Focusing on the Application is Key to Sound Security in the Cloud
Edited transcript of a sponsored podcast video presentation from the RSA Conference on cloud
computing and how it affects and is affected by security concerns.
Dana Gardner: We're in San Francisco, at the RSA Conference, to talk about security and
cloud computing. I'm Dana Gardner, Principal Analyst at Interarbor Solutions,
your host and moderator for today's special sponsored podcast video
We're going to look at the intersection of cloud computing, security, Internet
services, and Internet-based security practices to look at the difference between
perceptions and reality.
Today's headlines are pointing towards more sophisticated and large scale malicious activities
and, for some folks, the consensus seems to be that the cloud model and vision is certainly not up
to the task when it comes to security.
We're going to look at why security counts, not only as a risk, but also as an amelioration of risk.
We're going to talk about how security is not something that is part of the cloud or part of the
enterprise, but cuts across all of these different aspects of IT.
When we think about the idea of security, we're not thinking about distributed defense only.
We're not talking about the edge only. We're talking about best practices across all aspects of IT.
Join me in welcoming our panel. Here to look at the reality versus the perception is Chris Hoff.
He is the director of Cloud and Virtualization Solutions at Cisco Systems.
Chris Hoff: Thanks, Dana. Great to be here.
Gardner: And Jeremiah Grossman, the founder and Chief Technology Officer at WhiteHat Security.
Jeremiah Grossman: Thank you very much for having me.
Gardner: And, Andy Ellis, the Chief Security Architect at Akamai Technologies.
Andy Ellis: Great to be here, Dana.
Gardner: As I mentioned, we're looking at security across a wider spectrum. People have honed
in on the cloud and said, "Wow, that can't be secure. I can't put data and applications there and
expect it to be mission critical and reliable. I can't expect people won't be able to get to it if they
want to, if they tried hard enough." Is there a gap here between perception and reality, or are we
not looking at the problem in the right context?
Ellis: Absolutely. There's a huge gap in what people think is secure and what people are doing
today in trusting in the security in the cloud. When we look at our customer base,
over 90 of the top 100 retailers on the Internet are using our cloud-based
solutions to accelerate their applications, and what's more mission critical than
expecting money from your customers?
At Akamai, we see that where people are saying, "The cloud is not secure, we
can't trust the cloud," at the same time, business decision makers are evaluating
the risk and moving forward in the cloud. A lot of that is working with their
vendors to understand their security practices and comparing that to what they
would do themselves. Sometimes, there are shifts. Cloud gives you different capabilities that you
might be able to take advantage of, once you're out in the cloud.
Gardner: So, 12, 15 years ago, people were saying, "I can't use my credit card on the web. I
can't do eCommerce. I can't do retail sales." We've seen quite a bit of that. Tell us a little about
Akamai and what you do and why that was relevant to the web now and perhaps is relevant to
the cloud or the web then and the cloud now.
Ellis: At Akamai we have a network of over 61,000 servers, distributed in about 950 different
networks around the world. Our customers use those servers to deliver
content, accelerate their applications to their end users, and take
advantage of the cloud-based computing inherent in our servers to gain
capabilities they wouldn't have otherwise.
For instance, recently we added our web application firewall, which
permits our customers, just at the click of a button, to have an application firewall running all the
way out at the edge of their network. We look at that and say, "This is a great opportunity for our
customers to quickly scale, deal with the cloud, and gain those advanced capabilities."
People, as you noted, used to say, "Oh, credit cards aren't secure on the web. I will never do
that." At the same time, you saw people using credit cards online. People weren't necessarily as
happy about it, until they gained that level of comfort. I think that's an area where people are a
little resistant to change.
We see cloud computing, and everybody jumps to big heavyweight cloud computing, that
virtualized server out at the edge. There is a whole spectrum of capabilities in between
virtualized server and just delivering some content that people take advantage of and are doing
Gardner: Do you think that cloud computing is the problem, the solution, or both to security?
Ellis: I don't think it's either the problem or the solution. It's a piece of the solution. It's a piece of
the problem. People look at how to secure applications. Sometimes, people get very comfortable
with a given security model. They say, "This is how I've done business for the last year. This is
how I will secure it."
You say, "Well, you could do business in a different fashion." Often, that's driven by a business
owner inside a company. They see an opportunity to accelerate their revenues and reduce their
cost, but it has to change the model that people think about. I don't see that as a problem of
security. I think the bigger problem is that sometimes we're resistant to change.
