Friday, March 01, 2013

What's coming for cloud and device security?

Mega security conference RSA has been underway in San Francisco this week. I didn't make it out there, but I've been remotely following the goings on. I've also been spending time reading up on security, governance, and legal topics as they relate to cloud computing, mobile devices, big data, and other related trends; they're top of mind in so many cloud computing discussions. Expect more in-depth treatments as the year goes on, but here are some brief thoughts about a few things I'm thinking about.

The first related thoughts come courtesy of tweeted observations from RSA by Joyce Tompsett of EMC (and a former analyst colleague of mine). The first was that there was "less paranoia around mobile/social this year." The second was that "Big takeaway from #RSAC - we have to build security for systems of engagement now rather than systems of record." At first this may seem a bit contradictory; after all, social media and mobile devices are a big part of systems of engagement. But I don't see it that way. Rather, I see it as acceptance that social and mobile will be part of the IT landscape and are not to be feared—but they do need to be sensibly managed as part of an IT governance plan.

In a related vein, I expect bring your own device (BYOD) to proceed in a mostly informal way and to remain primarily about tablets and smartphones, rather than PCs. In other words, not a whole lot of change. I very much doubt we'll see any widespread backlash—which isn't to say some company won't institute a policy that prompts hundreds of breathless headlines to that effect. Nor do I expect to see a lot of formal programs in place around BYOPC or mainstream adoption of software intended to isolate personal and professional uses on a single system. At the same time, company-issued devices will remain the norm in some sectors (think government and finance). Some nice mobile device policy examples here.

VMware's most recent protestations notwithstanding, computing is hybrid. And that means finding ways to manage that hybrid environment. At Red Hat, we've been focused on open, hybrid cloud management because that's the reality at our customers. For most cases, it's increasingly a non-starter to agitate for private or public; it's private and public (and heterogeneous to boot). Mechanisms for secure multi-tenancy, centralized policy, and consistent and certified runtimes that extend across these hybrid environments are all part of the equation.

I've also started thinking about computing supply chain risk. A big part of this relates to hardware components, but that's not what I'm talking about here. Rather, as we move to more distributed and service-oriented software architectures, we'll be consuming APIs and software components from an increasing variety of sources—and perhaps running workloads on a more diverse group of cloud providers. How do we ensure availability, performance, security, compliance and all the rest under these circumstances? I don't consider these intractable problems, but they require new ways of thinking about application architectures and sourcing decisions.

In the wake of increasingly sophisticated attacks, including those by state actors, it's also worth asking to what degree we need to do things differently. Some of this is using the tools that already exist. SELinux, for example, incorporates mandatory access controls into the Linux kernel and provides an additional level of protection against many kinds of attacks—but it's not turned on nearly as often as it should be. Google's Tim Bray has argued that we should use secure web connections by default. Two-factor authentication should also arguably see wider use. (You may observe that most of these suggestions trade off some degree of ease-of-use for security.) It's also fair to say, however, that we as an industry may need to take new approaches in certain areas.

Next week, I plan to interview Red Hat's product manager for identity management Ellen Newlands about what she observed out at RSA. I'll be posting that when it's done.
