Episode 94: Overcoming Compliance Requirements and Legacy Systems When Moving to the Cloud

Amrit Williams, BigFix CTO, continues his discussion on effectively using cloud computing at the enterprise level with Chris Hoff, Director of Cloud & Virtualization Solutions of the Security Technology Business Unit at Cisco Systems.


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Chris Hoff, who leads the Virtualization & Cloud Computing Strategy with Cisco, and has quite a prolific career that I will not be able to repeat here today. So I will simply say, welcome Chris!

Chris Hoff: Thanks man.

Amrit Williams: So what's interesting is, when you were talking a little bit about trust, I think this is probably not the first time, but this is the first time we have — again, not the first time, but where we have seen such a large focus on trust in IT, and it almost sounds like cloud computing, not being the only thing, but being a great driver towards trust becoming a commodity, and that people can actually trade in trust.

I don’t know if that’s probably an oversimplistic and naive way to look at it, but a lot of the rationale around why someone would move to cloud, ultimately there’s some element of trust that comes in that, when they accept that that’s the model they are going to take.

So I am very interested in discussing a little bit more about your experience and your exposure to some of the ways that people are overcoming or are being challenged by some of the compliance requirements when they start looking at cloud computing resources.

Chris Hoff: Wow! By the way, that was — trading and trust, I am going to totally steal that, I think that’s a fantastically elegant way of stating, what in some cases might be obvious to some, but is just such a big problem for the market in general.

So how are people — and I guess I have to ask, when you talk about people overcoming their fears or concerns, which people; security, IT, compliance, the business? I mean, I think each of them has a different perspective on what they are “afraid of”.

Amrit Williams: Ultimately, I think by people I mean the business itself and I was probably poorly worded, because I think it doesn’t really matter what Joe Admin thinks about if the company is going to do it, he kind of needs to toe the line and do it, what needs to be said. But ultimately, somebody needs to make a decision that we are going to allocate resources and we are going to allocate dollars to an initiative that has to do with cloud computing, and at some point they get exposed to the compliance challenges. So I mean, people is probably the poor word, I meant organizations as a whole.

Chris Hoff: Yeah. So I mean, even breaking that down further, I think in many cases, business people and lines of business, that if they are responsible and own the expenses associated with computing, are very interested in understanding why their company, their IT department, is not moving to cloud, because they read on Page 3 of the ‘Wall Street Journal’ or even Page 1 that, look, it just saves you so much money. And when we talk about cost efficiencies and agility and time to market, these things matter.

Clearly, however, when they ask IT, the folks that are supposed to — if they ask them at all, by the way, right? And I am not sure how much of this is really one of those urban myths. I continue to hear how like these rampant tribes of business people that are just running out with a credit card and spooling up applications on Amazon, which to me appears to be complete bullshit, because you have to still understand and know how infrastructure functions to make that work.

I can see that on the SaaS side, like you just go to Gmail, great, I get that, but I am not sure how much of this, I just ran out and replaced 300 servers with a credit card overnight and I am Bob from Accountemps, I don’t see that happening a lot. But certainly what we are saying is, hey, our email system at work sucks, why don’t we use Gmail; pressure, pressure, pressure. And these are all valid things, right?

So I think on the SaaS side, people can and do make an excellent business case for cost efficiency, especially when something is free. Now, that’s kind of the hard cost. The soft cost is associated with support. What happens when something bad happens is usually not taken into consideration.

But in many cases, the business — and these large organizations, they kind of get the basics of risk management, risk assessment, they know what’s core to their business and what isn’t. They generally know, ooh, this is something I should ask about, in these larger companies. I mean, some people would argue that, that doesn’t happen, but for the most part my experience has been that they have been generally good about looking at the opportunity, gathering data, and then going to IT saying, why can’t we do this? Tell me why it’s a bad idea.

That happens quite a bit with SaaS services. We have seen that with Salesforce, we have seen that with CRM and email solutions. Applications that are used daily, that in a way it’s funny, in many cases people say, well, email is not critical. I was like, yeah, try going without email for three days and tell me how critical that is.

But they talk in group applications and the things like our sensitive financials, email. At some point you could say that to an organization that sells things, your customer lists are pretty darn sensitive.

(00:05:01)

So depending on the model, we have a lot of stuff being pushed into SaaS, and they are overcoming their “fears”, the businesses, because it’s been generally getting more reliable. They pay more attention to security, because they are responsible, as we already talked about, for the entire stack, generally.

