Incomplete Thought: Cloud Security IS Host-Based…At The Moment
See the diagram to the right? It is my masterful “Hamster Sine Wave Of Pain.” The HSWOP demonstrates where and how, over time, we manifest our investment in security controls and approaches.
We waffle between securing the host to the user to information to applications and then to the network and back again. It’s how it’s always been and how it always will be. It makes for some timing problems, however.
The gap in approach shows up when we overlay disruptive innovation and technology such as virtualization and Cloud Computing on top of this security response curve and we realize we’re out of synch. When we’re busy being information-centric from a security perspective and a disruptive networking event occurs…oops.
The inspiration for this post came from a complaint on Twitter this morning from my buddy Rich Mogull in which he lamented that too many people are equating “HIPS (host-based intrusion prevention)” with “Cloud Security.”
The reality is that depending upon the *aaS model you’re referring to, HIPS *is* Cloud Security. Specifically, in IaaS/PaaS environments when you can’t plumb in virtual network appliances (or physical for that matter) then you’re basically left with whatever the provider gives you at the “network” layer (which is usually not much) or you focus on host-based controls. HIPS is as good as any other solution at that point.
In SaaS environments, you’re dependent upon whatever the provider engineers into their network platforms and the applications themselves.
To generalize: when security is a visible operational capability presented to the user, rather than something bundled into the service, then, beyond application security and the odd ACL, HIPS/HIDS/AV/hardening scripts/etc. *is* Cloud Security for most folks at the moment.
Ultimately, this Cloud Security gap at the IaaS/PaaS level will close over time, as it is already beginning to do technologically with virtualization.
You’ll have more options as the mechanisms for integrating network-based security solutions become available. At issue here is the fact that security capabilities constrained by inflexible policies based on IP addresses are out of step with connectivity advances and with how Cloud services are composed, provisioned, orchestrated and managed. Hence the host/guest-based security focus. It’s simply the easiest and most prudent thing to do given our options at the moment.
We’ve seen the hints of advancement with what VMware is doing with VMsafe and their APIs. As the notion of VDCOS evolves, I maintain we’ll see this sort of capability appear with IaaS/PaaS vendors in the Cloud, too, and it will expand beyond things like firewalls and IPSs — we’ll see load balancers and other network-based capabilities emerge through creative plumbing. We’ll see what other virtualization platforms bring to the table in this scope as introspection capabilities mature (if they do at all…).
We ought to see a bunch of innovative solutions that will emerge slowly as the “internal” virtualization and unified computing capabilities make their way “outward” and become the same platforms powering more mainstream Cloud offerings. This might take a while. Perhaps a very long while.
Until then, enjoy your agents.
Same as it ever was…same as it ever was.