By Craig Nelson

Let’s be direct:  we have a huge personal stake in the push toward cloud computing. Do companies that move to the cloud still need security professionals?

The answer is clear: yes — and even more than ever.

We are at the beginning of a huge paradigm shift in the middle of a deep recession. This perfect storm will drive the cloud to emerge as an architectural option that has clear economic and productivity impacts that will appeal to most IT shops. The decision to use “the cloud” will be one based upon two opposing forces: “do more with less” versus “risk management.”

However, this shift – whose success heavily relies upon abstracting the cost/complexity of underlying infrastructure — demands security professionals “up their game” to reflect that we are in a brave new world.

The stakes are high.

Let’s reflect on a recent headline:  a zero-day vulnerability exploited by a government to access private communications hosted by a major “cloud” provider.

This incident was front-page news – and the rationale for Google to threaten to cease business operations within the borders of China. Coverage and commentary of this incident extended beyond the usual IT publications to the US Security of State.

This is a big deal (and great movie plot).

But is it true?

Sometimes fact is stranger than fiction. In this case, it is likely some aspects are true and others false. Either way, it begs the question: what will the headlines read just a few years from now?

There are two ways security professionals must up their game:

First, security pros need to learn how to operate effectively in the context of business decisions.

Ten years ago, security focused on knocking ports, following exploits, and using flaws in network/core configurations to breach a system. Then the volume of exploits became overwelming, the OS/network became more resiliant, and the auditors moved in. This signaled a shift to checklists and conceptual assessments. The tao of scanning became commodity, and productized through services such as Qualys. IDS configuration became stale (well, also due to protocol complexity and encryption), and we all became unconvinced in the security associated with layer 3 and 4 firewall ACLs and IPS systems.

We’ve already seen a piece of this evolution as “risk management” has dominated security-focused job descriptions.

Security pros are applying “low level” security accumen to drive operational situational awareness and risk-based architectual decisions:

• What security controls does the provider place on data storage?
• Are they strong enough as the sole protection mechanism, or should we encrypt and build the added complexity into our application?
• What happens if the provider reports a breach?
• What is the impact and how will we cohesively respond?
• What do we expect from the provider?
• What does the provider commit to?
• Does the cost balance the consequence and likelihood of an incident?

Second, from a technology perspective, security professionals must build acumen to topics that sit higher in the stack.

Twelve years ago, we were implementing firewalls to defend against the “ping of death” and “smurf attacks”. Since then, the focus has steadily moved away from layers 2/3/4 and into layers 5/6/7 and out of the “stack” to focus on the user and business).

Cloud-based resources further increase the emphasis on applications, users and business. More than privacy and compliance, this means security professionals will need the skills and abilities to focus on these essential aspects and specific challenges like:

• Application Role Based Access Control (with Federation Technologies)
• Security of API interfaces that faciliate programatic access to an instance of a cloud-based service
• Incident Qualification/Response via “cloud” forensics
• Logical Data Encryption within “cloud” based storage
• Security of code that is developed and deployed to IaaS (Amazon/GoGrid) and PaaS (Microsoft Azure) providers
• Configuration and verification of virtual machines (within the IaaS Scenario)
• Defense against Economic Denial of Service Attacks
• Bridging the policies and metrics that the cloud provider exposes to the requirements of the business

For many, these topics are not as easy to master as TCP/IP and SMTP. Complicating the task, many of these concepts differ between providers, mesh together complex application-drive technologies, and change quickly. It’s also unclear how far we can venture into each (since many are based on what and how the provider exposes, and the complex nature of the protocols).

To make the right decisions, businesses must rely on practiced security professionals who are qualified and capable of voicing the appropriate concerns to the business. Without question, this requires greater focus on risk management by explaining complex topics that will drive a risk-managed embrace of cloud computing.

About Craig Nelson

Craig Nelson works at Microsoft, and is the host of the Cloud404 Blog (http://blog.cloud404.com). His expertise and education is in incident response, computer forensics, and security architecture.

By Craig Nelson – special guest to The Security Catalyst

Is Cloud Computing right for your business?

Cloud Computing.

Is it right for you? Sure.

