Friday, April 3, 2009

Brief introduction to challenges in Cloud Security

For a lightning round at yesterday's New York Higher Education Technology Forum, I was asked to deliver a 10 minute introduction to "Some Information Security Challenges in Cloud Computing".

As I usually do when I present, I first write down the stuff I want to say, and then I create a presentation based on that text. The draft text is included in the body of this post, the presentation (slides + text) can be downloaded here.

Text: This presentation was heavily influenced by Christopher Hoff's SOURCE Boston presentation on Cloud Security and on Dan Geer podcast comments in which he said that "Somewhere in the past decade, it became far cheaper to keep data than to delete it selectively."

A direct consequence of keeping more and more data is that it becomes nearly impossibly to categorize and classify it. As a result, we must rely on search to find that one bit of information that we are looking for.

In itself, search can be a good thing. Business models like Google's have shown that effective search engines are perceived to be highly useful and search itself has taken the place of browsing in many places. Think for example of Gmail- while labels are supported, the preferred method of finding and retrieving email conversations is by using the search function.

If a lack of selective deletion of data leads to the (partial) disappearance of information classification, and if rather than through classification and browsing, we rely on search to find what we are looking for, a skilled opponent has an advantage that he can leverage through a disinformation strategy.

In other words, if we only see the things that we look for, a skilled opponent can either influence those search results to make us see what he wants us to see, or he can hide his tracks and we will never know about his presence in the first place. Information can literally become invisible.

There is another problem: most information security professionals use information classification to identify the assets that need to be protected the most. With classification becoming less effective, the same may be true for our risk posture.

The trend that our important information becomes less visible may only be amplified when we think of cloud computing.

Data is often moved off-site, and in some cases to servers that we do not control, or even have full access to.

As information security professionals, we must be aware of this trend and we must refocus on the processes that manipulate the data and on the people who participate in those processes.

When moving things "into the cloud", we must never forget that in the end, the security and privacy of information is still our responsibility, despite the fact that we may not be able to fully control it.

Many of our current technologies will be less effective; firewalls, intrusion detection/prevention systems, SIMs, vulnerability scanners, etc. will have to adapt to this new reality of the ultimate distributed information system.

The Cloud is really our next horizon.

The elimination of physical assets on-site is often quoted as one of the driving forces behind the adoption of cloud computing.

Since resources will be "out in the cloud", we will not have physical access to much of the cloud infrastructure.

As a consequence, because the security of information remains our responsibility, we will also have to rethink the way in which we manage the technical response to breaches of security.

Because of the lack of direct access to our IT equipment, organizations will not be able to conduct initial incident response scenarios that rely powering down compromised servers, taking forensics images, or rebuilding servers, without the assistance of a cloud provider.  Building a good relationship with cloud providers and establishing short lines of communication will become an important success factor in dealing with consequences of using the Cloud.

Many cloud-providers do no allow pre-emptive vulnerability scanning of cloud-hosted resources. Amazon's elastic cloud is such an example; its terms of service explicitly prohibit vulnerability scanning. Violating the terms of use may lead to the removal of a virtual machine, which in a cloud-world would be the equivalent to a power outage in the data center.

We must re-think preventing, detecting and containing security incidents.

As information security professionals, our job is to never say "No".

We must enable the primary processes of our organization in a way that the private information, unpublished research results, educational materials, and administrative data are protected against unauthorized manipulation or disclosure, and that they are available whenever needed.

 Especially in a higher education setting, we must be careful not to impose unnecessary constraints on our users. Our primary mission is Teaching and Research, and we must take care not to stifle Innovation and Academic Freedom. While these are sometimes thought of as directly opposed to what we as information security professionals do, we have to continuously realize that we are here.

Cloud computing will present new challenges, we know that it will become harder to directly observe data over our systems and networks, which makes it harder identify and classify information, and as a result to control as tightly as we were able to do when we had central information repositories. Yet, at the same time, most Universities are ideally situated to adopt a cloud model. Most of us are used to deal with highly decentralized organizations, scattered information sources, and conflicting requirements and data exfiltration points. In that sense, the cloud does not present us with anything new. We should be leading the way.

Having said all this, not acknowledging that Cloud Computing brings with it its own challenges---technical as well as from a governance perspective---would be a mistake. In order to ensure that the Cloud does not turn into a vicious thunderstorm, we need to start preparing now.

I look forward to talking to anyone who is interested in this topic, or any information security topic, later today.

No comments:

Post a Comment

Please share your view and opinions on what I wrote. In order to maintain quality, all comments will be moderated for merit. Contributions that call me out on statements that appear unfounded, wrong, or simply with which you disagree are highly appreciated and are even encouraged. Spam and 'me too' answers will be ignored.