01.27.2010

This post is the first in a series of in-depth reviews of some of the security challenges we see with cloud computing. In the following post you’ll find some very high level concerns we have regarding the innovations around cloud computing. More detailed analyses of the various cloud offerings will follow in the coming days and weeks.

Cloud computing has introduced a whole world of possibilities for everyone from the largest enterprise looking to reduce operational expenses down to the individual consumer wanting a place to store their summer vacation pictures. At first glance, the entire concept of cloud computing is a fantastic way to lower data center costs, reduce the number of personnel required to manage a system, save on software licenses and to eliminate the need to purchase a product or service that is not within your core competency.

My guess is that every enterprise is looking for some way to leverage “the cloud” in some form or fashion and the numbers of advertisements for web-based services geared to the small business and consumer are all over the mainstream media. All of these services are promising a lower cost, easier to manage solution or promising a “quicker” something whether it be a tax return or “anywhere” access to files. This generation of computing promises to be great, except for one thing: security.

By definition, security in the cloud computing infrastructure is not possible. That said, nothing is completely secure and risk free except maybe that computer that’s not plugged in and has no users or operating system, but then what good is that other than to serve as a paperweight or to hold a floor down? Anyhow, ever since I was an “InfoSec toddler” three things have been driven into my head:

1 – Confidentiality
2 – Integrity
3 – Availability

Those three simple words describe everything we need to know about security, no matter whether we call it network security, system security, IT security or that all encompassing term – information security. As I said in an earlier post on Cassandra, security is all about protecting information; I agree that it is no fun when a computer is infected with malware which causes the owner to have to rebuild a hard drive or worse, an “outbreak” occurs across multiple systems. It is bad when a gateway device or web server goes offline because of a DoS attack. However, in both of these cases if information isn’t compromised, it can be classified as an internal security event and not a reportable security incident. In fact, if it were not for the above tenets of information security, the attacks that compromised a browser flaw (a vector that was predicted by members of Cassandra Security in 2006 and 2007 to have severe implications to the security of our information) would have been nothing more than a patch event from a security perspective. Again, the time has not come to protect your critical information; it has always been here, it’s just becoming more complex with advancements in technology. I would even argue that some forms of cloud computing, specifically Web 2.0 and collaboration, have led to the critical nature of the recent IE exploit that affected so many companies.

Security is all about protecting information and it has been so since the ancient Greeks would shave and tattoo a message to a slave’s head and send them across enemy lines to deliver that message. Whether we call it steganography or encryption, they found a way to protect information that needed to be delivered between two points. Yes, that person may have been at risk or, if that person was killed then the message didn’t get delivered, but there was limited harm because the enemy didn’t have the “key” to decipher the message.

This brings me back to my original point, by definition information security can not be assured in a public cloud computing environment and here’s why: the customer is still the data owner and they are ultimately the organization responsible for the CIA of their information. The act of transferring this information to someone else’s facility does not change that, rather it makes it more difficult.

Confidentiality is difficult at best and not possible at worst. In a public cloud environment, one must ask the vendor if they can guarantee the confidentiality of your data. In order to accomplish this they would have to do a few things:

Integrity is a bit easier than confidentiality if the data is encrypted and can only be accessed by your organization; however, how does the hosting company guarantee that only your organization is accessing the data or application?

Availability is probably the most difficult because while you might have a service level agreement in place with the provider for access to their systems, you may have at least two other parties involved; those being the ISPs of the respective organizations. Can you get a guarantee from all of those organizations that your data is going to be available when you expect it to be available?

While this is not all encompassing of the security complexities introduced by the cloud computing initiatives, it should give an organization plenty to think about the next time they hear the advertisement that says “My cloud is secure.” I’m not advocating to not leverage the cloud, rather quite the opposite, educate yourself before exploring the benefits of cloud computing. Stay tuned for specific research papers on the security concerns in the various types of cloud computing and the services offered in that environment.

10.28.2009

I have written a little in the past on cloud computing and SaaS however as previously stated, have stayed away from doing so for many reasons the primary being that I am an information security professional as opposed to a cloud computing one. Cloud computing is all the rage in business today, so I thought I would write a little more on it :) . Its impact is undeniable as are the debates which rage with respect to what defines or constitutes a “cloud”. In my view of the world, cloud computing is in many respects like modern art; an appreciation of the abstract is necessary in order to derive a sense of meaning otherwise you are just faking it to impress someone. I for one have little appreciation for modern art and readily admit it (to the chagrin of my brother-in-law who is an artist and lover of modern art) though I do like impressionism and nature scenes :) . However, that doesn’t mean that I don’t use or apply abstract thought to concepts which require it (it just means I like pictures and paintings which more often than not look like something though I am evolving in this area too).