Gardner: Jeremiah, WhiteHat Security takes it upon itself to find what's wrong with the security
in certain organizations and you focus on it. First, tell us about WhiteHat and then also tell us
what people should be worried about, when it comes to cloud computing. Is this a different
problem set when it comes to security?
Grossman: WhiteHat Security is in the website vulnerability management business. Our job is
to assess the security of a website, as it exists in an operational environment,
to get the same point of view that a hacker would if they tried to break in.
Our job is to find those vulnerabilities ahead of time and help our customers
fix those issues before they become larger problems. And if you look at any
security report on the web right now, as far as security goes, it's a web
security world. Bad guys have broken into website after website after website
and stolen everything that they possibly can. Our job is to help stop that
and measure the security of the web.
Gardner: What's different about cloud computing? As people look to do more applications and
infrastructure in the cloud, should they be thinking about the same level of security that they
would with their website -- or is this a different problem set?
Grossman: An interesting paradigm shift is happening. When you look at website attacks, things
haven't changed much. An application that exists in the enterprise is the same application that
exists in the cloud. For us, when we are attacking websites and assessing their security, it doesn't
really matter what infrastructure it's actually on. We break into it just the same as everything else.
What's different among our customer base is that they can't run to their comfort zone. They can't
run to secure their enterprise with firewalls, intrusion detection systems, and encryption. They
have to focus on the application. That's what's really different about cloud, when it comes to web
security. You have to focus on the apps, because you have nothing else to go on.
Gardner: Chris Hoff, not only are you active in cloud solutions at Cisco, but you are a founding
member of the Cloud Security Alliance (CSA). So, this is something you have been focused on.
When we look at cloud services, we're talking about the livelihood of the cloud provider. If they
don't do security well, they're not going to last very long. Is there a different level of competency,
a higher bar, for a cloud provider than for a typical enterprise? And, is that part of the solution?
Hoff: That's an interesting question, because in many cases we use the term cloud and cloud
computing synonymously. Depending upon the conversation you're having,
cloud computing could be a noun, a verb, or an adjective. Why that's
important is that there is no such thing as the cloud. There's not a single thing
to which you could point to suggest that there is a common implementation
and deployment model for cloud computing, which is an operational model,
not a technology.
The reason that's important to your point is that, when you look at a cloud
provider, they could be in the business of providing software-as-a-service (SaaS), which, in
many cases, has emerged from plain old web (POW) apps that don't have many of the technical
characteristics that one would associate with cloud computing -- elasticity, dynamism, self-service.
They are just Internet connected web apps, SaaS. But then, there's a new generation of
SaaS that's actually based on a lot of this flexible infrastructure that powers these very dynamic
In that case, where a vendor who is a SaaS supplier manages the entire stack infrastructure,
applications, and content, we have over time come to put a great deal of trust in the sanctity of
the operations security, confidentiality, integrity, and availability of those services. There's not a
whole lot new in that business.
For example, if you're trusting your sales figures context, and you have for years, that provider,
whether they're cloud based or not, has a particular set of service level agreements (SLAs) that
they strive to hit, regardless of whether they brand themselves cloud or not.
The further down the stack you go, to platform and infrastructure-as-a-service (IaaS) providers,
in many cases, those providers are in the business of maximizing availability, and give you the
most robust, scalable, high performance, and available set of resources. But, confidentiality and
integrity, the applications and data that Andy and Jeremiah were speaking to, are really still the
responsibility of the business owner.
Those cloud providers -- cloud service and cloud computing providers -- are in the business of
making sure that they can offer you really robust delivery. At this time, they focus there. We have
a challenge to take everything we have done previously, in all these other different models, still
do that, and deal with some of the implementation and operational elements that cloud
computing, elasticity, dynamism, and all this fantastic set of capabilities bring.
We in the security industry in some way try to hold the cloud providers to a higher standard. I'm
not sure that the consumer, who actually uses these services, sees much of a difference in terms
of what they expect, other than it should be up, it should be available, and it should be just as
secure as any other Internet-based service they use.
So, we get wrapped around the axle many times in discussions about cloud, where a lot of what
we are talking about still needs to be taken care of from an infrastructure and application
Gardner: I want to focus on this notion of things being done differently now with cloud
computing and its various permutations. You alluded to this as well Andy, in terms of a paradigm
As I understand it, if you're a SaaS provider, you have full control over the entire stack and you
can control and manage security appropriately. If you're an enterprise, similarly, you have
complete control over what happens inside your firewall, you can manage your perimeter. But
now we're talking about cloud computing as a hybrid, where some aspects of what you are doing
may be on-premises and other aspects might be on a single provider or a variety, and the network
is the go-between.
