Category Archives: Layer 7 Technologies

Visualizing the Boundaries of Control in the Cloud

Posted on December 1, 2009 | 5 comments

Two weeks ago, I delivered a webinar about new security models in the cloud with Anne Thomas Manes from Burton Group. Anne had one slide in particular, borrowed from her colleague Dan Blum, which I liked so much I actually re-structured my own material around it. Let me share it with you:

This graphic does the finest job I have seen of clearly articulating where the boundaries of control lie under the different models of cloud computing. Cloud, after all, is really about surrendering control: we delegate management of infrastructure, applications, and data to realize the benefits of commoditization. But successful transfer of control implies trust–and trust isn’t something we bestow easily onto external providers. We will only build this trust if we change our approach to managing cloud security.

Cloud’s biggest problem isn’t security; it’s the continuous noise around security that distracts us from the real issues and the possible solutions. It’s not hard to create a jumbled list of things to worry about in the cloud. It is considerably harder to come up with a cohesive model that highlights a fundamental truth and offers a new perspective from which to consider solutions. This is the value of Dan’s stack.

The issues in the cloud that scare us the most all fall predicatably out of the change in control this environment demands. Enterprise IT has carefully constructed an edifice of trust based on its existing on-premise security models. Cloud challenges these models. Cloud rips pieces from the foundation of this trust, leaving a structure that feels unstable and untrustworthy.

We cannot simply maintain existing security models in the cloud; instead, we need to embrace a new approach to security that understands the give-and-take of control that is inherent to the cloud. This demands we recognize where we are willing to surrender control, acknowledge that this conflicts with our traditional model, and change our approach to assert control elsewhere. Over time we will gain confidence in the new boundaries, in our new scope of control, and in our providers–and out of this will emerge a new formal model of trust.

Let’s consider Infrastructure-as-a-Service (IaaS) as a concrete example. Physical security is gone; low-level network control is gone; firewall control is highly abstracted. If your security model–and the trust that derives from this–is dependent on controlling these elements, then you had better stay home or build a private cloud. The public cloud providers recognize this and will attempt to overlay solutions that resemble traditional security infrastructure; however, it is important to recognize that behind this façade, the control boundaries remain and the same stack elements fall under their jurisdiction. Trust can’t be invested in ornament.

If you are open to building a new basis for trust, then the public cloud may be a real option. “Secure services, not networks” must become your guiding philosophy. Build your services with the resiliency you would normally reserve for a DMZ-resident application. Harden your OS images with a similar mindset. Secure all transmissions in or out of your services by re-asserting control at the application protocol level. This approach to secure loosely coupled services was proven in SOA, and it is feasible and pragmatic in an IaaS virtualized environment. It is, however, a model for trust that departs from traditional network-oriented security thinking, and this is where the real challenge resides.

5 Comments

Posted in Layer 7 Technologies

Tagged cloud computing, cloud governance, control, security

How Secure is Cloud Computing?

Posted on November 27, 2009 | Leave a comment

Technology Review has published an interview with cryptography pioneer Whitfield Diffie that is worth reading. I had the great pleasure of presenting to Whit down at the Sun campus. He is a great scientist and a gentleman.

In this interview, Diffie–who is now a visiting professor at Royal Holloway, University of London–draws an interesting analogy between cloud computing and air travel:

“Whitfield Diffie: The effect of the growing dependence on cloud computing is similar to that of our dependence on public transportation, particularly air transportation, which forces us to trust organizations over which we have no control, limits what we can transport, and subjects us to rules and schedules that wouldn’t apply if we were flying our own planes. On the other hand, it is so much more economical that we don’t realistically have any alternative.”

Diffie makes a good point: taken as a whole, the benefits of commodity air travel are so high that it allows us to ignore the not insignificant negatives (I gripe as much as anyone when I travel, but this doesn’t stop me from using the service). In the long term, will the convenience of cloud simply overwhelm the security issues?

The history of computing, of course, is a history full of such compromise. Right now we are in the early days of cloud computing, where all of us in the security community are sniping at the shortcomings of the technology, the process, the legal and regulatory issues, and anything else that appears suspect. But truthfully, this is the ultimate low hanging fruit. Identifying problems with the cloud is effortless; offering real solutions is considerably harder.

Not surprising, Diffie offers a real solution, which is to look hard at trusted platforms. In the end, convenience will sweep over us all, so it is important to quickly establish the best secure baseline we can. The secure base for cloud computing needs to become like aircraft maintenance schedules–something that is a given part of the process and an important component that allows us to reasonably invest trust in the system as a whole.

