What can history teach us about securing the cloud?
Phillip Dunkelberger, president and CEO, PGP Corp.
At every step along the way during these transformations we've also developed a remarkable ability to adapt existing technologies to the dominant computing paradigms of the era. Examples of this include virtual computing concepts, the track pad, Ethernet, and the core concepts underlying client/server computing. The other thing we've had to do with each major change in IT architectures is to reinvent how we protect the data in those architectures.
In the mainframe era, walls and a good lock were sufficient. In the late client/server and early Internet days, a good firewall and current anti-virus software kept everything reasonably safe. Now, current best practices include the judicious use of firewalls, intrusion prevention systems, network access control, web security, endpoint protection, email security, vulnerability assessment, services, key management transformation…it's already a long list and now….”the cloud” comes along to negate a good portion of it.
The difference with this transition is that we have the opportunity and obligation to build security in from the start. In fact if we don't, enterprises will not be able to take advantage of the operating leverage the cloud offers. As such, data security is a key enabler of the migration to the cloud.
The compelling economic benefits from both a capital and operating perspective means that no one enterprise will be able to ignore the siren call of the cloud. All enterprise IT organizations will come under increasing pressure to leverage the efficiency, flexibility, reliability and disaster recovery advantages that cloud based computing offers. The problem for many organizations today is that there's little common understanding of just what best practices exist in terms of planning and executing a transition to cloud based architectures.
The one thing that is becoming clear, however, is that every enterprise will need to operate and secure more than one cloud environment. There will be hosted application clouds, infrastructure clouds, web hosting clouds, custom application clouds and even security as a service cloud environments. Each of these cloud environments will present potentially new vulnerabilities that hackers will attempt to exploit in pursuit of the data each holds.
While global enterprises have been managing their transition to Internet based solutions, the hacker community has been managing a transition of their own. For years the primary path of attack was to leverage vulnerabilities in the operating systems platforms. Trojans, viruses and rootkits were all designed to capture control of the platform and then carry out whatever nefarious operations for which they'd been designed. As operating systems became hardened and more secure, the hacker community moved on to attacking applications (most frequently the browser) or the users themselves via social engineering attacks. With hackers now essentially stockpiling zero-day threats it's clear that the internet will continue to be an increasingly dangerous place on which to do business.
What we'll likely start to see as the migration to cloud based computing continues is attacks on the security systems built to protect cloud based systems. The policy engines, key stores, and CAs will become the high value targets. Imagine the damage you could do if you can get a trojan or sleeper agent embedded in some neglected portion of a CA or LDAP directory used to store keys. One consequence of this trend is that security systems must be designed into each cloud appropriate to the role that each cloud plays AND these security systems need to live within the context of their own common “trust infrastructure” to allow them to interoperate and share information on active threats.
At PGP Corp. we believe that the best way to achieve this is to combine the best aspects of encryption and trust to create security infrastructure and solutions that can detect and repel attacks in real time. Encryption, in fact, has several key roles to play in securing the cloud. The first and most obvious is to create security that travels with the data as it moves about the cloud and in and out of the cloud to the increasing number of devices on which it must be used.
Beyond this primary role, however, encryption complements other security tools to allow them to achieve an even higher level of effectiveness. Encryption when combined with content awareness provides real time DLP remediation. When combined with a security policy engine, encryption can provide proof of compliance with current data breach laws. When combined with federated ID and authentication, encryption provides an audit trail of who has accessed what data and when. Finally, encryption when combined with trust, provides a guarantee of authenticity and provenance.
The other critical component required to secure the cloud will be to ensure that we have a comprehensive and highly interoperable trust infrastructure available. Only when people, devices, applications, and services can all authenticate to one another, will we be in a position ensure the integrity of the data and transactions that will take place in the cloud. In addition to this, each “mini-cloud” will need to be able to vouch for its users, applications, services and data in order to interact with other clouds securely.
There is no doubt that we are early in our journey to the cloud and we have some time to develop the security systems needed to fully leverage the promise of cloud based computing. But, this is one of those situations where time will move very, very quickly. If we don't focus on building this new computing infrastructure securely from the start, it will very soon become too late to ever secure it correctly.