
Virtualization & Cloud Don’t Offer An *Information* Security Renaissance…

I was reading the @emccorp Twitter stream this morning from EMC World and noticed some interesting quotes from RSA’s Art Coviello as he spoke about Cloud Computing and security:

Fundamentally, I don’t disagree that virtualization (and Cloud) can act as fantastic forcing functions that help us focus on securing the things that matter most if we agree on what that is, exactly.

We’re certainly gaining better tools to help us understand how dynamic infrastructure, amorphous perimeters, mobility and collaboration are affecting our “craft.” However, I disagree that we’re going to enjoy anything resembling a “turnaround.” I’d suggest it’s more accurate to describe it as a “reach around.”

How, what, where, who and why we do what we do has been dramatically impacted by virtualization and Cloud. For the most part, these impacts are organizational and operational, not technological. In fact, most of the security industry (and networking, for that matter) has been caught flat-footed by this shift, which is, unfortunately, already well underway, with the majority of the market leaders scrambling to adjust roadmaps.

The very premise of a Public Cloud Computing model, that your information can be located and operated on by multiple actors (potentially hostile ones), means we have to refocus on the boring and laborious basics of risk management and information security.

Virtualization and Cloud computing are simply platforms and operational models, respectively. Security is as much a mindset as it is the clichéd three-legged stool of “people, process and technology.” While platforms are important as “vessels” within and upon which we build our information systems, it’s important to realize that at the end of the day, the stuff that matters most (regardless of disruption and innovation in technology platforms) is the information itself.

“Embed[ding] security in” to the platforms is a worthy goal, building survivable systems is paramount, and doing a better job of considering security at an inflection point such as this one is certainly important. However, focusing on infrastructure alone shows that we are still deluded about the reality: applications and information (infostructure) and the protocols that transport them (metastructure) are still disconnected from the cogs that house them (infrastructure).

Focusing back on infrastructure is not heaven, and it doesn’t represent a “do-over”; it simply perpetuates a broken model.

We’re already in security hell, or at least in one of Dante’s circles of the Inferno. You can’t dig yourself out of a hole by continuing to dig; we’re already not doing it right. Again.

Two years ago at the RSA Security Conference, the theme of the show was “information centricity,” and unfortunately, given the hype and churn of virtualization and Cloud, we’ve lost touch with that focus. Abstraction has become a distraction. Embedding security into the platforms won’t solve the information security problem. We need to focus on being information centric and platform independent.

By the way, this is exactly the topic of my upcoming Blackhat 2010 talk: “CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity”  Go figure.

/Hoff
