This blog comments on a variety of technology news, trends, and products and how they connect. I'm in Red Hat's cloud product strategy group in my day job although I cover a broader set of topics here. This is a personal blog; the opinions are mine alone.
Ellen Newlands is the product manager for Red Hat's cloud security productds. This dicussion covers some of the ways that the "cloud"--large-scale network-connected computing really--introduce new challenges for IT security. Topics include:
Haff: Hello everyone. This is Gordon Hat, Cloud Evangelist with Red
Hat, and I'm sitting here with Ellen Newlands who is the product manager for
our Cloud security offerings. Welcome, Ellen.
Newlands: Welcome, Gordon.
Although there are still headlines every now and then about the Cloud
being insecure as some macro thing, most observers at this point realize that
these blanket statements really don't have any meat to them.
Gordon, I completely agree with you on that score. Whether the Cloud is
secure or insecure depends on a number of things. It depends on what kind of
Cloud computing you choose, whether you go with public or private or a
combination of the two, hybrid Cloud, who you choose for your Cloud provider,
what kind of technology you pick, what is your use case, and how carefully you
have set up and thought out what information you are putting in the Cloud and
how best to secure that as you move to Cloud computing. There are a number of
factors to consider with what you call or we call Cloud secure computing. One
of the first things I think that we really ought to think about is going into
the Cloud, public Cloud, for example, can actually make you more secure
depending on the level of expertise and the kind of programs you had for
security on premise in your enterprise or your agency.
can find that there are public Cloud providers who can give you a more holistic
view of security and provide you with even better security than you might
previously have had. And, of course, as we see from the number of break‑ins,
the opposite can also be true.
One of the things that I think is often overlooked is that people raise
various types of issues related to public cloud providers, whether it's
security or really more commonly it's outages of various types. Obviously, we
conflate things like social networks into there. There's lots of questions and
issues around privacy and so forth, also. I think often that discussion takes
place in a way that ignores the fact that particularly when you're talking
smaller businesses, in many cases businesses that don't have full time IT
staff. Those types of businesses haven't historically had very good security
backup or really IT practices in general.
I think that that is actually true, especially now, IT security expertise
is scarce and expensive and in great demand. Setting up your own internal
secure software network, bringing in those people, can be expensive and that's
very, very hard to judge. I think that security as provided by a knowledgeable
public cloud provider can, in many cases, up your security rather than reduce
thing that I think I've found very interesting is you still read about security
breaches in the public cloud. It is interesting to me that many of the breaches
that you read about in the public cloud have nothing to do with public cloud
computing and are the same old scams that we have always seen on premise and
now just move, perhaps, to cloud providers.
of the ones I think is very interesting recently was a fellow who writes for
many of the security journals. He had his account hacked and lost information
at Google and Amazon, et cetera because somebody called up the support services
and talked them into giving out the password. Same old same old, same old
Social engineering plays a huge part in those break‑ins. I think this
does reveal, though, some of the tension that you have here because, in the
case that you mentioned involving Apple and Amazon, social engineering a
password. Of course, one approach that those types of companies can take is to
simply say, "Well, if you have lost the key, so to speak, to your account,
that's just too bad because...So that we don't risk exposing someone else's
through social engineering."
is somewhat of a trade‑off that the easier you make it for someone to recover
an account of theirs, for example, the harder you make it for somebody who has
a legitimate need to recover an account, which is frankly probably the more
common instance, at least with consumer services.
As you know, one of the things that we're seeing used in public cloud or
even in enterprise security is identity management. Two of the areas that are
very common now are what we call two factor authentication, sometimes known as
something you have and something you know.
If you haven't turned on two factor authentication for your Google
account, finish listening to this podcast but then go off and do that right
Let's say it's something you have and something you know, traditionally.
It's something that you have like a token, et cetera and something that you
know like your own PIN. If you lose one, you still know the other. Both are
"secrets," and the combination is what unlocks your account. You find
the two factor authentication is far more secure and you can recover one
without the other without jeopardizing the private account.
other thing that we see a lot of now, as you may know, are the security questions
where you fill out the forms in advance with information theoretically known
only to you, although, I personally believe everybody's first pet was named
"Sam." This set of what I'm going to call "20 questions" is
also a way to identify you.
So many of those questions are terrible, though, because so many of them
are either things that someone who has any appreciable information about you
they do know or can easily find out, or they're questions like, "What's
your favorite color?" which may vary from one day to the next.
Absolutely. And remembering your own information sometimes can be a
little bit difficult.
Let's switch gears here maybe a little bit. I think, hopefully, we've
made the case that security in some macro sense isn't worse in the cloud than
anything else, even in the public cloud. But I think we can still say that some
security concerns are somewhat different in the cloud, especially with public
cloud, but even in private cloud resources. What are some of those that
Well, security is different when you move from your traditional way of
managing IT into the cloud. Again, as you point out, whether that is a public
or a private cloud. One of the things that's different is, on average, you'll
have more servers on the Internet when you're in a cloud architecture. The more
servers you have on the Internet, the more exposed, frankly, you are. When you
have moved from using VPN technology to allowing access to all users with
certain credentials, the more entry points you have given to malicious users to
hack into your larger network.
second area where cloud computing is quite different, especially with public
cloud computers, is the concept of what we call "multi‑tenancy." A
public cloud offers space‑‑think of it like the apartments in a large apartment
building. Each area that the public cloud provides, each container, is assigned
to one account, one company, whatever.
a multi‑tenancy area, you don't want one "tenant" to get out of their
container and start wreaking havoc in the others, either by design or by
of the things to really consider is making sure that the containers in a multi‑tenant
environment have fairly secure walls. Again, an analogy would be you don't want
to make it real easy for malicious neighbors to just wander into your own
apartment in an apartment complex.
