I got the pleasure of moderating a great “Cloud Computing in Government” panel a few weeks ago at a conference in D.C. The panelists included Mark Krzysko (Department of Defense,) Tim Schmidt (CIO, U.S. Dept. of Transportation,) and Mike Nelson (Professor, Georgetown University.)
The videographer jumped me on the way out to capture the essence of our discussion.
Direct link here.
Embedded below:
/Hoff
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=c13a67e5-ba53-43f5-b309-05ac1d8d952e)
This is bound to be an unpopular viewpoint. I’ve struggled with how to write it because I want to inspire discussion not a religious battle. It has been hard to keep it an incomplete thought. I’m not sure I have succeeded 
I’d like you to understand that I come at this from the perspective of someone who talks to providers of service (Cloud and otherwise) and large enterprises every day. Take that with a grain of whatever you enjoy ingesting. I have also read some really interesting viewpoints contrary to mine, many of which I find really fascinating, just not subscribed to my current interpretation of reality.
Here’s the deal…
While our attention has turned to the wonders of Cloud Computing — specifically the elastic, abstracted and agile delivery of applications and the content they traffic in — an interesting thing occurs to me related to the relevancy of networking in a cloudy world:
All this talk of how Cloud Computing commoditizes “infrastructure” and challenges the need for big iron solutions, really speaks to compute, perhaps even storage, but doesn’t hold true for networking.
The evolution of these elements run on different curves.
Networking ultimately is responsible for carting bits in and out of compute/storage stacks. This need continues to reliably intensify (beyond linear) as compute scale and densities increase. You’re not going to be able to satisfy that need by trying to play packet ping-pong and implement networking in software only on the same devices your apps and content execute on.
As (public) Cloud providers focus on scale/elasticity as their primary disruptive capability in the compute realm, there is an underlying assumption that the networking that powers it is magically and equally as scaleable and that you can just replicate everything you do in big iron networking and security hardware and replace it one-for-one with software in the compute stacks.
The problem is that it isn’t and you can’t.
Cloud providers are already hamstrung by how they can offer rich networking and security options in their platforms given architectural decisions they made at launch – usually the pieces of architecture that provide for I/O and networking (such as the hypervisor in IaaS offerings.) There is very real pain and strain occurring in these networks. In Cloud IaaS solutions, the very underpinnings of the network will be the differentiation between competitors. It already is today.
See Where Are the Network Virtual Appliances? Hobbled By the Virtual Network, That’s Where… or Incomplete Thought: The Cloud Software vs. Hardware Value Battle & Why AWS Is Really A Grid… or Big Iron Is Dead…Long Live Big Iron… and I Love the Smell Of Big Iron In the Morning.
With the enormous I/O requirements of virtualized infrastructure, the massive bandwidth requirements that rich applications, video and mobility are starting to place on connectivity, Cloud providers, ISPs, telcos, last mile operators, and enterprises are pleading for multi-terabit switching fabrics in their datacenters to deal with load *today.*
I was reminded of this today, once again, by the announcement of a 322 Terabit per second switch. Some people shrugged. Generally these are people who outwardly do not market that they are concerned with moving enormous amounts of data and abstract away much of the connectivity that is masked by what a credit card and web browser provide. Those that didn’t shrug are those providers who target a different kind of consumer of service.
Abstraction has become a distraction.
Raw networking horsepower, especially for those who need to move huge amounts of data between all those hyper-connected cores running hundreds of thousands of VM’s or processes, still know it as a huge need.
Before you simply think I’m being a shill because I work for networking vendor (and the one that just announced that big switch referenced above,) please check out the relevant writings on this viewpoint which I have held for years which is that we need *both* hardware and software based networking to scale efficiently and the latter simply won’t replace the former.
Virtualization and Cloud exacerbate the network-centric issues we’ve had for years.
I look forward to the pointers to the sustainable, supportable and scaleable 322 Tb/s software-based networking solutions I can download and implement today as a virtual appliance.
/Hoff
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=b79ce913-a6ec-45d0-a56a-477879960341)
At the RSA security conference last week I spent some time with Tom Gillis on a live uStream video titled “Securing the Network.”
Tom happens to be (as he points out during a rather funny interlude) my boss’ boss — he’s the VP and GM of Cisco’s STBU (Security Technology Business Unit.)
It’s an interesting discussion (albeit with some self-serving Cisco tidbits) surrounding how collaboration, cloud, mobility, virtualization, video, the consumerizaton of IT and, um, jet packs are changing the network and how we secure it.