So we have had for the most part some reasonably good experiences, business and personally, with SaaS. That is proceeding nicely. It’s when we get into the platform and infrastructure-as-a-service, which is relatively new from the perspective of what cloud and the operational models mean, to where, done improperly, not understanding that in many cases to take advantage of these architectures you have to completely rearchitect your applications, which impacts operational models, support models, security models, risk management models, all of these things change, and this generally happens more on the platform and infrastructure-as-a-service side.

So what’s happening is, to kind of get over that “fear”, this isn’t so much a business person’s reaction, but more like the IT department’s or the app groups that support the business units, they take noncritical apps or test and dev, and they dip their toe in the water and they try it, where they move noncritical, just kind of even noncritical web applications that don’t transit in heavily regulated information, they put those online. Cutting low-hanging fruit of things that would otherwise just cost money, for which you really don’t need to purchase infrastructure.

So as those things progress, people get more comfortable with the benefits of cloud, but it’s still, as soon as you hit that line, that giant four-letter word of compliance, where anything that is heavily regulated or even is regulated, by something that would prevent me doing business, if I got a finding on it, that’s the thing that causes things to come to a screeching halt.

So in many cases, even if IT would agree that it is a perfectly reasonable platform, that I could make just as secure, if not more secure, that I could reduce cost, get better efficiency, help grow the business, focus on running the business instead of building the business, even if IT agreed, and even if security agreed, the day the auditor shows up and says, you fail because we don’t take into consideration, you don’t meet these requirements, because our regulatory compliance frameworks don’t take into consideration this disruptive innovation, that sucks. That’s what’s stopping these folks.

So even when you have an enlightened set of organizations, they are still being stalled today by what they can or can’t do. That happens to me, to be quite frank with you, in interviews with these big customers, more often than not. You have got a bunch of people who want to do the right thing, who want to focus on the things that matter most, and they end up not being able to, which stinks.

Amrit Williams: Also, we have another problem is, we have a lot of precedence here, I mean, when we look at compliance. I mean, we are a common law country and so we always look for the last case that can help guide a decision, and unfortunately, I don’t think there is anything that’s unconstitutional with cloud computing, so we have to look for those cases we can turn to where something happens, and there’s just not a lot of them. So it’s a very, I think — it’s an unknown for a lot of organizations to say, well, what happens when the auditor comes, who do we look to, who has done this successfully, where is the model that I can turn to, to show, look, this is how it worked over there, why can’t that apply to me here.

Chris Hoff: Yeah, totally! What is worrisome about that is the spectrum of referential cases that we are looking at can span everywhere from being constitutional in nature, down to tort law and below and basic elements associated with eDiscovery and forensics and preservation of — we talked about monitoring and management before, and the legal implications thereof.

Like how do you — I am waiting for the first time, for example, that somebody has something unfortunate happen to them in a public cloud environment, in an environment where multi-tenancy, Coke and Pepsi, right? Somebody gets charged for doing something wrong in a shared multi-tenant environment, and I am waiting for the first time somebody brings on an expert witness that asks for mathematical proof, that the isolate — or just proof, positive, that the isolation capabilities of a piece of software, vis-à-vis the hypervisor, is such that they can prove without any reasonable doubt that there was not corruption of memory, corruption of the networking space, corruption of storage, or leakage between them, that would in any way suggest that this could have been somebody else acting on my behalf or acting in proxy, as it relates to this image.

(00:09:52)

I mean, when we think about the trust model, with both virtualization and cloud, we predicate the entire operational sanctity of these environments on pieces of, albeit modern and thin, but pieces of software, that in many cases have not undergone a lot of public scrutiny and in some cases haven’t undergone any, because of the proprietary nature. And it’s a violation in some cases to even reverse engineer. So it could be a DMCA and other things.

So here we have, essentially, I can imagine the first day at court when somebody says, you know what, it wasn’t me, prove it was me. You can have all the logs you want saying, came from this IP address, and this virtual machine, and that person owned it, but it comes down to somebody saying, the isolation driven by software, and even in part by hardware, that’s why we have things like Common Criteria. With EAL it was up to 7, where people have to do this ridiculous mathematical proof statements, and these hypervisors aren’t certified under things like EAL or Common Criteria, because they just aren’t, for the most part.

I think the most we get up to is 4 and 4 plus for most of the commercially available hypervisor platforms, and some of the ones that are proprietary, like these mass market clouds, aren’t certified at all.

So that’s going to be really, really interesting when we start seeing the first cases of the abuse of these trust models from the perspective of modeling.

Amrit Williams: It’s going to be fascinating once these things happen, because they will happen. I mean, we are certainly going to see one of these big events. I am sort of surprised one hasn’t happened yet, or maybe one has and it hasn’t been made publicly available, I don’t know. But since we really are working at a trust model here, I think something like that will really start shaking up people’s perception of how viable something like this is.