Yes, I think I'd probably take a couple of things away there. The first
is that you assume that everything is on the network, and that there are bad
people out there who are constantly probing everything that is on the network.
So, it's really important to have security.
you have a PC‑‑by way of analogy‑‑sitting at home 15, 20 years ago, not
connected to a network or dialup modem, if you weren't 100 percent up to date
with everything, maybe you'd get a virus or something, but by and large, it
really wasn't that big a deal if you hadn't updated your security stuff in a
you're in a computer that's constantly connected to a public network, whether
we're talking about client or a server device, bad stuff can happen very
I think, of course, that's absolutely true. When you say you must assume
that there are bad people out there probing, increasingly, of course, bad people
are frankly bad corporations. There are businesses run nine to five whose sole
purpose is to find and exploit any weaknesses in security and take whatever can
make them a profit. As such, that's one of the reasons why in theory moving
into a public cloud can be safer because public clouds from reputable vendors
are updated. They are patched consistently on time and quite thoroughly.
You also mention multi‑tenancy, and, obviously, you get multi‑tenancy on
premise or multi‑tenancy in a public cloud. But multi‑tenancy is pretty
fundamental to how and what public clouds operate. So, I think it's fair to say
that a reputable public cloud is using technology such as Security‑Enhanced
Linux, for example, that has some really good mechanisms to provide that
additional level at process level for security for multi‑tenant environments.
Now configuring SELinux isn't necessarily the easiest thing in the world. So,
again, going back to how secure is a public cloud versus a SMB. Well, it's
quite fair to say that most SMBs aren’t properly exploiting SELinux whereas
that, along with other techniques and other technologies, large reputable Cloud
providers certainly are.
That's a very good point, Gordon. The Red Hat Enterprise operating system
is foundational and is used in the largest number of available public Clouds
and SaaS offerings today. It's very well installed. Part of the reason for that
is because it does have the security features that allow for more secure multi‑tenancy,
more secure virtualization. For example, the SE Linux that you mentioned, the
fact that the operating system itself is common criteria certified.
of the things I think to bring into focus, too, is that open source software
means that it's been peer group reviewed. It's transparent. It's open to the
sunshine. Errors are found. Bugs are found and patched relatively rapidly.
do find that these fundamental, base level layers that underpin a public Cloud
can be very useful in providing security.
It's actually a little ironic when you go back to early days of open
source becoming really mainstream. By way of analogy, [a lot of people back
then thought] even if you thought you had a good alarm system, you wouldn't put
the schematics on your door for a potential burglar to see. For a lot of people,
who weren't necessarily in the security industry, didn't understand how
exploits happen. They just assumed open source must be less secure because that
the people could see the code. Write exploits because they can see the code. Of
course, that's not how most exploits happen.
No, as a matter of fact, it's not at all. The fact that you can see the
code, that it is transparent, that there is a large international group that
uses the code, that inspects the code, means that it becomes more secure rather
than less so.
Thanks for spending some time with me today. I think, hopefully, doing a
little bit more on our part to show there's nothing inherently insecure about
the cloud, whether we're talking public clouds or private clouds. At the same
time, educating people about things that they need to think about. I'm not sure
it's so much the cloud, but simply a world in which increasingly everything is
network connected, and there are bad actors trying to take advantage of that
I agree. I think that the one thing to always bear in mind is that your
data, your information can be lost, can be stolen, can be compromised, whether
you're using public cloud, private cloud or a hybrid, is to take whatever steps
are necessary to layer on the security that gives you the protection at the
level of the value of the information you're protecting.
That's a good point. Everything, at the end of the day, is about
mitigation. There's no such thing as a 100 percent elimination of risk, 100 percent
security. If you're talking nuclear launch codes, that is probably a little
different from pictures of your cat. Basically, as you say, the backup
procedures, encryption, whatever, the cost in both dollar cost and time and
effort on your part, shouldn't be out of whack with the value of the data and
the privacy associated with that data.
It does seem that a lot of companies now, things that they choose to run
in the public Cloud are the things that are, perhaps, consumer based where the
security capabilities match the value of the information. Some things that are
extremely proprietary are kept in the private Cloud. The combination makes for
great flexibility, faster deployments, and very reasonable economics.
That also speaks to why hybrid is a big deal and why Red Hat is making a
lot of noise around opening hybrid because it really is a mixed world.
As you say, just as Cloud computing is neither secure nor insecure,
public and private Clouds are neither the right choice nor the wrong choice.
It's nice to have a little of both.
I'm in the cloud product strategy group at Red Hat. Prior to Red Hat, I wrote hundreds of research notes, was frequently quoted in publications like The New York Times on a wide range of IT topics, and advised clients on product and marketing strategies. Earlier in my career, I was responsible for bringing a wide range of computer systems, from minicomputers to large UNIX servers, to market while at Data General. Among other hobbies, I do a lot of photography and enjoy the outdoors.