Now back to the cloud. I think cloud computing is in many senses like modern art. To begin with there is no definite shape, size, context, hue, flow, or tone associated with it – in other words no standards, rules by which to be judged against, or measured up to. The asymmetrical is accepted alongside the symmetrical; there is no right or wrong way just different ways. This, I think, will not change until formal standardization occurs in that space. When will this occur? Who is to say. Though “cloudies” and security strategists alike pontificate on the implications associated with cloud environments, no one seems to have a solid model for standardization. I maintain that much of the ‘cloud’ services or infrastructures already exist in one form or another as ‘clouds’ in data and telecommunications environments are not new. Cloud computing is not my forte as I have pointed out before – information security is. As such, I default to people such as Chris Hoff (all hail the Hoff!) in areas related to the cloud or Nick Selby as they have both written voluminous amounts on the topic.

My personal feelings are that cloud based solutions, like any infrastructural solution, need to meet minimum criteria from an information security perspective that complements business need and performance rather than hinders them. Tall order? Perhaps. Impossible? I think not. Service Level Agreement (SLA) nightmare? Maybe, just maybe. Many people quip and wax ecstatic about cloud computing services without taking the time to digest what they mean to a business and its data. Whether or not they are qualified to speak in depth and at length is debatable but nonetheless, many folks are out there doing just that. In some respects, it does not matter so long as there is an audience willing to listen. It is for those instances and audiences specifically that I have constructed today’s piece, so enjoy!

Clouds are nebulous. Some of them take on a cumulus form, drifting throughout the skies in comfortably billowing capacities. However, these are not the clouds we are looking for (I apologize in advance for the awesome opportunity to inject Star Wars humor). Our clouds are earth bound (let us not introduce the role of satellite communication into this post thank you), and as such, terrestrial and man-made. Are there challenges associated with cloud computing? Yes, I believe there are and would go as far as to say that even the most astute “cloudies” would agree that it is not all champagne wishes and caviar dreams in the land of cloud computing services. Of course there are challenges, to assert otherwise would be intellectually dishonest and would likely brand the party asserting there were not challenges as a neophyte who should not be trusted (you know who you are and you know we’re watching you!). Some of the challenges associated with cloud-based services are more realistic than others. Examples of these areas of concern stem from the following:

Having said all that, I have no trouble at all believing that services will continue to be stood up in haphazard fashion while some will take the time to properly design their environments to provide the most optimal environments for their customer bases.   The future should prove interesting with respect to cloud-based solutions, let us just hope there remains always a silver lining.

10.15.2009

Clouds are mysterious. They come in a variety of shapes, sizes, consistencies and architectures. I like clouds; however, I am not sure I want my data floating about in one any more than is necessary. Cloud Computing is not my forte, however; security is. I believe that cloud architectures warrant the same directional approach as other architectures, after all carriers have been securing ‘clouds’ for years. I made a point of not commenting on cloud computing or SaaS (Security as a Service) environments, principally because I thought that there were others out there (some very astute and knowledgeable folks) commenting ad nauseam on the topic; however, I felt that the time had come for me to add my input to this topic. Why, you might ask, have I decided to change my opinion on this? Well to begin with I feel there is a great deal of “cloudy” (please forgive the pun) thought and messaging being disseminated in the industry today. Many industry experts whose kung fu is stronger than mine, specifically in the realm of cloud architectures, would have us all believing that cloud architectures are new and subsequently superior to that which we have come to know and embrace as the standard in infrastructure today, let alone securing them. Perhaps they are right. Then again, perhaps they are not. Much has been made of the cloud. Many suggest that the cloud is both the next generation of computing as we know it and, as such, a complete shift in paradigm.

I, for one, do not believe this to be true. Yes, the advent of cloud computing is popular and as a result, worthy of note. But new? I think not. As an idea and concept, as I mentioned earlier in this post, the carriers and others (ASPs, MSSPs, and hosting entities – not to mention third party outsourcing entities), have been providing cloud services for decades. One might argue that these are not the same type of clouds and that as such the argument is moot. Well, until someone defines and articulates a standard with respect to clouds, I will maintain my position. In particular, SaaS services strike me as being derivative and familiar. Ask anyone who has worked extensively with Managed Security Service Providers (MSSPs), what their thoughts are regarding SaaS and you will get a number of different responses and more than a fair share of eye rolling.

In fact, one of my former employers offered both comprehensive traditional MSSP services in addition to two distinct “cloud driven” solutions – one provided by a third party vendor now owned by Symantec, built around secure messaging and web transactions and the other built around advanced vulnerability management and compliance. The arguments and justifications used in identifying and selecting these services are shockingly similar (or not so shockingly), to those used when identifying and selecting MSSP services. Just ask anyone who has either written an RFI / RFP / RFQ for these types of services or anyone whose job it was to answer them in their entirety without pulling their hair out. You will note from my photo that I shave my head; I gave up :) . So why are organizations embracing these services? To a degree, I believe it has to do with cultural tolerance, profitability, the availability of staff (experienced staff), and the business’s interpretation of the importance of information security as a business enabler; however, I believe there is more than meets the eye here. My experience in the MSSP space demonstrated that there were certain considerations and realities that led to both the introduction of such services and, at times, the displacement of an incumbent provider. Here is a short list:

