Incomplete Thought: Cloud Security IS Host-Based…At The Moment
See the diagram to the right? It is my masterful “Hamster Sine Wave Of Pain.” The HSWOP demonstrates where and how, over time, we manifest our investment in security controls and approaches.
We waffle between securing the host to the user to information to applications and then to the network and back again. It’s how it’s always been and how it always will be. It makes for some timing problems, however.
The gap in approach shows up when we overlay disruptive innovation and technology such as virtualization and Cloud Computing on top of this security response curve and we realize we’re out of synch. When we’re busy being information-centric from a security perspective and a disruptive networking event occurs…oops.
The inspiration for this post came from a complaint on Twitter this morning from my buddy Rich Mogull in which he lamented that too many people are equating “HIPS (host-based intrusion prevention)” with “Cloud Security.”
The reality is that depending upon the *aaS model you’re referring to, HIPS *is* Cloud Security. Specifically, in IaaS/PaaS environments when you can’t plumb in virtual network appliances (or physical for that matter) then you’re basically left with whatever the provider gives you at the “network” layer (which is usually not much) or you focus on host-based controls. HIPS is as good as any other solution at that point.
In SaaS environments, you’re dependent upon whatever the provider engineers into their network platforms and the applications themselves.
To generalize, when you’re talking about having security as a visible operational capability presented to the user versus being bundled as part of the service, besides application security and the odd ACL, HIPS/HIDS/AV/Hardening Scripts/etc… is Cloud Security for most folks at the moment.
Ultimately, this Cloud Security gap at the IaaS/PaaS level will close over time as it is beginning to do so technologically with virtualization.
You’ll have more options as the mechanisms for integrating network-based security solutions become available. At issue here is the fact that security capabilities, hobbled by inflexible policies based on IP addresses, are out of step with connectivity advances and with how Cloud services are composed, provisioned, orchestrated and managed. Hence the host/guest-based security focus. It’s simply the easiest and most prudent thing to do given our options at the moment.
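To make the IP-address problem concrete, here is an added illustration (not code from the original post): a toy orchestrator that recycles addresses from a small pool, a network ACL keyed on source/destination IPs, and a host-based control keyed on instance role. The pool, instance names and roles are constructed for the example.

```python
"""Why an IP-keyed network policy drifts under orchestration while a
host-based control keyed on instance identity/role keeps working."""
from dataclasses import dataclass, field


@dataclass
class Cloud:
    """Constructed toy cloud: ephemeral addresses handed out from a pool
    and returned to it when an instance is destroyed."""
    free_ips: list = field(default_factory=lambda: ["10.0.0.5", "10.0.0.6", "10.0.0.7"])
    instances: dict = field(default_factory=dict)  # name -> (role, ip)

    def provision(self, name, role):
        ip = self.free_ips.pop(0)
        self.instances[name] = (role, ip)
        return ip

    def destroy(self, name):
        _role, ip = self.instances.pop(name)
        self.free_ips.append(ip)  # address goes back into the pool


def ip_acl_allows(acl, src_ip, dst_ip):
    """Network appliance view: a static set of (src_ip, dst_ip) permits."""
    return (src_ip, dst_ip) in acl


def host_policy_allows(policy, src_role, dst_role):
    """Host-based view: decide on the roles the instances were provisioned with."""
    return (src_role, dst_role) in policy


def run_scenario():
    cloud = Cloud()
    app_ip = cloud.provision("app-1", "app")
    db_ip = cloud.provision("db-1", "db")
    acl = {(app_ip, db_ip)}          # written once, keyed on addresses
    policy = {("app", "db")}         # written once, keyed on roles
    before = (ip_acl_allows(acl, app_ip, db_ip), host_policy_allows(policy, "app", "db"))
    # Orchestration rebuilds the database; the replacement gets a fresh address.
    cloud.destroy("db-1")
    new_db_ip = cloud.provision("db-2", "db")
    after_rebuild = (ip_acl_allows(acl, app_ip, new_db_ip), host_policy_allows(policy, "app", "db"))
    # The recycled address is handed to an unrelated instance: the stale
    # network rule now permits traffic the host-based policy refuses.
    other_ip = cloud.provision("scratch-1", "untrusted")
    stale = (ip_acl_allows(acl, app_ip, other_ip), host_policy_allows(policy, "app", "untrusted"))
    return {"before": before, "after_rebuild": after_rebuild, "stale": stale,
            "old_db_ip": db_ip, "other_ip": other_ip}
```

The pair in each result is (network ACL verdict, host-based verdict): the ACL is correct only until the first rebuild, then both breaks legitimate traffic and keeps permitting the recycled address.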
We’ve seen the hints of advancement with what VMware is doing with VMsafe and their APIs. As the notion of VDCOS evolves, I maintain we’ll see this sort of capability appear with IaaS/PaaS vendors in the Cloud, too, and it will expand beyond things like firewalls and IPSs — we’ll see load balancers and other network-based capabilities emerge through creative plumbing. We’ll see what other virtualization platforms bring to the table in this scope as introspection capabilities mature (if they do at all…)
We ought to see a bunch of innovative solutions that will emerge slowly as the “internal” virtualization and unified computing capabilities make their way “outward” and become the same platforms powering more mainstream Cloud offerings. This might take a while. Perhaps a very long while.
Until then, enjoy your agents.
Same as it ever was…same as it ever was.
/Hoff
Perhaps you mean "All of this has happened before, and all of it will happen again."?
Host security must come first, or all network-based security is irrelevant. A pure, strong, resilient network with compromised hosts/apps/data is useless. The host OS(es), applications, services, and the *architecture thereof* is extremely important in terms of resilience and maintaining availability under attack; DNS is a good example of that (i.e., there are a *lot* of DNS infrastructures out there with inadequate architectural and operational properties which render said DNS infrastructures a weak link in terms of resilience. Same for network infrastructures, see below).
That being said, there are a ton of network-based BCPs and techniques which can be and are used to combat DDoS, and in general provide detection/classification/traceback/reaction capabilities for all types of security-related events. Unfortunately, there is a cultural disconnect between the networking folks who understand these things and the application developers and sysadmins, as well as a reluctance in many quarters to expend the opex (and in some cases, capex) required to implement said BCPs and techniques.
Moving to a cloud model means that the DDoS issue *must* be addressed – DDoS totally invalidates the cloud model, it is the elephant in the room that no one wants to discuss. The majority of the security research and infosec communities (there are enlightened exceptions) do not have a sufficient grasp of the issues, much less the solutions.
For the first time in the history of IT, the router jocks need to understand application architectures and requirements in detail; likewise, the application architects, developers, and sysadmins need to understand the network capabilities and requirements. We will continue to see discontinuities resulting in inadvertent and deliberate DDoS unless and until the cultural gaps between these communities are bridged, until they’re all involved together in the design phase from day 0, and until management are apprised of all the issues by united virtual teams consisting of all these communities of interest.
Once this cultural shift is underway, there’s still lots to do in terms of the underlying technologies themselves. However, education, collaboration, and consequent empowerment to handle resilience and availability by utilizing and deploying existing architectural principles, BCPs, and techniques must come first, and will result in a material improvement in security posture as a result.