Thursday, March 08, 2012

Cloud Security Chat with Richard Morrell and Ellen Newlands

Our Red Hat cloud team was all together in Westford, MA this week, which gave me an opportunity to sit down with Richard Morrell and Ellen Newlands to discuss security trends in cloud computing. Richard is our new cloud evangelist in EMEA (Europe/Middle East/Africa) so he's basically my counterpart across the pond. Ellen's responsible for Red Hat's security products. They're both serious security experts with lots of experience. We talked about:

  • Cloud standards
  • Whether the cloud is "safe"
  • The role of identity management
  • Why application security matters

And more...

Listen to MP3 (13:43)

Listen to OGG (13:43)


Gordon Haff: Hi, everyone, this is Gordon Haff, Cloud Evangelist with Red Hat. Today, I have two guests. We're going to talk about cloud security, which is something that always seems to be on everyone's minds. We have Richard Morrell, and Ellen Newlands. Richard, why don't you introduce yourself first?

Richard Morrell: Right, so I'm Richard Morrell. I'm the Cloud Evangelist doing the equivalent of Gordon in EMEA, but with a focus very much around cloud security and around application-level security for our ISVs and also our cloud provider partners.

Ellen Newlands: And I'm Ellen Newlands, and I'm doing product management for our certificate system, directory server, and the identity management features and functions that we've recently placed in Red Hat Enterprise Linux.

Gordon: So Richard, I'm going to start off by asking you a question that probably gets your blood pressure up every time you see it in a news headline. Is the cloud safe?

Richard: I think the cloud is as safe as the vendor, the controls that are put in place, and also by the thought and the governance that goes into the development and the architecture of the systems that are deployed on cloud.
I think if we can look at the trailblazers in cloud who have started to move those applications and services into the virtualized environment, into the new world of elastic computing, we have a compelling story to tell, which needs people to start thinking about being courageous enough to start building the internal controls and processes to be able to think about the workloads they want to move to cloud to keep them safe.

Gordon: In other words, it's really a pretty meaningless question without any context.

Richard: What we're doing in cloud security is really no different to the security controls that we've used in the SOA environments traditionally within data centers and in on-premise data. What we need to think about is the cost in ownership of how we actually get to cloud, and once we get there, the management controls and the governance risk control piece that we as IT professionals are dear to as part and parcel of standard business-as-usual activities.

Gordon: Now, Ellen, you were just out at the RSA conference in San Francisco. We talked a little bit the other day, and there was really a lot of attention being paid to cloud out there. Admittedly cloud is a term that is applied to an awful lot of different things, but it does seem to be getting people thinking about security and governance in a somewhat different way.

Ellen: I found it very interesting that many of the IT professionals with a background in security who work for the larger companies, the enterprises, are thinking about what is the best way to take advantage of the cost benefits of the cloud. Some are sophisticated enough to do this quite wisely, and many others are looking for guidance. But clearly, there's no question that the economics of moving to the cloud are quite compelling. Everyone in this field is looking for the best way to maximize their return and minimize their risk of moving to the cloud.

Gordon: Now, we're starting to hear a little bit of discussion around standards in the cloud, in general, but since we've got security experts here, let's maybe focus specifically around cloud security standards. I guess I'd have a couple questions. First of all, does it matter? Secondly, what is happening out there?

Richard: The security standards in cloud have been dovetailed into a mishmash of risk issues, which people like the Cloud Security Alliance are absolutely critically involved. We have been working very, very closely with the CSA now for quite some time, and in past lives I've been pushing and promoting the cloud security matrixes. If none of you are already aware of this, I suggest you Google the words "security matrix" and "CSA," and you will find that there are over 80 individuals working out there, from the Basel, PCI-DSS, ISO, and the open-source community, building levels of controls that you can push to your applicable workloads, in whichever vertical that you happen to be working in, whether it's health, whether it's finance, to enable you to get a standing start in understanding what you need to be able to say to your CIO or your CFO with regards to who needs to sign off against what, and also the controls and matrixes that you need to push against the applicable standards you're building.

Gordon: Now, Richard, I think you touched on something which is I've certainly seen around cloud security. That is that the "security" word seems to get used, really, to cover a much broader range of risk mitigation and governance issues.

Richard: Sure.

Gordon: Ellen, you've obviously worked a lot around identity and access management. It seems that, for instance, those kind of technologies tend to get lumped under security, even though it means something very different from firewalls or protecting against SQL-based exploits or whatever.

Ellen: One of the things that's very common, especially as you're moving into the cloud, is you're moving beyond the borders of the traditional enterprise. You may find that your users are not your employees. So, you may be working with your partners, with your suppliers, with your consumers, your customers. One of the things about that is you want to know who is accessing what you put in the cloud, and you want to make sure that they are only accessing what they're allowed to. That is the security piece. Part of where the standards come in is that, when you move to the cloud, you want as much openness, interoperability, and as little lock-in as possible. What you're seeing in identity and access management is sets of standards that allow great flexibility and interoperability while still allowing you to know who is accessing your information, who has the privileges to access your information, and who, frankly, to blame if for some reason things may go wrong.

