Posted by: Greg Ness | September 11, 2008

Cloud Computing and the Internet Integrity Challenge

Om Malik certainly deserves credit for talking about the vision of cloud computing two years ago, as well as understanding the potential opportunity posed by new relationships between the browser and the service provider in his recent piece in BusinessWeek:

 

In the meantime, always-on broadband connections at home, work, and on the move have become commonplace. This has served as a catalyst for those who have developed Web services that are now screaming for browsers that allow your data to live on the Web but be accessible offline, a trend I first wrote about in a column for the now defunct Business 2.0 magazine back in March 2006.

- Om Malik, BusinessWeek

 

Yet underneath the silver lining of cloud computing (or software as a service) there are a multitude of issues symptomatic of the collisions that occur when technologies experience “mission shift.”  When virtualization, for example, moved from development and test environments to the production data center, we saw virtualization security suddenly take center stage at VMworld in Cannes.

 

As cloud computing takes off, we’ll see a new level of traffic and security demands facing the same old tired infrastructure. The DNS exploit and the recently discovered BGP attack are harbingers of things to come as the Internet ages and new capabilities and scales of processing power continue to pressure the Internet’s core protocols.

 

The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet’s core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy.  The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness.

- Kim Zetter, Wired, Aug 26

 

I just watched a 12-minute “bloxTV” video interview with Cricket Liu, one of the world’s leading experts on DNS.  Blogger John Furrier asks him about the recent DNS vulnerability and why it received so much fanfare.  Cricket answered that it was “the biggest vulnerability” we have ever seen, and that it impacted close to 11 million servers responsible for directing Internet and TCP/IP network traffic.  That’s a lot of traffic between lots of destinations.

 

According to some pundits, we’ve heard enough about the DNS vulnerability and exploit issue and it’s time to put it behind us. I beg to differ.  The DNS exploit meme explosion will be a mere poster child for many new exploits and challenges to come, and many of them will directly threaten the core integrity of the Internet.

 

At about 7 minutes into the interview, Cricket responds to a pointed question from Furrier about the core (DNS) stresses and strains on the Internet by tactfully noting that DNS recently celebrated its 25-year anniversary.  DNS, Cricket also noted, has scaled amazingly well, from the ARPANET with thousands of hosts to the Internet with hundreds of millions of hosts.  The original ARPANET backbone bandwidth capacity was 56k.

 

Cricket is right; the DNS story is an incredible success story.  As Cricket also notes, it is understandably creaking under the pressures of increasing traffic, demands, endpoints and even outdated approaches to managing core network services/protocols.  More patches and more exploits are on the way, as we watch service providers announce their plans to excited audiences.

 

 

Mission Shift on a Grand Scale

 

As Google, Microsoft, Amazon and others drive us toward software (and other IT capabilities) as a service, a sublime implication circulating through the blogosphere is that the Internet has perhaps evolved beyond the capabilities imagined by its developers.  Simply conduct a blog or news search on “DNS exploit” and “DNS vulnerability” and track the meme explosion since the first of the year.

 

This year was a watershed year in security because we saw how an old and pervasive vulnerability could be exploited in seconds.

 

Cloud computing necessarily means even more demands on traffic and security.  Google Chrome reportedly generates as much as 3 times more DNS queries per site visit than other browsers.  In effect, it automatically sends a DNS request for every link on the page you visit whether you hit that link or not.  That’s just the beginning.  Wait until the new cloud apps start raining on the Internet.  There will be new security requirements and they will be critical. 

 

If DNS can be exploited, the integrity of the Internet can be compromised.  Without trust, the fabric of ecommerce and communication that has benefited from ubiquitous connectivity becomes a mesh of hunters and hunted.  The casualties would obviously include software-as-a-service vendors and their customers.

 

Security expert and blogger Amrit Williams also recently blogged about the very critical relationship between security and cloud computing:

 

Security, especially integrity of the service and confidentiality of the information, is critical to the market success of companies offering cloud computing and SaaS solutions.

- Amrit Williams

 

So as we continue to read about the promise of cloud computing, the blogs will be buzzing about security and load impacts. Nir Zuk just launched his personal blog and started a conversation about the impact of cloud computing’s mission shift on IT organizations: 

 

The migration of applications from the enterprise data center to Google and Salesforce.com, accompanied by the corresponding shift of information from the data center to the Internet is slowly changing the IT department’s role. It also changes the security risks that need to be resolved. When users have the ability to choose the applications they use, when data resides outside the corporate network, and when everyone can use any application and access data wherever they are in the world – we are dealing with a completely different beast than we are used to!                                

- Nir Zuk: Security Nirvana Blog

 

Security caught virtualization by surprise.  It seems very likely that it’s about to catch cloud computing by surprise.  Then there is the load issue, also discussed by Nir:

 

The IT department only needs to provide the pipes. Google will take care of the rest. And speaking of pipes – that DS3 link you have isn’t big enough. It needs to be upgraded – quickly! Google needs you to have more bandwidth. With everything coming in on ports 80 and 443 to the browser, QoS doesn’t work. So, more bandwidth please.

- Nir Zuk

 

One has to ask: Is the Internet really ready for cloud computing?

 

 

You can read my disclaimer at: About ARCHIMEDIUS.

Responses

  1. [...] involved in the discussion around the Kaminsky findings.  Greg Ness who contributes here posts on his blog about the big picture in security. He also refers to my podcast with Cricket [...]

  2. [...] Gregness has found the flaw in the Cloud Computing model: since the infrastructures and the economy-of-scale model of the Internet giants can hardly be faulted, let's attack what connects them to the enterprise, that is, the infrastructure of the Internet itself. He promises us more and more frequent DNS flaws, why not, but above all I have trouble seeing why this would affect only SaaS services and not companies' current inter-site communications (internal IS applications, VPN, mail…). [...]

