Last week we heard from Joshua Corman on how we can do software better. In round two of Paul Roberts' New Year's Resolution interview series he catches up with Christofer Hoff on the ghosts of cloud security past, present, and future.
Chris Hoff (@beaker) is one of Silicon Valley’s foremost thinkers on the impact of new computing paradigms like virtualization and cloud computing on security - topics he weighs in on regularly through his blog. Currently the Senior Director & Chief Architect, Security at Juniper Networks, Hoff previously served as Cisco’s Director of Cloud & Virtualization Solutions and Unisys Corporation’s Chief Security Architect. A founding member and technical advisor to the Cloud Security Alliance, Chris founded the CloudAudit project and is a frequent keynote speaker at industry conferences like Black Hat, DefCon and Source. He also helped found the HacKid conference - a hacker con designed for school age kids.
Like Corman, Hoff believes that the current security architectures, trust models and operational silos that we’ve created aren’t keeping up with the pace of change. “Unfortunately, as defenders, we’ve been outpaced by both developers and attackers,” he has written. But Hoff is a firm believer in what might be called a ‘Darwinian model’ of IT security - one focused on survival and resilience in the face of inevitable and unknowable threats, rather than the pursuit of perfect defense. His blog, originally titled “Rational Security,” is now “Rational Survivability.”
I caught Chris on his way to Microsoft’s annual Blue Hat conference in Redmond, Washington, where he was invited to give two presentations. He said the shift in nomenclature from “security” to “survivability” was a natural consequence of developments like cloud computing and virtualization.
“Amazon Web Services is a great poster child for the divergence between existing enterprise models, where you have the ‘hard, crunchy outside and the soft chewy inside,’ with lots of hardware boxes and three tiers, versus what you have now, which is a highly abstracted, simplified networking model. There’s not much in the way of exposed network security services, so this has forced a shift in instrumentation, but also in our threat and risk modeling.
“My blog used to be called ‘Rational Security.’ Now it’s ‘Rational Survivability,’ because I looked around at what folks were talking about at CMU (Carnegie Mellon University) and in the military and in various engineering practices, where they were dealing with the fact that you can’t threat model everything. But, if you look at and do a diligent job of understanding where you’re exposed, then you can get back up and running. You look at it as an iterative process and preserve as much of the integrity of the system, albeit at reduced performance levels.
“After all, large enterprises and banks are under attack every day. They lose money every day from attackers, but it’s about the spread of risk at scale. So, applied to security, if you look at bleeding edge development teams, they’re putting critical stuff on Amazon’s cloud and taking advantage of its enormous scale. If stuff goes down at any one point, they’ve got a highly resilient infrastructure. Back to the banking analogy: Bank of America isn’t going to suffer material damage if one bank branch is held up. They have tens of thousands of them, plus their users are insured by FDIC, so they won’t lose money. But if you look at a community bank, that might only have a handful of branches - they could. It’s the same with the cloud. There are those that do it right, and have multiple points of availability in different zones and regions, and diffuse risk and spread it out, and there are those that don’t.”
Looking ahead, Hoff said the continuing migration to cloud based architecture will transform the security space in ways that have scarcely been considered yet.
“For quite a while, cloud meant different things. One technical, that had to do with taxonomy and OSI models and such. For consumers, it just meant anything that interacts with my device as a service. But that’s mostly over. Cloud has already entered language. So my children and friends - some of whom don’t know tech - talk about the “cloud” not the Internet. Cloud simply is.
“In 2009, I gave a presentation at the Cloud Security Alliance RSA event in which I said that the back end of the cloud will become irrelevant. That it will all ultimately be about different consumption models and mobility. That prediction is now becoming realized, so if you go to a conference, it’s rare that somebody will start with a slide ‘This is what I mean by Cloud.’ It’s now about how we use it and everyone is talking about the “new” cloud which, on the IP side, is Software-Defined Networking.”
Security, he says, could be the “killer application” for software-defined networking, which leverages virtualization and the cloud to give network administrators almost infinite flexibility in how they deliver applications and services, irrespective of the underlying hardware.
“With SDNs, we can think about security services in ways and mechanisms that heretofore have been impossible,” he said.
“For example: today we still have a security model based on an edge and perimeter view. So you have physical firewalls and virtual firewalls. And the virtual firewalls, with some exceptions, still expect the network topology to look like a physical network, with cables and such - so you’ve got to go through this thing to get to that thing. That means that as your apps scale, you have to scale your virtual appliances - and these are often on the same box, so there’s this tension and tradeoff between security and availability, like when you used to put AV on your computers and they’d immediately eat up 90% of your CPU and RAM. With SDNs, however, instead of having to inject this physical or logical device, you can do the same thing in real time based on policy flows - redirecting traffic through security services running on dedicated clusters. Security becomes a software-based bump in the wire that’s done without the client or the application knowing about it.”
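To make the policy-driven steering Hoff describes concrete, here is a small added example (not code from Hoff, Juniper or this article) that models an SDN controller in Python. The controller holds a list of policies; when a new flow appears it computes a path that inserts a node from a dedicated security-service cluster between source and destination whenever a policy matches, and caches that decision as a flow-table entry. The cluster name, node names, addresses and the "inspect-web" policy are constructed for the demonstration; the point it shows is that the endpoints of the flow never change (the "bump in the wire" is invisible to client and application), that inspection capacity scales by adding cluster nodes rather than per-host appliances, and that a policy change takes effect by flushing and recomputing flow entries.

```python
"""Toy model of policy-based flow steering through a security-service cluster.

Constructed example: names, addresses and policies are illustrative only.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Flow:
    """A 5-tuple-style flow key; frozen so it can index the flow table."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


class ServiceCluster:
    """A pool of identical security-service nodes (e.g. IDS instances)."""

    def __init__(self, name: str, nodes: List[str]):
        self.name = name
        self.nodes = list(nodes)
        self._rr = cycle(self.nodes)  # round-robin placement of new flows

    def add_node(self, node: str) -> None:
        """Scale inspection capacity independently of the application tier."""
        self.nodes.append(node)
        self._rr = cycle(self.nodes)

    def pick(self) -> str:
        return next(self._rr)


@dataclass
class Policy:
    name: str
    matches: Callable[[Flow], bool]
    service: ServiceCluster


class Controller:
    """Minimal controller: policies in, per-flow paths out."""

    def __init__(self) -> None:
        self.policies: List[Policy] = []
        self.flow_table: Dict[Flow, List[str]] = {}

    def add_policy(self, policy: Policy) -> None:
        self.policies.append(policy)
        self.clear_flows()  # policy change: recompute paths on next packet

    def clear_flows(self) -> None:
        self.flow_table.clear()

    def path_for(self, flow: Flow) -> List[str]:
        """Return the hop list for a flow, steering it through every matching service."""
        if flow in self.flow_table:
            return self.flow_table[flow]
        hops = [flow.src]
        for policy in self.policies:
            if policy.matches(flow):
                hops.append(f"{policy.service.name}:{policy.service.pick()}")
        hops.append(flow.dst)  # src and dst are untouched: transparent to endpoints
        self.flow_table[flow] = hops
        return hops


def is_transparent(flow: Flow, path: List[str]) -> bool:
    """True when steering left the flow's endpoints unchanged."""
    return path[0] == flow.src and path[-1] == flow.dst


def build_demo_controller() -> Controller:
    """Constructed setup: one IDS cluster, one policy steering web traffic through it."""
    ids = ServiceCluster("ids-cluster", ["ids-a", "ids-b", "ids-c"])
    ctl = Controller()
    ctl.add_policy(Policy(
        name="inspect-web",
        matches=lambda f: f.proto == "tcp" and f.dport in (80, 443),
        service=ids,
    ))
    return ctl


if __name__ == "__main__":
    ctl = build_demo_controller()
    # Six web hosts, one inspection cluster: no per-host appliance needed.
    for i in range(1, 7):
        flow = Flow(src=f"10.0.0.{i}", dst=f"web-{i}", dport=443)
        print(flow.dst, "->", " -> ".join(ctl.path_for(flow)))
    # Non-web traffic matches no policy and is forwarded directly.
    print("ssh ->", " -> ".join(ctl.path_for(Flow("10.0.0.9", "bastion", 22))))
```

In a real deployment the hop list would be realised as OpenFlow-style match/action rules pushed to the switches, and the policy predicate would be expressed in the controller's policy language rather than a Python lambda; the model above keeps only the control logic.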
As Hoff sees it, software-defined networking is just another step in an ongoing and accelerating evolution. “It started with virtualization, then it developed with cloud, where you had new kinds of operational teams. Now, as networks themselves become more programmatic, security will also,” he said.
The change itself is inexorable. And, ever the Darwinian, Hoff thinks that IT security professionals will have to adapt, like the dinosaurs before them, or die out.
“This is a generational problem, frankly,” he said. “I wonder if we need the current generation of security leaders to just die off. My wife got her Ph.D. in geophysics and she did her dissertation on what we now know was the Chicxulub crater caused by the meteor strike that led to the K-T extinction level event. I wonder if we need a K-T event for security. But, in the end, it will happen anyway. We have a whole new generation of digital natives coming to work and they’re bringing their own stuff - mobile phones and texting - because that’s just normal, and they’re going to fire stuff up on Amazon, because that’s just the way stuff gets done. So, yes, change is accelerating and for all the right reasons.