Home > Cloud Computing, Cloud Security > Cloud Computing Security: (Orchestral) Maneuvers In the Dark?

Cloud Computing Security: (Orchestral) Maneuvers In the Dark?

OMDLast week Kevin L. Jackson wrote an insightful article titled: Cloud Computing: The Dawn of Maneuver Warfare in IT Security.  I enjoyed Kevin’s piece but struggled with how I might respond: cheerleader or pundit.  I tried for a bit of both while I found witty references to OMD.*

Kevin’s essay is an interesting — if not hope-filled — glimpse into what IT Security could be as enabled by Cloud Computing and virtualization, were one to be able to suspend disbelief due to the realities of hefty dependencies on archaic protocols, broken trust models and huge gaps in technology and operational culture.  Readers of my blog will certainly recognize this from “The Four Horsemen of the Virtualization Security Apocalypse” and “The Frogs Who Desired a King: A Virtualization and Cloud Computing Security Fable

To the converse, I’ve certainly also done my fair share of trying to change the world both by thought and action in the stance of “cheerleader”; I’ve been involved in everything from massive sensornet deployments to developing AI/Neural Networking based security technologies, so I think I’ve got a fair idea of what the balance looks like.  The salty pragmatist often triumphs, however…

Kevin’s article represents a futurist’s view, which is in no way a bad thing, but I fear it is too far disconnected from the realities of security and operational maturity outside of the navel:

The lead topic of every information technology (IT) conversation today is cloud computing. The key point within each of those conversations is inevitably cloud computing security.  Although this trend is understandable, the sad part is that these conversations will tend to focus on all the standard security pros, cons and requirements. While protecting data from corruption, loss, unauthorized access, etc. are all still required characteristics of any IT infrastructure, cloud computing changes the game in a much more profound way.

Certainly Cloud is a game changer, but just because the rules change does not mean the players do.  We haven’t solved those issues as they pertain to non-virtualized or Cloud infrastructure, so while sad, it’s a crushing truth we have to address.  Further, to get from “here” to “there,” we do need to focus on these issues because that is how we are measured today; most of us don’t get to start from scratch.

To that point, check out “Incomplete Thought: Cloud Security IS Host-Based…At The Moment” for why this gap exists in the first place.

I should make it clear that this does not mean I necessarily disagree with the exploration of Kevin’s future state, in fact I’ve written about it in various forms several times, but it’s important to separate what Cloud will deliver from a security perspective in the short term from the potential of what it can possibly deliver in the long term; this applies to both the cultural and technical perspectives.

I think the most significant challenges I had in reading Kevin’s article revolved around three things:

  1. Mixing tenses in some key spots seemed to imply that out of the box today, Cloud Computing can deliver on the promises Kevin is describing now.  Given the audience, this can lead to unachievable expectations
  2. The disconnect between the public, private and military sectors with an over-reliance on military analogies as a model representing an ideal state of security operations and strategy can be startling
  3. Unrealistic portrayals of where we are with the maturity of Cloud/virtualization mobility, portability, interoperability and security capabilities

In the short term, there are certainly incremental improvements will occur with respect to security thanks to the “lubricant-like” functionality provided by virtualization and Cloud.

These “improvements” however represent gains mostly in automation of manual processes and a resultant increase in efficiency rather than a dramatic improvement in survivability or security given what we have to work with today.

The lack of heterogeneous closed-loop autonomics, governance and orchestration in conjunction with the fact that a huge amount of infrastructure and applications are not virtualization- or Cloud-ready means this picture a vision, not a mission.

Kevin juxtaposes the last few decades of static, Maginot Line IT/Information Security “defense-in-depth” strategy with the unpredictable and “agile, hostile and mobile” notions of military warfighter maneuvers to compare and contrast what he suggests Cloud will deliver with an enlightened state of security capabilities:

Until now, IT security has been akin to early 20th century warfare.  After surveying and carefully cataloging all possible threats, the line of business (LOB) manager and IT professional would debate and eventually settle on appropriate and proportional risk mitigation strategies. The resulting IT security infrastructures and procedures typically reflected a “defense in depth” strategy, eerily reminiscent of the French WWII Maginot line . Although new threats led to updated capabilities, the strategy of extending and enhancing the protective barrier remained. Often describe as an “arms race”, the IT security landscape has settled into ever escalating levels of sophisticated attack versus defense techniques and technologies. Current debate around cloud computing security has seemed to continue without the realization that there is a fundamental change now occurring. Although technologically, cloud computing represents an evolution, strategically it represents the introduction of maneuver warfare into the IT security dictionary.

The concepts of attrition warfare and maneuver warfare dominate strategic options within the military. In attrition warfare, masses of men and material are moved against enemy strongpoints, with the emphasis on the destruction of the enemy’s physical assets. Maneuver warfare, on the other hand, advocates that strategic movement can bring about the defeat of an opposing force more efficiently than by simply contacting and destroying enemy forces until they can no longer fight.

