Tuesday, June 9, 2009

OohRah! here come the security clouds

I'm not sure what to make of this article. At first pass I thought it was somewhere between classic security "re-invented here" and a solution seeking a problem, but I reread the article and on the second pass this piece got my attention:

Cloud Computing: The Dawn of Maneuver Warfare in IT Security

"A theoretical example of how maneuver IT security strategies could be used would be in responding to a denial of service attack launched on DISA datacenter hosted DoD applications. After picking up a grossly abnormal spike in inbound traffic, targeted applications could be immediately transferred to virtual machines hosted in another datacenter."
It's a nice idea: use on-demand infrastructure to outmanoeuvre your attackers rather than fighting a war of attrition, a concept made great by the USMC. But the article's a little short of real-world examples. So it got me thinking: what defensive security activities can be improved by applying cloud infrastructure (IaaS)?

We've got the (simple) use case of rerouting traffic to defend against a DDoS attack - but we already have that in the form of CDNs (content distribution networks), although the cloud version would probably be noticeably cheaper given its on-demand nature. What about managing virus outbreaks, patch deployment and vulnerability detection?

managing virus outbreaks - If I can scale my security infrastructure rapidly, I can scan my distributed filesystem and workstations, and I can hunt down and remove infections. In theory I can scale my cloud rapidly enough to combat Warhol-esque worms.

patch deployment - If I need to force patches across my environment, I can deploy a swarm of servers that will connect to every server and workstation in my enterprise and force the patch down (after I've spun up multiple VMs to test/socialise the patch against my standard configurations).

vulnerability detection - Scanning a class B sized network can take a while, but what if I can launch a few hundred servers and ask each of them to scan less than a class C, in parallel? (Note: this idea wasn't mine; credit to Richard at Enomaly.) I can get near-real-time vulnerability intelligence on my environment at relatively low cost. Running a few hundred EC2 servers for less than an hour is pretty cheap, especially compared against buying a whole bunch of expensive scanning appliances (then again, there's Nessus).

Here's the rub (actually two):

1) How do I coordinate this on-demand security infrastructure? How do I make sure work is evenly shared? And what about providing (domain) administrator credentials?

2) Unless you're a highly distributed organization with multiple points of presence, your biggest constraint on making use of IaaS from external providers (e.g. EC2) is bandwidth. Granted, patches, vulnerability scans and virus detection aren't bandwidth intensive on their own, but there's a chance your on-demand security infrastructure could overwhelm your not-so-scalable connection infrastructure.

So here's my wild thought of the day: today you have peering points between major ISPs, service providers and backbone carriers - how long before enterprises will want to have peering points with EC2 and Savvis to make IaaS almost local?

side note: I recently read an article about user-provisioned hardware. When you add that to more remote work/work from home, maybe the connectivity problem goes away and the need for highly scalable security IaaS becomes more important - maybe the problem the solution has been looking for is "how do I secure employees working from hundreds of different locations?"

update: Jeff Barr from Amazon Web Services pinged me; apparently peering with EC2 is doable - a little google-fu revealed Amazon uses Equinix for peering.
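As an added example (not from the original post or any of the products it mentions), here is one answer to the "how do I make sure work is evenly shared?" question for the parallel scanning case: split a class B target into /24 chunks and hand them to a chosen number of on-demand workers with a least-loaded rule, so no scanner gets more than one chunk over its peers. The target network, chunk size and worker count are assumed inputs; the scanning itself is out of scope here.

```python
import ipaddress


def partition_scan_work(network: str, chunk_prefix: int = 24, workers: int = 4):
    """Split one scan target (e.g. a class B /16) into subnets no larger
    than /chunk_prefix and assign them to `workers` on-demand scanners so
    the number of addresses per scanner is as even as possible.

    Returns {worker_index: [subnet_str, ...]} with every worker present,
    even those that received nothing (small targets, many workers).
    """
    if workers < 1:
        raise ValueError("need at least one worker")
    net = ipaddress.ip_network(network, strict=False)
    # A target already at or below the chunk size is a single chunk.
    if net.prefixlen >= chunk_prefix:
        chunks = [net]
    else:
        chunks = list(net.subnets(new_prefix=chunk_prefix))
    # Greedy least-loaded assignment: each chunk goes to the worker with the
    # fewest addresses so far (ties -> lowest index). Largest chunks first
    # keeps the spread tight when chunk sizes are mixed.
    chunks.sort(key=lambda c: c.num_addresses, reverse=True)
    load = [0] * workers
    assignment = {i: [] for i in range(workers)}
    for chunk in chunks:
        w = min(range(workers), key=lambda i: (load[i], i))
        assignment[w].append(str(chunk))
        load[w] += chunk.num_addresses
    return assignment


def load_spread(assignment) -> int:
    """Max minus min addresses per worker; 0 means perfectly even."""
    sizes = [sum(ipaddress.ip_network(s).num_addresses for s in subnets)
             for subnets in assignment.values()]
    return max(sizes) - min(sizes)


if __name__ == "__main__":
    # Constructed example: a class B split into /24s across 4 scanners.
    plan = partition_scan_work("10.0.0.0/16", chunk_prefix=24, workers=4)
    for worker, subnets in plan.items():
        print(f"worker {worker}: {len(subnets)} subnets, first {subnets[0]}")
    print("spread (addresses):", load_spread(plan))
```

A spread of 0 means the work is shared exactly; a non-zero spread of one chunk size is the best possible when the chunk count does not divide by the worker count.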
