Jamey_Heary: The reality is that operating systems and applications will continue to have security vulnerabilities for years to come. The ultimate solution would be for all software companies to produce both secure and bug-free code. Since that will not happen in my lifetime the question moves to 'Is there a way to secure a nonsecure operating system or application?' The utter failure of solely signature-based approaches in this regard leaves us with the main alternatives of behavior- or modeling-based approaches -- modeling being the ability to intercept traffic, run it in a virtual environment, see if it does anything bad, if it does, then drop it before it gets to the actual hosts. The problem with modeling, of course, is performance.
Dave_Kearns: The sun goes nova.
Moderator -- Julie: Dave, short of death to the planet, have you got any ideas?
Dave_Kearns: There aren't any that are realistic. If you allow users access to sensitive data, then hackers will find a way to get to it also. Social hacking is still very effective.
Noah_Schiffman: I have one word that will answer all security questions: crypto.
Jamey_Heary: How can crypto help with an application vulnerability?
Noah_Schiffman: Good question. Depends on the vulnerability.
Jamey_Heary: Let's take cross-site scripting, then.
Noah_Schiffman: I guess we're talking about Web-page and user authentication. Social engineering will always exist, unfortunately. There is no cure.
Andreas_Antonopoulos: Jamey's answer also includes virtualization. We have an overlap. Essentially sandboxing and manual testing both depend on a high-fidelity replica of the production environment. Honeypots, too. We're seeing dramatic improvements in patching because of virtualization -- reduction in time to patch and cost to patch. This is directly from our primary research.
Jamey_Heary: Why does virtualization affect patching, or are you meaning because you can test it first?
Dave_Kearns: Reducing the window of opportunity helps, of course, but isn't a cure.
Andreas_Antonopoulos: Jamey, because you can test it (manually) or sandbox it (automatically).
Jamey_Heary: Bottom line is that the patch-hack-patch cycle will be with us for some time to come.
Andreas_Antonopoulos: Yes, you can only shorten the cycle.
Jamey_Heary: I haven't seen any solution, other than the ones I mentioned initially, to help this. The proliferation of attacks that let you jump out of a virtual machine and into another one makes patching on VMs of utmost importance. For that matter, it makes host security of VMs especially critical.
Andreas_Antonopoulos: Jamey, indeed, but the ease of maintenance more than makes up for the host security issues (which are minor to non-existent).
Noah_Schiffman: Vulnerability disclosure standards still need to be agreed upon.
Andreas_Antonopoulos: Disclose early, disclose often and disclose fully.
Noah_Schiffman: Andreas, isn't that what we're trying to do? Disclose fully -- like the MIT guys?
Andreas_Antonopoulos: Indeed! At least in the IP world. I was discussing SCADA [Supervisory Control and Data Acquisition] security with an expert, and he was surprised to hear my opinion that 'secrecy' is the reason that SCADA security sucks.
Jamey_Heary: SCADA is a mess.
Andreas_Antonopoulos: SCADA is a mess because they don't dare do disclosure.
Jamey_Heary: The answer has always been to just air-gap the SCADA network, but in reality very few SCADA nets are actually air-gapped.
Noah_Schiffman: What about malicious code that can detect virtual machines and perform [denial-of-service] attacks . . . causing the machine to close or crash?
Andreas_Antonopoulos: Noah, you can make virtual environments more resilient than physical ones. Not that we do -- we can. . . . Perhaps some day we will.
Noah_Schiffman: As long as you're not replicating insecure physical ones. . . . And, yeah, you're right. Hopefully one day we will.
Andreas_Antonopoulos: Indeed. Resurrecting unpatched zombies, all named "Test01."
Jamey_Heary: Andreas, virtual machines have the same host security issues that all other non-virtualized hosts have (which are extensive).
Andreas_Antonopoulos: Jamey, sorry, I thought that by host you meant hypervisor.
Jamey_Heary: Ah, got it.
Moderator -- Julie: Time for Question 3. Steve Bellovin of firewall fame is championing a new model -- where the hard exterior remains, a hard center is added via application firewalls and the authentication role is removed from the Web server. Instead, he wants a new Web SQL language (NewSpeak), which includes no verb that would execute an insecure action. What are your thoughts on his plan?
Dave_Kearns: Not particularly new. This is another form of entitlement management, which is a good approach.