  1. Need or desire to reduce costs as they relate to capital or budgetary expenditures :
    1. Eliminates / minimizes the need for new capital expenditure on equipment (potentially)
    2. Eliminates associated maintenance & support costs for said equipment (potentially)
    3. Enables operational security staff to focus on other, more compelling security driven initiatives on behalf of the business (this is how I used to pitch it)
  2. Complexity of threats and / or evolution of challenges being presented to enterprise security teams by internal business clients, partners or external clientele continue to challenge and strain pre-existent teams:
    1. Expertise is neither easy to come by nor always geographically available; these services can be used to counter act those realities
    2. The ability to correlate, normalize and analyze data from disparate network and host elements enables these teams to provide salient detail pertaining to the enterprise and / or its initiatives and user community.  This is obviously important and of value to external clientele as well
  3. The inability to achieve a realistic risk posture, one which reflects the environments physical, logical and procedural state while providing meaningful artifacts and evidence necessary in appeasing internal audit and risk management entities in addition to external auditors and regulatory bodies.
  4. Transference of risk:
    1. Often times, though not spoken (although at times it was spoken of), the transference of risk was the primary driver though typically it was associated with one or all of the above
  5. All of the above:
    1. Rare but at times the case

My concerns with respect to cloud computing and SaaS providers stem from the assurances or lack thereof being made to potential clients when considering these solutions. I understand that heated debates are going on (probably on a forum near you!) with respect to this very topic and as such I feel it vital to discuss what I feel is solid criteria for initial vetting of these providers. The first rule however is that we shall not discuss pricing. Why is this the first rule? Mainly because price varies as does the quality of the services being rendered; however, they are not always mutually exclusive. We will however discuss the forms in which these service offerings are presented and, as it merits, discuss deal or offering structure. I believe it is necessary for enterprises considering the adoption of such services and architectures to consider how their data is treated as it enters the cloud, what occurs during transmission, what occurs at rest and what occurs during egress. Put plainly, what occurs from the perspective of confidentiality, integrity, availability and assurance? One should always inspect what one expects; scenarios such as this are no exception.

I believe that those organizations providing cloud driven security or SaaS services should follow the example (minimally), set by MSSPs or at least those that I have worked with and competed against, with respect to data preservation and security.    In my experience, there is no excuse for short cuts with respect to data integrity and preservation, as such, I have worked with and represented organizations that espoused the same ideological stance on the matter of handling other people’s data.  A minimum criterion in my mind includes but is not limited to the following:

  1. Attainment of accreditation and certification relevant to secured carrier or cloud environments
    1. SAS70-II
    2. SafeHarbor
    3. SysTrust
    4. Regular internal & external security assessment and audits performed and delivered by qualified internal employees as well as trusted, third parties:
      1. Penetration Testing
      2. Social engineering
      3. Application assessment
      4. Customer premise ingress (if possible)
      5. Concise, meaningful documentation of the environment and the ability to produce report deliverables, accreditations, and artifacts upon request

Beauty, after all, is in the eye of the auditor, and his or her interpretation of the standard against which one is being audited is paramount in attaining or maintaining status.

With respect to the monetary value associated with such services, there is no question in my mind that savings can be achieved via the selection and adoption of such services. The value represented in dollars and cents can be arrived at when negotiating initial pricing as these contracts are typically written for specific durations; sometimes month to month, however it is more often the case that these services are delivered on a term basis (12, 24, 36, 60, 72 months etc.). The more mature the offering and provider, the easier (typically) it will be to estimate initial (capital) signing costs and subsequent savings over time. Numbers do not lie; people do, so inspect what you expect. Again, a familiar model should one look beneath the covers. You might be saying to yourself, “Wait, wait what if it is a service that is software driven and predicated on a subscription model?”; my assertion is that fundamentally the numbers will either demonstrate value over time or prove to be cost prohibitive so again, inspect what you expect. In many respects this is no different from any time an enterprise engages in a long-term contract with a third party for the delivery of a service. Whether it’s telecomm, call center or SaaS, I believe fundamentally that they are analogous to one another.

Organizational security posture may also play into the immediate revelation of value realized by the organization upon engaging in this type of service agreement.   Depending on the condition of the enterprise in question, the needs of its user community and its overall risk posture costs may vary (most providers will offer various levels of service all of which will have or should have, differing degrees of service level agreements each with its own merits and penalties to be paid to the enterprise client should the provider miss an SLA), in order to enable and empower the enterprise in realizing their goal: protection of their data, their user community and brand, all while minimizing and transferring risk.  No decision of this sort should be made in a vacuum and as such, decision makers, influencers, recommenders, stakeholders (departmental and within the various and sundry elements representing the business units which make up the enterprise), should investigate all options available and arrive at a decision which best suits their needs while providing the most value to the business.  In doing so, they will effectively enable the business to do what it does best to generate revenue while fostering a culture of cooperation and partnership.   The net effect of which could lead to a fundamental change in comprehension, attitude and application of information security within the enterprise as a whole.  In closing, clouds can be beautiful; amazingly striking things or, depending on the conditions ominous forbearers of storms to come.   In choosing wisely you might just be able to remain in Kansas Toto ;)