Episode 93: Is Trust the Real Barrier to Cloud Computing?

Amrit Williams, BigFix CTO, discusses the barriers to effectively using cloud computing at the enterprise level with Chris Hoff, Director of Cloud & Virtualization Solutions of the Security Technology Business Unit at Cisco Systems.


FULL TRANSCRIPTS

Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”; and today I am joined by Chris Hoff, who leads the Virtualization & Cloud Computing Strategy with Cisco and has quite a prolific career that I will not be able to repeat here today. So I will simply say, welcome, Chris.

Chris Hoff: Thanks, man. How are you?

Amrit Williams: I’m good, man, I’m fantastic; how are you?

Chris Hoff: Excellent.

Amrit Williams: Excellent. So just coming off 0:22 Con, I know that was a fantastic event. We won’t drill into that here, but you’ve built up quite a following and put out some fantastic research and some thoughts on cloud computing, especially as it relates to security. So I thought we would dive right into that.

But before we do, because I have a varied audience and I don’t know all of their understanding of the space, maybe you would just give a quick high-level review of what cloud computing means and what it doesn’t mean, because as you know a lot of people argue about that, and we will just get that off the table and then move on.

Chris Hoff: Yeah, awesome. I am just so glad we have six hours to do that. So let me get right on it.

It’s very interesting. I think there are two valid but diametrically opposed perspectives to what cloud computing generally means. And on the one hand, you have a very kind of IT, geeky, empirical Visio/OmniGraffle version of what cloud computing means with lots of boxes and requirements that talk about elasticity and self-provisioning and all of the kind of very technical perspectives on what is or isn’t cloud computing. And it’s interesting and it focuses on infrastructure. For folks in the technology field, it’s a great way to fire up debates on Twitter.

The other perspective, which I think is equally as interesting and valid and in many cases is actually one of the true reasons that cloud computing is so interesting, is the consumerized view, which is that pretty much anything on any platform that interacts with my data using the Internet or, in many cases, any type of ubiquitous network is also cloud computing; so, my Xbox LIVE, Twitter, Gmail, anything that essentially provides me network-based access to applications and content.

So the problem is when you lump everything into one bucket, it becomes very, very difficult to figure out in many cases, depending on the perspective you are coming from, what is or isn’t cloud. The reality is there is — you can’t 2:30 a dead cat without somebody giving you a definition. I am not going to offer one up other than to say that in many cases, it’s the natural evolution of a lot of stuff we have been dealing with for decades with some cool sprinkling of technology with a great confluence of socioeconomic, political and technology happenings converging at the right point in time. And we will just leave it there, right? I mean, I don’t think we need to get any further geeky than that.

Amrit Williams: Well, I think that’s actually a great definition. I even love how you threw in the political thing there, too. That was fantastic, because we all know how much the Federal Government is pushing cloud computing, especially there.

Chris Hoff: Yeah, very much so.

Amrit Williams: So what do you personally focus on, then, in your role?

Chris Hoff: Oh, at Cisco?

Amrit Williams: Yeah.

Chris Hoff: Yeah, so I report into our Security Technology Business Unit, which is responsible for most of the physical as well as cloud-based security offerings everyone knows and loves, everything from the ASA firewalls to Ironport Scan Safe, those sorts of solutions. And my job is to work with our Strategy Team, our Product Teams, Engineers, Marketing and as a vertical within that Business Unit to help build and deliver solutions specific to how we take what we do today and make virtualized and cloud solutions out of them or in conjunction with them. And then since we also leverage those technologies across all the other Business Units in the company also figure out how to make sure we solve those problems for other Business Units so they can take that technology and deploy this part of the solutions. So that’s what I do internally. I talk to a ton of customers, and I go out and speak a lot.

Amrit Williams: And externally you’ve got a very… probably not a radically different persona than you do internally, I’m sure; but just one that’s probably more vocal.

You focus a lot of attention on the security side of cloud computing, and so I think you gave not a definition but a very broad stroke of what could potentially be termed or fall under the umbrella of cloud computing; but I think ultimately at its core, a lot of organizations are looking to take advantage of resources that are provided by third parties that allow them to very quickly bring up or bring down basically computing power.

Chris Hoff: Yep.

Amrit Williams: And that’s pretty powerful, but it also brings up this whole question of what happens when you lose control. And it’s not necessarily that something is insecure because you lose control; but as we know, humans tend to be irrational. This whole concept of fear of flying versus fear of driving is probably a good representation of a loss of control where one could easily argue that it’s safer to do one over the other, regardless of the level of control.