Andreas_Antonopoulos: There is no such thing as a hard perimeter. Companies today are not value centers. They are nodes in a value network. What I mean is that much of the value generated by a modern company may lie in the information supply chain, in the partners, in the network, rather than inside the "walls" of the company. As a result, business value cannot be generated through a hard perimeter. The perimeter becomes porous and eroded from all the "trade routes" that are poked through it. In the end, security has to be layered in depth, on every node, every endpoint and every device. You can't maintain a "bubble" approach to security when you generate most of your value by poking holes in the bubble. So, we're seeing companies moving from a perimeter model to a layered model where architecture-centric security (DMZ, perimeter, access) is supplemented by identity-centric, transport-centric and transaction-centric security. The perimeter is still there, but it's only a coarse-grained defense to stop the most obvious and "noisy" attacks.
Jamey_Heary: With the risk of sounding too old-school, I believe that the next-gen security model for enterprises remains a defense-in-depth, collaborative security architecture. The majority of businesses have not moved to this architecture as of yet. This is especially true for the internal areas of networks and data centers. This is due to several reasons. Foremost are the costs, support issues, and complexity involved with implementing a pervasive defense-in-depth security architecture. The newest piece of this security architecture is how to deal with the rapidly expanding virtualization of servers and applications. I see this as the next great hurdle for security architects and vendors.
Noah_Schiffman: I definitely agree with Andreas. If there was truly a hard perimeter, this model wouldn't be needed.
Dave_Kearns: Yes, there is no longer a "frontier."
Andreas_Antonopoulos: It's like the old castle and moat. That model died. But did it die because of gunpowder (as they teach in school)? I say, no, it died because of trade. If you were in a walled city that was in the center of a massive trade-route network, what happened if you shut the gates? Within a week there's a shanty town bazaar outside the walls where all the trading happens.
Noah_Schiffman: Defense in depth will always be a gold standard. What you place in the layers can affect how strong that defense really is.
Jamey_Heary: Agreed. Today's networks are perimeter-less and suffer from ubiquitous access to all their resources. But I find that many customers have yet to catch up to that fact in security -- thus we need defense in depth.
Andreas_Antonopoulos: Exactly. It worked when we had "the firewall" on "the Internet connection." Now we have a mesh -- and that creates a mess.
Noah_Schiffman: Just as there will always be the security hole of a "user," there will also be the problem of the "lazy developer" that fails to write secure code. Stored procedures are another layer, and this [Bellovin] model seems to be another mirror of that kind of security.
Dave_Kearns: Jamey: "Many" customers still think six- or eight-character passwords are enough.
Jamey_Heary: Dave, some think that passwords are enough.
Andreas_Antonopoulos: Take a cue from nature. Nature doesn't do perimeter security, but defense in depth.
Dave_Kearns: "Nature" doesn't do defense at all -- each entity does its own.
Andreas_Antonopoulos: From the cell up, there are layers and layers. Otherwise, the first cut in our finger would give us a fatal infection.
Noah_Schiffman: Does anyone think the five- to 30-second decryption time is a bit long with the NewSpeak model?
Dave_Kearns: Yes, I do.
Jamey_Heary: Dave, entities are what make up nature.
Dave_Kearns: Jamey, then nature is a perimeter.
Andreas_Antonopoulos: Dave, that's what I meant: Each entity carries many layers of defense, not just a single perimeter.
Jamey_Heary: No, nature is the network.
Andreas_Antonopoulos: Nature is the Internet, and you will be bathed in viruses at all times, so you need more than just a "bubble" to protect you.
Noah_Schiffman: Sounds like Microsoft, with the forest trees and leaves. No more nature talk.
Moderator -- Julie: You guys sound ready for Question 4. Does the rise of social networking impact the future of identity management, and what is the solution to managing identity when we each now have dozens or more digital personas out in the wild?
Dave_Kearns: Yes, it does. Just as the rise of personal computing had a profound effect on corporate computing, so too will the rise of personal identity management impact the world of enterprise identity. The enterprise identity -- and all of its attributes -- becomes merely another persona in the entity's base identity.
Jamey_Heary: Online social networking should be viewed as being very similar to social networking in reality. You never really know if the person you are socializing with is telling you the truth or if they are trying to con you. Individual virtual reputations, to continue my previous theme, could help with online social networking. We could issue individual digital certificates, or some equivalent, to each user that wants to participate on a social network site. The enrollment for the digital certificate can be used to verify you are who you say you are. Then we can use this certificate to track your online reputation score. But just like in reality, we have to watch out for people who try and slander others.
