SAN FRANCISCO -- After years of hot air and lame product rebranding, security techniques and products for cloud computing are finally starting to appear. However, they seem to be of little interest to IT pros that must secure today’s enterprise IT organizations.
Fighting malware threats, in particular, remains an issue for many attendees here at this week's RSA Conference.
I can't wait until everyone does this the same way.
Jon Greaves, CTO of Carpathia Hosting, on cloud standards
"If our systems are infected by malware, that could be a major problem," said Peter Tam, a security engineer with NASA. He spends most of his time protecting NASA’s researchers. "The cloud is interesting," he added, "but it does not impact my job today."
"The cloud is a future thing, it’s a black hole right now," echoed Mike Myers, lead technical analyst for Marriott International. Top of his mind was monitoring client machines and internal systems to combat malware. That said, Marriott uses a cloud provider to host the maps on its websites.
"This information is not sensitive; we wouldn’t put anything sensitive in the cloud," Myers said.
Trust remains a big barrier to cloud in the minds of security practitioners.
"I don’t know you, you don’t know me," said Andy Gram, chief platform architect at BlackRidge Technology. "The cloud is like that, so why would I put anything sensitive there?" BlackRidge is building a product that provides identity-based switching and routing in the cloud.
Security consultant John Kinsella said that the scale enabled by cloud services is another problem security engineers must worry about. Cloud doesn't fit standard security models, and most security products that are allergic to cloud-style automation; they do not take into consideration that someone is launching and terminating entire servers by the hundreds every day. Today’s security products were designed, Kinsella said, for inspection, auditing, and reporting within four walls.
New cloud security tools take root
At the conference, RSA announced Trusted Cloud Authority, a service that it claims will move the burden of establishing trust from the customer to the cloud by acting as an intermediary for hosted security and compliance services. A beta that includes identity and compliance offerings will be available in the second half of 2011, but details on the services were scant.
Small advances in virtual machine (VM)-centric security ideas are starting to surface, and providers are beginning to look for ways to offer security in the cloud the same way they offer infrastructure: automated and out of the hands of the user.
Professionals like Kinsella note that using cloud computing for infrastructure doesn’t tend to improve life for the security-conscious. Pure Infrastructure as a Service (IaaS) tends to make secure operations either tedious or risky when compared to traditional deployments. There might be hundreds of virtual servers where there were two or three physical servers before; they may all have public IP addresses; and your operating system (OS) of choice, no matter what it is, needs to be patched and monitored for weaknesses non-stop.
Most of the commonly used techniques and tools for monitoring OSes aren’t ideal for this kind of challenge: the OS can update itself, but it’s not 100% reliable. It’s spinning plates to individually monitor more than a handful of VMs. A small uncorrected problem in the base image can suddenly become a massive hole when it gets replicated hundreds of times. Scripts and alerts and hand checking mean a lot of grunt work, exactly what the cloud is supposed to help avoid.
"It takes a lot of man-hours to proactively go out and manage all these systems," said Tim McQuillen, CIO and founder of StrongMail, an email marketing software company. StrongMail is the poster child for cloud security headaches, as it runs a highly targeted service (email) and delivers everything online, along with running almost entirely in IaaS platforms. McQuillen said StrongMail’s vulnerable surface area in the cloud is large.
Monitoring virtual networks, repeating the same security procedures over and over for each of his systems as he scales operations up and down, is an unproductive grind. To alleviate some of this burden, StrongMail turned to a new startup, CloudPassage, which installs an agent on each of StrongMail’s Linux instances and monitors the systems automatically as a service. Vulnerability patching and reporting also happen automatically. CloudPassage also offer "iptables as a service," Linux-based soft firewalls for individual machines.
It’s not revolutionary technology; given the idea, McQuillen said, most decent administrators could cook up a similar approach. But CloudPassage packaged it up and priced it in such a way that he liked it better than investing in doing it himself.
"There’s a ton of point solutions and open source that’ll get you there, but this is just rolled up in a way that’s really easy, really simple," he said.
CloudPassage hasn’t replaced any of McQuillen's traditional security software or appliances like antivirus and intrusion detection; it’s just scratched an itch exacerbated by the use of cloud computing infrastructure . It also hit right at the big question of effective cloud security: how to effectively protect machines that live outside your firewall.
Compliance and audit in the cloud
"One of the biggest answers we’re starting to see is per tenant and per instance protections; a lot of customers want very fine-grained controls on their environments," said Jon Greaves, CTO of Carpathia Hosting, which serves highly regulated government and healthcare customers. They are clamoring for cloud, driven by federal policy and legislation, said Greaves, but they have non-negotiable compliance and audit requirements.
We wouldn't put anything sensitive in the cloud.
Mike Myers, lead technical analyst for Marriott International
Greaves said that most cloud operations spend most of their security resources on standard perimeter defenses, but that was not going to cut the mustard for very long. While public cloud services like Amazon Web Services (AWS) have very good track records, they also have black-box security. That is not comforting for enterprises and auditors, and Carpathia will offer Vyatta's virtualized security appliances to address those concerns.
Running a cloud, Greaves noted, does have advantages: "The cloud gives us a very repeatable platform. We can build that [security appliance] one time for one platform and the customer can punch that out as many times as they need."
Greaves also said that cloud makes some old ideas new again. For example, the venerable Information Technology Infrastructure Library (ITIL) guidelines for tracking processes, procedures and actions can actually help keep track of fungible cloud computing resources. Carpathia uses ITIL techniques to meet audits for virtualized and cloud environments, which Greaves admits is inefficient.
For now, he’s praying for the day when security automation efforts like CloudAudit and industry standards get adopted: "I can’t wait until everyone does this the same way."