And quite honestly, at the end of the day, this is a fantastic model. I think it’s very exciting to be a part of it, to see it happen, is really phenomenal. I mean, we are going to see things happen in the next 10 or 20 years leveraging this concept.

Chris Hoff: Yup, I agree. Now, you and I can both put on our security hats and issue the but, right? That’s the duality between that consumerized perspective and the IT perspective. Like there are so many awesome things that come out of this. Like I am so incredibly pro-cloud computing, it’s not even funny.

But then, most people disassociate my love for that, and the fact that I run — I happen to have applications that I have written and deployed on multiple clouds. I use it every day, I use these consumerized services every day. But that gets overshadowed by the fact that when I put my security hat on and I say guys, again, we are building — those who fail to learn from the past are doomed to build upon it, and we are building on 40 years of evolving, but imprecise and generally as secure as it was needed to be the function sets of infrastructure, metastructure and infrastructure.

And that’s the challenge, right? In general, enterprises don’t get a chance to do a do-over. This is where Amazon and Google and folks that get to start from scratch and build their own hardware, their own software, their own operating systems, and file systems, have been able to make leaps and bounds to where one could say that the operating system as a whole; the infrastructure, the applications, the protocols, all that sort of thing, packaged as a whole, probably are more securely run and operated than an enterprise, because they don’t have 20 plus years of legacy crap to maintain.

It would be great if we could all just kind of reboot. But that’s part of the problem, with, again, the expectations of the enterprise. We don’t just get to rewrite every single application and move it over to take advantage of this stuff. We have got so many — I think the average large enterprise has something like four-and-a-half versions of every app running on their networks, and there is somewhere on average of 600-2,000 applications per large enterprise. That’s a boatload of anchors from the last 20 years, right? Lot of it custom-written, lot of it on platforms, mainframes even, things that just unfortunately don’t move over so easily or as quickly as we would like.

So I think the thing isn’t existing enterprise model for compute versus cloud, but it’s the messy stuff in between, that when I put on my security hat and maybe you put on yours, is the thing that really just starts driving me nuts.

Amrit Williams: I mean, one of the things we have in security, I mean — I think I was talking to Jeremiah once, and he is like, gosh, I hope we don’t solve this, because then I don’t have a job. And I said, Jeremiah, trust me, you are always going to have a job. Because even if we look at — there’s going to be a day where I can log onto the Internet and I can program my toaster to make sure I have warm toast when I get home, but as soon as that happens, some 15-year-old kid in Scandinavia is going to burn my toast, right?

Chris Hoff: Yes!

Amrit Williams: So there’s always some way that someone is going to figure out a way that will make sure security people have jobs. But what I find fascinating about all this, and I wanted to dig in a little bit in something you said is, a lot of the infrastructure that we use today is fundamentally flawed in terms of security. I mean, whether it’s our routing infrastructure, whether it’s the operating systems themselves, even some of the hardware capabilities that we have are flawed. And it’s because of all this legacy stuff that people are cramming on top of it.

(00:15:02)

You made a statement that a lot of these companies are able to start from scratch. Do you think that they understand the security implications and build out against those requirements as opposed to try and layer it on top later, which is the problem we are currently facing in most infrastructures?

Chris Hoff: In the example of the two companies I mentioned, specifically Google and Amazon, I think that of what I do know, both from the perspective of people that I have spoken to, as well as their general response and how their systems operate, in terms of being a consumer, I think that they have paid quite a bit of attention to security and security models. To the point that in many cases the things that would give you great amounts of concern have been abstracted to the point that they — it’s like rounding off the sharp edges on a table.

A lot of these things have been blunted, such that the attack surface has become much less pointy. Based on lessons that they have learned, and as well as what is required, in many cases, from their target audience which is good enough security, whereby — and it seems kind of counterintuitive, but in many cases, depending upon the service and what’s offered to you, and which delivery model, I think a lot of the new emerging truly cloud providers, and this gets into the technical detail, versus just kind of plain old web apps that have essentially grown out and had the word cloud plastered in front of them, a lot of these vendors like Amazon have really taken this notion of what works, what doesn’t, what do I need in terms of the bare minimum requirements to move traffic and move it as securely as possible?

And they have done a reasonably good job of designing and looking at like software-driven network fabrics, provisioning and governance and orchestration systems, all the automation and really programmatically addressed a lot of the things that we otherwise, with a much richer set of features and functions in an enterprise class product, so many more switches and knobs you can flip and turn, so many more things that, for example, with extra code have been there in bloat to support legacy requirements, I think they have actually done a pretty good job.

