Comments on the PwC/TSB Debate: The cloud/thin computing will fundamentally change the nature of cyber security…
I saw a very interesting post on LinkedIn with the title PwC/TSB Debate: The cloud/thin computing will fundamentally change the nature of cyber security…
PricewaterhouseCoopers are working with the Technology Strategy Board (part of BIS) on a high profile research project which aims to identify future technology and cyber security trends. These statements are forward looking and are intended to purely start a discussion around emerging/possible future trends. This is a great chance to be involved in an agenda setting piece of research. The findings will be released in the Spring at Infosec. We invite you to offer your thoughts…
The cloud/thin computing will fundamentally change the nature of cyber security…
The nature of cyber security threats will fundamentally change as the trend towards thin computing grows. Security updates can be managed instantly by the solution provider so every user has the latest security solution, the data leakage threat is reduced as data is stored centrally, systems can be scanned more efficiently and if Botnets capture end-point computers, the processing power captured is minimal. Furthermore, access to critical data can be centrally managed and as more email is centralised, malware can be identified and removed more easily. The key challenge will become identity management and ensuring users can only access their relevant files. The threat moves from the end-point to the centre.
What are your thoughts?
My response is simple.
Cloud Computing or “Thin Computing” as described above doesn’t change the “nature” of (gag) “cyber security”; it simply changes its efficiency, investment focus, capital model and modality. As to the statement regarding threats with movement “…from the end-point to the centre,” the surface area really becomes amorphous and, given the potential monoculture introduced by the virtualization layers underpinning these operations, perhaps expands.
Certainly the benefits described in the introduction above do mean changes to who, where and when risk mitigation might be applied, but those activities are, in most cases, still the same as in non-Cloud and “thick” computing. That’s not a “fundamental change” but rather an adjustment to a platform shift, just like when we went from mainframe to client/server. We are still dealing with the remnant security issues (identity management, AAA, PKI, encryption, etc.) from prior computing inflection points that we’ve yet to fix. Cloud is a great forcing function to help nibble away at them.
But, if you substitute “client server” in relation to its evolution from the “mainframe era” for “cloud/thin computing” above, it all sounds quite familiar.
As I alluded to, there are some downsides to this re-centralization, but it is important to note that I do believe that if we look at what PaaS/SaaS offerings and VDI/Thin/Cloud computing offer, it makes us focus on protecting our information and building more survivable systems.
However, there’s a notable bifurcation occurring. Whilst the example above paints a picture of mass re-centralization, incredibly powerful mobile platforms are evolving. These platforms (such as the iPhone) employ a hybrid approach featuring both native/local on-device applications and storage of data combined with the potential of thin client capability and interaction with distributed Cloud computing services.*
These hyper-mobile and incredibly powerful platforms — and the requirements to secure them in this mixed-access environment — mean that the efficiency gains on one hand are compromised by the need to once again secure diametrically-opposed computing experiences. It’s a “squeezing the balloon” problem.
The same exact thing is occurring in the Private versus Public Cloud Computing models.
/Hoff
* P.S. Bernard Golden also commented via Twitter regarding the emergence of Sensor nets which also have a very interesting set of implications on security as it relates to both the examples of Cloud and mobile computing elements above.
What's Golden mean by "Sensor nets"?
Are they like bot-nets, stealing credentials on thin clients and mobile devices?
I wonder if we are now creating a huge single point of failure (or a collection of large points of failure). The idea of transferring risk from edge to core is appealing, but doesn't it create a huge target instead of a variety of small ones? The "important" targets on the edge are probably larger entities (e.g., critical infrastructure segments like finance and electric power) that would presumably be better able to defend themselves (i.e., have less of a need for the cloud).
I am intrigued by the notion of this risk transfer, but not convinced yet.