The nuts and bolts of cloud security
Date: Apr 07, 2011
In this week's episode of Cloud Cover TV, Jo sits down with Davi Ottenheimer of security consulting firm Flying Penguin to discuss best practices for protecting and controlling your assets in a cloud environment.
Read the full transcript from this video below:
Jo Maitland: Hello, and welcome to Cloud Cover TV, our
weekly show on all the juiciest news in the cloud computing
market. I am Jo Maitland, in San Francisco. This week we
are talking about the jolly topic of cloud security. It is still
one of the number one reasons cited in all the research for
why people will not adopt cloud services, there is a lot of
fear around this whole security problem. We thought we would
bring an expert onto the show to break it down for us. With
us here today is Davi Ottenheimer, who is the security
consultant and runs the Flying Penguin Company.
Davi Ottenheimer: Thank you.
Jo Maitland: First of all, tell us about Flying Penguin.
exactly is it? I liked your conversation about that. Tell us about
Davi Ottenheimer: Flying Penguin is a consulting company
that I started. We specialize in security, and we deal with
compliance and risk. It was really started back in 1996 when I
was working with Linux, and people always ask me, ‘Does the
Penguin have to do with Linux?’ Yes. Linus Torvalds, at the time,
said that he was going to make the penguin the mascot. I started
to do research and I realized, at that time right away, that
penguins, when they are under water are flying like birds are
flying through the air, so it became a way that I could explain a
paradigm shift to people, by showing them that even though it is
still a bird, and even though it is underwater, it is still flying. There
is no difference; it is still flapping its wings and so forth, and a lot
of scientists classify penguins as flying through water. I think that
is the purpose of the company, to help people see a paradigm
shift in different areas of security so that they can see risk where
it might not have been obvious before.
Jo Maitland: Who do you provide these services to? Who
Davi Ottenheimer: We have a lot of clients in different industries, so we
with telecom, financial, critical infrastructure, healthcare, and so
forth, a lot of executives, but also engineers. We try to do things
like penetration assessments; we have done audits for many years.
The idea, essentially, is to help people to see things that they did
not see before, risk is one of the hardest things for people to do,
and threat modeling. We start with that, present to them an idea of
where they should spend their money, then help them actually
execute and do consulting practices in order to get them to buy
the right tools and put their assets in the right place.
Jo Maitland: You are also advising VMware; what are you
those guys with?
Davi Ottenheimer: I work with the vCloud team on vCloud data
I am helping them with compliance requirements, as well as security
architecture. Building out a matrix basically, that shows if you want to
go into different requirements, such as FISMA, which has the NIST 853
requirements, or an ISO 27001 or a SAS 70, which is becoming a
SOC 1 report. If you want to do any of these things in a cloud
environment, we have very specific guidelines on how to do that.
Essentially, an architecture that you can use to make sure that
you will be building a compliant infrastructure in a cloud environment.
Jo Maitland: While we are on VMware, one of the things that I
people talk about often, in terms of security in the cloud, is this notion
of VM breakout. What is that, and does it ever really happen in the
Davi Ottenheimer: The idea of things happening or not
the speculation I think is linked to our risk thermostat. People have
a different sense of what reality is, whether they have been attacked
or not, or whether they will be the next person to be attacked. You
can look back to the study of criminology and get a lot of data on this.
For example, if you are walking down the street, there are things you
can predict and there are things you cannot predict; a piano falling on
your head from the sky that maybe you cannot see coming, but you
can also see somebody walking towards you that looks threatening
and walk the other way. I think people being able to sense whether
something is really going to happen or not, has a lot to do with their
own perception of risks, which, again, goes back to why I try to help
people see things better, so they can figure out which risks are real.
A VM breakout is actually a real threat, in the sense that it
and it has been proven in theory, but that does not mean that it is
happening every day, or that it would happen to somebody who is in a
cloud environment. And in essence, it is that somebody that is supposed
to be in their own container, in a shared environment, gets out of their
container and gets into yours. If you use the analogy of buckets, the walls
between the buckets are supposed to prevent things from mixing with one
another, but it still does not prevent them from coming up out of their bucket
into the space above and then back down, in that sense, they would be able
to come out of their environment and into yours, when they should not be.
Of course, they can poke a hole through if they are really sophisticated, or
they are determined enough, or they can build high enough ladders to get
over walls, and so forth; there are a lot of ways to stretch the analogy. The
bottom line is, people aren't staying in the space they are supposed to be,
and you are in a shared environment, so there is a greater likelihood that
they would try.
Jo Maitland: Is there a way, today, to have a lid on that
secure the hole?