But again, I want to be really specific about the difference between somebody who utilizes technology and operational and infrastructure models that are truly cloud computing in nature, that were built from the ground-up, for scale, for extensibility, agility, self-service, those sorts of things, versus a service that has been around for 8, 10, 15 years, that started out as hosting or as an application ASP, that to be convenient from a marketing perspective has none of the characteristics of cloud computing from the perspective of how you might go through NIST’s definition; no measured service, no rapid elasticity, no resource pooling, not on demand. Doesn’t reflect any of the true kind of definitions on the technical side of cloud, but rather just had the word cloud splattered in front of it, because it was a good marketing term.

I divorce the latter examples from my answer and say that, no, they deal with all of the problems that automation brings and all the crap that they had to maintain with their legacy hardware, at least the newer guys do not.

Amrit Williams: And it also looks — I mean, some of the stuff I have looked at shows an abstraction of what was previously very interconnected elements in two disparate units, which I think is really good. And then taking those disparate units and isolating them from each other, so they are limiting the ability for sort of this cross viral infection type of thing that we have seen a lot of lately.

So that’s exciting, and I think that’s something that will hopefully get adopted into regular commercial practices as well, and not just offered by the cloud computing guys. Because that is a model that, unfortunately, I think we need right now. Everything is so interconnected, even just at the operating system level, that this ability to isolate abstract and try to segment things off from each other, it’s sort of key to how, when you go back to what you were talking about with multi-tenancy and trust, those things become really key, and so hopefully we will see that better adopted as well inside of just commercial practices.

Chris Hoff: Yeah. I mean, we have a lot to thank at the infrastructure and platform level. We have a lot to thank virtualization for in that regard, in the last four or five years has really taken the lessons we have learned with virtualization from the past and made a lot of this stuff a reality.

The counterpoint to that is, when you look at some of the Software-as-a-Service models, they are not actually based on, or they don’t utilize virtualization, their definition of multi-tenancy is something done at the application or database layer.

(00:19:54)

So again, I think I agree that ultimately this isolation is a good thing. How it’s done and how transparent the methodology and technology used to implement that stuff, I mean, a great example is Joanna Rutkowska; somebody that originally had a hard time accepting the way in which some of the research was marketed. But I kind of looked at ultimately the evolution over time of what the message was supposed to be, which is, look, even when we start trusting hypervisors or even the chipsets that do some of the extended virtualization capabilities, her research, and her team’s research, that kind of introduced the notion of reasonable doubt relating to your trust and how these isolation mechanisms are deployed, ought to give us pause, even when we look at how good one of these new style cloud providers may be in terms of their ability to isolate, they still have to deal with the laws of physics, and they still have to deal with the fact that in many cases they are using commodity hardware, and software in some cases, to deploy their services.

So I am not writing a blank check saying, by default they are more secure. I am saying, they have done I think a better job in threat modeling, in understanding what has worked and what hasn’t in the past, and what has introduced security problems. And most of these providers who are staking their business on the fact that they have to maintain integrity and availability, and in most cases confidentiality too of the stuff running on them, their entire business model is based on that.

Could you imagine? I mean, all it would take today to set the entire cloud market back, and I mean that holistically, in that one ugly bucket of everything cloud, and I pray this never happens, but if Amazon Web Services were to suffer, for example, an attack, or even just suffered from a vulnerability, not even maliciously exploited, but one that’s accidentally exploited, whereby the isolation provided, which is the entire core tenet of why you should trust doing business with them, but if they suffered a breach or an issue there, that allowed or exposed one customer to talk to another or vice versa, the entire premise for why you should trust any amount of cloud or virtualization would be set back ten years.

So for all of us, from the perspective of using and consuming, as well as securing and providing cloud-based services, I hope they have done a very, very good job. But we, in some of these cases, don’t know, because they are not — these companies operate in a very nontransparent, non-communicative way, which unfortunately, for the security community is the worst thing you can do, right? Not talking to us, not telling us how you do things, and just pointing me at a SAS 70 Certificate, that’s not going to help your cause.

Amrit Williams: Thanks for joining me today Chris. And everyone, thanks for listening. If you want to get more information from Chris, you can find him on Twitter at Beaker. You can visit his blog, Rational Survivability. You can also get more information on the Cloud Security Alliance at cloudsecurityalliance.org. And for those interested in working and teaching and learning about how to get kids to hack, and by hack we mean just learn cool stuff, you can visit hackid.org.

Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening.
