Where to start with this?
"Cloud computing isn't anything new, its the old client/server model. You log into a computer that's elsewhere. And over the course of computing this has gone back and forth, computers have been in data centers, they've come out of data centers...now they are going back in again. These are remote data centers that are owned by someone else, but there's not a lot of new here...you have to trust your vendors, and if they don't build their applications securely, you're screwed. So its less a matter of where the data is or where the computer is, but do you trust the people you are buying hardware, software or services from - that's the real issue and that hasn't changed."
-Bruce Schneier, RSA 2009
Now, as glad as I am that we got a shout out for the importance of app security, and I basically agree with the last sentence, there are many things wrong with the cloud = mainframe statement. If that was the case we would just install "RACF for the Cloud" and call it a day. But that's pretty clearly not going to work.
To begin with, this shows the utter disconnect between Infosec and the rest of the world. I mean The Economist knows that the cloud is different if you are in infosec, ostensibly rolling up to IT shouldn't you know this as well? The reason the Infosec Design Debt Clock is still ticking is that we continue to hear that things are the same and we can use the same oll same ol to "protect".
The real issues are much subtler, the reason I said that Infosec people should spend less time reading Bruce Schneier and start reading Martin Fowler, is that there is plenty of new stuff in software, there is next to nothing new in infosec.
The middle column in the above chart is where Infosec needs to focus not broad brush" Cloud=Mainframe, let's buy some more firewalls and SSL, drinks are on me!" We have two working security mechanisms - 1) access control containers and 2) crypto. Your choices are effectively:
1. Use one of these
2. Use both of these
3. Use neither of these
Everything else is an integration problem - where do you want to locate the controls, how does the container relate to the system, and so on. So Infosec engineering is really not about security at all, its about integration. It goes without saying you can't integrate when you think the Cloud is a mainframe. The fact that the "data is elsewhere" is interesting but its not the main thing about the cloud, its that we have new relationships across process and technical boundaries. So for example we need to focus on things like federation standards to convey information securely across these boundaries, these are things that are totally foreign to mainframe.
Security is a service. Infosec's job is to understand that which they are protecting better be it SOA, Web 2.0 or Clouds, and then to build security services that can be virtualized (coverage), interoperate (control) and resuse (cost).
I think the last sentence "So its less a matter of where the data is or where the computer is, but do you trust the people you are buying hardware, software or services from - that's the real issue and that hasn't changed." is the most telling, but I think it's also incorrect. I think we've entered an era where we do not (cannot?) trust vendors, etc. Or, more importantly, if we do and they burn us, we may still be just as liable, even if the contract says they'll do the right things.
To that end, I depart from your table... I think we've truly reached a point where firewalls+SSL are inadequate. I think we really need end-to-end data encryption - and that means encryption and key mgmt solutions, not just SSL.
fwiw.
Posted by: Ben | April 29, 2009 at 01:21 PM
Google also thinks the cloud is more than a big mainframe.
http://www.virtualization.info/2009/04/google-fires-back-at-vmware-about.html
You can see that they are trading towards real "innovation" in appdev for "innovation only through virtualization" in IT. I've got my money on appdev.
Posted by: Andre Gironda | April 29, 2009 at 01:30 PM
@Ben "I think we've entered an era where we do not (cannot?) trust vendors, etc."
I'll go back to Brian Snow's question - if we cannot trust how can we safely use?
http://1raindrop.typepad.com/1_raindrop/2005/12/the_road_to_ass.html
@Andre Google also supports SAML and oauth which are two fundamentally new security protocols that underscore the difference in relationships in the cloud versus mainframe meaning traversing namespaces and factoring in IdP-RP relationships
Posted by: Gunnar | April 29, 2009 at 01:40 PM
I think this just illustrates a disconnect in understanding (or defining) what exactly "cloud" means.
Every new technology that comes around adds complexity, both in raw terms but also in how it actually works.
And every time this happens, we have very competent people who may just be behind the curve in understanding what the hell it is and how it works. This causes a huge amount of churn in IT where the old guard is very quickly overlapped by new pups. This carries over to security too.
It doesn't help when media and marketing bastardize 'cloud' so much that many of us just have to give up and wait for it to shake out to have a chance at keeping up with the 20 definitions.
Even last year's stuff is still hard. How many network guys know the implications of a listening Web Service? And vice versa? But that will never mean network security goes away, because it all still runs on top of what we've used for 5, 10, 25 years. The end result is like a wound with an overly thick layer of bandages on it, but the wound still lingers and makes us gimpy.
Posted by: LonerVamp | April 30, 2009 at 10:00 AM