What’s different now, Andy, about managing this from a security perspective? Who is in charge?
Who can be in a governance role to oversee that spectrum across a hybrid affair?
Ellis: Ultimately, the data owner, the business who is actually using whatever the compute cycles
are. As Chris alluded to, it used to be that people would fall back on certain types of security to
deal with their issues. Jeremiah also alluded to that as well.
That’s the challenge for people who are moving out to the cloud. That area may be in the
purview of the provider. While they may trust the provider, and the provider has done the best
they can do in that arena, when they still see risks, they can no longer say, "I'll just put in a
firewall. I'll just do this." Now, they have to tackle a really sticky wicket. Do you have a safe
application wherever it lives?
That’s where people run into a challenge, "It’s cloud. Let me make the provider responsible."
But, at the end of day, the overall risk structure is still the responsibility of the business.
Gardner: At WhiteHat, if you were to look at the application, would you be able to go back and
say to the service provider, "Listen, you don’t want to let that application in, because it hasn’t
been architected properly?" Do you think that the providers of cloud services need to be taking a
governance role in deciding what applications should or shouldn’t be allowed to live in their
It's not yours
Grossman: To piggyback on what Andy said, something has been lost. When you host an
application internally, you can build it, you can deploy it, and you can test it. Now, all of a
sudden, you've brought in a cloud provider. At somebody else’s infrastructure, you have to get
permission to test it. It’s not yours anymore.
Actually, one of the big things out there is a right to test. You have no right to test these
infrastructure systems. If you do so without permission, it's illegal. So, you have lost visibility.
You've lost technical visibility and security of the application. When the cloud provider changes
it, it changes the risk profile of the application, but you don’t know when that happens and you
don’t know what the end result is. There's a disconnect between the consumer, the business, and
the cloud computing provider or whatever the system is.
Gardner: Chris, are we talking about more of a level of complexity, the complexity being how
you secure a cloud-based activity versus on-premises activity? Is that complexity something that
plays into risk, and therefore people should be more concerned about cloud-based activities? Are
we getting ahead of ourselves?
Hoff: Going back to the statement I made about getting wrapped around the axle, what’s been
interesting over the last year is that we as an industry, or just in general, have been so focused on
what is cloud computing that we have forgotten the more important point, which is, how can we
use cloud computing?
You alluded to a hybrid model, on-premises, off-premises, enterprise, self-governance of
controls, at the perimeter or the edge, and then outsourcing things with hosting and collocation
and SaaS. The last time I checked, we have been doing that for about 10, 15 years, probably
To your question, the complexity has come about when we've tried to adapt new or relevant
advances in technology and associate them in some sort of branding. I like to say that if your
security stinks before you move to the cloud, you will be pleasantly unsurprised by change,
because it’s not going to get any better or probably not even necessarily any worse, when you
move to cloud computing.
It's important to really take a look at what you already do, in terms of practices, extranets, how
you integrate business partners, and the hybrid model of access -- the blurring, with
consumerization of IT. Is this a work device, is this a home device, where do I access it from,
how am I using the information?
Cloud computing has become a fantastic forcing function, because of what it's done to the business
and to IT. We talked about paradigm shifts and how important this is in the overall advancement
The reality is that it causes people to say, "If the thing that’s most important to me is information
and protecting that information, and applications are conduits to it, and the infrastructure allows
it to flow, then maybe what I ought to do is take a big picture view of this. I ought to focus on
protecting my information, content, and data, which is now even more interestingly a mixture of
traditional data, but also voice and video and mixed media applications, social networks, and
The complexity comes about, because with collaboration, we have enabled all sorts of fantastic
interconnectivity between what was previously disparate, little mini islands, with mini perimeters
that we could secure relatively well.
The application security and the information security, tied in and tightly coupled with an
awareness of the infrastructure that powers it, even though it’s supposed to be abstracted in cloud
computing, is really where people have a difficult time grasping the concepts between where we
are today and what cloud computing offers them or doesn’t, and what that means for the security
Gardner: So, it sounds as if the emphasis on security is being elevated. We used to look at
securing components or parts or maybe a stack, if we were really good. Now, we're talking about
securing a process. We're looking at security from a different vantage point and elevation. That
might be a good thing. That might give us better security, because we are thinking about it as a
function of a cloud-based activity. Does that make sense, Andy?
