If there are three main pillars for traditional information security—security, privacy and reliability—the move to the cloud is adding two more crucial supports: transparency and control.
The adoption of virtual environments, data center services and cloud applications is continuing apace, with large multinational corporations and SMBs alike adopting the approach in a quest for efficiency of all stripes. But as people move to this new environment, the rules and best practices are changing as far as who has access to information, how it’s possible to control that and when to provide transparency.
During his keynote on enhancing cloud trust at #RSAC2015, Scott Charney, corporate vice president of Trustworthy Computing at Microsoft, pointed out that there are radical differences between the pre-cloud model of securing information, and today’s reality. Traditionally, vendors create technology and put it into the hands of customers, and customers then secure it, or attempt to, on-premise. The bad guys then come along to gain access to the network, using four main attack vectors—supply chain, vulnerabilities and insecure code, social engineering and poor configurations. Vendors, the customers and the government from there together mount a defense.
But the world is changed. Those network boundaries are now distributed and complex and maintained by a multiplicity of players, for one thing; when it comes to the cloud, Big Data and mobility, customers let go of their information from a physical perspective.
In addition to that, the vendor-customer relationship becomes two-way in a cloud environment, Charney pointed out; they’re sending data back and forth to each other. And while that’s happening, it’s worth remembering that organized crime and terrorist organizations can subscribe to cloud services just as normal customers can. So, in addition to the traditional three good guys—vendors, customers and governments, you also have criminals on the same fabric.
“So you have customers asking their provider, how do you protect the fabric? And also, how do we protect our stuff from your fabric? They want to be protected from the cloud as much as they want to leverage it,” Charney said.
And, the government itself, in a post-Snowden world, is no longer seen as being firmly in the “good” column, he pointed out.
“With government having access to lots of data and running espionage programs, we’re having a crypto-debate, and trust boundaries and transparency into that cloud fabric becomes really important because we all now have a little distrust of each other.”
Charney said that the sweeping change in the cyber threat, which has moved from being mainly opportunistic to revolving around advanced persistent threats, is coloring the entire discussion.
“The threat model has continued to evolve in a critical way—breaches continue unabated, but the attacks are more destructive,” Charney said. “When exploitation happens, and data is stolen, that can have a huge impact. But it’s not an immediate impact. It could be felt over three or four years as customers are slowly siphoned off.” He added, “The attacks on RasGas, Saudi Aramco and Sony are examples of destructive attacks that stop you from doing daily business, and that’s changed the conversation to take place outside the IT arena and into board rooms and the C-suite.”
As far as how to mitigate threats in this environment, Charney said that among the strategies that need to come to life falls into the contro category; i.e., a post-password approach to authentication. This echoes the conventional wisdom across the industry. But, it means moving to a more usable security approach; and Charney argues that a hardware-based approach is the best way to do that.
“Passwords can be not just stolen and phished, but also lost—we all know we need to move to a new system,” Charney said. “It will become about more personal computing—your computer will recognize you, and you will have a relationship with your machine.”
He added that secure biometrics is one way of doing that; and when combined with a trusted computing module, the hardware becomes the root of trust: “Your credential may get phished, but in this scenario it can’t get used from a different place, so we can effectively kill passwords.”
At the same time, customers want more transparency on the network, in the virtual machines, and who is accessing them. But system administration privileges have always been a problem.
“Look at the most sophisticated APTs,” Charney said. “They harvest credentials and move laterally across the network.”
Keeping software updated and using whitelisting can mitigate a lot of this, but applying the ideas of just-in-time administration and just enough administration will be key. This is the idea of giving someone a token that allows them to escalate their privileges only when they need that, and in a time-bound way—there is no persistent administration.
Of course, in the end, it’s up to real-world implementation to prove out many of these ideas “It’s great to have a strategy, but it only makes a difference if actually implemented and put in the hands of customers,” Charney said.