Clearing the Cloud Part III || How Do You Solve A Problem Like “A Cloud”? || Cloud Computing Security

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!
This entry is part of a wonderful series, Clearing the cloud»

In the first in this series of “Clearing the Cloud” columns, I explored the dangers of jumping too soon into Cloud Computing. In the second in the series, I defined relevant risks that we must consider when implementing Cloud Computing and promised to show some solutions. In this article, the third in the series, I continue sharing my vision on how to manage and secure cloud-computing solutions.

Clearing the Cloud Part III – How Do You Solve A Problem Like “A Cloud”?

By Ariel Silverstone, CISSP


As I promised, this is not an article meant to state the problems.In the sections that follow I will put forward some ideas on how to resolve issues defined in my two previous articles. I will also attempt to show some of the security related benefits that we can garner from the usage of Cloud Computing, especially those that we could not, or could not easily, do before.

The approach

Part I – A Cloud OS:

In the early days of such companies as NetApp and EMC, one of the largest challenges faced by Hosting Providers, was how to allocate, measure and control, bit/strip/block assignment to a specific user, and how to protect such element from unauthorized access/modification, erasure and disclosure. Sounds familiar? Such concern led, ultimately, to elaborate control systems, and to the concept of the Filers.Today, every large enterprise uses those tools and concept, usually seamlessly, and provides online and near-line service to its users and customers. When I was a wee lad at the fantastic organization called “Global Integrity”, one of my mentors was Anish Bhimani.  Anish since then went to greater things, but, back at Global, for one of my inventions, he has asked me a question. I remember driving (being lost) in Reston, VA, looking for a Sushi place, and having an “ah-a!” moment because of his question:“The solution should be Out Of Band!” So: the Solution we are seeking should be a:

“A globally synchronous operating system, operating on TCP/IP, that has the capability to handle user management, LDAP integration, and out of band bucket control

Caption 1:Ariel’s Cloud Law Number 8: The Need for a Cloud OS

What is bucket control?

Let’s do the following:

  1. Create a bucket numbering and identification system where
    1. Such identification is created on the fly
    2. Such identification has a lifespan that terminates when the utility of such bucket terminates
    3. Such identification is inherited to a backup medium (tapes or other identically copied buckets)
    4. Such identification is done with consideration as to the ownership (process, user, organization, etc) of data in that bucket
    5. Such identification is based on a federated model, where different physical locations, and even Cloud service providers, can understand, accept, and act upon each other’s schemes
    6. Optionally, such identification is tied to a digital certificate scheme
  2. Implement a tethering scheme, a-la DRM, but much more user friendly, to monitor, pull, identify and allow/disallow access to such buckets
  3. Implement an in-bucket modular encryption ability
  4. Apply a monitoring, auditing, measuring and reporting mechanism
  5. And finally … allow relationships and some property inheritance between buckets.

Part II – A Reference Model

For ease of use, let’s adopt the model we all know, and some of us love – the ISO Networking Reference model…but with a twist.What would happen if we took the tower and leaned it on its side?

The ISO Model, on its side

Image 2:The ISO OSI Model, On Its Side

Needing a Presentation model is not something I can discuss here – Cloud Computing is too early a concept to divine whether one will be needed.So let’s start with the others:

Part III – Nifty Things

Ok, so we have a Cloud.   What can we do with that? The following sections are some ideas I am thinking of.If I get response from this article showing interest in these, I will elaborate a lot more on these in a separate tome.

1.  Logging (or how to out-Google Google):

  • What if we are the Cloud service provider (CLaSP) and
  • What if we have logs, for example about intrusion attempts, against a piece of the infrastructure and
  • What if we have the ability to collect such logs, which to us represent potentially a great many customers, and
  • What if we have the smarts to correlate such logs for time, source, destination and other criteria

So far, nothing new, right?

And what if, because of the volume of any specific type of logs, and our correlation, we are able to predict future events probability or even the time-of-day of predicted occurrence?

Predicting the future

Image 3:Predicting the future.

(The Late Night with Johnny Carson)

2. Where Social Media and Clouds Meet

Don’t roll your eyes at me!(  )

Imagine: What if we could enable a PKI-like social trust between not only users, but resources as well.What if we could say: User ASilverstone has secure access to his bits wherever they are in the world, whoever hosts them, at whenever times he needs to? Just how powerful would be secure, ubiquitous information access at any point?

In other words:

“Do we need to know where the data is as long we can access, handle, process, control and remove it?”

Caption 4:Ariel’s Cloud Law Number 9: Caring is Not Sharing

3. OS? We Don’t Need No Stinking OS!

If end users, aka “desktops”, have access to a BOOTP/DHCP/Terminal Server-like secure access and an ever expanding (or contracting) storage and processing element…. Do they need a desktop OS?What if all our desktops were unlimited? What if we paid for what we used instead of an over-bloated OS that includes kitchen sinks that most of us will never use?

Now your turn: What do you think?