Ellis: Absolutely. There's a great initiative going on right now called CloudAudit, which is aimed
at helping people think through this security of a process and how you share controls between
two disparate entities, so we can make those decisions at a higher level.
If I am trusting my cloud provider to provide some level of security, I should get some insight
into what they're doing, so that I can make my decisions as a business unit. I can see changes
there, the changes I am taking advantage of, and how that fits my entire software development
It’s still nascent. People are still changing their mindset to think through that whole architecture,
but we're starting to see that more and more -- certainly within our customer base -- as people
think, "I'm out in the cloud. How is that different? What can I take advantage of that’s there that
wasn’t there in my enterprise? What are the things that aren’t there that I am used to that now I
have to shift and adapt to that change?"
Gardner: So, we're here at RSA, perhaps the premier security show. We've been talking about a
lot of interesting things this week. One of the things that jumped out at me was an announcement
from the CSA that prodded enterprises to be thinking differently about security.
One of the things that really grabbed me was to help secure other forms of computing, being
cloud-based in your security emphasis. How does that work? How is it that you can focus on
cloud-based security and have it trickle down, if you will, and make you more secure across all
of your IT activities?
Hoff: As I alluded to previously, cloud computing, depending on who you talk to, encompasses
almost everything; your kitchen blender, any element that you happen to connect to your
enterprise and your home life.
There are really two views, when it comes to defining cloud computing, as it relates to your
question. There is the technician and the clinician’s view, which is very empirical, has lots of
layer, stacked models, things that IT professionals can relate to in ways that allow us to break
things down and be very analytical. They have delivery models, service models, and essential
characteristics. It's a great thing to sit there and debate on Twitter.
What’s really interesting is the juxtaposition of the consumers' view, which basically and simply
stated says that anything that connects to the Internet on any device that interacts with my
information or data in any way is also cloud computing.
So, you look at those two things, you juxtapose, and you are not going to tell your customer
that they're wrong. You could try. It’s like jousting with windmills. But trying to reconcile those
two things is very important, because, when we think about the opportunities here, the reality is
that cloud computing offers us a tremendous set of benefits from the perspective of flexibility
and agility. In some cases there are cost savings. Sometimes, it might cost more. That is just
Anything with the word dynamism in it, that’s dynamic, doesn’t compute quite literally, as it
relates to how we think about security today. So, what’s happening ultimately is an adjustment
on focusing in on the information.
Regardless of how I use the information, cloud computing, could secure other forms. Take your
smartphone, for example. You think of that now as an amazingly rich and capable platform for a
computing experience, which it is. Is that cloud computing? In many cases, people would say
We focus a lot on the backside -- moving parts of data centers, IaaS, and we get wrapped around
the axle on how it's important to IT. Consumers could care less whether it's running on a blade
server, distributed in 1,000 countries, or in outer space. What they care is that the services are
What we're learning today is that if we secure our information and applications properly and the
infrastructure is able to deal with the dynamism, you will, by default, start to see derivative
impacts and benefits on security, because our models will change. At least, our thinking about
security models will change.
Gardner: So, the expectation of the consumer is perhaps the starting point and you need to back
up from there. The consumer’s expectation has been, "I want to be able to do everything I can
possibly do on this mobile device, no matter where I am, and I don’t care what's between me and
that application, that's somebody else’s problem." Here we are on the IT side, thinking, "Now we
have to adapt to that."
Jeremiah, is there going to be a market advantage for companies that accept as their reality and
their vision that we need to look at security through a different lens, we need to look at cloud
computing as the future, recognize the expectations of the consumer and the business and
channel partners that we deal with? If we do that right, are we going to be able to leapfrog our
Awareness of break-ins
Grossman: What I've seen in the last couple of years is that what drives security awareness is
break-ins. Whether the bad guys are nation or state-sponsored actors or whether they are
organized criminals after credit card numbers, breaches happen. They're happening in record
numbers, and they're stealing everything they can get their hands on.
Breaches make headlines. Headlines make people nervous, whether it's businesses or consumers.
When a business outsources things to the cloud or a SaaS provider, they still have this nervous
reaction about security, because their customers have this nervous reaction about security. So
they start asking about security. "What are you doing to protect my data?"
All of a sudden, if that cloud provider, that vendor, takes security seriously and can prove it,
demonstrate it, and get the market to accept it, security becomes a differentiating factor. It
becomes an enabler of the top line, rather than a cost on the bottom line.
