The Quandary Of the Cloud: Centralized Compute But Distributed Data
Here's a theme I've been banging around for quite some time as it relates to virtualization, cloud computing and security. I've never really sat down and written about it, however.
As we trend towards consolidating and (re)centralizing our computing platforms — both endpoints and servers — using virtualization and cloud computing as enablers to do so, we're also simultaneously dealing with the decentralization and distributed data sets that come with technologies such as Web2.0, mobility and exposure of APIs from cloud platforms.*
So here we are, all frothed up, as virtualization and cloud computing have, in a sense, led us back to the resource-based consolidation of the mainframe model with all its centralized splendor, while client virtualization, thin clients and compartmentalized remote access are doing the same thing for endpoints.
But the interesting thing is that, thanks to Moore's Law, the endpoints are also getting more and more powerful even as we dumb them down and try to limit their exposure, despite the fact that they can still efficiently process and store data locally.
These models, one could argue, are diametrically opposed when it comes to describing how to secure the platforms versus the information that resides on or is used by them. As the cyclic waffling between centralized and distributed continues, the timing of how and where we adapt our security always lags behind. Which do we focus on securing, and where? The host, the centralized server, or the network?
The unfortunate answer is always "yes."
Remember this (simplified) model of how/where we secure things?
If you juxtapose the image above mentally with how I represent the centralized <–> distributed trends in IT below, it's no wonder we're always behind the curve. The computing model technology changes much more quickly than the security technology and processes do, thus the disconnect:
I need to update the diagram above to split out the "computing" layer into client and server, as well as extend the data layer to reference storage modalities also, but it gets the job done.
At any rate, it's probably obvious and common sense, but when explaining to people why I spend my time pointing out gaps with security in virtualization and cloud models, I found this useful.
/Hoff
* It's important to note that while I refer to/group cloud computing models as centralized, I understand they have a distributed element to them, also. I would ask you to think about the multiple cloud overlays as centralized resources, regardless of how intrinsically "distributed" in processing/load balancing they may be.
P.S. I just saw an awesome post titled "The Rise of the Stupid Endpoint" on the vinternals blog that shares many of the same points, although much more eloquently. Check it out here. Awesome!
I have to disagree with the vinternals blog post, and I'm unsure how it's related to what you are talking about here.
First of all, I never thought that distributed computing ever failed. Distributed computing, even distributed desktop infrastructure (thin client computing), was always the bee's knees. Shared storage was always desired in the data center.
Secondly, while I recall the proliferation of the load-balancer model of the 1996-2000 era, I always felt strongly against it. However, not for resource management reasons such as the ones that the vinternals post spoke of, or the endpoint issues. I always felt that these problems could be relatively well-solved with the right tools. Most of these tools went out of style and/or never matured fully. For example, there was lots of Ghost, but not a lot of Ghost Multicast. One of my favorite examples of network management failure at the time was the move from Cricket/RRDtool (good for disparate environments) to Cactus (the ultimate RRDtool front-end with XML support). Nagios is similar to Cricket, but Cactus will never be Zenoss. The fail of Tivoli and every other commercial NMS/EMS offering is certainly what vinternals referred to.
Today, we have vSphere/VC/vCenter and SCVMM/SCOM/PRO in the commercial vEMS space, and nothing in the vNMS (well… vNetwork, VMSafe, and other similar technologies are being worked on right now) or FOSS equivalents. Certainly, there is also little in the vNSS (Virtual Network Security System) space. Reflex Systems has the start of a vNMS/vNSS, but we'll see how far these tools go.
The Endpoint Stupidity problem will come to a head in some places, but there are going to be years of laggards. Before Mainframe, there was nothing. Before NG-Mainframe, there is everything including Mainframe. Mobility (e.g. PDAphone) virtualization and the new VDI (whatever it is) are changing this. I haven't seen anyone address linked clones or differencing disks — which are clear endpoint marketland indicators.
So, just like old times, operational security is becoming a field where you literally have to know everything about everything.
From a security and reliability perspective, I don't see how cloud computing is ever going to be successful – the old adage that you have to have physical control over your system is true for many, many reasons. Dumb endpoints just make that problem worse. 😐
I despair,
mjr.
Oh, you had to go and constrain it to "security and reliability?"
Of course it's going to be successful. You missed the third leg of the stool: marketing.
I see your despair and raise you lament.
/Hoff