Andreas_Antonopoulos: We always had a dozen identities. We just pretended they were all unified. Now we're embracing our multifaceted nature and expressing it with multiple contextualized identities -- that is, we can be different things to different people. I can be a parent, a teacher, a colleague, a patient or a dwarf warrior. It depends on the context of the interaction I am having -- and I 'want' to keep my identities separate.
Dave_Kearns: Andreas, it depends on the relationship.
Andreas_Antonopoulos: I don't want my PTA group seeing my patient records. What I'm saying is that multiple identities are better for privacy since each identity is limited and contained.
Jamey_Heary: I agree, Andreas, but it would be nice to have a common reputation score for all of them.
Dave_Kearns: Multiple personas or multiple roles -- but you really only have one identity.
Andreas_Antonopoulos: Yes, practically.
Moderator -- Julie: When it comes to protecting our identities and our enterprise data, what can be done if we all have 100 social or digital identities?
Noah_Schiffman: Once again this is a threat that is very susceptible to social engineering. Limiting your identities will limit the number of threats. You can always encrypt your identities, but then your friends will only be cryptographers.
Dave_Kearns: Did we mention better training for users?
Andreas_Antonopoulos: Julie, we use identity federation and use whichever identity is relevant for the transaction.
Moderator -- Julie: An enterprise can't limit the identities of its employees. I personally have about six of them, four of which I use for work.
Andreas_Antonopoulos: Can they all be tied to a root identity that uses strong authentication? Sure.
Noah_Schiffman: Andreas, I agree. Appropriate identity usage is important. But if that root identity is compromised or impersonated, the implications could be significant.
Andreas_Antonopoulos: We can't limit identities -- neither do we want to. Part of the reason identity theft is so much more prevalent in the U.S. is that you have a unifying index key: the SSN. Fragmented identities are more secure because you can't compromise them all in one go. In Europe they don't see our identity-theft problems.
Jamey_Heary: Great point, Andreas. We need to move away from the ultimate control an SSN provides.
Andreas_Antonopoulos: Right, Noah, which is why I don't even see the need for root identity. I'd rather have several OpenID URIs with different levels of authentication. Social OpenID URI: user name and password. Banking OpenID URI: fingerprint and token. Healthcare URI: challenge response or whatever.
Dave_Kearns: It's not a question of "need," Andreas. You have an identity -- and you can't dispose of it.
Andreas_Antonopoulos: But I don't necessarily want all my personas tied to my root identity using a single identifier. There's no need for it.
Dave_Kearns: But they do tie to you -- no matter what the identifier is.
Noah_Schiffman: As long as OpenID is built on the Web, there will be inherent problems.
Andreas_Antonopoulos: Noah, all my apps are on the Web, so that's where my identity is today.
Jamey_Heary: We all need a digital certificate that we can call our own.
Dave_Kearns: Or two or three.
Andreas_Antonopoulos: Jamey, we all need multiple independent digital certificates, not one. One is too dangerous.
Jamey_Heary: The thought being that if the PKI infrastructure goes down, then everything else burns, so it matters not.
Andreas_Antonopoulos: I don't want the same certificate to open my hospital record and my fluffybunny34@facebook identity.
Jamey_Heary: Why not? You are not ever giving them your private key. It is a public key infrastructure, so it doesn't matter. That's the beauty of PKI.
Andreas_Antonopoulos: That assumes I can keep my private, private. Most can't, so . . .
Dave_Kearns: Andreas, have all the certs you like -- they still tie to you.
Andreas_Antonopoulos: I'd rather have them separate.
Jamey_Heary: Most won't even know where their private key is or how to get it.
Moderator -- Julie: Jamey, it will be a fingerprint on the cell phone, that you left in the cab, right?
Noah_Schiffman: Jamey, I'm pretty good at finding private keys.
Dave_Kearns: Jamey, security through obscurity?
Noah_Schiffman: Trying to get people to adopt OpenID will be more difficult than e-mail. OpenID, being a URL, will be a hard concept for people to accept.
Andreas_Antonopoulos: You already have OpenID most likely, from Yahoo or AOL or somewhere else.
Noah_Schiffman: Andreas: My OpenID is currently ClosedID.
Moderator -- Beth: And with that said, and our time limit reached -- thanks, everybody, for joining us today.