Gardner: Trust is a very important business advantage. We've seen that in the auto industry to a
disadvantage recently. If you are in the Internet services side of things, trust is going to be
perhaps assimilated with your brand for better or worse. Andy, what should our audience know
about cloud-based security solutions in order for them to take advantage of these but without
being subjected to the risk?
Ellis: I like to look at security as being a business enabler in three areas. The obvious one, we all
think, is risk reduction. How can I reduce my risk with cloud-based security services? Are there
ways which I can get out there and do things safer? I'm not necessarily going to change anything
else about my business. That's great and that's our normal model.
Security can also be a revenue enabler and it can also be a protection of revenue. Web application
firewalls are a great example, as are fraud mitigation services. There are a lot of services available
through the cloud that can be used to protect your brand and your revenue against loss, but also
help you grow revenue. As you just said, it's all about trust. People go back to brands that they
trust, and security can be a key component of that.
It doesn't always have to be visible to the end user, but as you noted with the car industry, people
build the perception around incidents. If you can be incident free compared to your competition,
that's a huge differentiator, as you go down into more and deeper activities that require deep trust
with your end users.
Gardner: Let's get to the heart of the matter here. What is it that really should concern people,
risk-wise, about moving to a cloud model? What is it technically that is different? And, if it's not
technical, what is it about this paradigm shift of doing things differently that needs to engender
some kind of a change? What is it that we are facing?
Hoff: What's interesting about cloud computing as a derivative set of activities that you might
have focused on from a governance perspective, with outsourcing, or any sort of thing where you
have essentially given over control of the operation and administration of your assets and
applications, is that you can outsource responsibility, but not necessarily accountability. That's
something we need to remember.
Think about the notion of risk and risk management. I was on a panel the other day and
somebody said, "You can't say risk management, because everyone says risk management." But,
that's actually the answer. If I understand what's different and what is the same about cloud
computing or the cloud computing implementation I am looking at, then I can make decisions on
whether or not that information, that application, that data, ought to be put in the hands of
In some cases, it can't be, for lots of real, valid reasons. There's no one-size-fits-all for cloud.
Those issues force people to think about what is the same and what is different in cloud
Previously, you introduced the discussion about the CSA. The thing we really worked on initially
were 15 areas of concerns, and they're now consolidated to 13 areas of concern. What's different?
What's the same? How do I need to focus on this? How can I map my compliance efforts? How
can I assess, even if there are technical elements that are different in cloud computing? How can
I assess the operational and cultural impacts?
As an industry, the security industry, we come about with novel and interesting ways every once
in a while. Sometimes they're big, sometimes small, revolutionary/evolutionary, incremental
ways to solve some of these problems. As we're forced into these new models, we will continue
to do so.
Businesses have the challenge of what this means to their staff -- how they transfer things and
interact with legal and HR and their contractors. Some of it you've still got to build in, and some
of it you use RFP and contracting. That’s an interesting dynamic that has been moved more and
more to a model where you are distributing your applications and content.
Gardner: Is it fair to say that a security problem is fundamentally a management and
Hoff: It ought to be treated or thought about that way. Part of the problem is that we don’t. We,
as an industry, and in many cases those that are responsible for what they think is securing assets,
immediately drop down into kind of a realm of technology. It becomes a discussion about tools,
and that’s problematic, because for the business, the consumer, it's a different language. They
don’t care. They just want to know that their information is safe.
Gardner: Jeremiah at WhiteHat Security, let's put on a black hat for a minute. Say you're a bad
guy. Maybe you're a foreign organization, military, or government, or competitor. You want to
get inside. You want to find out what's going on or steal some intellectual property. Maybe you
want to get access to some email. People are doing cloud-based activities. Where are you going
to go to look for those cracks, those weaknesses?
Grossman: Fortunately or unfortunately, from a cloud computing standpoint, all the attacks are
largely the same, whether one application is here or in the cloud. You attack it directly, and all
the methodologies to attack a website are the same. You have things like cross-site scripting,
SQL injection, cross-site request forgery. They are all the same. That’s one way to access the data
that you are after.
The other way is to get on the other half of web security. That’s the browser. You infect a
website, the user runs into it, and they get infected. You email them a link. They click something.
You infect them that way. Once you get on to the host machine, the client side of the connection,
then you can leverage those credentials and then get into the cloud, the back-end way, the right
way, and no one sees you.
