
An overall white paper type overview of cloud security, where we are, and where we're heading

Published in: Technology, Business

What is the future of Cloud Security?
March 16, 2012
Author: Jonathan J. Spindel, Ph.D.
White Paper – Cloud Security

Summary

An open-ended question in every IT industry leader's mind is, “how do I operate in an open environment, allow for the maximum use of resources, and still keep a lid on security related issues”. Within Cloud Computing this question is even more prevalent, as we attempt to operate in an open environment, and still worry about security concerns. This new quandary holds validity, if the correct actions are taken to target attacks, which almost seem to be programmatically created for such a technology. In order to control and remediate emerging threats, we must adopt intuitive security policies and procedures, along with proactive defenses, while incorporating intelligent management to solemnize these processes. This paper will delve into those avenues, address pinpointed benchmarks, within the subjects of distributed computing security, capitalizing on the Private/Hybrid/Public Cloud topics, and the management/remediation of such issues.

Understanding the underlying complexities, as relates to information and data security, will help the reader expose their own concerns regarding internal and external security related concerns, as well as propose solutions that will assist in the remediation of those issues. It also addresses anxieties revolving around the adoption of outdated information security concepts, and solutions merging innovative ideas surrounding “intelligent” protocol and application behavioral analysis and pattern “DNA” matching techniques, utilizing more advanced computational tools.

In tandem with protocol and application behavioral analysis, these techniques will assist the reader in understanding the value proposition in using more advanced intelligent technology, and how that will add, and level out their apprehensions. By the end of this paper, the reader should be able to understand emerging threats, as they are rapidly changing, in succession, adopting new attack patterns, targeting application based computing, and assuming more lucrative attack scenarios.

Overview

Cloud Computing, as they say, is an old idea, officiated through new technology. The inclusions added over the years give distributed computing new depth, growing from an infantile rationality to what we view as a distributed cloud model, or fabric, today.

As history shows us, we transgress from the typical roaming profile to VDI (Virtual Desktop Infrastructure), from smartphones to mobile computing platforms, from virtualization to full elastic computing. As we grow and feel the pains of adjusting to such development, our security infrastructure must follow closely to account for changes. With this in mind, take a look at the technological hurdles we have leaped, through the mastery of innovation, and then visualize how security must follow.

Threats have become more brazen, and have targeted objectives; ones which, if overlooked, will have drastic consequences. We moved beyond the typical DOS (Denial of Service) attacks, to cyber-criminals targeting servers at the application layer; these emerging and advanced persistent threats are distributed with the sole purpose being monetary gain. Information or data theft has become one of the number one issues surrounding monetary loss from a corporate and end-user standpoint. [1]

With the increase in distributed architectures, such as cloud computing, we alter the direction of, not only how we achieve business IT objectives, but in the way in which we enable our internal IT establishments. The industry is seeing a gradual, yet definitive, shift towards these models as a whole, through not only the typical server venues, but also similarly the change in mobile computing. The “distributed model” has multiple issues such as scalability, application elasticity, orchestration, automation, etc.; these are not as difficult or complex as cloud security itself. Unlike legacy or local area computing, which communicates primarily through layers 1-4, Cloud is labeled as being much more application based and communicates primarily through layers 4-7 of the OSI model. There are also concerns regarding user, and usability, such as remote user authentication, to a much higher degree. This is taking data, or information security to a new parallel, understanding application communication, how these processes and protocols effectively communicate, and how to manage overall security for such fabrics. The underlying fact is that, because of this shift, attacks have transitioned from the traditional signatures to the more advanced attack scenarios, such as advanced persistent attacks (APT). [2]

In recent years, the security industry has been inundated with news of information theft or dissemination of internal proprietary data, penetrations resulting in catastrophic loss, through attacks programmatically engineered, targeting application based computing. These subjects are far outweighed by security vendors themselves having issues, with theft or loss of data, and the distribution of classified material, from multiple government agencies. Such concerns are mostly internal, and do not translate to hybrid or public cloud computing, not because it hasn’t, or could happen, but the under utilization of public resources. These anomalies can generally point toward fear of losing control over resources, and/or general mistrust of the public/hybrid cloud, due to overall lack of security or concerns regarding security capabilities as a whole. [3] As it stands today, cloud overall is an annual $37B enterprise, growing exponentially, to an estimated $121B by 2015 [4], and only a portion is related to Public Cloud. [5]

Elastic computing models could save organizations billions in overall hardware costs, head count, and increase revenue. The “on-demand” ability to scale up or down seamlessly offers a dynamic value add to DR (Disaster Recovery), and HA (High Availability), as well as the “pay for what you use” model offering a great value-add to small, medium, and enterprise customers across the board. Hybrid Cloud usage combines public and private fabrics, allowing the ability to gain functionality from public cloud resources, and in tandem, utilize private cloud resources internally. Although these models are best of breed, they exhibit some of the same characteristics regarding security, and even add more legitimacy as the solutions breed more complexity.

Proportionally the public cloud is utilized, under the auspices of an unsecured fabric. Although security itself, if you want to route requests through a physical portal, is rather robust. There are several organizations offering solutions stacks, surrounding the usage of public cloud without the necessity of rerouting data, mostly packages which rely on agent based architectures, or virtual appliances utilizing agents within the virtual instance itself. These solutions, although robust in nature, are somewhat diluted by the inability to manage multiple rule sets, and/or the ability to communicate with other virtual appliances within the fabric, and functionally forget about the hypervisor structure itself. The idea of managing a singular blade server, through one virtual appliance, has been brought up in many different fashions, from usability to the assumption of managing each blade server in a separate virtual container. [6]

Some issues surrounding these architecture genres stem from the idea of resource pools, and the presence of multiple virtual appliances within pools. From this we can discern that collisions between these appliances are a definite possibility, as well as manageability concerns of the pools themselves, i.e. “what handles what and where?”

[1] http://www.riskandinsurancechalkboard.com/uploads/file/Ponemon Study(1).pdf

[2] http://www.cio.com.au/article/406586/assessing_apt_threat/?fp=4&fpid=18

[3] "Hype Cycle for Cloud Application Infrastructure Services (PaaS), 2011" – Gartner Review. Cloud Application Infrastructure Services. Cloud application infrastructure services (also known as platform as a service, or PaaS) form the foundation of a cloud computing platform by enabling development, execution, management and life cycle control for cloud-based application solutions (see "Hype Cycle for Cloud Application Infrastructure Services (PaaS), 2011"). It is a less developed and less understood layer in the cloud computing architecture when compared with system infrastructure services (IaaS) and application services (SaaS), but is the fastest growing with innovation and new vendor investments.

[4] http://www.marketsandmarkets.com/Market-Reports/cloud-computing-234.html The global cloud computing market is expected to grow from $37.8 billion in 2010 to $121.1 billion in 2015 at a CAGR of 26.2% from 2010 to 2015. SaaS is the largest segment of the cloud computing services market, accounting for 73% of the market’s revenues 2010. The major SaaS-providers include Adobe Web Connect, Google Mail, Cisco WebEx, and Yahoo Mail. Content, communications, and collaboration (CCC) accounts for about 30% of the SaaS market revenues.

[5] Cloud computing's fear factor: Acknowledge, reduce, move on http://radar.oreilly.com/2010/12/cloud-computing-the-fear-facto.html You also need to be aware and mitigate your security concerns. It's possible the security risk is over-stated. Most of us do personal online banking don't we? And aren't huge components of our infrastructure such as energy, financial markets, and the military already large consumers of the cloud? (Little consolation, I agree, when there is a breach -- but a fact on the ground you can't deny). I argue that in the short-term these issues are about deliberate and diligent organizational planning and in the long-term it's simply about normal business continuity design. When something innovative becomes widely adopted, it just becomes business as normal.

[6] Hype Cycle for Privacy, 2011 http://www.gartner.com/DisplayDocument?doc_cd=214943&ref=g_fromdoc Privacy. The first "Hype Cycle for Privacy, 2011" is a tool for privacy officers and other IT professionals who have a responsibility for privacy in the organization. As attention to privacy as a whole reaches a peak, it justifies a closer look at which regulations are emerging and which have matured, and which technologies are deployed to deal with legal requirements and cultural expectations

In any Cloud scenario, the presence of a “Single Pane of Glass” management methodology should be commonplace to function as a “Manager of Managers”, offering the capability of “Cross Platform Management”, and a central point of configuration. Within the typical data security model, this becomes a little bit more difficult, as communication between devices is considered to be bad practice. However, there are various ways in which management of solutions could be learned, without direct connection and/or communication. Offering management structures allows the administrators to streamline operations across multiple machines, resource pools, and the ability to manage heterogeneous, multitenant environments, which are becoming more prevalent in the cloud industry.

Programmatically modifying these methodologies, as our technological capabilities increase, is a must, as we are faced with novel attack scenarios that hamper our security policies and procedures. Intelligent systems, with the capability of learning patterns within these transmissions, “protocol and application behavior analysis”, “packet assembly and de-assembly”, are becoming more established, as these threat matrices mature, some utilizing the same signatures, but altering behavior. As our tool-sets develop, utilizing new technology to assess, interrogate, track, and assemble, transmissions are becoming more difficult to decode, as threats are focusing on applications, rather than the typical hardware based communications.

These new genres of attacks have surfaced, bringing a new mantra on how we protect our assets. We hear more about theft of proprietary information, infiltration of financial institutions, and intrusions within the defense industry. Advanced threats take on a new intonation, one of singularity; the focus is to either obtain information through illegal means, funneling monetary value from an institution, or disseminating information over the wire to discredit an organization or cause harm to individuals. [7]

[7] http://superconductor.voltage.com/2011/07/breaches-vs-european-countries.html

All these developments focus on one subject, causing disruption for monetary gain, the ability to use stealth like technologies to mask intrusion over multiple sessions, resembling internally to avoid detection. Although there have always been those who have desired to gain from these acts, the ever growing presence of ones who have a harmful intent has drastically increased. With that increase, so have their technologies, as attack methods become more sophisticated. [8]

The ability to forensically approach these issues, and “dig deeper” into the behavior of either the protocol or applications being assessed, the way in which the packets are being transmitted, or the destination of the request itself. All these points must be met, in order to secure a fabric such as the “cloud”. How “we” manage these issues will be key in stopping the intrusion, and/or the unlawful dissemination of proprietary data. Delving into the behavior of such transmissions, and the protocol or application itself, is where technology is headed. The ability to assess the transmission, and the way in which the protocol, or application, is behaving is the essence in which we can discern its true nature, or the proper use of the transmission destination. Focusing on the behavior is key, whether that is protocol, or application based transmission; being able to interrogate that data assists in the ability of alerting or stopping the intrusion or transmission of proprietary information. By way of cohesively applying target based processors assigned to a varied number of protocols or applications, it is possible to determine if there is a malicious nature to a transmission, in which, again, it is possible to alert or drop associated packets or sessions, depending on the destination or the desire of dropping vs. alerting. This is accomplished by encapsulating the virtual instance, or instances, which affords the capability of interrogating packets and transmissions through protocol/application analysis and/or behavior.

[8] Common Monitoring and Management Solutions http://www.infosecurity-magazine.com/blog/2011/5/3/who-moved-my-cloud/334.aspx A single pane of glass is often required to provide a unified look of the entire infrastructure. This will provide an auditor the ability to verify the provider is delivering the level of service guaranteed by the solution. Auditors often look for event handling and common management across all systems. By automating the deployment of such monitoring solutions, and relying on a common platform for the management (including patch management, software revision control, and system lockdown procedures) a level of assurance can be provided to the auditor that all systems are uniform and follow the controls of the monitoring and management criteria.

In reality, the logical way of determining attack protocols is to measure what is normal vs. what isn't. In kind, that measurement should incorporate the “normal” behavior of a system, thereby being able to determine, or decipher, what isn't. This realization elevates the need for determining the behavior of like application or system attacks. By attaching or capturing the “DNA” or “foot print” of normal activity within the actions or behavior of such protocols, applications, or servers, one will be able to determine the actions of any malicious activity, including emerging threats, being able to remediate such activity in an in-line, or on-tap scenario.

The same concept holds true in reference to the cloud, public, hybrid or private, again being far underutilized, mainly because of worries of the inability to remain compliant, and the underlying factor, lack of a cohesive security solution. The same does not hold true in other locations, as use is increasing, especially in Europe as the market expands. Some of the reasoning for the anomaly is compliancy restrictions, referred to above, as well as the loss of control, security concerns, and the ability to operate autonomously throughout the fabric. These anxieties arise from the inability to control our own infrastructure, someone else having access to that technology, and/or the ability to access information remotely. [9]

[9] http://wallstreetandtech.com/2012-outlook/the-cloud The move to the public cloud also will be dictated by the size of the institution. Small to mid-size firms that do not have their own proprietary data centers will be among the first to move to the low-cost capacity the public cloud offers, while larger banks will initially continue to utilize their large, private clouds.

Encapsulating Cloud environments, whether that be physical, virtual, or Hybrid/Public Cloud based, allows for “dual vector” protection from the 'outside in', and 'inside out', affords organizations a value add, gaining back some of that control. Increasing the ability to see what is emerging, not only within the IaaS (Infrastructure-as-a-Service) layer, but also in the SaaS (Software-as-a-Service) or application layer. This allows the user to gain control, by protecting resources as if they were internal. This is accomplished via location parameters, and use of proprietary models that encompass the resources in a secured mesh, thereby allowing for protection of the resources through a holistic model. This enables the deployment of high-value, high-risk Cloud applications, while mitigating the risks associated with such applications. Intrusion detection and Prevention must include attack recognition beyond simple signature matching, and the ability to drop malicious sessions as opposed to simple resetting of connections. [10]

We must become more knowledgeable in the way we conduct security operations, and how we design systems to manage and remediate breaches. Intelligent systems capable of managing such traffic, network discovery, analyzing traffic patterns and protocols, officiates processes, as they do not rely on application changes or structure. These tool-sets attend to traffic, patterns, and protocol behavior, adopting a set of rules capable of matching like patterns to suspicious activity. There must be an ability to incorporate intelligence, and machine learning technology, to combat these changes, capitalizing on protocol and application behavior, and DNA patterns of the transmissions. These actions must be met with a robust, like minded, response to a malicious action, with the capability of forensic level capture, affording the capability to stay compliant, in a time where compliancy is so integral to vital business initiatives.

[10] Public sector cloud use on the rise http://www.thecloudcircle.com/article/public-sector-cloud-use-rise The number of public sector organizations using the cloud is rising steadily, if not spectacularly, the Cloud Industry Forum, with 11 per cent increased clouds usage over the last nine months. The independent study of the latest cloud adoption rates showed that of the 300 UK-based organizations surveyed, 53 per cent are utilizing cloud services in some form. The private sector continues to lead the public sector with 56 per cent and 49 per cent respectively.
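
The baseline-and-compare approach the paper describes (capture a footprint of normal protocol or application behavior, then alert on or drop sessions that deviate, depending on in-line vs. on-tap placement) can be sketched as follows. This is an added example, not code from the paper; the session fields, the sample data, the thresholds and all function names are assumptions made for illustration.

```python
"""Added example: per-application behavioral footprint, scored against new sessions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (application, command sequence, bytes sent outbound).
NORMAL_SESSIONS = [
    ("smtp", ["EHLO", "MAIL", "RCPT", "DATA", "QUIT"], 4200),
    ("smtp", ["EHLO", "MAIL", "RCPT", "RCPT", "DATA", "QUIT"], 5100),
    ("smtp", ["EHLO", "MAIL", "RCPT", "DATA", "QUIT"], 3900),
    ("http", ["GET", "GET", "POST", "GET"], 1800),
    ("http", ["GET", "POST", "GET"], 2100),
    ("http", ["GET", "GET", "GET"], 1500),
]


def transitions(commands):
    """Ordered command pairs, including session start and end markers."""
    seq = ["<start>"] + list(commands) + ["<end>"]
    return list(zip(seq, seq[1:]))


def build_footprints(sessions):
    """Learn, per application, the transitions seen and the outbound volume profile."""
    seen, volumes = defaultdict(set), defaultdict(list)
    for app, commands, bytes_out in sessions:
        seen[app].update(transitions(commands))
        volumes[app].append(bytes_out)
    return {
        app: {"transitions": seen[app],
              "mean": mean(volumes[app]),
              "std": pstdev(volumes[app]) or 1.0}  # avoid divide-by-zero
        for app in seen
    }


def score(footprints, app, commands, bytes_out):
    """Return (novel_fraction, volume_z); an unknown application scores (1.0, inf)."""
    fp = footprints.get(app)
    if fp is None:
        return 1.0, float("inf")
    pairs = transitions(commands)
    novel = sum(1 for p in pairs if p not in fp["transitions"]) / len(pairs)
    z = abs(bytes_out - fp["mean"]) / fp["std"]
    return novel, z


def decide(footprints, session, mode="inline", novel_max=0.25, z_max=4.0):
    """pass / alert / drop. Thresholds are illustrative assumptions, not from the paper."""
    novel, z = score(footprints, *session)
    if novel <= novel_max and z <= z_max:
        return "pass"
    # Both behavior and volume deviate: drop the whole session when in-line;
    # an on-tap sensor only sees a copy of the traffic and can only alert.
    if novel > novel_max and z > z_max and mode == "inline":
        return "drop"
    return "alert"
```

A session that uses a known application but an unfamiliar command order, or an unusual outbound volume, is flagged even though no signature for it exists, which is the "same signature, altered behavior" case the paper raises.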