Security needs to pay more attention to the protocols which bind the applications and infrastructure together. That’s where the cracks are appearing.
What is cloud computing? In an interview with Cigital’s software security expert Gary McGraw, network security expert Christopher Hoff tries to answer that question from two perspectives: a cloud provider and a consumer. After establishing what cloud computing is, the conversation moves to what is being done right, and perhaps wrong, to secure it. Hoff, formerly of Unisys Corp., is currently director of cloud and virtualization solutions at Cisco Systems Inc. The podcast is a good overview of cloud computing and security because it peels away all the vendor marketing hype that, pardon my pun, has clouded the issue.
According to Hoff:
- From the perspective of a consumer, cloud computing is “any vendor, any technology that would allow them to take their content and their data and place it in the stewardship of somebody else.” Hoff says it could be Apple’s MobileMe, iTunes, and any other services where you connect and are using the Internet.
- From the perspective of a cloud provider, cloud computing is “an operational model; a way of more efficiently, more effectively using computing resources.”
The cloud is not impervious to failure, Hoff says. A lot of interesting expectations are being set, and Hoff says that is illustrated by the contrast between Larry Ellison of Oracle Corp., who says there’s nothing new and we’ve been doing it for years, and others who say that how we’re using the cloud is different.
“Every time we’ve had a new instance, a new way of operationalizing our computing resources we’ve had this same sort of turn that takes place in the industry. It ultimately smooths out.”
McGraw says while we’re not so bad at protecting hardware, we’re really bad at protecting virtual operating systems and applications.
Hoff explains the three levels of cloud computing and how security applies: infrastructure as a service, platform as a service and software as a service. He says the lower down the stack you go, the more responsible you are as a consumer for the security of that service. “With infrastructure as a service you are essentially building in security, with software as a service you are basically contracting it …” Hoff goes on to say that platform as a service is more interesting from a security perspective because your apps are somewhat tied into the platform. Since you are writing the applications and you own the data, “maintaining security as it relates to that model is a shared, cooperative approach.”
Security is always playing catch-up with disruptive innovation, and cloud computing is a good example of that, Hoff says. It ultimately comes down to the age-old problem that “consumers see security and applications thereof as an adverse function of convenience.”
“When it comes down to any enterprise architecture in general, time to market and delivery just trumps our capability, desire, wants and needs and ultimately budgets to get stuff done as a balance of security versus convenience.”
The final part of the podcast covers the problems companies are having applying security to the three cloud computing models as a design pattern rather than as a bolt-on. Hoff says the people behind the cloud model are fragmented: developers work on their applications, network architects deal with the network, and the security guys try to figure out what each of them is doing.
Hoff says what is terrifying is that the metastructure pieces (the protocols, the glue that holds the application layer and infrastructure layer together) are for the most part completely ignored. DNS and identity and access management issues are starting to show cracks.
Check out Hoff’s blog, Rational Survivability, for more of his great insight into the cloud computing models and the security issues they raise.