I Went for Coffee and RDS was Waiting for Me When I Returned

Posted on November 26, 2009 | 2 comments

Here at Layer 7, we’ve been really excited about Amazon’s Relational Data Service (RDS) ever since they announced it last month. RDS is basically a managed mySQL v5.1 instance running in the Amazon infrastructure. The point of RDS to provide another basic service that we all need all of the time, managed within the AWS ecosystem. It offers some great scaling options (in terms of instance sizing), but best of all, it provides automatic snapshoting of database instances. This revolutionizes EC2 because it solves the nagging persistence problem that we all face when we terminate instances. We’ve all come up with clever ways of dealing with this using S3 and EBS, but now it’s gotten much easier.

Since RDS is really mySQL under the covers, I had been hearing that it’s pretty easy to port to. We’ve been itching to play with it here, using Layer 7’s SecureSpan Gateway AMI that’s runs in EC2. Unfortunately, this Fall has been really busy, so none of us have had an opportunity to play with it until now.

The inimitable Jay Thorne, who is a musician first but holds down a day job here as Director of Development for the Tactical group, finally cleared an afternoon to put RDS through it’s paces. I had to step out for coffee with another of our execs, which turned into a longer-than-expected discussion. But by the time I got back, Jay was done: SecureSpan using persistent Amazon RDS storage. Hello, cloud registry/repository…

Here’s Jay’s summary, which I think speaks for itself:

Total elapsed time: 1.25 hours
Number of pdf documents read: 1
Number of web pages read: 3
Number of command copy/pastes from doc: 6
Number of dbs created by mistake until I got the zoning right: 2
Number of mistyped credentials until I learned to use a creds file: 7
Number of dumpfiles created source side: 1
Number of times I had to import to get it right: 1
Number of characters in the hostname of the db: 50
Number of hosts I put in the db firewall allow list: 1
Number of sets of user credentials I created: 1
Number of lines in our internal wiki article I wrote about this: 35
Number of bangs on the keyboard in frustration: 0

2 Comments

Posted in Layer 7 Technologies

Tagged Amazon, AMI, cloud governance, mySQL, RDS, SecureSpan

Clouds May Be Big, But You Should Start Small

Posted on September 18, 2009 | 5 comments

James Urquardt, from Cisco, published a review of the US Government’s recently announced cloud initiative. I had the pleasure of sharing a panel with James recently at GigaOm Structure, and his CNET column should be on your must-read list if clouds are of interest to you.

In this article, James makes an interesting point that the government is really following the “Adopt at your own pace mentality” with respect to cloud. Obviously this isn’t about moving IT completely into the cloud–let’s face it, governments, of all organizations, hold data that will always be inappropriate for public cloud deployment. But it does demonstrate that a perfectly reasonable strategy is to create the opportunity to move select applications into the cloud (such as blogs, as the article mentions), and provide a mechanism so that these can coexist with existing internal IT. This is the so-called hybrid approach (particularly if there is a private cloud as part of the “internal” deployment).

But hybrid clouds face a big problem. To be useful, there must be secure communications between internal applications and new services deployed in the public (or semi-public) cloud. Amazon recently announced it’s Virtual Private Cloud initiative to address this issue. I was encouraged by their efforts; clearly, Amazon is taking the hybrid model very seriously–no doubt they’ve had a lot of customers asking them to solve this problem. However, I do question the strategy of deploying a VPN tunnel between internal IT and a public cloud. Despite efforts to secure and make private the operating environment of the public cloud, the VPN solution remains a risky proposition.

The trouble with VPNs is that they are indiscriminate over traffic. The trust model of VPNs is based on both ends being equal secure. A VPN makes sense when you integrate a branch office into your central corporate network, as the later is subject to the same corporate security standards and policy. It can be dangerous if the remote site is one where you have any less control over the entire security model, as is the case in the cloud. Imbalance in security implementation is an opportunity for attack. If a single application on the cloud side is compromised, a system cracker can then leverage the VPN tunnel to get full access into the internal network. (This same problem exists with conventional VPNs and laptops, and believe me, it keeps security guys up at night.)

A better solution is to constrain communications on a service-by-service basis, managed under policy control. That way, if a system is compromised, it provides limited opportunity to launch a further attack. Here you are creating zones of trust between services, which is much more finely grained and deliberately constrained. The Layer 7 version of the secure hybrid model looks like this:

Here, virtual and physical SecureSpan appliances coordinate communications between internal applications and services residing in the cloud. All transactions are managed under policy control. They are rigorously monitored, scrubbed for threats, and constrained to the appropriate parties. Architectures like this allow organizations of any size to move at their own pace into the cloud. It’s a model we’ve been advocating for some time. SecureSpan is already the security foundation of what is arguably the largest private cloud in the world, which is an existing government initiative that predates this latest announcement.

5 Comments

Posted in Layer 7 Technologies

Tagged cloud computing, hybrid clouds