Thursday, February 17, 2011

Cloud security advances not yet on IT radar

SAN FRANCISCO -- After years of hot air and lame product rebranding, security techniques and
products for cloud computing are finally starting to appear. However, they seem to be of little
interest to the IT pros who must secure today's enterprise IT organizations.



Fighting malware threats, in particular, remains an issue for many attendees here at this week's
RSA Conference.














"If our systems are infected by malware, that could be a major problem," said Peter Tam, a
security engineer with NASA. He spends most of his time protecting NASA’s researchers. "The cloud
is interesting," he added, "but it does not impact my job today."



"The cloud is a future thing, it’s a black hole right now," echoed Mike Myers, lead technical
analyst for Marriott International. Top of his mind was monitoring client machines and internal
systems to combat malware. That said, Marriott uses a cloud provider to host the maps on its
websites.



"This information is not sensitive; we wouldn’t put anything sensitive in the cloud," Myers
said.



Trust remains a big barrier to cloud in the minds of security practitioners.



"I don’t know you, you don’t know me," said Andy Gram, chief platform architect at BlackRidge
Technology. "The cloud is like that, so why would I put anything sensitive there?" BlackRidge is
building a product that provides identity-based switching and routing in the cloud.



Security consultant John Kinsella said that the scale enabled by cloud services is another
problem security engineers must worry about. Cloud doesn't fit standard security models, and most
security products are allergic to cloud-style automation; they do not take into consideration
that someone is launching and terminating entire servers by the hundreds every day. Today's
security products were designed, Kinsella said, for inspection, auditing, and reporting within four
walls.



New cloud security tools take root

At the conference, RSA announced Trusted Cloud Authority, a service that it claims will move the burden of
establishing trust from the customer to the cloud by acting as an intermediary for hosted security
and compliance services. A beta that includes identity and compliance offerings will be available
in the second half of 2011, but details on the services were scant.



Small advances in virtual machine (VM)-centric security ideas are starting to surface, and
providers are beginning to look for ways to offer security in the cloud the same way they offer
infrastructure: automated and out of the hands of the user.



Professionals like Kinsella note that using cloud computing for infrastructure doesn't tend to
improve life for the security-conscious. Pure Infrastructure as a Service (IaaS) tends to make
secure operations either tedious or risky when compared to traditional deployments. There might
be hundreds of virtual servers where there were two or three physical servers before; they may
all have public IP addresses; and your operating system (OS) of choice, no matter what it is,
needs to be patched and monitored for weaknesses non-stop.





Most of the commonly used techniques and tools for monitoring OSes aren’t ideal for this kind of
challenge: the OS can update itself, but it’s not 100% reliable. It’s spinning plates to
individually monitor more than a handful of VMs. A small uncorrected problem in the base image can
suddenly become a massive hole when it gets replicated hundreds of times. Scripts and alerts and
hand checking mean a lot of grunt work, exactly what the cloud is supposed to help avoid.



"It takes a lot of man-hours to proactively go out and manage all these systems," said Tim
McQuillen, CEO of StrongMail, an email infrastructure and messaging service. StrongMail is the
poster child for cloud security headaches, as it runs a highly targeted service (email) and
delivers everything online, along with running almost entirely in IaaS platforms. McQuillen said
StrongMail’s vulnerable surface area in the cloud is large.



Monitoring virtual networks and repeating the same security procedures over and over for each of
his systems as he scales operations up and down is an unproductive grind. To alleviate some of
this burden, StrongMail turned to a new startup, CloudPassage, which installs an agent on each of
StrongMail's Linux instances and monitors the systems automatically as a service. Vulnerability
patching and reporting also happen automatically. CloudPassage also offers "iptables as a service,"
Linux-based soft firewalls for individual machines.



It’s not revolutionary technology; given the idea, McQuillen said, most decent administrators
could cook up a similar approach. But CloudPassage packaged it up and priced it in such a way that
he liked it better than investing in doing it himself.



"There’s a ton of point solutions and open source that’ll get you there, but this is just rolled
up in a way that’s really easy, really simple," he said.



CloudPassage hasn't replaced any of McQuillen's traditional security software or appliances like
antivirus and intrusion detection; it has just scratched an itch exacerbated by the use of cloud
computing infrastructure. It also hit right at the big question of effective cloud security: how
to effectively protect machines that live outside your firewall.



Compliance and audit in the cloud

"One of the biggest answers we’re starting to see is per tenant and per instance protections; a lot
of customers want very fine-grained controls on their environments," said Jon Greaves, CTO of
Carpathia Hosting, which serves highly regulated government and healthcare customers. They are
clamoring for cloud, driven by federal policy and legislation, said Greaves, but they have
non-negotiable compliance and audit requirements.














Greaves said that most cloud operations spend most of their security resources on standard
perimeter defenses, but that was not going to cut the mustard for very long. While public cloud services
like Amazon Web Services (AWS) have very good track records, they also have black-box security.
That is not comforting for enterprises and auditors, and Carpathia will offer Vyatta's virtualized
security appliances to address those concerns.



Running a cloud, Greaves noted, does have advantages: "The cloud gives us a very repeatable
platform. We can build that [security appliance] one time for one platform and the customer can
punch that out as many times as they need."



Greaves also said that cloud makes some old ideas new again. For example, the venerable
Information Technology Infrastructure Library (ITIL) guidelines for tracking processes, procedures
and actions can actually help keep track of fungible cloud computing resources. Carpathia uses ITIL
techniques to meet audits for virtualized and cloud environments, which Greaves admits is
inefficient.



For now, he’s praying for the day when security automation efforts like CloudAudit and industry
standards get adopted: "I can’t wait until everyone does this the same way."



Carl Brooks is the Senior Technology Writer for SearchCloudComputing.com, and Jo Maitland is
the Senior Executive Editor. You can contact them at cbrooks@techtarget.com and jmaitland@techtarget.com.
