Sunday, July 26, 2009

The security stack could work, don't worry about the rabbit hole

I attended my first cloud camp and came to the incorrect conclusion that there are those that understand the security issues in the cloud and those who don't understand the cloud.

I say I came to the incorrect conclusion because I realized that the second category is not made up of the uninformed; rather, there are folks who just see the cloud as a utility, a tool, and if the tool works as promised, they don't really care about its inner workings until they are faced with a problem.

The challenge tends to come in the form of a compliance person or a security officer who is a proud member of the RSFTPB (Royal Society For The Prevention of Business). The security or compliance expert starts asking hard questions and the tool user goes "um... they have the lock thing on the browser". Which, to me, is the right (obviously wrong) answer; why should the tool user have a good answer?

The problem arises when the expert tries to investigate the utility and gets, at best, a high-level security whitepaper and, at worst, a bullet-point feature list.

Chris Hoff recently posted about building a standardized security assessment API, a way for cloud providers to express the security state of their environment. Some rebutted with the concern: how do you know whether the API is letting you talk to the real target of assessment? The short answer is of course that you don't (an evil provider can run the API inside a fully hardened virtual instance, or just straight out return false answers), but I think that kind of misses the point, for three reasons.

Firstly, it's really about addressing the concerns posed to our tool user population, who don't know to ask these types of questions. As long as the system has the appearance of correctness and provides the right answers, then that's enough for the tool user and should appease the compliance kings (we know this from past experience with the nearly total acceptance of the output of vulnerability scanners).

Second, if you're going to fake the results, you're going to go to a lot of effort to build a lying stack that provides reasonable answers that are consistent, persistent and have an appearance of integrity. I'm fairly certain cost issues would win out and it would be cheaper to buy a stack, or assemble one from COTS components, than to craft your own.

Third, lies only work if you don't get caught. While it will be small solace for the first victims, it will also be obvious to everyone that something wasn't right, and eventually the truth would come out. Admittedly this is not desirable, but it would not be dissimilar to the poor practices that full disclosure policies were designed to overcome.

I think if you give the tool users real and easily accessible answers, in formats they can use (XML and PDF come to mind), we can make 80% of the cloud naysayers happy.
