CloudBeat 2012 - "Whose job is cloud security?"

Tuesday, December 11, 2012

Rafal Los

0a8cae998f9c51e3b3c0ccbaddf521aa

Thanks to the folks over at VentureBeat, I was asked to participate on a panel discussion on "Is the Cloud Secure?" with the likes of Andrew Hay and Wolfgang Kandek and hosted by Meghan Kelly of VentureBeat.  The panel was interesting on many fronts, and for a variety of different reasons, but when I try to remember all the topics we covered over that hour a few things stick out at me...

  1. People are still stuck on authentication, mainly passwords. We as an industry or customer base haven't been very good at figuring out how to manage identities, without sticking our customers with a million different sites which don't share common identities - so now they have a thousand different passwords, many of them shared, across disparate levels of risk on different websites. Many of these folks are starting to use password management tools - but alas these tools still require a "master password" to get into them ... isn't that a problem? While we argued over federation and what password 'standards' should be it became clear that what the audience was asking for is a way to manage, in some sane central fashion, the different identities they carry on the Internet, at the office, and at home. There aren't any good solutions, but there are lots and lots of bad ones out there - which is why the customer population is so confused. Ultimately someone asked if SAML for authentication and authorization was mature and usable ... and if so why everyone wasn't using it out there on the Internet to manage identity.  It's obviously not quite that simple as SAML is a simply an open-source, XML-based standard for exchanging authentication and authorization information between parties. In this ecosystem you still require a central identity service, of which today there are none. This is a difficult question because ultimately for federation at this global level to succeed there needs to be a commonly agreed-upon, central authority for authentication...good luck with that.
  2. "Who is responsible for cloud security?" one person asked during the Q&A portion of the panel ... I admit I was caught a little off-guard since I haven't had someone ask that in a while. Clearly, asking this question demonstrates at least a minor misunderstanding of the concepts of cloud computing as we're not sure whether they're asking for IaaS, PaaS or SaaS implementations - and each one of these has a vastly different answer. I guess what we ultimately agreed upon as a panel, after several attempts, is that security is the joint responsibility of the CSP (cloud service provider) and the consumer - whether you like it or not. Just like when you co-locate your servers at a hosting provider, the security responsibility is shared and joint at the various levels in the stack. Unfortunately when you start with an IaaS provider much of the time you get to take on most of the responsibility of the system yourself, which is what I think many of the cloud service consumers (enterprise or otherwise) still miss. Your provider isn't responsible for your security, and to extend that one more level, the poorly coded applications "inside your firewall" are now outside your firewall and defenseless. The lesson here for me is that we need to push hard and continue to educate our consumers. Just because cloud computing isn't new anymore doesn't mean that even the "experts" agree on terminology or principles 100% of the time. For the consumer this is a bad thing because if you don't know what you're buying into and you just dive head-first into the poor you may find out the water's pretty shallow as you enjoy your concussion. The same goes for cloud consumers. My favorite type of customer is an educated one... whether I educate them or they learn from somewhere else. Known what you're getting into and make yourself comfortable with the fact that the attorneys will likely dictate the split of responsibility and liability in the end. This is as inevitable as death and taxes.

I feel quite fortunate to have been a small part of this great conference put on largely with the customer as the focus. there weren't thinly veiled marketing pitches, just many customer stories, case-studies and real-life wins of cloud computing lore. From PepsiCo to FRS, we heard how organizations are using cloud to gain a competitive advantage and really benefit from the ideas of elastic, on-demand computing according to the 5 key components set out by NIST. By the way, if you've not read the NIST guideline 800-145, go do that before your next cloud computing conversation. You'll feel more equipped to speak intelligently.

Here's some coverage on our panel from VentureBeat writer Sean Ludwig, complete with hilarious photo of me live-tweeting ... http://venturebeat.com/2012/11/28/cloud-security-cloudbeat-2012/

Cross-posted from Following the White Rabbit

Possibly Related Articles:
10567
Cloud Security
Information Security
Authentication Cloud Security Cloud Computing Managed Services
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.