Is it right for your business? <crickets>

By now, many have adopted a “cloud”-based service for personal use (sometimes without even realizing it). The definition of “cloud” can be a bit fuzzy at times, but to keep it simple: it’s a service provided over the Internet (“the big cloud”). This cloud includes services (from “smaller clouds”) from providers that offer hosted email, backups, document editing, picture sharing, and even password storage.

By linking all of the “clouds” together via fancy software (running on our desktop or elsewhere), our computing experience is much more fulfilling (and certainly more complex).

Given the vagueness of the definition, we can all rest assured that we are on the cutting edge by using “clouds” for our personal productivity.

But, when will “the cloud” be adopted and considered mainstream by the small, medium, and enterprise businesses of the world?

Three reasons businesses choose the cloud

The business reasons cited for using “the cloud” are likely one or more of the following:

1. Lack of time or expertise (including security) to build and maintain an in-house solution.

2. Seeking the advantage/speed of new features that are released quickly.

3. It’s cheap (either free, or subscription fees).

Beyond simple points, consider the depth and complexity of each.

Software technology can be complex to learn, install (correctly), and run (correctly). It only takes one mistake to reinforce the fact that essential tasks — such as patching, backup and restore, and monitoring — are expensive and time consuming.

With a finite amount of time and resources, many chose to focus on the business and leave the technical challenges to someone else (the cloud provider).

At the end of the day, this boils down to ensuring the service is running with the right features to drive a fulfilling and non-frustrating computing experience.

Can the cloud be more secure?

Many security breaches are due to improper configuration and lax administration and maintenance.

These issues can be pushed into the providers hands, who can manage “low level infrastructure issues” in a cost-efficient way through economies of scale. When a security defect is discovered, it’s likely the provider can quickly patch all of the instances of the software, and centrally determine if the defect had any consequence (i.e. it was used to compromise data).

If additional security is desired, additional security controls can be applied – matched to the value of the information. For example, organizations concerned about protecting the privacy of their data may choose to encrypt it before backing it up into a cloud-based solution.  The encryption will cost some additional CPU time, and add a bit more complexity to the restoration process.  However, it’s a cost that that can be readily accepted.

The Cloud – Personal

At a personal level, “the cloud” allows a consumer to do more with less, and allocate valuable time and money in other ways.

Individuals sitting on the sidelines — who don’t trust the cloud — will dwindle over time as reasonable mitigations are developed to alleviate concerns. For example, many online backup providers offer the ability to encrypt data with keys that are unknown to them (thus partially alleviating the concern that the provider’s employees can view data stored by its customers. I say partially because you still need to trust that the software is doing what they say!).

New services (such as Lastpass) are emerging to protect the most secret of our secret information (passwords).  A few years ago, I couldn’t imagine that such a service would be widely adopted.  However, now, it seems to be trickling into the “essential software” list of well-respected technologists.

The Cloud – Business

It’s a bit different at the business level.

Many businesses today are sitting on the cloud sidelines. This is because using the cloud for business purposes isn’t quite mainstream. From an architectural perspective, there are questions pertaining to the performance and manageability of cloud-based resources, and if the focus should be on “private clouds” (locally hosted resources that use similar patterns and practices related to cloud computing) rather then “public clouds.”

IT shops, who for the last 10 years have been fighting patch management, auditing, and other security issues, need time to understand if the cloud can meet the dizzying array of requirements that have emerged from the “post-9/11 security boom.”

Is the cloud right for business?

So, is “the cloud” right for your business? This is a serious decision – one that could cost a business its reputation. Thus, it has to be answered with clear conviction rather than the typical illusion associated with security.

Here’s a start: ask these three questions and discuss the answers with your team – including your security pros – to start to find out:

1 – What regulations is the business subject to? What operational principles and policies does the business have?  Can the cloud provider provide an adequate level of support? If not, can deficiencies be mitigated?

2 – Does the cloud provider offer security controls that allow an adequate level of protection?  If not, can deficiencies be mitigated?

3 – Does the cloud provider offer a level of operational transparency, so appropriate metrics and logs can be used for monitoring and reporting?

About Craig Nelson

Craig Nelson works at Microsoft, and is the host of the Cloud404 Blog (http://blog.cloud404.com).  His expertise and education is in incident response, computer forensics, and security architecture.