So when you look at security in cloud computing — and I know that you had some work with the Cloud Security Alliance, I believe that was the organization you were involved in — what are the key things or the key aspects of cloud computing that change the dynamic for how IT is approaching security in general?

Chris Hoff: Yeah, and as a speaker I still am involved in Cloud Security Alliance. I am one of the Founding Members and I am also the Technical Advisor. So I spend a lot of time with the various research projects that we do, and one of them is the guidance that is enjoying its current second rev and embarking on a third rev, which basically addresses the very questions you just asked, like what is the difference between what I do today and what we’ve been doing for years versus what both virtualization as an enabler for some elements of cloud computing and then, more specifically, cloud computing, what do these differences look like, what’s the same? What do I have to look out for? What new risks or threats come out of that?

And in many cases the things that people have trouble with emotionally are, as you allude to, kind of the traditional server-hugging approach of loss of control; but in any case when you lose control, that’s not the same thing as potentially not being able to trust the fact that these systems or the things you’re losing control over are, as you said, any more or less secure.

So a lot of this has to do specifically and unfortunately with some of that definitional nuance we went into before, which is when you are talking losing or, as I say, gracefully giving up operational control in many cases in cloud-computing environments, what kind of cloud computing are you referring to? Your expectations differ, based on the delivery and deployment models of the cloud offering you are using. For example, in Infrastructure as a Service, the line of demarcation in responsibility for what you as a, quote/unquote, “consumer” of that service and what a provider is responsible for is very much different than if you were to use a Software as a Service.

The classical example there is if you used Amazon Web Services, anything within the AMI, the virtual-machine bundle, meaning the operating systems, the applications and the content, are up to you to still deal with in terms of security. Compliance, privacy, all those things are still your problem.

The things under the covers, the mechanisms that make all of that work that is abstracted from you, are the responsibility of the provider. All right, so they get to maximize availability — confidential integrity, if you want to use the GQC/SSC definitions of their platform — but anything above that is you.

In Software as a Service, let’s say like Gmail, the reality is your expectation is the security thereof, is the responsibility protecting your confidential integrity privacy short of settings and buttons that you can do in terms of provisioning and giving others access to it, is the responsibility of the provider.

So we have to be a little bit more clinical and specific about when we talk about the differences of models of both security when we talk about the deployment and delivery models of cloud, because they differ and your expectations do. So on one hand, your only option is to RFP or contract it in, stipulate what you expect with remuneration and penalties if something goes wrong on the Software as a Service side. On the Infrastructure as a Service side, in many cases you have to contract chunks of it; but then you have to build in a tremendous amount of it.

So everything that we deal with in non-virtualized, non-cloud environments, we still have to deal in one form or another; it’s just who gets to deal with it, right:  the accountability versus responsibility piece. That’s the thing that’s critical for people to understand.

Amrit Williams: And I appreciate that. So we will break both of those down in a second; but I think a lot of organizations because of just the sophistication of the threats have really fallen back to trying to expand the level of visibility they can get through monitoring. So they will sit there and they will watch ingress and egress traffic to try to determine if there is any anomalies that are present in the network or the traffic, if there is anyone trying to do something to compromise the systems, and then from that try to respond to an incident to limit its impact.

That becomes incredibly difficult when the traffic is not traversing the network — the network that you control as an IT Administrator, for example, and I am a Security Administrator. So you have a corporate asset, for example, that’s outside of your network that’s traveling the world like you and you happen to be somewhere in a hotel and you are accessing corporate resources that are housed by a third party.

And it’s not so much, you’re right; I think it’s not that these problems go away; but they do shift the accountability. Accountability in the SaaS model is really on the provider to tell the consumers of the technology that, “Listen, we are doing the appropriate thing, and you can trust us that we are monitoring that traffic for you”. But they don’t expose that data, and I think that causes some concerns for an organization that has really fallen back on monitoring as being key.

Chris Hoff: Sure. Well, and in many cases, you said an interesting thing, which is depending upon the platform and the level of abstraction that the cloud provider has settled on building their infrastructure on, the ability for you as a consumer to actually gain access to what would normally be described as the network can be incredibly limited.

In the case of many of the mass-market kind of good-enough-is-good-enough cloud providers where you’re dealing with the topic of my backup talk is this kind of notion of omnipotent infrastructure, which is really maximized for scale where homogeneity at the infrastructure layer is critical for operations. The reality is, you get a dumbed-down single virtual interface, right? And the ability for you to plumb in compensating controls or use technologies like even logical or physical taps are an impossibility, given some of these choices.

