Friday, June 14, 2013

From Clean Pipes to Clean Clouds, Policy-based Security in the Hybrid Cloud


A sea change is under way in the security industry to address the evolving requirements of Hybrid Cloud Computing. Security MUST be pervasive throughout the Cloud stack, including the Cloud Platform-as-a-Service (PaaS) layer. As we move to a distributed hybrid cloud model, a new security paradigm is needed to protect our systems from Cyber Espionage. Dr. Jim Metzler, a distinguished research fellow at Ashton Metzler and Associates, defines the Hybrid Cloud as follows and then goes on to describe the associated security threats:
Like so much of the terminology of cloud computing, there is not a uniformly agreed-upon definition of the phrase hybrid cloud computing. According to Wikipedia, "Hybrid cloud is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. Briefly, it can also be defined as multiple cloud systems which are connected in a way that allows programs and data to be moved easily from one deployment system to another." Based on this definition, one form of a hybrid cloud is an n-tier application in which the web tier is implemented within one or more public clouds while the application and database tiers are implemented within a private cloud.
A component of the concerns that IT organizations have about security and confidentiality stems from the overall increase in the sophistication of hackers. For example, until relatively recently the majority of security attacks were caused by individual hackers, such as Kevin Mitnick, who served five years in prison in the late 1990s for computer and communications-related hacking crimes. The goal of this class of hacker is usually to gain notoriety for themselves, and they often relied on low-technology techniques such as dumpster diving.

However, over the last few years a new class of hacker has emerged, and this new class of hacker has the ability in the current environment to rent a botnet or to develop their own R&D lab. This new class includes crime families and hacktivists such as Anonymous. In addition, some national governments now look to arm themselves with Cyber Warfare units and achieve their political aims by virtual rather than by physical means.
With Cloud Computing moving towards “Big Data” hybrid cloud topologies, the security problem intensifies and becomes much more complex to solve. To overcome that complexity and maintain a secure cloud, enterprises must find new, cost-effective ways to ensure that their global networks are safe from Cyber threats. Cloud Security needs to be equally scalable, distributed and autonomic. In 2013, e-commerce and financial services companies will be hit by increasingly sophisticated attackers and attacks. Gartner estimates that over 95% of enterprises have been affected by a security breach; targeted firms MUST arm themselves to avoid costly damage.

“With the speed and complexity of the threat landscape constantly evolving and the prevalence of combined threats, organizations need to start moving away from being retrospective and reactive to being proactive and preventative” (Information Security Forum, 2012) 

The first step of the new security paradigm is to automate the protection and handling of your cloud applications and data. Policy hooks should be placed at the network layer, the systems layer, and the services/application layer to ensure a pervasive approach to “Policy-based Security”. I think of it as an automated, distributed rules system (a policy engine) for security orchestration. Basically, we leverage the power of distributed computing across hybrid clouds to run a dynamic overlay system (a safety umbrella) that protects your services and applications (and their data) in the cloud. Automated Policy-based Security Orchestration must maintain business continuity of your Cloud SaaS application even through a Cyber Espionage breach, which means delivering all of the following at once: High Availability, Reliability, Self-Healing Resiliency, Elastic Global Scalability, and Security.

Here are some basic best practices a Policy-Based Security Orchestration System should implement:
  
1. If the hybrid cloud gets attacked, break off the attacked or infected cloud and scale up a new replica cloud somewhere safe. In a sense, if your hand is infected, just cut it off and grow a new one! With Federated Multi-Cloud capabilities, including integrated Elastic Scale and Fault Tolerance, you can kill off potentially affected virtual machines and scale up new, clean ones in their place. In fact, keep the infected cloud running on the side, isolated at the network layer so it cannot reach the clean replacement, and scale up fake honeypot nodes with special analytic modules to make security forensics more effective.

2. Classified data must be categorized upon collection, and the appropriate policy protection must follow it EVERYWHERE in the hybrid cloud. I am not sure how people pushing centralized security systems will pull this one off efficiently. Don't leave data lying around in the wrong places. Don’t let certain data get into the public Cloud or cross country borders (some data just needs to be in a private cloud data center with the right physical security in place). All of these “do’s and don’ts” are implemented as rules within the policy-based security system.

3. The Policy Engine must be hierarchical, multi-tenant, distributed, scalable, and high performance. The hybrid cloud is distributed by nature, so you need the right policy in the right cloud location at the right time, executing without disruptive overhead or latency in your cloud SaaS application. Having a central security system and backhauling everything to one place for off-line analysis is risky. Having a central dashboard is a good approach, but the system itself must be distributed and apply policy to real-time system operations as close as possible to where the transaction, issue, analytics or data operation is occurring. The policy engine and the security system itself must be virtualized and have cloud elastic scale to remain cost efficient yet high performance under peak loads.
  • A side note: Obama and other government officials are pushing for the enterprise to share their data so we can build a collectively stronger line of Cyber defense against Cyber Threat Actors (Cyber Criminals). In a policy-based security system you can implement a service egress policy on a gateway that mandates data must be anonymized, filtered, and normalized before it is transported to a partner system.
  • Policy management must be simple (not a complex security-guru task) and easy to update and change without involving developers or recompiling rules. You should not have to take down the security system or reboot to put updated security policy rules into effect.
  • A policy-based system should include the capability to implement “policy-wrapped data” to address the privacy issues surrounding classified data in hybrid cloud applications.
  • You also need a second layer of policy that checks that the first-level security policy executed successfully. If your security policy dies in the middle of execution, a redundant copy should take over and complete it. This is back to the concept of business continuity with a reliable, resilient, highly available security system.
4. Monitor a limited set of key security metrics to understand whether your cloud is healthy and clean; don't go crazy and monitor everything. This is back to a distributed approach, leveraging domain monitoring “services” that publish events to a distributed event management system. A side note here: the distributed event management system needs a way to maintain “consistency” for event logs so that data is not lost under faulty conditions such as Denial of Service attacks or heavy load. The security policy system must also be flexible, so that new monitoring APIs can be wired into the policy rules as new cyber threat vectors emerge.

5. It takes a Cloud to fight Cloud Cyber Threats. Another sea change will be required in cloud security products to address the distributed hybrid cloud market. The marketing guys are back at it again, “Cloud Washing” their old security products and telling you they are cloud ready. This will become even worse with “Cyber Washing” because of the emphasis Obama has placed on Cyber Espionage. For those of you that don’t know, "Cloud washing” (also spelled cloudwashing) is the purposeful and sometimes deceptive attempt by a vendor to rebrand an old product or service by associating the buzzword "cloud" with it. I now see companies taking 10+ year old software and labeling it with “Cyber” and “Cloud” to make it appear as if it was designed for Cyber Threat Analytics for the Cloud (even though Cloud was not around 10 years ago). Cloud washing, and now Cyber washing, just confuses the market and could build a dangerous false confidence in these security systems for future hybrid clouds.
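To make items 2 and 3 above concrete, here is a small policy engine, added as an example for this post and not code from any product the post describes. It keeps rules as plain JSON so they can be reloaded while the engine runs (no recompile, no restart, and a malformed rule set is rejected without touching the rules already in force), enforces data-placement rules that travel with a record's classification label (no public cloud, no cross-border placement, default deny when no rule matches), and implements the egress-gateway transform for partner sharing: drop direct identifiers, replace quasi-identifiers with a keyed pseudonym, normalize the rest. The rule schema, classification names, zone names, field names and sample records are all assumptions constructed for the illustration.

```python
"""Policy engine sketch: placement rules that follow a record's classification,
an egress transform for partner sharing, and rule reload at runtime.
Added example; rule schema, zones, field names and records are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Rules are data, not code: they can be swapped while the engine runs.
# Constructed rule set for the example.
RULES_JSON = """
{
  "placement": [
    {"classification": "restricted",   "allow_public": false, "cross_border": false, "zones": ["private-us"]},
    {"classification": "confidential", "allow_public": true,  "cross_border": false, "zones": ["private-us", "public-us"]},
    {"classification": "public",       "allow_public": true,  "cross_border": true,  "zones": ["*"]}
  ],
  "egress": {
    "share_classifications": ["confidential", "public"],
    "drop_fields": ["customer_name", "ssn"],
    "pseudonymize_fields": ["src_ip", "user_id"]
  }
}
"""


@dataclass(frozen=True)
class Record:
    classification: str  # label attached at collection; travels with the data
    country: str         # jurisdiction the data must stay in
    body: dict           # payload


@dataclass(frozen=True)
class Zone:
    name: str
    country: str
    public: bool         # True for a public-cloud region, False for a private DC


def normalize(value):
    """Canonical form (collapsed whitespace, lower case) for string fields."""
    return " ".join(value.split()).lower() if isinstance(value, str) else value


class PolicyEngine:
    def __init__(self, rules_json):
        self.rules = None
        self.reload(rules_json)

    def reload(self, rules_json):
        """Validate, then swap the rule set atomically. A bad rule set raises
        and the running rules stay in force, so a policy update never causes an outage."""
        new = json.loads(rules_json)
        if not {"placement", "egress"} <= set(new):
            raise ValueError("rule set must contain 'placement' and 'egress'")
        for rule in new["placement"]:
            if not {"classification", "allow_public", "cross_border", "zones"} <= set(rule):
                raise ValueError("incomplete placement rule: %r" % (rule,))
        self.rules = new

    def placement_allowed(self, record, zone):
        """Default deny: storage in a zone needs a rule for the record's
        classification that permits the zone's type, country and name."""
        rule = next((r for r in self.rules["placement"]
                     if r["classification"] == record.classification), None)
        if rule is None:
            return False, "no rule for classification %r" % record.classification
        if zone.public and not rule["allow_public"]:
            return False, "must stay in a private cloud"
        if zone.country != record.country and not rule["cross_border"]:
            return False, "cross-border placement denied"
        if "*" not in rule["zones"] and zone.name not in rule["zones"]:
            return False, "zone not on allow list"
        return True, "ok"

    def egress_transform(self, record, key):
        """Gateway egress policy: refuse classifications that may not leave, drop
        direct identifiers, pseudonymize quasi-identifiers with HMAC-SHA256 (the
        partner cannot reverse them, we can still correlate), normalize the rest."""
        egress = self.rules["egress"]
        if record.classification not in egress["share_classifications"]:
            return None
        out = {}
        for name, value in record.body.items():
            if name in egress["drop_fields"]:
                continue
            if name in egress["pseudonymize_fields"]:
                out[name] = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]
            else:
                out[name] = normalize(value)
        return out


if __name__ == "__main__":
    engine = PolicyEngine(RULES_JSON)
    private_us, public_us = Zone("private-us", "US", False), Zone("public-us", "US", True)
    cardholder = Record("restricted", "US", {"customer_name": "Alice", "ssn": "000-00-0000"})
    print(engine.placement_allowed(cardholder, public_us))   # (False, 'must stay in a private cloud')
    print(engine.placement_allowed(cardholder, private_us))  # (True, 'ok')
    event = Record("confidential", "US", {"customer_name": "Alice", "src_ip": "10.0.0.5", "event": " Login  FAILED "})
    print(engine.egress_transform(event, b"constructed-demo-key"))  # no customer_name, src_ip pseudonymized
```

The pseudonym key must be held by the gateway only; anyone holding it can re-identify the tokens by brute-forcing small input spaces such as IPv4 addresses, so it is a secret, not a salt. The same engine could be deployed per cloud location with the central dashboard pushing the JSON rule set out, which is the distributed-enforcement, central-management split item 3 argues for.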

As a side note, I wanted to add that some legacy systems are still struggling to be effective at the non-cloud security problems they set out to solve. In 2012, Imperva, together with the Technion - Israel Institute of Technology, conducted a study of more than 80 malware samples to assess the effectiveness of popular antivirus software. Their published results found that:
  • The initial detection rate of a newly created virus is less than 5%. Although vendors try to update their detection mechanisms, the initial detection rate of new viruses is nearly zero. The majority of antivirus products on the market can’t keep up with the rate of virus propagation on the Internet.
  • For certain antivirus vendors, it may take up to four weeks to detect a new virus from the time of the initial scan. However, if cyber threats can be detected within two hours, then 60% of threats can be mitigated successfully (heard this from a GigaOM security webinar). Guess we need another evolution of security technology to achieve this goal.
Policy-based security is just one of the new paradigms emerging in this new generation of cloud-based security products to address the need to secure Cloud Computing from Cyber Espionage. The enterprise will need a number of tools like this in its arsenal to fight Cyber Crime. Hybrid clouds bring new complexity, but new orchestration systems will ensure that business continuity is maintained, even in the presence of faults caused by security breaches. Policy-based orchestration also addresses some of the privacy issues around proper handling of classified data.
