Risk and Security in the Enterprise Cloud

Do you know what a “zombie” is?

Really?

How do YOU know that you are not a zombie?

Did you know that there is a whole culture of ivory tower folk who spend their days trying to answer that question? http://consc.net/neh/papers/dretske2.htm http://en.wikipedia.org/wiki/Fred_Dretske http://philsci-archive.pitt.edu/archive/00002546/01/caatkg.pdf

Hmm. Interesting. But, so what?

Do you know what the Principa Mathematica is?

“ It is an attempt to derive all mathematical truths from a well-defined set of axioms and inference rules in symbolic logic.” http://en.wikipedia.org/wiki/Principia_Mathematica

http://en.wikipedia.org/wiki/Bertrand_Russell

Did Russell succeed?

No.

In fact, he not only failed, his failure provoked one of the most profound insights our species has ever achieved…

Kurt Gödel’s Incompleteness Theorems http://en.wikipedia.org/wiki/On_Formally_Undecidable_Propositions_of_Principia_Mathematica_and_Related_Systems

http://en.wikipedia.org/wiki/Kurt_Gödel

Right up there with evolution and relativity, on the “wow, this is a big deal” scale.

So, what did Gödel figure out?

No formal system extending basic arithmetic can be used to prove its own consistency.

Hmm. Interesting. But, so what?

No formal system extending basic arithmetic can be used to prove its own consistency.

Formal system extending basic arithmetic .

Umm, dude. That would, eh, be a computer?

Because computing is a mathematical model…

Computer people tend to assume that such models are not only necessary …

But also sufficient . In other words, they assume that knowing the model means absolute control over the results.

http://en.wikipedia.org/wiki/Kurt_Gödel LOL!

Consider the classic way of defining “risk”…

Risk exposure (RE) = probability(loss) * magnitude(loss) http://books.google.com/books?id=0RfANAwOUdIC&pg=PA800&lpg=PA800&dq=risk+exposure+re+formula&source=web&ots=pENn1no-zn&sig=Xe72BRymob2ftXlp4CciUr-ly-Y&hl=en&ei=QquNSfLdMob00AXB4OGcCw&sa=X&oi=book_result&resnum=5&ct=result (The Handbook Of Information Security)

That formula is not wrong, but…

Some people assume that they can leverage it, and others like it, to “prove” that a complex system is “secure”.

They take comfort in arithmetic.

http://en.wikipedia.org/wiki/Kurt_Gödel LOL!

And recall…

What’s “the Cloud” got to do with this?

It increases the complexity of the overall system.

Makes an existing problem more urgent .

Ludwig Wittgenstein, a fierce critic of Principa Mathematica , conceded that it was useful, but only in the small.

To the extent that naïve use of the Cloud scales systems up beyond “small”, it forces us to confront a problem we may have been able to ignore.

http://www.flickr.com/photos/rachels_secret/220269351/

So. What to do?

There are essentially two approaches: 1) try to build out the existing, Russellian, “defense in depth” techniques.

http://en.wikipedia.org/wiki/Kurt_Gödel LOL!

Or 2) find ways to design systems that cope gracefully with uncertainty.

This also implies finding ways of decomposing systems, and applying techniques to cope with risk and uncertainty, in the small.

Not this…

http://www.flickr.com/photos/peterpearson/347124844/

But this…

http://www.flickr.com/photos/euthman/2989437967/in/set-72057594114099781/

I know what I’d bet on.

Is anybody trying to do this?

Yes! Good examples abound.

The U.S. DOE published an excellent report in December: “A Scientific Research & Development Approach to Cyber Security”. http://chas.typepad.com/dli/2009/01/cyber-security-rd-needs-for-doe.html

The Jericho Forum, part of The Open Group, is doing important work in defining models of security and risk that don’t ignore Gödel’s LOL. https://www.opengroup.org/jericho/about.htm

And, in a shameless plug, CSC’s report on “liquid security” contains lots of information, particularly in the section on “Living on the Web”. http://www.csc.com/aboutus/leadingedgeforum/knowledgelibrary/uploads/LEF_2007DigitalTrustVol5.pdf

So what are you telling me? That everything I thought I knew about security is wrong?

No. Not exactly .

I’m asserting two things…

1) Many (many!) people in the ICT trade think that things like the limits of mathematics or cognitive science is irrelevant to their work.

They are wrong.