They can't see you
That’s the interesting thing from a black hat perspective. They can't see you. When it's in a cloud
operating model, they lose visibility. There are no intrusion detection systems. You really don’t
know who accessed your data and, when there is no visibility, even though they think they
deleted their data, they really didn’t. There is a great big undelete button in a lot of these systems.
That’s what we're looking at.
Gardner: If we look at that now not through a technical lens, but that organizational and
management lens, when you're probing around as a bad guy, what's going to make it likely that
you are going to find what you want? Is that going to be a lapse of best practices, or is it
technology, both? How do you protect yourself?
Grossman: It's going to be that visibility question. It's how can the provider tell you or inform
you when things change? What the security posture is of the organization? When somebody
accesses my hosted email account, can you tell me when? Or even on the insider threat side, can
they tell you how many people have access to your data in their organization; because they are
just as at risk of compromise on their desktops as you are. So those are all going to be very important
questions to get visibility, not only at the point in time, but all the time.
Gardner: Andy Ellis, as a network services provider at Akamai, what is it that you can do or
perhaps take on a different role so that you can look out for your customers in such a way that
those cracks, those weaknesses, are less likely?
Ellis: A lot of what we try to do is build a wrapper in a sandbox around each customer to give
them the same, consistent level of security. A big challenge in the enterprise model is that for
every application that you stand up, you have to build that security stack from the ground up.
One advantage cloud does give you is that, if you are working with somebody who has thought
about this, you can take advantage of practices that they have already instituted. So, you get
some level of commonality. Then, if a customer sees something and says, "You should improve
this," that improvement can affect an entire customer base. Cloud has a beneﬁt there to match
some of the weaknesses it may have elsewhere.
Historically, in the enterprise model, we think about data in terms of being tied to a given
application. That’s not really accurate. The data still moves around inside an enterprise. As
Jeremiah noted, the weak point is often the browser. Compromise the client, and you get access
to the data.
As people move to cloud, they start to change their risk thinking. Now, they think about the data
and everywhere it lives and that gives them an opportunity to change their own risk model and
think about how they're protecting the data and not just a specific application it used to live in.
Gardner: Some of the thinking out there, as I observe, is around the idea that this data is stuff I
can put in the cloud, because it's not that important to me, but that is very sensitive data, and I am
going to keep that on-premises. Is that the wrong way to look at things?
Not thinking in depth
Ellis: I often think it is, because sometimes that shows people aren’t thinking about it in depth.
As we noted earlier, a large fraction of the Internet retailers are using cloud for their most
mission critical thing, their financial data, coming through every time somebody buys something.
If you are willing to trust that level of data to the cloud, you are making some knee-jerk reaction
about an internal web conference between 12 people and a presentation about something that
frankly most people aren’t going to care about, and you are saying, "That’s too sensitive to be in
the cloud." But, your revenue stream could be in the cloud. Sometimes it shows that we think
parochially about security in some places.
Gardner: We maybe break it up between transactions and data when we should be thinking
about securing it generally?
Gardner: James Fallows, in the most recent Atlantic Magazine, points out that many security
experts like yourselves, expect the equivalent of a 9/11 in terms of cyber security. Should there
be such a breach that creates some sort of a reckoning or rethinking, will people gravitate toward
cloud for security or away from it, in your opinion, Chris?
Hoff: I was asked actually to comment on that article. I wondered if the author has actually read
the Verizon Breach Report, because there are mini 9/11s every single day.
Everyone likes to talk about catastrophe, Armageddon, and apocalypse. It's fun. It creates
headlines. We have seen the emergence of everything, as Jeremiah pointed out, from nation-
state-sponsored espionage, laden with political intrigue and geopolitical overtones. Is that not
important? Is that not a 9/11? How do you measure the impact? Is that death? Is it millions of
pieces of personal information released? Is it millions of credit cards? Because if it's any of
those, that happens every day.
Gardner: Let’s say it's something that really grabs the attention or the imagination of the general
Hoff: Will there be a single event? Perhaps. Will it do much to change people moving to or from
cloud computing? Probably not. What are you going to move to or back to? Depending upon
your definition of cloud computing, you probably are engaged in many different variations of it
and I can't fathom the economic cost of what it would mean to abandon an entire computing
What it might do is drive awareness. We're actually doing a very good job, especially given the
innovation shown typically by the U.S. government, which in many cases you don’t think of as
an early adopter, pushing the boundaries, pushing the thought processes, where a mistake, as it
relates to security and information, could mean death. It could mean the compromise of national
If they're looking at the model, working backwards from the worst sets of outcomes, and
thinking about how, when applying risk, they should or shouldn’t move things, then the notion
that translates back to the rest of the community. We're talking about how we secure a paradigm
closer to its arrival on the scene than we ever have in any other model. We're much better
prepared to deal with and solve some of these problems than we ever have been before.
