, somewhat compelling.
Second, presenting this as the solution to cloud security issues is – well, let’s just say it gets under my skin. The world doesn’t spin on an identity management axis. Call it IdM, single sign-on, meta-directory, or whatever, you’re still only addressing one small part of the problem.
Basically, I like that Novell is still moving forward and I think what they’ve accomplished with SLES is outstanding. I like the IdM/SSO cloud security solution and their approach, but they shouldn’t sell it as solving cloud security and compliance. Just because you can identify, authenticate, and (presumably) authorize a user in a multi-platform, heterogeneous, distributed environment doesn’t solve all the challenges, not by a long shot. I think it is simply a starting point.
I know I’m picking on Novell a little bit and it’s really not deserved. But, I’m seeing this trend to take something that sorta worked in the enterprise space and say it works for the cloud – and this simply isn’t the case. I think people are underestimating the cloud and the complexities it presents from a security perspective. It also makes the assumption that “traditional” security solutions actually solved problems in the enterprise domain, which is not necessarily the case.
When we look at the cloud we have to begin to address fundamental gaps that have always existed, but have taken on new importance in the cloud. Moreover, the cloud introduces new challenges for security that have no solution. It’s good to look at traditional solutions and traditional problems simply because these don’t go away, and maybe an old solution could help with a new problem. But this is not preordained, and to imply heritage solutions address the deeper issues of the cloud is shortsighted.
To provide a basic example, look at a simple layered web-application model. You have the presentation layer (HTML, JavaScript, AJAX, ASP, whatever), the web-server layer (MS IIS, Apache, etc.) and all this implies, and the database layer. These all interact in different ways depending on the purpose of the application, of course. For example, you may have stored procedures, client-side code, web-services (SOAP), widgets and whatnot, and potentially business logic rules in the layers.
So, Bob logs into the website where the web-server passes the credentials to the OS or authoritative source (i.e. directory, etc.) for validation. Once authenticated, Bob is tied to a role in the application defining what he can and can’t do. Bob does his job, accessing reports, adding information, and so forth.
However, we need to acknowledge it is the application that manages who Bob is and performs other functions on Bob’s behalf. For example, Bob may want to run a report, which requires SQL calls and the like. The application – knowing (assuming) who Bob is – understands this action is permitted based on his role. As a result, the application, utilizing the web-server (a process typically running as root or with admin privileges), reaches out to the database server that, for all intents and purposes, sees the application as the user. It is very common to have the database security set up to accept a general, highly privileged account as the source for information requests and submittal. As a result it is the application that is in control, not the database, OS, or anything else for that matter.
Now, we add in web-services, distributed services, and decentralized, multi-platforms and the problem becomes far more interesting. Admittedly, we have SAML that can tie authentication elements in a web environment. In some cases, architects and developers will incorporate (or make extensible) SOAP by using SAML to create greater granularity and control between systems and service domains. This is good because now the interface between the presentation, server, and database begins to have consistent visibility in user and role. The problem is that this is rare, difficult to build, elongates application development, and is typically not part of today’s web-services cloud services. In fact, products like SecureSphere from Imperva exist to address this core problem in traditional applications.
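The difference between the two models above, the shared privileged account and the propagated user and role, as an added sketch that is not part of the original article. It assumes an HMAC-signed token as a simplified stand-in for a signed SAML assertion; the key, the app_svc account name, the roles and the actions are all constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a real deployment would verify an IdP-signed SAML assertion.
ASSERTION_KEY = b"demo-key-not-for-production"
ROLE_PERMISSIONS = {"analyst": {"read_report"}, "clerk": {"read_report", "add_record"}}


def issue_assertion(user, role, ttl=300, now=None):
    """App tier: after authenticating the user, sign who they are and their role."""
    now = time.time() if now is None else now
    body = base64.urlsafe_b64encode(
        json.dumps({"sub": user, "role": role, "exp": now + ttl}).encode())
    sig = hmac.new(ASSERTION_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def verify_assertion(token, now=None):
    """Data tier: return the claims, or None if tampered with or expired."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    expected = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # signature check comes first, so the body is never parsed unverified
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > now else None


class DataTier:
    def __init__(self):
        self.audit = []  # entries are (principal, action, allowed)

    def shared_account(self, action):
        """The common setup: the database only ever sees the application."""
        self.audit.append(("app_svc", action, True))
        return True

    def propagated(self, token, action, now=None):
        """The data tier checks the end user's role itself and audits the real user."""
        claims = verify_assertion(token, now)
        if claims is None:
            self.audit.append(("unverified", action, False))
            return False
        allowed = action in ROLE_PERMISSIONS.get(claims["role"], set())
        self.audit.append((claims["sub"], action, allowed))
        return allowed
```

With the shared account, every audit entry names app_svc and every request is allowed; with the propagated assertion, the data tier can refuse Bob's out-of-role request and record it under his name.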
This is arguably a very simple example and open to interpretation. Nevertheless, the point I’m trying to make is we have deeply rooted security challenges even in the most basic of scenarios that are not easily addressed, and when put in the cloud are exponentially increased. This gets us into interoperability, application migration, compatibility, service orientation needs, and rigid application models.
As far as new problems, the management of the data seems to be on everyone’s mind and has yet to get a meaningful solution. There is a solution from a company that provides a transparent encryption interface between the storage and the upper level systems, which can be anything from a server (i.e. OS), to a VM, stacked application, or web-service. Unfortunately, the problem is the same as we have in the application. The user is separated from the management of the data. The encryption “gateway” has limited visibility and as a result trusts the requesting system or service. Although there is key management, these are not tied to user certificates much less credentials. In this case, companies are buying the solution because the data is encrypted “under” the cloud, but access to the data is based on system role and trust – which is virtually meaningless in the cloud. So, while you can check off that audit box saying your data is encrypted, and it is, technically speaking it’s meaningless in actually protecting the data.
To take this one step further, many organizations using the cloud for various applications can’t encrypt data because it must be processed by the application. Pretty understandable. Solutions such as this are very attractive because their data is “secured”. However, they have no real control over the distribution of keys within the environment – especially when clouds are federated – and do not have the capacity to retrieve said data. It’s really security through obscurity.
I liken this cloud issue to laptop hard drive encryption – something we have today to protect information and something everyone likes. Hard drive encryption is a great security control and I recommend it to everyone I come in contact with – it’s worth every penny. But, we have to understand what threat the control is protecting us against. In short, it’s protecting our data if the system is lost or stolen, and that’s it – period. Now, seeing that a vast amount of data loss is associated with laptops walking out of buildings, getting left in the airport, and magically vanishing from the trunks of cars, this is a valuable control relative to the potential of loss and impact. I’m not saying it’s a bad control, I’m saying it’s serving a particular purpose. Once the laptop is turned on and the user logs in, the access to the data is, well, open. There are degrees to this statement. For example, I may have an encrypted partition that I have to mount and authenticate at that point in time and it may force re-authentication after so many minutes of being unused. Nevertheless, once mounted or accessible by the user, game over. Malware, worms, viruses, or the user sending data to someone they shouldn’t, and everything in between are threats and scenarios that are not mitigated by hard drive encryption.
This is the basic concept I’m talking about with the cloud. First, I think people underestimate the complexities that are the cloud and what these mean to security. Second, there is a tendency to assume today’s enterprise security solutions solve cloud-specific problems when they don’t even solve all the challenges in the non-cloud space. Third, there are existing, core challenges that exist today which are very difficult problems to solve even when everything is running on the same box, much less stretched out around the world from different entities. Fourth, companies saying they have solved the cloud security problem with retuned existing solutions are a bit misleading. The technologies and solutions from the enterprise domain do provide value in the cloud, of course, but are not a silver bullet. Lastly, there is not a great deal of clarity in exactly the applicability of a control to a threat, much less understanding the types of threat and tactics that are going to emerge in the cloud.
Today we have decent security solutions that help us reduce potential and impact. They’re not perfect, but perfection is not an option. However, one of the things to a company’s advantage in today’s security is that the systems and data are within their domain of influence. This provides some level of visibility and opportunity to the company to address dynamics, risks, compliance, you name it. But all this goes away with the cloud, which is exactly why the cloud is so darned attractive to businesses and the reason security is the primary concern.
I will say - and will always say - that the cloud is a very good thing and the next evolution of IT that nearly equals the impact of the Internet. I would argue that we have to get the cloud right because it will usher in new and compelling opportunities that we can hardly predict today. I’m not saying approaches to cloud security today are necessarily wrong. We simply have to think bigger, understand the true applicability of what is being proposed, and make no assumptions. And, of course, base everything in security on trust… if you can’t trust it, then there is very little hope for being secure.