Fundamentally, engineering is about knowing and respecting the limitations of one’s materials.

ICT systems are built with software being one of the key materials.

And software is thoughtstuff.

For an engineer of thoughtstuff, the limitations of mathematics and cognitive science are the limitations of the material .

Russellian assumptions underlying “defense in depth” approaches to coping with risk need to be made explicit, because…

“ Defense in depth” not only will not achieve its stated goals…

“ Defense in depth” cannot achieve its stated goals.

http://en.wikipedia.org/wiki/Kurt_Gödel LOL!

2) Because of that, we ought to study complex systems in Nature, learn how those systems cope with risk, uncertainty and so on, and apply those lessons to ICT.

We need to stop thinking in terms of “security” and start thinking in terms of “health”.

This is already true in your enterprise, if your systems landscape is not “small”

http://www.flickr.com/photos/rachels_secret/220269351/

It will become true, at the latest, once you begin to expand your landscape to include the Cloud.

So is everything we’ve got useless?

Of course not.

But we can’t go near the Cloud until we’ve fixed this?

Fortunately, that’s also not true.

You can use the Cloud now.

And that will be just as safe – as healthy – as you already are.

Like this…

You use existing, familiar tools, like VLANs, VPN tunnels, encrypted data (including storage), IPSec, and the faithful firewall.

You will likely run into the following problems:

1) Static, manual configuration and management of your network and security infrastructure will probably not scale with demand.

There are tools on the market, available now and emerging, to meet this demand.

CohesiveFT VPN-Cubed, Cloudswitch, the next version of Cassatt, etc.

2) Static, manual processes to provision and manage VMs will probably not scale to demand.

You will find yourself wanting to archive (versioned) VMs, ensure VMs have specific attributes, and otherwise maintain governance.

But you will also need a way to maintain the “self-service” factor, or risk torpedoing a significant part of the value proposition of the Cloud.

Again, there are tools available and emerging that can address some of these needs…

CohesiveFT ElsaticServer, rPath, Vmware, Enomalism, Elastra, 3Tera, many others

These tools have widely divergent solutions to these problems – choosing one involves many tradeoffs

You are likely to find that you want a coherent, unified platform to deal with both build- and run-time aspects.

And you are going to need to find a way to utilize multiple providers in parallel, if you want to be healthy.

RAIC – Redundant Array of Independent Cloud Providers

http://en.wikipedia.org/wiki/RAID

RAIC “solves” the problems of data portability and lock-in, whilst simultaneously increasing reliability, flexibility, and potentially, performance.

Diversity = health.

Hmm. What about the orchestrator? Single point of failure?

Yes.

So you have to ensure that it is designed to be healthy.

Available and emerging things worth considering in the context of the orchestrator include…

Eucalyptus: http://eucalyptus.cs.ucsb.edu/ UCI: http://code.google.com/p/unifiedcloud/ Ubuntu: https://wiki.edubuntu.org/UDSJaunty/Report/Server GridGain API: http://www.gridgain.com/product.html And also take a look at things like Puppet: http://reductivelabs.com/trac/puppet Chef: http://wiki.opscode.com/display/chef/Chef+Solo AMQP: http://en.wikipedia.org/wiki/Advanced_Message_Queuing_Protocol Hadoop: http://en.wikipedia.org/wiki/Hadoop … and so on.

That’s a lot to digest, but a picture of how to bring the Cloud inside the firewall emerges from it.

What about using the Cloud outside the firewall? What about, for example, collaborating with external partners in the Cloud?

Well, that’s where we all want to go.

But we can’t get there – safely and in good health – until certain hard problems are solved.

Problems like federated identity, for example.

Those kinds of problems cannot be solved via Russellian techniques.

And to the extent that current approaches embody Russellian assumptions, they cannot succeed.

So, no collaborative Cloud?

Not necessarily, but you will have to be aware of the context.

Think differently.

For example, concepts like “firewall” embody Russellian assumptions, and are only useful in the small.

Instead, consider concepts like quarantine , sterilization chambers and disinfection , for example.

Safe = healthy.

Join the conversation: http://groups.google.com/group/cloud-computing/ http://groups.google.com/group/cloudforum http://tech.groups.yahoo.com/group/cloudcomputing-tech/ … and please come talk to us, as well … http://twitter.com/mastermark http://twitter.com/gblnetwkr http://www.jroller.com/MasterMark/ Thanks!