An alchemists view from the bar

Network Security Alchemy

Thoughts of the cloud – Part one of …… some.


I (via Sourcefire) recently had the opportunity to present at a cloud computing security event in Ireland organised by Calyx. Unfortunately for me, the cloud-specific focus of the event managed to slip past both myself and my colleagues in marketing unnoticed until the day before the event. This forced me to take the audience on an unexpected thirty minute tangent away from the cloud centric content they were expecting (sorry about that), but while I wasn’t talking I was given a great opportunity to witness the confusion that is presented as “The Cloud”.

Clearly cloud-stuff is getting more and more headlines, especially when you link the “C” word together with security.

Each presenter provided a slightly different definition of what cloud computing meant to them (and their marketing departments), but somehow they all managed to agree on key security risks associated with suggestions of …….

  • Dumping mission critical internally hosted services and throwing them into the cloud
  • Placing your “trusted data” in the trust of another “untrusted” party
  • Believing that a cloud provider (SAAS, PAAS, IAAS etc) has a magic ability to look after their systems better than your people look after your systems
  • Burying your head in the sand while shouting “la la la don’t remind me that I’m still accountable for all of this with little to no control!”

Quite correctly, none of the presenting vendors offered a silver bullet to solve these issues, and if they had offered one up I’m sure someone in the audience would have called them a liar. Instead they provided intelligent thoughts and opinions to potential workarounds; however, I don’t remember them touching on what I see as an important and overlooked point.

Cloud technology will rarely provide a complete migration path; it is most likely to be a technology addition. I won’t go into the justification of my point of view right now, but believe me, this is the way I see it. This also means that my non-cloud “Know your network better than your enemy” tangent that I took the audience on is still important. I hope the “C” word moves further along the hype-cycle path to sit somewhere better understood soon.

Earlier today I read Amrit Williams’ wonderfully sarcasm-rich post on a similar subject. I relate to it because it touches on my views of cloud addition. Reading it also reminded me to hit the publish button on this post’s draft.

-Leon


Written by leonward

May 7, 2009 at 1:10 pm

Posted in Security, Sourcefire

3 Responses


  1. Cloud is just a term to mean network. All the networks need defense. The local networks that interface with that “cloud” still need defense. Just because the companies are saving a few bucks on not hosting their email locally anymore doesn’t mean that email isn’t still a threat. People will still double click on anything. Virus writers prove that every day. In fact, I think network security becomes even more relevant with Cloud computing as everything is moving on and off the network (hopefully encrypted), going from local network to hosting provider. Who is securing THAT transaction?

    Joel

    May 7, 2009 at 1:34 pm

    • Cloud is not just a term to mean network. It’s a term used to describe resources that are made available as a service over a network. Doesn’t matter if it’s the Internet or intranet. The key word is scalability. The idea is on-demand access to resources.

      The problem in securing the cloud is one of managing data flow from intranet resources with internet resources. Problems also occur with managing distributed storage and data retrieval with a flexible, scalable system. The security standpoint cannot be a simple IDS/IPS/Firewall looking at network traffic, there is no perimeter to secure and internal walls may not exist.

      There are a myriad of issues to think about, too many to list in a comment on a blog post. Probably deserves a white paper to do it justice.

      Let’s see who is looking at the problem…

      http://csrc.nist.gov/groups/SNS/cloud-computing/index.html

      Nigel Houghton

      May 25, 2009 at 5:19 pm

  2. I’ve never been particularly satisfied with any of the disclosures on how SAAS providers secure customer data. I assume they are doing little or nothing, which I think only hampers their adoption.

    Many of these companies could probably be very successful if they gave people a reason to trust them.

    Emory

    May 7, 2009 at 2:20 pm

