Thursday, August 23, 2012

Podcast: Cloud Security with Ellen Newlands

Ellen Newlands is the product manager for Red Hat's cloud security productds. This dicussion covers some of the ways that the "cloud"--large-scale network-connected computing really--introduce new challenges for IT security. Topics include:
  • What makes the cloud secure or not?
  • What new challenges the cloud brings
  • Social engineering and security
  • Two factor authentication
  • Why open source and hybrid clouds are important
Listen to MP3 (0:18:20)
Listen to OGG (0:18:20)

------------------
[TRANSCRIPT]


Gordon Haff:  Hello everyone. This is Gordon Hat, Cloud Evangelist with Red Hat, and I'm sitting here with Ellen Newlands who is the product manager for our Cloud security offerings. Welcome, Ellen.
Ellen Newlands:  Welcome, Gordon.
Gordon:  Although there are still headlines every now and then about the Cloud being insecure as some macro thing, most observers at this point realize that these blanket statements really don't have any meat to them.
Ellen:  Gordon, I completely agree with you on that score. Whether the Cloud is secure or insecure depends on a number of things. It depends on what kind of Cloud computing you choose, whether you go with public or private or a combination of the two, hybrid Cloud, who you choose for your Cloud provider, what kind of technology you pick, what is your use case, and how carefully you have set up and thought out what information you are putting in the Cloud and how best to secure that as you move to Cloud computing. There are a number of factors to consider with what you call or we call Cloud secure computing. One of the first things I think that we really ought to think about is going into the Cloud, public Cloud, for example, can actually make you more secure depending on the level of expertise and the kind of programs you had for security on premise in your enterprise or your agency.
You can find that there are public Cloud providers who can give you a more holistic view of security and provide you with even better security than you might previously have had. And, of course, as we see from the number of break‑ins, the opposite can also be true.
Gordon:  One of the things that I think is often overlooked is that people raise various types of issues related to public cloud providers, whether it's security or really more commonly it's outages of various types. Obviously, we conflate things like social networks into there. There's lots of questions and issues around privacy and so forth, also. I think often that discussion takes place in a way that ignores the fact that particularly when you're talking smaller businesses, in many cases businesses that don't have full time IT staff. Those types of businesses haven't historically had very good security backup or really IT practices in general.
Ellen:  I think that that is actually true, especially now, IT security expertise is scarce and expensive and in great demand. Setting up your own internal secure software network, bringing in those people, can be expensive and that's very, very hard to judge. I think that security as provided by a knowledgeable public cloud provider can, in many cases, up your security rather than reduce it.
Another thing that I think I've found very interesting is you still read about security breaches in the public cloud. It is interesting to me that many of the breaches that you read about in the public cloud have nothing to do with public cloud computing and are the same old scams that we have always seen on premise and now just move, perhaps, to cloud providers.
One of the ones I think is very interesting recently was a fellow who writes for many of the security journals. He had his account hacked and lost information at Google and Amazon, et cetera because somebody called up the support services and talked them into giving out the password. Same old same old, same old wetware.
Gordon:  Social engineering plays a huge part in those break‑ins. I think this does reveal, though, some of the tension that you have here because, in the case that you mentioned involving Apple and Amazon, social engineering a password. Of course, one approach that those types of companies can take is to simply say, "Well, if you have lost the key, so to speak, to your account, that's just too bad because...So that we don't risk exposing someone else's through social engineering."
It is somewhat of a trade‑off that the easier you make it for someone to recover an account of theirs, for example, the harder you make it for somebody who has a legitimate need to recover an account, which is frankly probably the more common instance, at least with consumer services.
Ellen:  As you know, one of the things that we're seeing used in public cloud or even in enterprise security is identity management. Two of the areas that are very common now are what we call two factor authentication, sometimes known as something you have and something you know.
Gordon:  If you haven't turned on two factor authentication for your Google account, finish listening to this podcast but then go off and do that right away.
Ellen:  Let's say it's something you have and something you know, traditionally. It's something that you have like a token, et cetera and something that you know like your own PIN. If you lose one, you still know the other. Both are "secrets," and the combination is what unlocks your account. You find the two factor authentication is far more secure and you can recover one without the other without jeopardizing the private account.
The other thing that we see a lot of now, as you may know, are the security questions where you fill out the forms in advance with information theoretically known only to you, although, I personally believe everybody's first pet was named "Sam." This set of what I'm going to call "20 questions" is also a way to identify you.
Gordon:  So many of those questions are terrible, though, because so many of them are either things that someone who has any appreciable information about you they do know or can easily find out, or they're questions like, "What's your favorite color?" which may vary from one day to the next.
Ellen:  Absolutely. And remembering your own information sometimes can be a little bit difficult.
Gordon:  Let's switch gears here maybe a little bit. I think, hopefully, we've made the case that security in some macro sense isn't worse in the cloud than anything else, even in the public cloud. But I think we can still say that some security concerns are somewhat different in the cloud, especially with public cloud, but even in private cloud resources. What are some of those that security's different?
