A few hours ago I finished reading Nicholas Carr’s The Big Switch and was floored by his take on the impending mass adoption of cloud/utility computing and its impacts on information technology and the world. A few minutes ago I read another great piece from InfoWorld, this time on cloud computing and security: The Dangers of Cloud Computing.
I’ve been ranting at The Archimedius Report about virtualization and security and the inherent challenges of securing mobile, state-changing servers. That’s why these paragraphs from Ephraim’s article published Monday set off yet another “implication” for data center and network security, thanks to some insightful comments by Gartner’s chief security analyst John Pescatore:
The area that worries Pescatore most is how quickly cloud-based services are updated and changed. He cites Microsoft’s painstaking development of the SDLC (Software Development Life Cycle) initiative that assumes mission-critical software will have a three- to five-year period in which it will not substantially change.
“In the cloud, every two weeks we add a new feature, changing the app all the time. But the secure SDLC is not built to do that. We are going back to the old Netscape days of pushing out new features real quick, and nobody has a security cycle that moves that fast,” Pescatore says.
What makes matters even worse is that the business user can’t say he wants to stay on the old version. “In the cloud you have to accept the next version, possibly nullifying any security that was built into the old application or assumed through integration at the customer site.”
– Ephraim Schwartz, InfoWorld, July 7 2008
As I mentioned in Virtualization-Lite, the network security solution leaders have poor visibility into the hypervisor layer and even poorer enforcement capabilities at that layer. Neither Cisco, Juniper nor McAfee is well prepared for the task of defending fluid virtual server environments, unless each environment is confined within an individual hypervisor. That’s not really virtualization, but rather virtualization-lite: the acceptance of a reduced business case for virtualization in exchange for a more stable network security posture.
The nature and scale of cloud computing would put even more pressure on a world of static security that virtualization in the data center has already put on notice. Imagine millions of blade servers deployed around the world, each hosting dozens of VMs capable of following the moon, as Kevin Kelly puts it.
That level of mobility (servers chasing cheap electricity around the globe thanks to ubiquitous cloud computing) would wreak havoc on a security status quo architected over years to defend fixed servers. Leading network security appliances have assumed inflexibility inside the perimeter, and that assumption has been a key impediment both to virtsec and to the rapid proliferation of virtualization in the data center.
Of course, Kelly’s “follow the moon” vision is further off than the vision of virtualization and smaller independent clouds/utilities. Yet there is still trouble on the horizon. If you accept Carr’s premise that utility computing is inevitable, the picture for IT as we know it today is bleak. The security industry wouldn’t be in much better shape either:
In the long run, the IT department is unlikely to survive, at least not in the familiar form. It will have little left to do once the bulk of business computing shifts out of private data centers and into “the cloud.”
– Nicholas Carr, The Big Switch, page 118
A few weeks ago I talked about the tactical nature of network security and its occasional quicksand mentality, where every new move risks sinking even deeper into the perceived risk abyss. At this point it appears that tactical network security teams are not taking the lead in unleashing virtualization, for obvious reasons. They’re deploying the hypervisor VLANs discussed above, which limit flexibility and movement to the confines of a single hypervisor.
IN A NUTSHELL
Security solutions are behind when it comes to virtualization. Security pros are taking a tactical posture. Yet change is coming according to Carr.
With sunrise over the data center comes an array of clouds stretched out as far as the eye can see. Will those clouds tease us into accepting a potentially weaker security posture in exchange for lower IT costs and greater convenience? I think the answer is yes.
As network security pros and pundits struggle to create ROI models for security, or new rationales for more proactive postures within increasingly reactive bureaucracies, I think it is obvious that we’ll accept more breaches in exchange for more convenience. That is, until the defining moment of an attack so audacious that it forces innovation as a means of service provider survival.
A cloud breach could be monumental and shocking. It may be what netsec needs to get back on top of the game.
A cloud attack could drive a new renaissance in security, with new outlooks and probably even panic overspending. Maybe we would even see application service providers market security in the same way that Swiss banks once marketed privacy. That could make security strategic to brand. And many enterprises already know how to calculate brand ROI.
Disclosure: I’m the VP Marketing for Blue Lane Technologies, a winner of the 2007 InfoWorld Technology of the Year for security, Best of Interop 2007 in security and the AO 100 Top Private Company award for 2006 and 2007. Blue Lane is also a 2007 Best of VMworld Finalist in data protection. I’ve been a marketing executive at Juniper Networks, Redline Networks, IntruVert Networks and ShoreTel. I’ve been an Always On blogger/columnist since 2004. My recently launched personal blog is: www.archimedius.net. I recently added my blog to a growing lineup of editors at BroadDev.com. These are all my opinions, and do not represent the opinions of employers, spouses, kids, etc.