Trust was a common theme during the 2011 RSA conference in San Francisco with varied perspectives from presenters and attendees alike. There were discussions of trust in protection, trust in monitoring and response, and trust in forensics. Are we relying a little too heavily on trust?
A large number of sessions, vendor pitches and hallway chatter at the recent RSA conference in San Francisco revolved around "cloud security", everything from securing public cloud environments to securing private cloud virtual machines, and from securing operations and data in the cloud to delivering cloud-based security applications and services. But the common theme appeared to center on that elusive thing called trust.
The suggestion was that, because we've decided to put our information, applications and infrastructures in the hands of cloud providers, we all of a sudden have to worry about trust. The reality is we've always had to worry about trust. Unfortunately, most businesses have opted to blindly trust in the absence of being able to prove that the trust was, and is still, warranted. Have we all conveniently forgotten about the insider threat?
To be fair, some of the sessions in the Cloud Security Alliance (CSA) Summit did speak to the fact that trust was not enough. This group is certainly on the right track, but some of the discussions stopped a bit short as they looked to traditional methods for mitigating the risks related to relying on trust in the cloud; things such as utilizing traditional perimeter-based protection measures, security monitoring processes, working to meet increasingly stringent regulatory guidelines, and relying on newly formed reputation services.
Meanwhile, the "Cloud Trust Authority" vision, as presented by RSA's CTO Bret Hartman, while a great stride forward in terms of removing a lot of the fears associated with moving business processes to the cloud, also requires placing trust in a third party. Certainly this initiative and others like it will help secure the cloud. Will it be enough for organizations to unequivocally prove that the cloud is in fact secure?
Credit must be given to the United States government as Vivek Kundra, the U.S. Federal CIO made it clear that proof of cloud security is paramount to the U.S. government's ongoing IT strategy. During his presentation, Kundra spoke to a number of initiatives geared toward moving large numbers of government systems and applications to the cloud.
"With the number of U.S. government data centers growing from 482 in 1998 to nearly 2,100 in 2010, [moving] in the opposite direction as the rest of the U.S., it is clear that something has to change," Kundra said. "It is anticipated that of the $80 billion spent yearly on IT across various agencies, $20 billion will be invested in moving data centers to the cloud." Kundra was energetic as he called upon the cloud security community to get innovative as the U.S. government braces for the "Cloud First - here comes $20 billion!" initiative.
Turning deeper to security and trust in the government space, Joyent Chief Scientist, Jason Hoffman, referenced an article quoting Debora Plunkett, head of the NSA's Information Assurance Directorate. "We have to build our systems on the assumption that adversaries will get in," Plunkett said. In the same article, Gartner Analyst John Pescatore adds, "Basically, unless the hardware and software was built by NSA and has NSA-approved tamper protection, it can't be trusted. Since even the NSA has to use commercial hardware and software, their own environments can't be trusted!"
There were also discussions around the risks of using trust as a means to measure the security of the cloud environment and its data, with deeper dives into the liability that often comes with relying on trust.
Dave Asprey, vice president of cloud security at Trend Micro, suggested that, as liability becomes more of a means with which trust and insecurity could be measured, the more we will see the re-introduction of insurance policies designed to fill the gap between solid and enforced security measures and the likelihood that something bad could still happen. This resulted in an outcry from some attendees as they pointed out that insurance does nothing when it comes to protecting peoples' lives. Clearly, trust doesn't cut it in these cases.
Numerous references were made at the conference to Forrester's Zero-Trust Model of Information Network, further suggesting that trust alone is not an option.
Hoffman referenced a whitepaper he co-authored with technology partner GuardTime, called "Achieving Integrity in the Cloud", where the two parties claim that the only way to trust the cloud is to remove trust altogether and force it to provide complete transparency in the form of analytics and independent proof of operating and data integrity using keyless signatures.
"Take Joyent's cloud compute stack," Hoffman said. It "offers various security features often not thought of as security features at first glance, but that offer security inherently as they are built directly into the kernel of the operating system; virtual machine security delivered via secured containers. Even with these unique capabilities being used to secure the operating environment from its tenants, its attackers, and even itself, we are still left to trust that these security measures have worked properly. In the end, it all boiled down to trusting the cloud and trusting the cloud provider. This is what led Joyent down the path to finding a way to eliminate the need to trust anyone or anything. Instead, the best design is to deliver proof of security instead."
While some organizations look to 20 year old PKI technologies as a way to ensure security in the form of confidentiality and authenticity of data, Peter Tippett, vice president of Industry Solutions and Security Practices at Verizon Business, cited four reasons why PKI has not been widely adopted as a means to deliver trust: 1) cost ($100 first year per user, $30 to $50 per year per user thereafter), 2) complexity (key management), 3) end user experience, and 4) legal liability.
Apply this same set of challenges to the cloud, and we introduce the additional exposure of the keys residing in memory, thereby forcing the security measures to boil down to trust -- trust of the keys not being compromised and trust in the parties responsible for handling and managing the keys.
There is certainly a place for PKI in the security space, but it is not the only means for ensuring trust between multiple parties, especially when the players are not always known and when the players are operating within what is effectively an untrusted environment, affectionately referred to as the cloud.
It is inevitable that some organizations will face the other side of the protection scorecard where there are legal actions associated with their failure to protect their systems. This is where trust is no longer an option; the courts will demand proof, and the proof must be delivered without repudiation if they are to avoid, or at least win, a potentially long, expensive, and otherwise distracting legal battle.
During his session called "Cloud Investigations and Forensics", host Davi Ottenheimer, president of Flyingpenguin, said that "in order for information to be admissible, it must be authentic, accurate, and complete." Ottenheimer added that, "It is all about the logs; application logs, system logs, and data logs. If an organization is fighting a legal case involving digital assets, they will need to show that the content of the logs proves that the actions in question were someone else's fault and not their own, that the logs are indeed theirs, and that their logs have not been tampered with in any way. This especially holds true as the logs are seized and then duplicated as legal evidence."
It will be interesting to see how this story unfolds over the coming quarters. One thing is for sure, you can trust it will prove to be exhausting trying to keep up with all of the attempts to solve this problem, the changes that come with the attempts, and the messages that follow suit.
Martin is the founder and owner of imsmartin consulting.