Davi Ottenheimer: That is correct. The old model that we used
was the six-sided box, and it is from critical infrastructure or from utilities,
in particular, where there is a requirement that you can build a fence
around certain assets, but if you wanted to prevent people, or even animals,
from digging under or jumping over the fence, you had to build the six-sided
box, and that would ensure that it was more secure than just the fence alone.
To take the analogy and put it in a cloud environment, you have to find out a
way to put controls around your assets, such that somebody that had more
authority than you would not even be able to get into your environment, so
somebody who has a taller ladder than you can build, or has more determination,
an attacker who is more sophisticated than you are, still cannot get in just
because they can get up higher than you can go. You put a lid on, so you
can only build to 20 feet, but they can build a ladder to 30 feet, but there is
a lid, so it does not matter.
Jo Maitland: Amazon Web Services make the claim that they
all the security tools for customers, if only they would use them. One
of the things that they talk about a lot is extending your internal private
VPN security capabilities to their cloud service, and basically not exposing
anything to the outside world. Is this an adequate argument? Is that an
Davi Ottenheimer: It really depends. Everybody has their own
thermostat, so people have to ask themselves, are they going to
trust somebody, so there is a question of whether you are going to
give over your assets to somebody who says, ‘It is up to you to protect
this, even though you're giving it to me.’ I think people might want a
relationship with a provider that says that they are going to protect
things as well as you would expect them to, yourself. In other words,
you can trust somebody with your assets because they would do
what you would do in the same circumstances, not, they will only
do the very specific things you told them to do, or not that they will
do nothing, it is really up to you to protect your information, even
though you have given them custody of it. In fact, there is a legal
issue now around whether people have custody or control, because
perhaps a cloud provider just holds something, but they do not
really truly have control of it, so maybe that creates a difference
in definition of legal terms now. Those are some of the things that
people have to think about.
The advantage of having multiple providers in cloud is you
go to an Amazon and say, ‘This is what I need, here is a list of
10 things.’ If they say, ‘We can only provide you five,’ and number
six is, that they will do things a certain way, and they say, instead,
‘No, we will do things our way. If you want things done your way
we cannot possibly do that,’ you may go to another provider. There
are other cloud providers who, perhaps, do things the way that you
would want them to be done, to be secure.
Jo Maitland: Amazon actually announced this week that
are offering, within their virtual private cloud service, dedicated
instances, so isolated hardware. That is something that some of
the other companies, Savvis, Terremark, also offer. Is that the
solution? We will just go back to, ‘Hey, we will just keep everything
in our own boxes and multi-tenancy, not possible to secure it, so we
are back to dedicated systems.’
Davi Ottenheimer: That is one way of looking at it. I think
an admission that people are still worried about the environment
to a degree that Amazon has admitted, now, that they are going to
provide a service that other providers were offering. It is a good
example of how the cloud competition allows people to move if they
do not like the level of security, or the level of compliance that they
are getting from one provider. The idea of having those boxes, though,
does not completely destroy the cloud, it does not move us right back,
because it still has some degree of elasticity, there is still an abstraction
layer. You can, for example, move very quickly from one environment
to another environment, even though you are in your own dedicated
space, you can move to a different facility more easily than if you were
just back in a traditional IT model. In that sense, it is still very
Jo Maitland: Talk to us about encryption services in the cloud.
out there today, and are people using these?
Davi Ottenheimer: You mentioned VPN before, that is one thing
really evolving. I think the ability to encrypt traffic that is in transit,
basically, you have things that are at rest or things that are in transit.
At rest, most people want to encrypt because, for example, if their
hard drive walks away, a laptop, for example, is probably the most
common use, but also in large data centers where you have huge arrays,
if you can encrypt that entire array, if somebody sends a drive back for
repair, you do not have to report it as a breach if it disappears, so there
is the data at rest encryption. Data in transit, the VPNs and so forth,
are really an emerging area, because they can create tunnels, which
people are very attracted to because, in theory, you can create an
extension of your own environment to another facility somewhere else.
The problem with all of this is the key management, again,
back to trust, you are giving someone else control of your
environment, and you have to be careful that you do not give them
so much control that they have all of your keys and you have no
way of proving that somebody in that environment was not abusing
your keys. In essence, I like to give the example of a plumber.
Some people say that in order for this environment to work, an
Amazon or a Google, for example, they will have a plumber that
is in your house all the time to make sure that your plumbing is
working, that is a huge risk, if you leave to go to work during the
day and that plumber is at your house going through your files,
looking in all of your drawers, opening things up, and they have
complete access to all of your environment, just because you
need your plumbing working.
