Thursday, November 12, 2009

First Thoughts on Cloud Computing and the "Information Bank"

(From a discussion on the NAISG list in the fall of 2009)

After thinking about this for some time, I wonder if the day will come when locating transaction processing systems in a cloud-based "information bank" makes sense for the same reason we put our cash in a bank and not under our mattress. Banks evolved in response to the management and security needs of accumulated wealth; there was a time when people stored and protected their own wealth. As crime innovated and proliferated in size and sophistication, the cost of protecting one's own wealth tended toward asymptote. Perhaps the same transition will take place as data becomes more valuable.

On a pragmatic level, as a security architect who has to (within budget) construct defenses against a threat landscape that seems to have infinite creativity and resources, there are some aspects of the "cloud" paradigm that are attractive to me;

- controlled environment; not a general purpose information system like the modern OS
- quantifiable application footprint / behavior (unlike the modern enterprise with its eleventy million applications)
- exclusion of frivolous applications and/or requirements
- no (or hopefully smaller) backwards compatibility albatross(es)
- better security / survivability capabilities - thanks to greater resources through shared costs
- survivability: one environment has a problem? fail over to another..and if virtualization allows you to have an (affordable) heterogeneous environment, even better

All of this might tend to allow the security practitioner to employ a larger arsenal of tools. Key applications could conceivably be developed and QA'd to inter-operate well with strong host-based intrusion prevention tools in enforcement mode with a full ruleset (try that today without a HIPS babysitter). Quantifiable behavior allows for all sorts of behavioral and statistical anomaly detection in addition to traditional specification-based IDS (again, try that today on any large scale). Want to require two-factor auth, encryption everywhere, or IPsec compartments? No problem, we don't have eleventy thousand legacy applications. Want great analysts to monitor and respond to threat detects? That's OK too, as the cost is shared by many budgets (and probably less than what we were spending to do it ourselves).

The potential implications seem quite profound. If someone succeeds in building an "information bank" - using current and future security technologies - with better assurance levels than the average corporate security program offers today (and I think this likely) than we may have to contemplate facing the prospect that we've had it backwards all this time. It would be a startling realization to find that have spent enormous resources fighting a hopelesssly asymmetric battle to protect our accumulated data wealth. It's a bit like a 19th century business, after spending its fortunes trying to run a more secure pony express and field office operation, realizing what they really need to do is use (or better yet, invent) a bank with alarm systems; bank vaults; armored cars and monitoring / fraud detection tools..

No comments: