Security in the Cloud
One of the basic philosophies of security is defense in depth: overlapping systems designed to provide security even if one of them fails. An example is a firewall coupled with an intrusion-detection system (IDS). Defense in depth provides security, because there’s no single point of failure and no assumed single vector for attacks.
It is for this reason that a choice between implementing network security in the middle of the network—in the cloud—or at the endpoints is a false dichotomy. No single security system is a panacea, and it’s far better to do both.
This kind of layered security is precisely what we’re seeing develop. Traditionally, security was implemented at the endpoints, because that’s what the user controlled. An organization had no choice but to put its firewalls, IDSs, and anti-virus software inside its network. Today, with the rise of managed security services and other outsourced network services, additional security can be provided inside the cloud.
I’m all in favor of security in the cloud. If we could build a new Internet today from scratch, we would embed a lot of security functionality in the cloud. But even that wouldn’t substitute for security at the endpoints. Defense in depth beats a single point of failure, and security in the cloud is only part of a layered approach.
For example, consider the various network-based e-mail filtering services available. They do a great job of filtering out spam and viruses, but it would be folly to consider them a substitute for anti-virus security on the desktop. Many e-mails are internal only, never entering the cloud at all. Worse, an attacker might open up a message gateway inside the enterprise’s infrastructure. Smart organizations build defense in depth: e-mail filtering inside the cloud plus anti-virus on the desktop.
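One practical consequence of the point above is that an endpoint, or the mail store behind it, cannot assume the cloud filter ever saw a given message. The script below is an added example, not code from the original column or from Counterpane: it reads the Received: headers of a message and reports whether the enterprise MTA recorded receiving it from the cloud filtering gateway, or whether desktop anti-virus is the only layer left. The gateway name filter.example.net, the MTA name mx.corp.example and all of the sample headers are made up for illustration. Only the topmost Received: line is trusted, because it is the one our own MTA wrote; any gateway hop that appears only in lower, sender-supplied lines is treated as a spoofing attempt rather than as evidence of filtering.

```python
"""Was the cloud mail filter actually in this message's path?

Added example, not code from the original post or from Counterpane. The
gateway name, the MTA name and every Received: header below are constructed
for illustration.
"""
from email import message_from_string

GATEWAY = "filter.example.net"    # assumed hostname of the cloud mail filter
INTERNAL_MTA = "mx.corp.example"  # assumed hostname of the enterprise MTA


def received_hops(raw: str) -> list:
    """Return normalised Received: headers, most recent hop first.

    Only the first entry was written by our own MTA; everything below it
    arrived with the message and could have been forged by the sender.
    """
    msg = message_from_string(raw)
    return [" ".join(h.split()).lower() for h in msg.get_all("Received", [])]


def classify(raw: str) -> str:
    """Decide whether the cloud filter saw the message or desktop AV is alone."""
    hops = received_hops(raw)
    if hops and f"from {GATEWAY}" in hops[0] and f"by {INTERNAL_MTA}" in hops[0]:
        return "cloud-filtered"
    if any(GATEWAY in hop for hop in hops[1:]):
        # A gateway hop that shows up only in untrusted headers is evidence
        # of spoofing, not of filtering.
        return "endpoint-only (gateway claimed only in untrusted hops)"
    return "endpoint-only"


def endpoint_only(samples: dict) -> list:
    """Names of the messages for which endpoint anti-virus is the sole layer."""
    return sorted(name for name, raw in samples.items()
                  if classify(raw) != "cloud-filtered")


# Constructed sample messages; hostnames and addresses are fictitious.
SAMPLES = {
    # Internet mail that really did pass through the cloud filter.
    "external-via-gateway": "\n".join([
        "Received: from filter.example.net (filter.example.net [203.0.113.10])",
        "\tby mx.corp.example with ESMTPS id 1; Wed, 15 Feb 2006 09:00:00 -0500",
        "Received: from mail.sender.example ([198.51.100.5])",
        "\tby filter.example.net with ESMTP id 2; Wed, 15 Feb 2006 08:59:58 -0500",
        "From: alice@sender.example",
        "To: bob@corp.example",
        "Subject: quarterly numbers",
        "",
        "see attachment",
    ]),
    # Internal mail: never left the enterprise, so the cloud filter never saw it.
    "internal-only": "\n".join([
        "Received: from ws42.corp.example (ws42.corp.example [10.0.0.42])",
        "\tby mx.corp.example with ESMTP id 3; Wed, 15 Feb 2006 09:02:00 -0500",
        "From: carol@corp.example",
        "To: bob@corp.example",
        "Subject: re: quarterly numbers",
        "",
        "forwarding, see attached",
    ]),
    # A rogue relay inside the network accepted Internet mail directly and
    # passed along a Received: line that falsely claims a gateway hop.
    "rogue-relay-forged-hop": "\n".join([
        "Received: from relay.corp.example (relay.corp.example [10.0.5.9])",
        "\tby mx.corp.example with ESMTP id 5; Wed, 15 Feb 2006 09:05:00 -0500",
        "Received: from filter.example.net (unknown [198.51.100.7])",
        "\tby relay.corp.example with ESMTP id 6; Wed, 15 Feb 2006 09:04:58 -0500",
        "From: helpdesk@corp.example",
        "To: bob@corp.example",
        "Subject: password reset required",
        "",
        "open the attachment to continue",
    ]),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:28s} {classify(raw)}")
    print("endpoint AV is the only layer for:", endpoint_only(SAMPLES))
```

Run against the three constructed samples, only the first message is reported as cloud-filtered; the internal message and the one that came in through the rogue relay are flagged as endpoint-only, which is exactly the population the desktop anti-virus layer exists to cover. The same check can be turned around on the mail store to measure what fraction of delivered mail the cloud filter ever saw.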
The same reasoning applies to network-based firewalls and intrusion-prevention systems (IPS). Security would be vastly improved if the major carriers implemented cloud-based solutions, but they’re no substitute for traditional firewalls, IDSs, and IPSs.
This should not be an either/or decision. At Counterpane, for example, we offer cloud services and more traditional network and desktop services. The real trick is making everything work together.
Security is about technology, people, and processes. Regardless of where your security systems are, they’re not going to work unless human experts are paying attention. Real-time monitoring and response is what’s most important; where the equipment goes is secondary.
Security is always a trade-off. Budgets are limited and economic considerations regularly trump security concerns. Traditional security products and services are centered on the internal network, because that’s the target of attack. Compliance focuses on that for the same reason. Security in the cloud is a good addition, but it’s not a replacement for more traditional network and desktop security.
This was published as a “Face-Off” in Network World.
The opposing view is here.
Grant Gould • February 15, 2006 9:23 AM
To me, the big problem with security “in the cloud” — built into the bones of a network — is the problem of “agenda” that you go into in your books. It’s certainly the reason that I avoid it as much as possible in the networks I manage: I don’t trust my own agendas.
With security at endpoints, a security distributor (whether a company IT person like me or a security services vendor like yourself) is limited in how much control he or she can take by the fact that someone else has primary use of that endpoint. My ability to assert my security agenda at the expense of the user’s actual use of the network for its intended purpose is checked.
Security in the network infrastructure has no such check. Whatever stupid idea you or I have at any given moment can just go in. At worst, we have some oversight from an easily-led committee with agendas of its own (usually to centralize and control as much as possible). If it causes trouble, most people won’t know to whom to complain, know how to explain the problem, or have the time to do so. Particularly in environments with lots of less-technical users, security initiatives will rapidly cause resentment and sap morale.
For an example, ask almost any schoolteacher about the school’s IT policies — you’re sure to get a tirade about blocked sites and services, over-aggressive mail filtering, unavailability of useful educational resources, and the like. As far as I can tell, half the schools out there filter out educational resource blogs, for instance. With security in the network and nontechnical users unable to fight back meaningfully, security slowly ratchets up to the point of forcing out actual use of the network. That is a security failure: The usability of the network is not adequately secured against the security experts.
The endpoint owners, even if nontechnical, know more than we do about what they need. If they are not security experts, then one of the foremost threats we need to secure against is ourselves — our own unaccountable and misguided ideas about what security tradeoffs are sensible, our own agenda to make network security manageable. One of the best ways to secure security policy against our own agendas is to shift the balance toward endpoint security wherever possible and so force ourselves to face off with users.