Oh no, here we go again: Bruce Schneier says the cloud is nothing new, that we have seen this before and we know how to deal with it. It's all just a matter of trust.
Gee, I hate to go Marge Gunderson twice in one day, but Bruce, while we all love your efforts publicizing infosec, I'm not sure I agree with you a hundred percent on your security architecture advice, there. I realize it's very hard to get prescriptions right in distributed computing security. There is just too much complexity, politics and constraints, but I really do expect security people to get the diagnosis right. What we need to do about certain problems is pretty subjective, but problem statements should be pretty objective. Cloud = mainframe is an example of someone not really thinking things through. Just because we logged into remote computers in high school doesn't mean that a business that runs its data, processes, and people on multiple, federated domains is the same. Not even close technically and not even in the same galaxy risk-wise. So no, it's not the same.
And furthermore, neither the problems nor the solutions are things we have seen. The problem is not that "we are logging into a computer that is elsewhere" and the solution is definitely not "trust." I don't want to trust the cloud.
Even if I wanted to, I couldn't. Transactions and exchanges don't have much to do with trust. I buy insurance, stocks, services and so on, and none of this is based on trust. It's based on contracts, roles, responsibilities, obligations, adjudications, cost, accountability and governance.
With another huge new wave of development coming down the pipe in Cloud Computing, we security people can't simply gloss over the hard stuff like governance and accountability (because "we've got it all figured out"), sit around sucking our thumbs while it all gets built out, and then complain about the decisions after the fact. That is getting pretty old.
It's much more effective to focus on building security into the systems we design and operate. I don't want to trust the cloud, I want to build margins of safety.
Update: Don't Cede the Cloud
Regrettably, I have to disagree with your chart. I think that somewhere around 2005 or so the case could be made (oh, wait, PCI states it) for data encryption as a standard control. I think the need for field, column, or row level encryption by 2007 should have been considered SOP, despite the relative immaturity of key management solutions. I don't think that firewalls or SSL accomplish what good quality data encryption can accomplish, but then maybe I'm just too big of a fan. fwiw.
Posted by: Ben | May 26, 2009 at 10:01 PM
@Ben here is a list of 261 million people who disagree
http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP
It's not a matter of whether there are better controls; it's a matter of them being sine qua non.
Posted by: Gunnar | May 26, 2009 at 10:58 PM
Gunnar,
I challenge you to retire your chart above. I find it ironic that the purpose of the chart is to highlight the lack of progress in security over the last decade or so. It has been used in 25% (5/20) of your posts from April and May, showing a staleness in your messages. Or, compromise, and just use it once a quarter :-) But, please, stop emphasizing its usage so much...
Posted by: Jon Passki | May 27, 2009 at 07:14 AM
Ah, so your chart is what is in place, not what /should/ be in place? I guess I can't disagree with that. My point - which you absolutely prove - is that firewall+SSL is not anywhere near adequate any more, and hasn't been for a few years. People seem to fear encryption.
Posted by: Ben | May 27, 2009 at 07:15 AM
@Jon - I am looking forward to retiring the chart. I was hoping to retire it because infosec invented and deployed something rather than because people got tired of hearing about infosec's multi-decade track record of non-innovation.
Posted by: Gunnar | May 27, 2009 at 07:18 AM
I don't want to trust the cloud, either. Unfortunately, we won't have any choice.
Posted by: Bruce Schneier | May 27, 2009 at 07:22 AM
@Gunnar - It's OK to hammer in a point, especially if the audience is dull. But, I'm guessing we're more on your side than against and the message is stale. Eventually, if you keep on saying something is broken, then you'll be the one expected to fix it :)
So, what technology will you add to the 2nd column?
Posted by: Jon | May 27, 2009 at 09:55 AM
Business most certainly is based on trust. Imagine a world in which, when you sign a contract with a supplier, you know there's a 75% chance he won't deliver unless you go to court. And the court order isn't worth the paper it's written on unless it's enforced by, er, enforcers. And what's more, your own partners and subordinates are looking every minute of every day to fit you out with cement overshoes so they can take over.
Trust is the foundation of business. All the other stuff you mention is barely noise-level compared to the huge majority of commercial transactions that go through just as everybody trusts that they will.
Posted by: John Cowan | May 27, 2009 at 10:50 AM
@Bruce Schneier-
I think trusted/untrusted is completely the wrong question to ask. I will address this in the next post.
@Jon - how about SAML, Information Cards, Input Validation, and Output Encoding for a start?
Posted by: Gunnar | May 27, 2009 at 12:13 PM
@Gunnar. OK, well, then update the graphic! Don't tell me; tell your readers :-p (I was being a bit rhetorical)
Posted by: Jon | May 27, 2009 at 01:51 PM
Reading your post reminded me of a very interesting presentation by D. Gollmann about the role of trust in security: Why Trust is Bad for Security
http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B75H1-4K0N5H7-2&_user=2460310&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000057412&_version=1&_urlVersion=0&_userid=2460310&md5=39b9e6d6d88aab7c56470755ee9108c1
Posted by: Pedro Felix | May 28, 2009 at 04:55 AM