Dan Blum
Research VP
19 years at Gartner
33 years IT industry
Dan Blum, a VP and distinguished analyst, covers security architecture, cloud-computing security, endpoint security, cybercrime/threat landscape, and other security technologies. Mr. Blum has written hundreds of research…
by Dan Blum | April 16, 2012
In a recent “botnet brouhaha” post Brian Krebs found that Microsoft stirred up a hornet’s nest when it moved aggressively through a civil law procedure (rather than the more cumbersome criminal law system) to shut down some Zeus and SpyEye botnets. Microsoft’s side of this is that the company is working to degrade the criminals’ operations. However, some security researchers argue that Microsoft staged an ineffective PR exercise for itself and accomplished nothing more than to compromise ongoing investigations by misusing information the community had shared in good faith.
I’m not here to say who’s right and who’s wrong in this debate, but I thought I’d share it with you to show how complex the world of threat intelligence and security information sharing can get. Reading through the comments on Krebs’ blog feels more like an exercise in collective dissent than collective defense. It’s sad to think that as a result of a company trying to take action against criminals, members of the security research community may trust each other even less and share even less information than they did in the past.
This quarrel may make the security community look like a lot of squabbling mercenaries, but I don’t think that’s the reality for most of us. Some people at Microsoft probably thought they were doing the right thing, but some security researchers may genuinely have been prevented from doing work that they also thought was good. It’s possible that both arguments have merit. Perhaps we shouldn’t begrudge Microsoft some PR kudos if it strikes a blow against botnets, and we should also want the security researchers to be rewarded for their work and information sharing.
How can we strike a balance between the need to take quick action to operationally degrade cybercrime and the need to keep chipping away at the problems of attribution and longer-term investigation, prosecution, and deterrence? This should not be an either-or equation. Both short-term and long-term action are needed.
How can we (the security community) establish protocols and networks of trust for sharing to help us work together more effectively in the common cause against cybercrime?
by Dan Blum | March 29, 2012
Last week I was closeted in our Cloud Adoption Contextual Research findings consolidation meeting. We were researching cloud adoption by the early adopters. We found a great variety of patterns, in some cases anti-patterns; enterprises are all over the map on risk management, for example. Perhaps this is only what one should expect from the cloud computing phenomenon we’ve dubbed “the transformation of IT.”
The security non-findings were interesting. None of the large enterprises from our survey reports breaches. They’ve seen no major disasters. Implementation issues a-plenty, and some outages yes, but no “advanced persistent threat” activity. From the security perspective the migration seems to be proceeding smoothly. Concerns are holding some organizations back, but it’s just concerns. These concerns, implementation issues and architecture changes are extremely interesting in themselves – and you may expect to hear more from me on that – but they aren’t the subject of this particular blog post.
Part of me was looking for breaches, and that dog didn’t bark, at least among the 15 large enterprises we interviewed. I also looked at other information sources to see how enterprises are faring in cloud security. For example, a survey of attacks by Alert Logic reports that enterprises that use both premise-based applications and cloud-based ones are finding fewer attacks in the cloud. Does that mean the cloud is more secure than the enterprise, or just that the other shoe has yet to drop? As I’ve written before, I think some cloud service providers (CSPs) operate with stronger security controls than many enterprises, but they face a potentially more serious threat landscape long term due to the risk that’s aggregated in their volume of services. Thus, CSPs must be more secure than enterprises.
Clearly, the realization of higher cloud risk from the aggregation has yet to materialize for most large end user enterprise customers. (Notice the careful wording to exclude the likes of Sony Playstation Network, which is a service.) But one has to assume that as large amounts of sensitive and valuable IT reach the cloud they will be breached much as they are (continually) on premises. Perhaps breaches of enterprise security objectives will be less frequent in the cloud but when they happen they may be larger and more spectacular.
So far the breaches we’ve seen from Amazon, Azure, and others are mostly outages impacting our availability objectives. Bad enough in themselves, but not yet trampling enterprise confidentiality and integrity like Operation Aurora, Shady Rat, Night Dragon, and Zeus did. I mean to say that while we’ve seen forceful browsing or phishing vulnerabilities from Amazon, Google, Microsoft, and Salesforce, these are still small potatoes that haven’t caused big losses. But it is inevitable that larger breaches of confidentiality and integrity will follow.
On the plains of the Serengeti wildebeests conduct their annual migration. Some are pulled down by predators, many survive. An interesting risk management question lies there: what is an acceptable loss rate?
Tags: cloud security, risk management
by Dan Blum | February 29, 2012
Only in San Francisco would Art Coviello end a keynote address to a security audience with those lyrics, which he called “the immortal words of Twisted Sister.” But the feeling of inspiration soon changed into questioning: Amidst information security’s gathering storm, how do we “fight” but still be “right” and “free”?
I found this question woven into the subtext of two RSA Conference presentations (so far) and then in some discussions over dinner last night. It started with calls for the U.S. National Security Agency (NSA) to be given more power to combat cybercrime.
First – Mike McConnell, a former Director of NSA kicked off the Cloud Security Alliance (CSA) Summit by saying that the U.S. has the most to lose from cyber-attacks. At one end of the spectrum is the chilling possibility that fanatic cyberterrorists who can’t be attributed or deterred obtain military-grade cyber-weapons and launch an attack. At the other end of the spectrum is cyber-espionage “where our IP is being taken from us on a regular and consistent basis.”
McConnell said that “NSA is doing better at its mission than ever before.” The agency has a clear picture into global activity, except that “the U.S. is a black hole” because by law NSA can’t conduct warrantless electronic monitoring there. Thus, threat actors could cover their tracks by diverting communications through the U.S.