Gordon: Yeah. It's not really even just cloud. It's just the way computing, in general, has been evolving, so that the old-fashioned, 19th-century fort model of having this big, honking, strong wall to keep "them" out from the data center, really, increasingly doesn't apply to cloud. Not that it ever really applied all that well to traditional data centers either, given how many security breaches were traditionally done by employees, of course.

Ellen: Your average person now has so much computer power in their hands. You get an iPhone or a tablet of any kind and you find, as you say Gordon, that the walls around the enterprise, the walls around the data, are breaking down. There really is a consumerization of IT. People bring their own devices, people go to the cloud, and the organization has to securely enable that.

Gordon: It's really at the application level, as we've discussed, Richard.

Richard: Sure. The ability now for vendors to start developing the tools and the hooks that customers need to be able to develop security into those applications, to understand who is consuming what, but also to be able to patch control and to keep version control on the libraries and the binaries that you're using or the applications that you're using.
Red Hat came from a community background. We've grown on the ethos and the goodwill that's come from the open-source community, and also the maturity that we help bring to it. But what we see increasingly in the open-source community is greater granularity in the versions of PHP and Ruby and Python, to allow people to get to cloud faster.
It's really up to individuals who consume those technologies and those libraries to ensure that when you go to cloud that you work with your vendor to ensure that you have the latest, greatest patches working there, what your rolling maintenance period is, to make sure, and also to have a complex risk register so you understand, potentially, what that means from a data leakage or a data privacy, especially in Europe and especially in the USA.

I think, more, there's a level of maturity that a sys admin can have from a perspective in his organization, to go from zero to hero. Traditionally, the sys admin's been locked in a cupboard. Now, a sys admin can be an even more bigger hero in his organization, because the safety and security of the whole cloud operation sits on his shoulders daily.

Gordon: As these things scale up--and that's one of the consequences of cloud is that things are really happening at scale. It does seem that it becomes more and more important that you automate a lot of these processes.
Richard: Yeah, sure.

Gordon: Because you just can't keep up with all this stuff at scale.

Richard: No, you can't. If you look at the percentage of people who are using OpenJRE applications in cloud, you'll see a large amount of applications. The community has some very good security people in there, people who are thinking very much about how applications are consumed. But we're also seeing a lot of customers, in the SME space and ISV space and the enterprise, moving across to becoming supported customers, where we have the power of the JBoss Operations Network, known as JON, to enable them to automate those functions, and also to audit and report.

I think we can't lose focus on the fact that, at the end of the day, you need to be able to be auditable. In the US and further afield, we have the SAS 70 certification, which is really no more than an accounting standard. We hope will be surpassed by the sort of standards that the cloud security lines are pushing and promoting, and also the PCI-DSS and Basel piece where companies are actually looking to make revenue from applications hosted either on a public/private hybrid model or directly public cloud providers.

Gordon: Ellen and Rick here, maybe finish up here by asking each of you to share if there were three pieces of advice that you could give people looking at moving to the cloud, whether that means adopting a public cloud, whether it means building a more automated self-service resource internally. What are three pieces of advice you'd give them? You first, Ellen.

Ellen: Well, I think my first piece of advice would be to understand what is the value of what you are moving to the cloud and make sure that you start your movement to the cloud, in security or in any other way, on a business case with an understanding of the business economics. I always believe that business drives security.

The second thing that I would say is there is a great deal of value in working with trusted vendors who understand this space and can certainly help with that movement.

Last, but not least, I think is to begin. I think it is important to take some level, however minor, of risk and start moving those applications that make sense into the cloud so that you'll have the experience and the background to do more over time.

Gordon: Thank you. Great advice. Richard?

Richard: I regularly stand up at conferences and I don't tend to conform to the norm and the first question I ask the crowded room is, "Who wants to go to jail first?" I'm met with a lot of white, ashen faces. I do a lot of cloud aggregation where I sit down with organizations looking to move to public cloud vendors rather than the private model.
That big piece of white paper that we sit down with enables them to start understanding who owns what risk, be it the provider, be it themselves, and what controls you can actually build and place to go to cloud. It's those controls which are the hidden cost to your company of adopting virtualized cloud computing.

The other thing is when you're working with your chosen provider, don't be afraid to ask them for the levels of both security controls and also the physical and mandatory access controls that they have built into their architecture. They should be able to provide it. If a provider just comes back to you saying oh we're secure or here's my SAS 70 certificate that's not enough. You need to be able to push and promote the fact that you're also talking to other cloud vendors that can do it bigger and better. Please can I have the right information.

The third piece is the fact that you need to be able to ensure that the data that you're moving to cloud is secure. Think about the level of risk that your company is willing to be exposed to. Also, is it possible that you can work with your trusted vendors to be able to have a hybrid model where you can tunnel databases from your data center to a cloud provider without exposing that level of risk?

The other thing is this is fun. This is enabling us to change the paradigm of computing. Red has a trusted vendor. We have the ability now to help you get to where you want to go. It's like a level of adolescence now and we're here to help you get to that next level.

Gordon: Thank you. Is there anything else you would like to share with the audience?

Richard: Stay safe.

Gordon: That sounds like good advice, no matter what you're doing. Thanks, everyone. I've been here with Ellen Newlands and Richard Morrell talking about cloud security. Thank you. Bye bye.

No comments: