Jericho Forum: Cloud computing

Jericho Forum: Cloud computing

Date: Apr 02, 2010

In part two of the interview, Bob West and Paul Simmonds, Jericho Forum board members, discuss the the threats that cloud computing present to the enterprise, and how to mitigate them.

Watch part one: The Jericho Forum's self-assessment guide


Read the full transcript from this video below:  

Jericho Forum: Cloud computing

Eric Parizo: Hi. I'm Eric Parizo. It's great to have you with us. We're here with
Bob West and Paul Simmons, both members of the Jericho Forum Board of
Management. Gentlemen, thank you so much for being with us today.

Bob West: Thank you.

Paul Simmons: Thank you.

Eric Parizo: As Cloud computing has become more prevalent, I know the Jericho
Forum has emphasized the security and integrity of data over the security
and integrity of networks themselves. Tell us a little bit about why that
change is so important.

Bob West: As I was saying earlier, most organizations historically have looked
at their computer networks and thought that there were very clear borders,
and cloud computing, I think, is one of the longest extensions of the
principle that says my data and information may not necessarily reside
within my infrastructure and so going back and understanding, so if I'm using a
cloud model, what applications am I putting in the cloud and what
information is sitting there? So if I have something that's a mission
critical system or something that has customer information in it, I need to
understand where does it sit and what are the controls that I need to put
around it, Paul?

Paul Simmons: Yeah, I mean the Jericho Forum principle is the closer you can get to
the asset at risk, the easier it is to protect it. So that's, again, a
motherhood and apple pie statement. But if you think about it, I mean, you
don't protect the President of the United States by beefing up the border
guards at the airport. Secret Service does close protection. The principles
are exactly the same with computing. The closer I can get to protecting it,
so, if I'm going to protect a server in the middle of my organization,
actually I should be putting the protection around it, rather than beefing
up my perimeter security because I've got this huge multitude of sins that
comes through my perimeter.

Bob West: Yeah, so I mean, the server irrespective of where it sits, whether
it's within the organization or in the cloud, you're going to protect it the
same way; it's functioning at a principle level.

Paul Simmons: Yeah, so again, you know, if you then look at how I'm going to
architect, with my rule for architecture, it's pretty straightforward.
Actually I architect for my worst possible case which is, can I run this
server on the raw Internet. And if I can make it work on the raw Internet,
it's just going to work better when it's back inside my organization, but
the principle is exactly the same. I architect the worst case, and the
crazy thing is, you look at Victorian engineering. When they built bridges,
it was really simple. They looked at the worst possible thing that could
happen, the worst possible weather conditions, the worst possible
everything, loads that went over it. They doubled it and then built their
bridge.
With computing, of course, we go, "Well, that's probably about right." You
know, we've forgotten those basic engineering principles of design for
worst case. And we just need to get back to them.

Eric Parizo: Jericho has said that identity and access management technology has
to change in order to successfully secure cloud computing. What needs to
happen in both the short and the long term in order to make that a success?

Paul Simmons: OK. The quick answer is a lot. The longer answer is we need to move
to an identity-based structure. The concept of "I know which IP address
you're coming from" or "Because you reside inside my organization I can
therefore control you" actually just doesn't work in a de-perimeterized
or a cloud environment because you're coming from a public IP address
on a bit of network that I don't control. The actual network level controls
become totally irrelevant and therefore actually things like border
firewalls becoming increasingly irrelevant. They're great for keeping out
scripts and the lumps on the Internet, but they're useless at
doing any kind of user level access control.

So, in terms of what we need to do, we need to start moving all our
applications to actually proper user level access control. And that means
being able to need to prove who I am. Now, if I own everybody in my
organization, that's really easy because I'm running probably active
directory if you're in a large corporate or something like that.
So, I control those people. The trouble is, that was a great model for five
or ten years ago when you employed staff or you didn't employ staff, but
now we employ people umpteen different ways, contractors, temporary staff,
staff on fixed term contracts, you name it, and of course, we're working in
partnerships with so many companies that we need to be able to federate.
Because I can't, you know, if I've got 6,000, 8,000, 10,000 staff who
aren't full time on payroll, I've got to manage them somehow.