So, I don’t believe that we will suffer a catastrophe that will cause people to completely abandon
cloud. I think that’s ludicrous.
Gardner: Jeremiah, do you think that this notion of an awareness event of some kind will
change perceptions, or do you think that if it's good enough for the U.S. government and military,
it should be good enough for corporate 2000 businesses and therefore it is going to continue to
be good enough?
No singular event
Grossman: That's an interesting question. I don't think there is going to be a singular cyber
event that's going to cause massive physical world destruction and loss of life. I am not a
believer on that one. If that were to occur, it would probably be a precursor to actual war. A
computer and cyber attack is just a weapon. There would have to be something that goes along
It's not to say that security events or lapses in application security or application quality haven't
caused loss of life before. Mistakes and bugs have done that, but from an organized crime
standpoint, there is no money in that. They're not looking to down systems and lose control. They
want control. They want visibility. They want it to stay up. They even want us to make money,
because they will capture some of it.
Gardner: More of a parasite than an attack, right?
Grossman: Yeah, absolutely.
Gardner: The host needs to be well enough for the parasite to survive.
Grossman: They will grab as much as they can, but they are not looking to destroy the system.
Even nation and state-sponsored activities want command and control, they don't want
destruction, at least not initially.
Gardner: So, this notion of moderate risk, managed risk, acceptable risk, Andy, are we there and
will we continue to be there, and will cloud computing allow for that risk to be always an
Ellis: In some cases, we are there, and in some cases, we are not. We're moving and we're
definitely getting better. As Chris noted, every day there are attacks and every day there are
challenges and every day people face them. That's a great sign.
Cloud computing changes the model for people and, in some ways, it forces them to think
differently. That helps them look at what they're doing today. Maybe we were accepting risk that
was unacceptable before, and cloud computing just opens our eyes to that level of risk, and we
say, "Let's do something a little different."
As for the question of that giant event that will change the way we think about risk? I often think
that's wishful thinking, as macabre as that may sound, on the part of people who have had a hard
time getting others to look at risk differently. They sort of hope that maybe people will change
their mind if something really bad happens. But, the reality is that we can't wait for that, and in
fact, we don't want that to happen. It's our job to make that harder for an adversary to do.
We don't want that and we don't want to wait for that to change people's minds. It's our job as a
community to help people grow and to help them manage the risks that are appropriate to them,
in appropriate fashion.
Gardner: So, where to get started? If you're thinking about security differently, if you recognize
that the cloud is here to stay, that it has significant productivity benefits to you as an organization,
that your end users, your consumers, are expecting this, and that their expectations are actually
increasing rather than decreasing around what the cloud can provide, where do you get started?
How do you change in order to keep up with this risk and keep
Understand your own business
Ellis: The first thing you have to do is to understand your own business. That's often the first
mistake that security practitioners may make. They try to apply a common model of security
thinking to very unique businesses. Even in one industry, everybody has a slightly different
You have to understand what risks are acceptable to your business. Every business is in the
practice of taking risk. That's how you make money. If you don't take any risk, you're not going
to make money. So, understand that first. What are the risks that are acceptable to the business,
and what are the ones that are unacceptable?
Security often lives in that gray area in between. How do we take risks that are neither fully
acceptable nor fully unacceptable, and how do we manage them in a fashion to make them one or
the other? If they're not acceptable, we don't take them, and if they are acceptable, we do.
Hopefully we find a way to increase our revenue stream by taking those risks.
Gardner: Jeremiah, same question. Where do you start? How do you get the right balance and
Grossman: Andy is absolutely right. You have to understand your business and where the value
is. One of the things to look at is what assets you hold. What is it worth to you? And, you begin
What's interesting about security spending versus infrastructure spending or just general IT
spending is that it seems security is diametrically opposed to the business. We spend the most
money on applications and our data, but the least amount of security risk spend. We spend the
least on infrastructure relative to applications, but that's where we spend the most of our security
dollars. So you seem to be diametrically opposed.
What cloud computing does, and the reason for this talk, is that it flattens the world. It abstracts
the cloud below and forces us to realign with the business. That's what cloud will bring in a good
way. It's just that you have to do it commensurate with the business.
