Security in the Cloud

One of the basic philosophies of security is defense in depth: overlapping systems designed to provide security even if one of them fails. An example is a firewall coupled with an intrusion-detection system (IDS). Defense in depth provides security, because there's no single point of failure and no assumed single vector for attacks.

It is for this reason that a choice between implementing network security in the middle of the network -- in the cloud -- or at the endpoints is a false dichotomy. No single security system is a panacea, and it's far better to do both.

This kind of layered security is precisely what we're seeing develop. Traditionally, security was implemented at the endpoints, because that's what the user controlled. An organization had no choice but to put its firewalls, IDSs, and anti-virus software inside its network. Today, with the rise of managed security services and other outsourced network services, additional security can be provided inside the cloud.

I'm all in favor of security in the cloud. If we could build a new Internet today from scratch, we would embed a lot of security functionality in the cloud. But even that wouldn't substitute for security at the endpoints. Defense in depth beats a single point of failure, and security in the cloud is only part of a layered approach.

For example, consider the various network-based e-mail filtering services available. They do a great job of filtering out spam and viruses, but it would be folly to consider them a substitute for anti-virus security on the desktop. Many e-mails are internal only, never entering the cloud at all. Worse, an attacker might open up a message gateway inside the enterprise's infrastructure. Smart organizations build defense in depth: e-mail filtering inside the cloud plus anti-virus on the desktop.

The same reasoning applies to network-based firewalls and intrusion-prevention systems (IPS). Security would be vastly improved if the major carriers implemented cloud-based solutions, but they're no substitute for traditional firewalls, IDSs, and IPSs.

This should not be an either/or decision. At Counterpane, for example, we offer cloud services and more traditional network and desktop services. The real trick is making everything work together.

Security is about technology, people, and processes. Regardless of where your security systems are, they're not going to work unless human experts are paying attention. Real-time monitoring and response is what's most important; where the equipment goes is secondary.

Security is always a trade-off. Budgets are limited and economic considerations regularly trump security concerns. Traditional security products and services are centered on the internal network, because that's the target of attack. Compliance focuses on that for the same reason. Security in the cloud is a good addition, but it's not a replacement for more traditional network and desktop security.

This was published as a "Face-Off" in Network World.

The opposing view is here.

Posted on February 15, 2006 at 8:18 AM • 9 Comments

Comments

Grant GouldFebruary 15, 2006 9:23 AM

To me, the big problem with security "in the cloud" -- built into the bones of a network -- is the problem of "agenda" that you go into into in your books. It's certainly the reason that I avoid it as much as possible in the networks I manage: I don't trust my own agendas.

With security at endpoints, a security distributor (whether a company IT person like me or a security services vendor like yourself) is limited in how much control he or she can take by the fact that someone else has primary use of that endpoint. My ability to assert my security agenda at the expense of the user's actual use of the network for its intended purpose is checked.

Security in the network infrastructure has no such check. Whatever stupid idea you or I have at any given moment can just go in. At worst, we have some oversight from an easily-led committee with agendas of its own (usually to centralize and control as much as possible). If it causes trouble, most people won't know to whom to complain, know how to explain the problem, or have the time to do so. Particularly in environments with lots of less-technical users, security initiatives will rapidly cause resentment and sap morale.

For an example, ask almost any schoolteacher about the school's IT policies -- you're sure to get a tirade about blocked sites and services, over-aggressive mail filtering, unavailability of useful educational resources, and the like. As far as I can tell, half the schools out there filter out educational resource blogs, for instance. With security in the network and nontechnical users unable to fight back meaningfully, security slowly ratchets up to the point of forcing out actual use of the network. That is a security failure: The usability of the network is not adequately secured against the security experts.

The endpoint owners, even if nontechnical, know more than we do about what they need. If they are not security experts, then one of the foremost threats we need to secure against is ourselves -- our own unaccountable and misguided ideas about what security tradeoffs are sensible, our own agenda to make network security manageable. One of the best ways to secure security policy against our own agendas is to shift the balance toward endpoint security wherever possible and so force ourselves to face off with users.

Philip StorryFebruary 15, 2006 9:24 AM

And the most important thing is that security at the endpoints means that end-users get an opportunity to see security at work.

Partly, that re-assures them that something's being done.

But the biggest benefit is that it gives you an opportunity to get the user involved in security. To educate them a little.

Humans are always the weakest link in the security chain, as today's crop of viruses show again and again.

By informing the user and giving them a chance to educate themselves, endpoint security adds even another layer - a smarter user.

GMFebruary 15, 2006 11:00 AM

I think the "pro-security-cloud" writer's company says it all: Perimeter Internetworking. It is NOT all about the perimeter, and it is NOT all about external threats. As Bruce said, a lot of traffic stays internally and never leaves the cloud. We have to get away from the implicit assumption that all network activity is Internet-bound.

Security issues are detected, decided, mitigated, and/or ignored by people. And people are everywhere, not just in the cloud or the perimeter.

RoyFebruary 15, 2006 11:17 AM

I have Yahoo's mail service with their spam filtering active. Curiously, mail from one particular colleague keeps getting 'detected' and routed to my Bulk folder (i.e., presumed to be spam). Fortunately I always check this to catch routing mistakes. I have no clue why this person's mail gets 'detected'. Whose agenda is at work here?

I guess I'm an example of an end-point check on in-cloud processing quality.

Davi OttenheimerFebruary 15, 2006 12:34 PM

@ Roy

Have you tried using Yahoo's interface to fix this problem? From their instructions:

"Report messages you want in your Inbox that were delivered to your Bulk folder using the Not Spam button"

Ari HeikkinenFebruary 15, 2006 6:32 PM

I have to say this article felt more like some random obviousness with marketing in between.

It's all good, in theory. Take viruskillers, for example, they're about useless against other than blocking known nuisances, yet about everyone seems to think they're the grand solution simply if you layer them. However, the sad reality is, anyone who writes their own and tests their stuff with most commonly used viruskillers will likely get thru.

And to add, if your endpoints are broken as cheese no firewall or viruskiller or anything in between will make you secure. Security has to start with the endpoints, not with firewalls or any other stuff in between.

Ari HeikkinenFebruary 15, 2006 6:49 PM

Also, there's still the difference between trying to protect against some automatons bouncing around the internet (I'd include kids with publicly available attack tool to this categoty) and real human hackers with their custom tools.

Viruskillers do absolutely nothing to stop the latter, be they layered or not.

NicolletFebruary 16, 2006 4:00 AM

"In the cloud" systems conflicts with the end-to-end phylosophy: "smart terminals with dumb network". Intelligent cloud means a less extensive network.
Costs and political aspects of the cloud systems are to be taken into accounts, IMHO. Conceptually, Internet took the power from the network providers and gave it to the end-users.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.