Today what we can do is we can federate, we can extend our individual
authentication systems out into the Internet, but actually in the future
that isn't going to scale. We have to move to a claims-based system. So,
where the future is going, if this is going to work, certainly in cloud or
anything outside of your organization, it's got to be claims based.
For example, let's say I want to offer drug information out to a German
doctor. Now, the German health authorities publish who's a doctor, and
there is an organization out there called Doc Check which you can subscribe
to which basically says, so I have someone coming into a system that I own
and the condition of giving them the information is "are they a German
doctor?"

So they make a claim that says "I am a German doctor," and we can test that
claim against Doc Check in Germany, and therefore if they pass that claim,
that's it, we give them the document. We don't need to know their name. We
don't need to know anything else about them. We don't need to know their
age or where they live or whatever. They make a claim, we check the claim,
we give them the document if it passes the check, end of story. And that's
the way it's got to work in the future if this is truly going to be
extensible.

Eric Parizo: Now, going back to your example though, are you saying that you're
conducting the check, or are you essentially trusting someone else to
conduct that check for you?

Paul Simmons: Ultimately, no, it's about trusting the third parties that are going
to provide that check. So ultimately, the same ways we trust, for example,
an SSL certificate today, so the padlock on the bottom of the browser, when
I go to a secure site, I trust that there is, when it comes up with the
padlock and the green bar at the top of my browser, that actually that is a
chain of custody effectively, that goes back to some root authority that we
trust.

Just as we trust that for our padlock and our green bar on our browsers,
that is exactly the same. It's my organization trusts this checking
organization. It might be, "Am I 18" because I've got to be an adult to
check this site. So, maybe the claim is "I am an adult" and you go off to
whichever site it is. It might be a government site. It might be a third-
party site. It doesn't really matter. You, as an organization, say, "If
I'm going to give this information out I then trust the organization that
is validating the claim."

Bob West: So, in the United States, an example people might relate to would be
if someone is getting credit extended to them by a financial institution,
the financial institution is going to go to one of the credit bureaus to
understand, "Is Bob worthy of having credit extended to him?" and people
trust the entities, the Experians and Equifaxes of the world to say they
have accurate information about Bob, and so it works the same way in terms
of principles, in terms of what Paul's describing in the computing
infrastructure world.

Paul Simmons: Yeah.

Eric Parizo: Finally, what's your best advice for organizations that are
considering cloud computing and are concerned about cloud computing
security?

Bob West: One of the things I think that most organizations are doing right now
is they are looking at cloud computing as the Holy Grail and "My
competition is moving to cloud computing; therefore, I should" without
understanding the risks associated with cloud computing. And so, I think
using something like the self-assessment scheme is something that can
really be a valid way to say, "Does this make sense for me?" I mean, "Is
it, in fact, something that's going to help solve a fundamental business
problem?" At the end of the day, as Paul was saying earlier, the basic
premise is to help address business functions, and if you're looking at it
that way then I think organizations can be successful in terms of moving to
a cloud model that makes sense for them.

Paul Simmons: I'd say four things, or four pieces of information or resources to
use. One is get the CSA document. Two is get the Jericho Forum documents
on what we call the "Cloud Cube Model". That allows you to understand where
the vendor is playing in the cloud space because every man's clouds
actually are very unequal. Take that, mix it with the commandments, and
then use the self-assessment document. If you take those four pieces of
information, you should end up with a much better solution than you would
have otherwise had.

Eric Parizo: Bob West and Paul Simmons of the Jericho Forum. Thank you both so
much for joining us today.

Bob West: Thank you.

Paul Simmons: Thank you.

Eric Parizo: And thank you for joining us as well. A reminder, you can find more
of our videos at SearchSecurity.TechTarget.co.uk. I'm Eric Parizo. Stay
safe out there.

More on Security for Cloud Computing and Hosted Services