There are other cloud providers that are differentiating based on their ability to expose, via API or direct hooks or virtual tapping capabilities, and give you back some of the capability and plumb in virtual appliances, right? But again, you’re dead-on. A lot of the monitoring, say squeezing the balloon problem or, as I call it in my reference diagrams, the Security Hamster Sine Wave of Pain, right, where we invest and how we invest in the compensating controls is really a function of what is made available to us in terms of speeds and feeds being able to keep up and actually peer inside the data.

So as the definition of the network changes from a physical network that gets abstracted into a logical representation thereof where you only see chunks of it and you can’t really get good coverage, you may have to essentially redeploy things at the host level, which gives you a security-scalability problem from a management perspective, right?

And we’ve been playing this game for a long time, right? Host-based agents, 27 agents, 1 super agent, and then the network speeds and feeds catch up and they do well for a while; but then we encrypt everything we can’t see inside it again, and we go back and forth. That’s kind of what’s happening with cloud, and the notion of baselining what is normal when, as you say, a lot of this traffic doesn’t traverse the, quote/unquote, “network” and it’s external to the things you manage and have visibility for, makes monitoring and management in the traditional sense very, very difficult.

In fact, Rich Bejtlich just brought up a post last night that was talking about monitoring in IDS and, in fact, forensics in the cloud and using things like let’s just say a NetWitness product that does full packet capture and replay. The need to, for example, deploy big, fat reverse proxies that cloud providers are doing in order to capture trends over VPN so you can actually truck that back to a central site to do capture and replay or apply policy is kind of what’s happening again. It’s the reinvention of the inside-out model via overlay VPN. It’s a very interesting dynamic that we’ve seen a couple of times before but is happening because of cloud again.

Amrit Williams: Well, let me — you said something very interesting I want to dig at just a little bit because we, having Security backgrounds that we do and also dealing with infrastructure management, it’s not uncommon for organizations to look at Security in a very different way than we would. And you said that there were a set of providers that were differentiating on providing APIs that would allow folks or hooks into the applications that would allow folks basically to plug in their own virtual appliances so that they could get some level of visibility back.

Do you see that as really becoming quite a prolific requirement, or is this still on a fringe? I mean, clearly guys like Bejtlich, I mean, that’s his life, right? His life is monitoring for the most part. So it’s not — I wouldn’t be surprised if he’s dedicating a lot of time to try and evangelize ways that people can get better monitoring with cloud computing. But do you think the average organization or the average folks within that organization that are infrastructure-management people understand or have the desire to make this a criticality, that this is a critical requirement?

Chris Hoff: I will answer this in the only way I know how, which is in the scope of the customers I’ve talked to, which are for the most part very large enterprises. And the barrier to entry for public –

Amrit Williams: Just to set that prerequisite, I mean, when you say “very large”, I mean, you’re talking about very large organizations anyway; so, people, this is not something you’re — you’re not generally interacting with a small –

Chris Hoff: SMB, yeah, yeah. No, I’m talking like Fortune… there isn’t really such a thing, but Fortune 2000, Fortune 500, Fortune 100, Fortune 50, that kind of size; nation-state government type, that sort of thing too. And I bring that up only because it’s to set context and appropriate levels of comments relating to the question you asked, which is the barrier to entry for using public cloud or private clouds that happen to be managed or hosted offsite from their physical premises. The barrier to entry is trust, and trust in this case I define as security, compliance, control, availability and reliability and privacy. So you kind of take all these pieces up and you look at this and see Enterprise Security Teams look at how they are currently regulated, which compliance frameworks they’re under, what their auditors and/or the compliance services allow them or don’t allow them to do.

And in many cases when they try to match up the readiness and availability of cloud providers against the need to be compliant, they notice a couple of things. They notice for the fact that, for example, if you want to pick — pick anything; but pick, let’s say, PCI, which talks about the need for either a WAF or code review, right? If their answer to that has generally been, “Oh, we’ll deploy a WAF”, well, the ability to do that in a certain cloud provider’s network in ways that don’t require them to completely re-architect their applications, which in many cases you have to do anyway for cloud, or buy a new product that fits in a cloud environment that prevent them in many cases from — this is just one example of what could be hundreds — of actually deploying in that environment. It’s a kind — I’ve kind of dumbed-down the case; but as a counterargument, these other cloud providers who take a platform that looks very much like the same virtualization and/or cloud platform or cloud-like platform is being deployed inside their infrastructure, and if these cloud providers deploy that, which allows them to get flexibility in how much of the network they expose, that the hypervisor exposes APIs to allow them to do virtual introspection, that they can plumb in virtual appliances, the same virtual appliances that they might start deploying internally, then not only do I have the ability to more easily pick up a workload from my internal infrastructure and move it out, but I can also pick up the corresponding compensating security controls or require that the provider deploy one, too.