The US Marine Corps concept of maneuver is a “warfighting philosophy that seeks to shatter the enemy’s cohesion through a variety of rapid, focused, and unexpected actions which create a turbulent and rapidly deteriorating situation with which the enemy cannot cope.”   It is important to note, however, that neither is used in isolation.  Balanced strategies combine attrition and maneuver techniques in order to be successful on the battlefield.

The reality is that outside of the military, “shock and awe” doesn’t really work when you’re mostly limited to “compliance and three analysts with a firewall.”  Check out “Security & the Cloud — What Does That Even Mean?

Here’s where the reality distortion fields trumps the rainbows and unicorns:

With cloud computing, IT security can now use maneuver concepts for enhance defense. By leveraging virtualization, high speed wide area networks and broad industry standardization, new and enhanced security strategies can now be implemented. Defensive options can now include the virtual repositioning of entire datacenters. Through “cloudbursting”, additional compute and storage resources can also be brought to bear in a defensive, forensic or counter-offensive manner. The IT team can now actively “fight through an attack” and not just observe an intrusion, merely hoping that the in-place defenses are deep enough. The military analogy continues in that maneuver concepts must be combined with “defense in depth” techniques into holistic IT security strategies.

Allow me to suggest that “fight[ing] through an attack” by simply redirecting/re-positioning the $victim isn’t really an effective definition of an “active countermeasure” anymore than waiting the attack out because there’s no offense, only defense.  There is no elimination of threat.  I’ve written about that a bit: Incomplete Thought: Offensive Computing – The Empire Strikes BackThinning the Herd & Chlorinating the Malware Gene Pool… and Everybody Wing Chun Tonight & “ISPs Providing Defense By Engaging In Offensive Computing” For $100, Alex. Mobility does not imply security.

To wit:

A theoretical example of how maneuver IT security strategies could be use would be in responding to a  denial of service attack launched on DISA datacenter hosted DoD applications. After picking up a grossly abnormal spike in inbound traffic, targeted applications could be immediately transferred to virtual machines hosted in another datacenter. Router automation would immediately re-route operational network links to the new location (IT defense by maneuver). Forensic and counter-cyber attack applications, normally dormant and hosted by a commercial infrastructure-as-a-service (IaaS) provider (a cloudburst), are immediately launched, collecting information on the attack and sequentially blocking zombie machines. The rapid counter would allow for the immediate, and automated, detection and elimination of the attack source.

To pick on this specific example, even given the relatively mature anti-DDoS capabilities we have today without virtualization or Cloud, simply moving resources around in response to an attack does nothing if the assets are bound to the same IP addresses and hostnames. Fundamentally, the static underpinnings holding the infrastructure together hinder this lofty goal.  You can Cloudburst till the cows come home, but the attacks will simply follow.  You transfer all those assets to a new virtual datacenter and for the most part, the bad traffic goes with it. Distributed intelligence can certainly reduce the pain, but with distributed botnets whose node counts can number in the millions, you’re not going to provide for the “…elimination of the attack source.”

With these large scale botnets as an example, the excess capacity and mobility of the $victim could even have unintended worse ramifications such as what I wrote about here: Economic Denial Of Sustainability (EDoS)

In closing, we’ve got two parallel paths of advancing technology: the autonomics of the datacenter and the evolution of security.  I’ll wager we’ll certainly see improvements in the former that are well out-of-phase and timing with the latter, not the least of which is due to what Kevin closed with:

This revolution, of course, doesn’t come without its challenges.  This is truly a cultural shift. Cloud computing provides choice, and in the context of active defense strategies, these choices must be made in real-time.  While the cloud computing advantages of self-service, automation, visibility and rapid provisioning can enable maneuver security strategies, successful implementation requires cooperation and collaboration across multiple entities, both within and without.
The cloud computing era is also the dawning of a new day in IT security.  In the not to distant future, network and IT security training will include both static and active IT security techniques. Maneuver warfare in IT security is here to stay.

It’s absolutely a cultural issue, but we must strive to be realistic about where we are with Cloud and security technology and capabilities as aligned.  As someone who’s spent the last 15 years in IT/Security, I can say that this is NOT the “…dawning of a new day in IT security,” rather it’s still dark out and will be for quite some time.  There is indeed opportunity to utilize Cloud and virtualization to react better, faster and more efficiently, but let’s not pretend we’re treating the problem when what we’re doing is making the symptoms less noticeable.

I am absolutely bullish on Cloud, but not Cloud Security as it stands, at least not until we make headway toward fundamentally fixing the foundational problems we have that allow the problems to occur in the first place.

/Hoff

* I thought that out of all of OMD’s tracks, the most apropos titles to match to this blog post would be “Pandora’s Box,” “Dreaming,” or “The New Stone Age” ;)  Thanks for the motivation, @csoandy

  1. June 14th, 2009 at 07:44 | #1

    When I read Kevin's article, I also thought that moving the resources to deflect attacks was not making sense because the resource will either be attached to an IP address or a hostname or, in some cases, a domain name or subdomain name. Then, I thought I am missing something and shut myself up :-).

  2. June 14th, 2009 at 17:51 | #2

    Excellent! This is just the type of dialog I'd hoped for. I would, however, like to say that my focus is on the use of cloud computing in the DoD, DHS and Intelligence communities. For the foreseeable future, I expect these organization to deploy private clouds where their would be more flexibility in IP addresses, hostnames and communications conduits. Those environment should also have the network visibility required to execute such coordinated actions. I also expect this technology will lead to "tactical clouds" that would link network resources in an adhoc manner in order to increase capabilities for a limited time in a specific geographic area. I am definitely guilty of mixing tenses and will need to watch that the next time.

  3. David O’Berry
    June 14th, 2009 at 20:40 | #3

    I definitely appreciate his enthusiasm but as you point out, I get very worried when someone mixes things up a bit through accidental tense changes or wording and gives a picture like what Mr. Jackson did in that piece.

    I do believe that eventually you can use virtualization technology to create a silver buckshot approach to security instead of always relying on a serial silver bullet mentality but not in the manner he puts forth.

    It’s possible he is simply talking about overwhelming response to an attack through a brute force means which, while I applaud in theory, is not something we can legitimately even attempt right now without huge distributed bot-net type grids of our own. That simply does not exist in most situations and in fact even were it accurate or feasible to attempt to implement now, most Government organizations are going the opposite way in an attempt to reduce the surface area of attack space. DOS, while noisy and a pain, is probably on the lower end of many folks worries right now as attack vectors go.

    -David

  4. June 14th, 2009 at 20:53 | #4

    @David O’Berry

    I enjoy reading Kevin’s writings and I am impressed with his networking (human,) especially given his interactions with folks like Vivek Kundra. This is why it’s important to ensure the messaging surrounding “Cloud,” especially in the federal sector sets the appropriate expectations.

    With Cyberwar this and funding that, we can and should be spending our time and money on things that have the most bang for the buck. For the most part, as it relates to security — and even in the realm of Cloud — that means those boring things Kevin described in the beginning of his article.

    Cloud doesn’t change the need, just the application.

    /Hoff

  5. David O’Berry
    June 14th, 2009 at 22:28 | #5

    Great clarification and that thought pattern is an exciting one to me Kevin based on technologies like CUDA/Stream Processing and standards for security data exchange like IF-MAP. I do believe we have to get to that morphing tactical cloud as well as take that concept to the endpoint in many situations to develop an overall enhanced visibility posture thereby increasing the chance at resilience if not outright mitigation.

    Good stuff.

    -David

  6. Roland Dobbins
    June 16th, 2009 at 03:18 | #6

    @Roland Dobbins

    Grrr – no, this one. I suck at HTML.

    ;>

  7. Roland Dobbins
    June 16th, 2009 at 06:58 | #7

    Moving stuff around dynamically via routing tricks, via DNS tricks (i.e., GSLB-type things), et. al., can and have been done; they can provide some temporary relief in some circumstances, but absolutely, the attackers will note the change and adjust accordingly.

    See this post for more commentary in this arena:

    IF-MAP is somewhat interesting, but there are already existing information interchange formats in the control and management planes which aren’t being leveraged to their fullest – NetFlow, IPFIX/PSAMP, flow-spec, and even basic techniques making use of BGP such as S/RTBH and QPPB. DNS architecture is a particular sore point, as time and time again DNS ends up being the weak link in the chain, followed by a lack of deployment of even the most basic network infrastructure BCPs such as BCP84 via ACLs/uRPF/QPPB, S/RTBH, iACLs, rACLs, CoPP, et. al.

    Situational awareness is an area in which huge improvements in network detection/classification/traceback are required; you can’t mitigate that which you can’t see or understand. NetFlow (and later, IPFIX/PSAMP) telemetry is key to scalable network visibility, and both statistical and behavioral NetFlow-based anomaly-detection are extremely important.

    [Full disclosure; I work for a company which develops commercial NetFlow-based anomaly-detection systems. That being said, I strongly advocate starting out with open-source tools, moving to commercial tools when additional capabilities are required above and beyond what the open-source tools provide, and after gaining operational experience using open-source tools.]

  8. Roland Dobbins
    June 16th, 2009 at 06:59 | #8

    @Roland Dobbins

    The post to which I attemped to link is this one.

  1. June 15th, 2009 at 04:13 | #1
  2. February 16th, 2010 at 21:35 | #2
  3. March 9th, 2010 at 18:21 | #3
  4. April 25th, 2010 at 08:25 | #4
  5. April 25th, 2010 at 09:51 | #5
  6. October 28th, 2011 at 04:48 | #6