The biggest challenge for 2011 will be with concurrent and possibly combinatory change (i.e. additive) and the privacy and security implications of all of this.
There are two types of stories that seem to be most common at this time of year: retrospectives and predictions. We either look back nostalgically or we look forward prophetically. I’ll leave the reminiscing and the crystal balls to others for now, but I will look at IT trends that are particularly relevant to security; so let’s start with the big three “disruptive” trends in computing right now: the Cloud, the Dark Cloud and User-Driven IT.
Hey You, Get Off of My Cloud!*
There’s a lot out there around the Cloud, which is a fairly meaningless term without an adjective like Private, Hybrid, Public, Community or some other word to go with it (incidentally, my favorite definitions are the NIST definitions). However, there is deep security out there happening around “clouds”; and in particular around Hybrid Clouds, extending the security inherent in private clouds to shared, secure, multi-tenant environments.
One of the major challenges of the Hybrid and Public Clouds is in isolation and protection of workloads from each other and from the infrastructure administrators behind the scenes. The recent “Operation Aurora” in fact had this root problem to blame under the hood: the admins in the infrastructure could see the workloads they hosted, and if the admins were corrupted or their privileges were co-opted then the workloads effectively leaked.
The next big, real breakthrough here will come with “Secure Multi-Tenancy” and with being able both to apply policy simply for policies related to physical topography of the computing environment and to monitor behavior simply in virtualized and cloud-like environments. The great irony is that virtualization has fully allowed for the commoditization of hardware and separating the logical and the physical, yet we still care about the physical. We want to apply rules like “only run in country X” or “don’t run on a system with another legal entity’s intellectual property” (as is the case with PCI and PII treatment).
I’m Being Followed by a Small Dark Cloud**
The bad guys are motivated by profit, and that means they are subject to and can be described by the same economic tools we use to look at and analyze the behaviors of legitimate economies and businesses: we can predict how they will behave to a large extent on the basis of ROI, they are subject to supply and demand curves, and we can look to destabilize their “business efforts” by putting economic pressure on them.
The most amazing evolution is what my colleague Uri Rivner coined the “Dark Cloud.” I set about looking for the largest cloud services I could find, of any flavor, and some of the largest are the supply chains and ecosystems around the botnets. These are massive networks of compromised machines and the associated command-and-control, bot-herders, drop zones, infection engines and more that are some of the most fascinating examples of cloud-based computing in action.
The irony in the Operation Aurora vulnerability above is that if Public Clouds could in fact isolate workloads and protect them from administrators with universal access, the Dark Cloud would likely be drastically more abusive of commercially available Public Cloud services to host its workloads.
So Many Things I would Have Done***
While the cloud is (for now) largely about changes in the “Data Center” and in computing stacks, the biggest trend in computing that is taking the world by storm is user-driven IT (aka the consumerization of IT). This really is taking two forms: firstly we are changing the way we use computers in everyday life and this is having a massive social impact (e.g. Facebook, Twitter, etc.) and secondly the power and ubiquity of computing is not just increasing exponentially (as Moore described) it’s also expanding its reach and becoming more pervasive globally (e.g. iPhone, Android and the explosion of tablets).
We all know that the line between public and private is blurring, and that the roles in life are breaking down; but this has large security implications too. Firstly, the bad guys are data mining with a form of "dark DLP" to find intellectual property on compromised systems. Secondly, they are "spear attacking" (as opposed to merely spear phishing), using all the techniques at their disposal to go after specific data and access targets. This calls for a new approach to provisioning identities, rather than systems, and to securing identities as opposed to merely the devices we all use.
Social Engineering seems to be on the uptick again, and some recent reports have shown that it’s easier to social engineer folks in new media and on new devices than it is on the older devices and media. We’ve learned, as users, to watch out for emails purporting to be sent from banished yet wealthy Nigerian royals and bank phishing mails and links; but we haven’t yet learned to apply that wisdom in new places and new ways such as looking for phishing around new-related emails or when someone calls you claiming to be with your banks’ security department and asking to verify you have your credentials securely in your possession.
But Clouds Got In The Way***
In the words of a CISO that I spoke to recently, it’s not that any one disruptor is alarming or something that can’t be handled. What is alarming is that they come in waves whose amplitude and frequency are both increasing. To put it another way, each wave is bigger and comes closer to other waves; and in some cases they can interact in nasty new ways.
We are changing the back-end and the front-end, we are bringing computing to ever more people with ever more capabilities and value at the same time as the bad guys are stepping up and becoming much more organized and professional: this is why I don’t think 2011 is the year of the cloud or the year of the SmartPhone but is rather the year of the perfect storm in computing. One outcome here is that we could see the worst of all three disruptors stack up with hacks from untraceable locations targeting billions of people and stealing potentially so much that it could halt the adoption of new and beneficial technologies.
Then again, to take inspiration from another colleague, Idan Aharoni who expressed optimism in his most recent SecurityWeek column, we could look at it optimistically and look to have our computing delivered ubiquitously, cheaply and with privacy and security. That’s what putting the “I” in the cloud is about: we have to make security and trust in the cloud better than it has ever been before, and we have to do that in the face of an active opponent.
I think that sounds like a good challenge for us all in 2011 (and probably beyond).
* With thanks to the Rolling Stones’ “Get Off of My Cloud”
** With thanks to Kenny Rogers’ “Small Dark Cloud”
*** With thanks to Joni Mitchell’s “Both Sides Now”