So in the scope of the customers I am talking to, this is an enormous piece of the puzzle and is an absolute requirement, because they require monitoring, they require VPNs, intrusion prevention detection, firewalls, NTX, WAF, all of that stuff in a virtualized context or in a context where even if it’s not a virtual appliance that the provider has integrated the same capabilities — regardless of technology, the same capabilities — and exposed that via the platform. That’s the difference between today’s maturity of mass-market public cloud providers who claim to be, quote, “enterprise-ready” but don’t actually run any critical or heavily regulated compliance-based applications in their networks from customers who simply can’t or won’t, because those things don’t exist.

So reading between the lines here that this whole public/private cloud battle is really about the need to satisfy compliance requirements associated with how these enterprises are measured, which is whether you are compliant or not, period. I mean, that’s the first hurdle you have to get over. It’s not about is it more or less secure for most — in many cases; it’s do I pass the compliance sniff test first? Then we’ll talk about Security.

Amrit Williams: Yeah, that sounds very similar to how people look at internal security as well, unfortunately (laughing).

Chris Hoff: Yeah, exactly (laughing).

Amrit Williams: So let me, before I dig into the question I wanted to ask you, just take a moment, and for the audience’s sake, could you give a brief description of the difference between public and private cloud? And by the way, I know this is another very contentious area of definitions.

Chris Hoff: Oh, I don’t know if I –

Amrit Williams: But at a very high level (laughing), for the purposes of the conversation when you describe a public or private cloud, what are you referring to?

Chris Hoff: Well, let’s see. The great part about this conversation is that, as you say, it engenders lots of fabulous emotion that goes along with the answers; but I am going to make this as non-emotional as possible. So within the scope of how I like to refer to public versus private, I kind of build my definitions off of the NIST model, only because I think ultimately that it’s done the best job of unifying language associated with giving meaningful answers to this question.

So public cloud is really cloud-based infrastructure that is made available to the general public, where the notion of multi-tenancy means that you could have Coke and Pepsi sharing the same physical infrastructure isolated from one another; but you don’t necessarily have separately reserved or carved-off sets of infrastructure.

Private cloud, when we talk about that same level of isolation and control and ultimately ownership, what private cloud really talks about is that the infrastructure is operated solely for a single organization within the construct of how it’s governed, how it’s managed and how it’s carved off. That doesn’t mean that I can’t expand or contract within a known scope of compute network and storage resources — because I can, I can scale up and down — but it generally means that these are sets of infrastructure that is in some way dedicated either by policy, isolation or otherwise from mixing Coke and Pepsi.

So that’s why you can have — people confuse the word “public” and “private” with the words “internal” and “external” all the time. And “internal” and “external” are just adjectives that talk about where the resources are located. The things you should be focusing on are ownership and control, right? Who owns the infrastructure and/or who controls it? And when I mean “control”, I talk about policy, governance, that sort of thing.

So two great examples would be Amazon Web Services’ public cloud, which allows anybody basically who meets certain requirements like having a credit card or whatnot to sign up and use shared compute network and storage resources. You don’t know who you are sitting next to, you don’t have to worry about that; but the multi-tenant model is that, is a shared one.

Private cloud could be — a good example would be an enterprise that has been building their highly virtualized infrastructure where the notion of multi-tenancy talks about supporting different business units, and the evolution from just heavily virtualized infrastructure to true private cloud really talks about adding chargeback availability and self-service portals, both of which are now arriving on the scene to give you this true private-cloud capability.

I should also say that you don’t have to locate that infrastructure behind your firewall. It can be located and housed and even owned by somebody else but operated and controlled by you. That’s about as short as I can make it, but I wanted to provide some context for how I arrive at those conclusions.

Amrit Williams: And I think that’s completely fair, and I think the audience gets that.

Thank you for joining me today, Chris; and, everyone, thanks for listening. If you want to get more information from Chris, you can find him on Twitter @Beaker, B-E-A-K-E-R. You can visit his blog, Rational Survivability. You can also get more information on the Cloud Security Alliance at cloudsecurityalliance.org, and for those interested in working and teaching and learning about how to get kids to hack — and by “hack”, we mean just learn cool stuff — you can visit hackid.org; that’s H-A-C-K-I-D.org.

Announcer: You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening!