Direct link here.
Embedded below:
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=9a02ae58-fbb1-4380-9c5a-7e4b80f40dec)
I don’t pay much attention to lists or awards, other than to usually make fun of them (especially when I’m put on one.)
However, this time I’ll make an exception. I was nominated this year for the RSA Security Bloggers Awards in the category of “Most Entertaining blog” and was voted “most likely to do something stupid” (in other words, I won.)
I was up against some stiff competition from the likes of Mike Rothman, Jack Daniel, Erin Jacobs and Adam Shostack (et. al) All these folks are fantastic bloggers and I’m lucky enough to call them all my friends. In between ejecting party crashers and making fun of Rich Mogull during my acceptance speech (the whole one sentence,) it was great to chill with people I only get to see in person at conferences.
Thanks very much to all who voted for me and thanks to the hard work by the judges and those who organized the bloggers meetup. Next year I hope they have a category for “best bouncer for the meetup.”
I’d like to congratulate the winners in the other categories, also:
Best Technical Security Blog - The SANS Internet Storm Center Blog
Best Non-technical Security Blog - Krebs on Security by Brian Krebs
Best Podcast - Pauldotcom
Best Corporate Blog - Jeremiah Grossman, White Hat Security
Thanks again.
/Hoff
Related articles by Zemanta
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=03bd60fc-ae3f-4bec-b66e-74c7bde9f0e0)
David Sparks (c/o Tripwire) interviewed me on the state of Information Security in virtualized/cloud environments. It’s another reminder about Information Centricity.
Direct Link here.
Emedded below:
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=12772d45-267a-4f9c-9ba5-41735ecf3eca)
Here are the slides from my Cloud Security Alliance (CSA) keynote from the Cloud Security Summit at the 2010 RSA Security Conference.
The punchline is as follows:
All this iteration and debate on the future of the “back-end” of Cloud Computing — the provider side of the equation — is ultimately less interesting than how the applications and content served up will be consumed.
Cloud Computing provides for the mass re-centralization of applications and data in mega-datacenters while simultaneously incredibly powerful mobile computing platforms provide for the mass re-distribution of (in many cases the same) applications and data. We’re fixated on the security of the former but ignoring that of the latter — at our peril.
People worry about how Cloud Computing puts their applications and data in other people’s hands. The reality is that mobile computing — and the clouds that are here already and will form because of them — already put, quite literally, those applications and data in other people’s hands.
If we want to “secure” the things that matter most, we must focus BACK on information centricity and building survivable systems if we are to be successful in our approach. I’ve written about the topics above many times, but this post from 2009 is quite apropos: The Quandary Of the Cloud: Centralized Compute But Distributed Data You can find other posts on Information Centricity here.
Slideshare direct link here (embedded below.)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=cd8f4d01-515e-4df8-b8b5-923ee7afc323)
About a year before I started working at the Jolly Green Giant (Cisco) I had a rather loud and addictive hobby that was focused on proving that Cisco would offer a “third party” virtual switch for VMware environments. This sort of unhealthy fascination also dovetailed with another related to “Project California” which later became the UCS (Unified Computing System.) Both are now something I talk about in my day job quite a bit.
So I don’t normally directly blog about specific work-related stuff here, but I’m going to make a quasi-exception.
The PM’s from our SAVBU (Server and Virtualization Business Unit) who own the Nexus 1000v and UCS product lines asked me if I’d get together a bunch of bloggers, analysts, end users, pundits, crusaders, super heroes, networking and security geeks and have a discussion about virtual networking — specifically the 1000v.
Of course they ask me to do this on the first day of the RSA Security Conference. At 9am. In the morning. Nice.
They didn’t tell me what they wanted me to say because honestly I think they want to see just how flustered the group above can get me…
So here’s the addy to the WebEx: https://ciscosales.webex.com/ciscosales/onstage/g.php?t=p&d=203474089
The event starts at 9am PST and I’ve got a room that can hold 8 people physically (or so I’m told) in our building across the street from Moscone at 201 3rd Street, San Francisco. If you plan to attend physically, the first 8 folks can meet me downstairs at the Chevy’s Mexican restaurant and we’ll go up at 8:30 SHARP. Otherwise, dial-in and have a good time.
It’s scheduled for an hour.
Talk/see you then. With the folks that have already said they’d participate, it ought to be fun. No, you don’t have to be a fanboy.