Ellen:  Well, security is different when you move from your traditional way of managing IT into the cloud. Again, as you point out, whether that is a public or a private cloud. One of the things that's different is, on average, you'll have more servers on the Internet when you're in a cloud architecture. The more servers you have on the Internet, the more exposed, frankly, you are. When you have moved from using VPN technology to allowing access to all users with certain credentials, the more entry points you have given to malicious users to hack into your larger network.
A second area where cloud computing is quite different, especially with public cloud computers, is the concept of what we call "multi‑tenancy." A public cloud offers space‑‑think of it like the apartments in a large apartment building. Each area that the public cloud provides, each container, is assigned to one account, one company, whatever.
In a multi‑tenancy area, you don't want one "tenant" to get out of their container and start wreaking havoc in the others, either by design or by accident.
One of the things to really consider is making sure that the containers in a multi‑tenant environment have fairly secure walls. Again, an analogy would be you don't want to make it real easy for malicious neighbors to just wander into your own apartment in an apartment complex.
Gordon:  Yes, I think I'd probably take a couple of things away there. The first is that you assume that everything is on the network, and that there are bad people out there who are constantly probing everything that is on the network. So, it's really important to have security.
If you have a PC‑‑by way of analogy‑‑sitting at home 15, 20 years ago, not connected to a network or dialup modem, if you weren't 100 percent up to date with everything, maybe you'd get a virus or something, but by and large, it really wasn't that big a deal if you hadn't updated your security stuff in a while.
If you're in a computer that's constantly connected to a public network, whether we're talking about client or a server device, bad stuff can happen very quickly.
Ellen:  I think, of course, that's absolutely true. When you say you must assume that there are bad people out there probing, increasingly, of course, bad people are frankly bad corporations. There are businesses run nine to five whose sole purpose is to find and exploit any weaknesses in security and take whatever can make them a profit. As such, that's one of the reasons why in theory moving into a public cloud can be safer because public clouds from reputable vendors are updated. They are patched consistently on time and quite thoroughly.
Gordon:  You also mention multi‑tenancy, and, obviously, you get multi‑tenancy on premise or multi‑tenancy in a public cloud. But multi‑tenancy is pretty fundamental to how and what public clouds operate. So, I think it's fair to say that a reputable public cloud is using technology such as Security‑Enhanced Linux, for example, that has some really good mechanisms to provide that additional level at process level for security for multi‑tenant environments. Now configuring SELinux isn't necessarily the easiest thing in the world. So, again, going back to how secure is a public cloud versus a SMB. Well, it's quite fair to say that most SMBs aren’t properly exploiting SELinux whereas that, along with other techniques and other technologies, large reputable Cloud providers certainly are.
Ellen:  That's a very good point, Gordon. The Red Hat Enterprise operating system is foundational and is used in the largest number of available public Clouds and SaaS offerings today. It's very well installed. Part of the reason for that is because it does have the security features that allow for more secure multi‑tenancy, more secure virtualization. For example, the SE Linux that you mentioned, the fact that the operating system itself is common criteria certified.
One of the things I think to bring into focus, too, is that open source software means that it's been peer group reviewed. It's transparent. It's open to the sunshine. Errors are found. Bugs are found and patched relatively rapidly.
You do find that these fundamental, base level layers that underpin a public Cloud can be very useful in providing security.
Gordon:  It's actually a little ironic when you go back to early days of open source becoming really mainstream. By way of analogy, [a lot of people back then thought] even if you thought you had a good alarm system, you wouldn't put the schematics on your door for a potential burglar to see. For a lot of people, who weren't necessarily in the security industry, didn't understand how exploits happen. They just assumed open source must be less secure because that the people could see the code. Write exploits because they can see the code. Of course, that's not how most exploits happen.
Ellen:  No, as a matter of fact, it's not at all. The fact that you can see the code, that it is transparent, that there is a large international group that uses the code, that inspects the code, means that it becomes more secure rather than less so.
Gordon:  Thanks for spending some time with me today. I think, hopefully, doing a little bit more on our part to show there's nothing inherently insecure about the cloud, whether we're talking public clouds or private clouds. At the same time, educating people about things that they need to think about. I'm not sure it's so much the cloud, but simply a world in which increasingly everything is network connected, and there are bad actors trying to take advantage of that fact.
Ellen:  I agree. I think that the one thing to always bear in mind is that your data, your information can be lost, can be stolen, can be compromised, whether you're using public cloud, private cloud or a hybrid, is to take whatever steps are necessary to layer on the security that gives you the protection at the level of the value of the information you're protecting.
Gordon:  That's a good point. Everything, at the end of the day, is about mitigation. There's no such thing as a 100 percent elimination of risk, 100 percent security. If you're talking nuclear launch codes, that is probably a little different from pictures of your cat. Basically, as you say, the backup procedures, encryption, whatever, the cost in both dollar cost and time and effort on your part, shouldn't be out of whack with the value of the data and the privacy associated with that data.
Ellen:  It does seem that a lot of companies now, things that they choose to run in the public Cloud are the things that are, perhaps, consumer based where the security capabilities match the value of the information. Some things that are extremely proprietary are kept in the private Cloud. The combination makes for great flexibility, faster deployments, and very reasonable economics.
Gordon:  That also speaks to why hybrid is a big deal and why Red Hat is making a lot of noise around opening hybrid because it really is a mixed world.
Ellen:  As you say, just as Cloud computing is neither secure nor insecure, public and private Clouds are neither the right choice nor the wrong choice. It's nice to have a little of both.
Gordon:  Great. Thank you very much.

No comments: