Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure
The talk I was scheduled to give at Blackhat in Vegas had that title. Due to a timing issue, I couldn’t make Vegas.
The summary of CI^6 goes something like this:
What was in is now out.
This metaphor holds true not only as an accurate analysis of what happens to our data with the adoption trends of disruptive technology and innovation in the enterprise, but also parallels the amazing velocity of how our datacenters are being re-perimiterized and quite literally turned inside out thanks to Cloud computing and virtualization.
One of the really interesting things happening with the massive convergence of virtualization and cloud computing is its effect on security models, the corresponding compensating controls and the information they are designed to protect.
Where and how our data is created, processed, accessed, stored, backed up and destroyed in what is sure to become massively overlaid cloud-based services — and by whom and using whose infrastructure — yields significant concerns related to security, privacy, compliance and survivability.
Further, the “stacked turtle” problem becomes more visible as the notion of nested clouds becomes reality: cloud SaaS providers depending on Cloud IaaS providers which rely on Cloud network providers. It’s a house of, well, turtles.
The fragile application layer of infostructure, sitting atop infrastructure and held together with the bailing-wire and bubble gum of outdated metastructure yields unintended information intercourse.
We will show multiple cascading levels of failure associated with relying on cloud-on-cloud infostructure/metastructure/infrastructure including exposing flawed assumptions and untested theories as it relates to security, privacy and confidentiality in the Cloud with some unique attack vectors.
The gist of the talk shows examples of the fragility at each of the largely independent info-/meta-/infra-structure layers and then as a whole.
I spend quite a bit of time on the Metastructure layer:
While I plan to give the talk publicly soon at a venue which I will announce shortly, thematically, the talk’s content is already playing itself out in the real world. If you need good examples as to what I am talking about, I’ll use the two I focus in on with the presentation: DNS and BGP.
You need only look at the latest set of DDoS attacks on social media sites to see how relevant this continues to be.
Much of what holds the Internet and our Intranets together are based upon protocols and architecture never designed to
scale to the levels they are going to get pushed to with Cloud. Further, the inherent trust in the models used to frame fair play are equally as kaput.
The canaries in the coal mine are starting to chirp very loudly…
I find that people spend a lot of time criticizing the styles of delivery and presentation around securing the Metastructure layer.
They say there’s nothing new. They say it’s just a way of seeking attention.
I’d suggest listening to the message regardless of what you think of the messengers.*
Talk amongst yourselves.
*Lori Macvittie has an interesting post highlighting this.