/Hoff
My youngest, Olivia, was interested in a video promo I was filming today for the RSA Security Conference on Cloud Computing. She mentioned that she wanted to film a spot on Cloud, too. Who am I to argue?
Direct link here. Embedded below.
…she gets rather upset about people’s poor password practices around 6:25 or so. Way to make a security daddy proud!
Next up, virtualization!
/Hoff
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=567d042b-b600-47c3-935c-76952e897623)
Here is some of the recent coverage from the last couple of months or so on topics relevant to content on my blog, presentations and speaking engagements. No particular order or priority and I haven’t kept a good record, unfortunately.
Important Stuff I’m Working On:
Press/Technology & Security eZines/Website/Blog Coverage/Meaningful Links:
Recent Speaking Engagements/Confirmed to speak at the following upcoming events:
Conferences I am tentatively attending, trying to attend and/or working on logistics for speaking:
Oh, let us not forget these top honors (buahahaha!)
[I often get a bunch of guff as to why I make these lists: ego, horn-tooting, self-aggrandizement. I wish I thought I were that important. The real reason is that it helps me keep track of useful stuff focused not only on my participation, but that of the rest of the blogosphere.]
/Hoff
I saw a very interesting post on LinkedIn with the title PwC/TSB Debate: The cloud/thin computing will fundamentally change the nature of cyber security…
PricewaterhouseCoopers are working with the Technology Strategy Board (part of BIS) on a high profile research project which aims to identify future technology and cyber security trends. These statements are forward looking and are intended to purely start a discussion around emerging/possible future trends. This is a great chance to be involved in an agenda setting piece of research. The findings will be released in the Spring at Infosec. We invite you to offer your thoughts…
The cloud/thin computing will fundamentally change the nature of cyber security…
The nature of cyber security threats will fundamentally change as the trend towards thin computing grows. Security updates can be managed instantly by the solution provider so every user has the latest security solution, the data leakage threat is reduced as data is stored centrally, systems can be scanned more efficiently and if Botnets capture end-point computers, the processing power captured is minimal. Furthermore, access to critical data can be centrally managed and as more email is centralised, malware can be identified and removed more easily. The key challenge will become identity management and ensuring users can only access their relevant files. The threat moves from the end-point to the centre.
What are your thoughts?
My response is simple.
Cloud Computing or “Thin Computing” as described above doesn’t change the “nature” of (gag) “cyber security” it simply changes its efficiency, investment focus, capital model and modality. As to the statement regarding threats with movement “…from the end-point to the centre,” the surface area really becomes amorphous and given the potential monoculture introduced by the virtualization layers underpinning these operations, perhaps expands.
Certainly the benefits described in the introduction above do mean changes to who, where and when risk mitigation might be applied, but those activities are, in most cases, still the same as in non-Cloud and “thick” computing. That’s not a “fundamental change” but rather an adjustment to a platform shift, just like when we went from mainframe to client/server. We are still dealing with the remnant security issues (identity management, AAA, PKI, encryption, etc.) from prior computing inflection points that we’ve yet to fix. Cloud is a great forcing function to help nibble away at them.
But, if you substitute “client server” in relation to it’s evolution from the “mainframe era” for “cloud/thin computing” above, it all sounds quite familiar.
As I alluded to, there are some downsides to this re-centralization, but it is important to note that I do believe that if we look at what PaaS/SaaS offerings and VDI/Thin/Cloud computing offers, it makes us focus on protecting our information and building more survivable systems.
However, there’s a notable bifurcation occurring. Whilst the example above paints a picture of mass re-centralization, incredibly powerful mobile platforms are evolving. These platforms (such as the iPhone) employ a hybrid approach featuring both native/local on-device applications and storage of data combined with the potential of thin client capability and interaction with distributed Cloud computing services.*
These hyper-mobile and incredibly powerful platforms — and the requirements to secure them in this mixed-access environment — means that the efficiency gains on one hand are compromised by the need to once again secure diametrically-opposed computing experiences. It’s a “squeezing the balloon” problem.
The same exact thing is occurring in the Private versus Public Cloud Computing models.
/Hoff
* P.S. Bernard Golden also commented via Twitter regarding the emergence of Sensor nets which also have a very interesting set of implications on security as it relates to both the examples of Cloud and mobile computing elements above.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=e616d511-36c9-494f-8fad-3fcda4ecf38b)
Recent Comments