Jo Maitland: Is there a way to have them there a portion of the
when they need to upgrade software, or whatever, then they leave
Davi Ottenheimer: There are several levels of security and
levels of defense that you can put in place. One is tamper-proofness,
there are old models of this in operating systems and elsewhere,
where if they do go into a room then you have a way of setting a
trigger that says they have entered this space. If they have to take
ownership, for example, that would be an even higher trigger, so if
they need to, basically, take over an area and call it their space, you
would have a way of alerting yourself or someone else to go and
make sure that they are monitored or someone reviews their work
afterwards to make sure nothing strange has happened. Another way
of doing it is just by creating an impossibility, like, you create an
encryption box that you only have a key for, again, that is the six-sided;
they cannot get in unless you are there, also, two keys that are
required at the same time, dual control, for them to get in and do
The problem is, in a cloud environment, their mission a lot
the times, is availability. By putting these controls in place,
the tamper-proofness allows them to do their work, but allows
for review afterwards, but a preventive control that prevents
them from getting into an area can disrupt their ability to
create the availability that may be their objective.
Jo Maitland: It slows everything down.
Davi Ottenheimer: Correct. So they may object to that,
and not allow it.
Jo Maitland: You are back to the issue, which has always
been the case, really good key management processes.
Davi Ottenheimer: That is right. In order to manage the keys,
again back to the bucket, or this six-sided box, if people are able to
dip in and do things, then they are able to get the keys, for example. If
you have a virtualized instance that is running inside an environment,
that is on top of an infrastructure that you really have no control over,
the person who runs the infrastructure below you may have the ability
to watch all of the traffic, to take all of the information, or dip in and get
the information out of your environment. Keys have to be protected by
other keys, and so forth. One solution to that, that people are looking at,
is ways that they can take those keys out of that environment and only
use those keys coming in and opening up themselves, not allow
providers the ability to open up their information or to decrypt that
Jo Maitland: It seems like this is a really complex problem,
people are working on it. I can see a lot of IT guys saying, ‘If it is
this much trouble, is cloud computing worth it? Let us just keep
everything in-house where we do have control of it, where we
can see it, put our arms around it.’
Davi Ottenheimer: That is definitely a point that comes up.
think there are two parts that I like to talk about. One, is how
the cloud, so far, has been driven by the advanced group or
the early adopters, and that is mostly developers. Developers
have an objective for rapid scalability, because, obviously, the
more people that use their product, the better; that is a sign of
success for them. Whereas people who are maybe slower to
adopt are most IT infrastructure looking at availability. Rapid
adoption is not the key for them, growth is not the key, it is rather
being able to move things very carefully and reduce risk around
downtime. They may say, ‘Why are we even moving into this
environment today, because today it is mostly
focused on development requirements and developer needs.’
As the cloud evolves to address the needs of the IT group and
their availability requirements, then I think it will make sense to
them, to move.
You can say, in a lot of cases, it is already there, because
abstraction layer means that they can move their entire
environment from one area to another area, and it will be
exactly the same, so the recovery point and the recovery
time objectives are much better. They will have a way faster
recovery and a more complete recovery because it is in a
cloud or a virtualized environment, so it is going to be advantageous,
versus what they are doing now. A big part of this too, is not only
to serve the developer versus the infrastructure communities, but
also I think that you end up with an opportunity to, again looking at
encryption as an example, hardware abstraction. Acceleration for
SSL, or acceleration for IPsec, for VPNs and so forth, is probably
going to be one of the tougher problems to solve right now, because
if you have to turn it on everywhere in the virtualized environment it
may be slow in software versus, in the old days, they used to be able
to deploy hardware acceleration. It creates an opportunity for growth
and innovation in the cloud again to look more at the IT operations
side of things.
Jo Maitland: Have you seen any advances yet in cloud security,
technology front that you think is interesting?
Davi Ottenheimer: People used to accuse me of being a
because I would say, ‘Cloud has to catch up to auditors,’ and
everybody else was saying, ‘Auditors have to catch up to cloud.’
In reality, I think the exciting areas of cloud, where there is
innovation or new challenges, are trying to address old audit
requirements. Some compliance requirements, for example, say
that you have to have a stable firewall in place, so there is a push
now to have stable firewalling made simpler, easier to automate
and manage within the cloud. Another example is layer two
firewalling, so you can do things below layer three, and below IP,
and so forth; that is another area.
It is a double-edged sword, of course, because someone who
has control of those devices in a cloud can also have control of
a lot more information. I think the interface also, from the view
that you are only coming in through a virtual interface now and
never through a physical interface, also creates opportunities for
multi-factor authentication, not just two-factor, but three and
four-factor authentication, literally. Things that have been
developed in the past for super secure environments, such as
hospitals, where patient data is on the line, there is a lot of risk
maybe translated into a cloud environment, because they have
been developed there, but now they make a lot of sense, because
the remote interface is so critical to your entire operation.
Jo Maitland: Awesome. Davi, thank you for being on the show.
Davi Ottenheimer: Thank you.