Gardner: Cloud computing forces you to consider security from soup to nuts, from the
beginning, the middle, and an ongoing value for your business, not just your IT.
Gardner: Interesting. So, the question also to you, Chris, where do you get started? How do you
keep risk managed and keep it there?
Giving up control
Hoff: Cloud computing ultimately is about gracefully giving up control. Control is not the same
thing as trust and is not the same thing as security, in terms of definition. When you look at the
notion of trust, which is really what we talk about when we talk about any situation where you
don't have ultimate ownership, or you don't have the ability to point to a particular location and
say, that's where my app and data lives, trust is really made up of security, control, compliance,
and service levels.
One thing that we haven't brought up here, but that I think is critical, is that in many cases,
when you basically give up control and you have the ability to enable self-service, the business
has a capability to not even have to talk to you, if you are in security.
They can take your credit card, they can run and pull up a web browser, and they can go
instantiate potentially hundreds of images on a public-facing cloud provider, using a shared
image that doesn't use any of your security controls, that has never been vetted, was uploaded as a
community service by somebody, and start instantiating your data on applications they had built
or that they downloaded from somewhere, and you would never know.
So, the point here from where you get started, is that, when you talk about knowing your
business, what that means is understanding whether you are a barrier to their ability to actually
conduct business. Were you to tell them, "No, you can't use cloud computing," first of all, how
would you stop them and how would you know? Getting engaged from a business and
organizational perspective is very critical.
The way that I've seen success start to propagate its way through a company is when the CEO
picks up the Wall Street Journal and says, "Oh, cloud computing. Andy, make that happen
tomorrow. Why aren't we doing this? Everybody else is. Saves us money. It's green. It's
whatever." This really gains a shared understanding of what cloud computing is.
The CSA guidance is fantastic. I've been in meetings with product managers, application
architects, the development staff, the CIO, the CTO, and, believe it or not, business unit leaders,
who say, "We're thinking about this cloud thing. What do we do? What does this mean to us?
Anybody knows the pragmatic discussions of what they do today, how they do it, whether they
think it's moving, what kinds of data, what kind of apps? And here is the risk. Do you have a risk
assessment framework? Yes, we do. Great, use it."
Look at the guidance and understand what this means. Quite honestly, the end message in these
briefings that I have with these customers is that cloud computing is not a destination. It's another
tick along the time axis here.
We think we are going to arrive at some point where we just stop, where cloud computing and
whatever we have today is the end. It's simply not going to happen that way.
One of the things I like to draw attention to is that I try to time things and discussions in business
terms, value terms, about three or four years ahead of the curve. We try to have discussions about
where things are headed.
In my keynote at the CSA, I was asked to talk about the future of cloud, and I thought it was kind
of absurd since we are barely in the present. But, what I talked about was the notion that where
we are massively recentralizing data and applications in these very huge mega data centers and
cloud providers, we are at the same time massively decentralizing applications and content on
smartphone platforms, on Netbooks, on things like new iPad delivery devices.
You have two completely different security models you have to deal with. If folks don't
understand that what's important again is the information or the content and how that affects the
business, they're not going to be able to make rational decisions. Security won't make rational
decisions. We'll end up in a car crash, and ultimately, the arbiter of all of this, the thing we
haven't talked about yet, is compliance.
So, if the regulators don't understand, if the auditors don't understand it, as much as you might do
a good job and be able to use cloud computing to your benefit, when they come in to do an audit
and they don't understand the business value in what you have done, you can't show them you
understand it, game over.
That's a huge issue for us right now. We're measured not on security and how well we do
security, but how we comply to standards, because we haven't done well in security, and that's
Gardner: Perhaps a distillation of that is to know yourself, and know yourself the way you're
going to be tomorrow, because you are going to change and the world around you is going to
Gardner: Very good. We've been talking about cloud computing and security. We're here at the
RSA Conference in San Francisco. I would like to thank our panelists: Chris Hoff, director of
Cloud and Virtualization Solutions at Cisco Systems.
Hoff: Thanks very much.
Gardner: I appreciate your input. We have also been joined by Jeremiah Grossman. He is the
founder and Chief Technology Officer at WhiteHat Security.
Grossman: Thank you very much for having me.
Gardner: Thank you. And also Andy Ellis, the Chief Security Architect at Akamai Technologies.
Ellis: Thanks, Dana.
Gardner: I'm Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks for joining this
special sponsored video podcast. Come back next time for more information on cloud
Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.