Second – in James Lewis’s panel on active defense – another former NSA director Michael Hayden said “My instinct is that the NSA represents too much capacity to be [on the bench]. I’m comfortable with a dialogue that says, how do we want to get this team on the field?”
But other voices counsel moderation. Lewis asked “How did we get to the point that the best resources we have are in a top secret agency? It’s not too late to reverse course…”
Cut to dinnertime, I’m sitting next to Bob Blakley discussing the panel. We both agreed, by the way, on our respect for the integrity and skill of the people at the NSA.
But I noted my own confused frustration from time to time, that whereas some nations conduct industrial cyber-espionage as a matter of policy, the U.S. does not. Although many nations’ intelligence agencies spy on citizens or visitors if they sense a threat, the U.S. seems to be taking all the flak over the Patriot Act for putting it on the record. And yet former NSA directors are saying they don’t have enough authority. Haven’t NSA and other sponsors of the Patriot Act already gotten us into enough trouble with Allies? Or is the U.S. too idealistic? Some countries would just spy away and cynically deny everything.
But Bob countered: “What I love about this country is its idealism. I don’t want to lose that. I want us to be right.”
It was one of those moments when the scales fall from your eyes. You see that when issues get confusing, one must return to one’s principles. I felt like we can’t just give lip service to “a balance of security and privacy” or something like that. We have to keep on being, in the words of Ronald Reagan, “a shining city upon a hill whose beacon light guides freedom-loving people everywhere.”
So what does that mean? Getting better at catching cybercriminals will require more electronic monitoring, no getting around that. But why can’t monitoring be done with appropriate levels of accountability, transparency, and oversight? No one has shown why due process won’t work if you think outside the box. For example, what if an electronic search warrant could be implemented for electronic searches with fast enough turnaround time but full accountability? What if Patriot Act 2.0 could say that foreign governments, in general, would get notified when their citizens’ data is acquired from a provider via blind administrative subpoena – provided, of course, that government offered reciprocity for us?
We have to “fight” cybercrime and cyber-espionage, but we still need to be “right.”
Tags: cyberconflict, cybercrime, cybersecurity, cyberwar
by Dan Blum | February 20, 2012
Stuxnet. Duqu. DigiNotar. Comodo. The names of exploits and breached organizations reel past like dark clouds of a gathering storm. Cybersecurity programs spread ominously around the world. I’ve seen the importance of international cyberweapons control for some time and wondered why more people weren’t talking about it. But recently, a new voice from the other side of the world took up the call for a virtual détente.
I first saw Eugene Kaspersky on the beach in Cancun. Lulled to tranquility by tossing turquoise waves – like someone in a Corona commercial – I observed two individuals speaking Russian setting up microphone stands and cameras in the sand. I watched behind sunglassed anonymity as a few more came, one in a black jacket with bushy gray hair. As he sat on the contrasting white sand and began an interview I realized this must be THE Kaspersky.
Kaspersky’s Proposal
The next morning at his company’s analyst conference Kaspersky spoke about “The Internet as a military-free zone – A Dream or an Opportunity?” He began by saying that cybercrime has worsened, but governments now understand the problem and would solve it in a couple years. “I’m not going to talk about cybercrime,” he said, “I’m going to talk about digital passports, social networks, and cyberwar.”
Unlike some who would have a narrower definition of cyberwar, Kaspersky uses the term expansively. He once forbade his employees from even talking about cyberterror or cyberwar publicly. But after watching Hollywood portray the subject quite accurately in the movie Die Hard 4, he decided it’s time to tell the world.
Could Stuxnet’s sabotage of nuclear centrifuges be replicated on a broader scale against power plants and water plants? “I’m afraid yes.” Because so much of our physical infrastructure is Internet-connected and computer-controlled, it’s possible to stop critical equipment from working. Once, Kaspersky told the audience, he toured an Internet-connected experimental nuclear fusion reactor facility.
Cyber-weapons are easier and cheaper to develop than physical ones and cyber-attacks tend to be less attributable. A number of governments have cybersecurity programs and some have announced they are developing cyber-weapons. Still, we’re unprepared for cyberwar consequences and we can’t reasonably harden the physical infrastructure against cyberattacks anytime soon. Kaspersky warns that the major victims of cyberwar will be developed countries.
“We are living in a very dangerous world,” he said. “I do my best to explain this to governments.” The only way to avoid a “cybershima” scenario is to create an international agreement not to develop and not to share cyber-weapons. Nuclear test bans and restrictions on biological or chemical weapons show that treaties can be effective in curtailing arms races.
Time’s not on our side
Over the rest of the meetings in Cancun, I talked with people and explored implications and challenges of cyberweapons control. I’m concerned that the line will blur between well-heeled cyberterrorists and financially-motivated criminals. The subject Kaspersky didn’t talk about – how governments may come to control cybercrime – is interwoven with creating a viable cyber-weapons disarmament protocol. Without a way to greatly deter, attribute, and prosecute cybercrime and cyberterror, it might be too easy for bad actors to sow discord among the nations in much the same way as extremists on both sides of the Middle East conflict and other conflicts have sabotaged peace efforts.
With multiple countries already developing cyberweapons, time isn’t on our side. What if weapons leak to criminals, or are reverse-engineered? What if cybersecurity programs and institutions grow larger and more lucrative, creating powerful and entrenched interests (like conventional arms dealers and defense industries) for developing yet more cyberweapons and ever fomenting distrust among their nation state customers, if not actual cyberwar?
Do you start to see the complications? There’s so much to do, and so many competing interests, it boggles the mind. It’s enough perhaps to make some proponents of a cyberweapons treaty wish for an actual cybershima (picture cities without power for days, hospital generators failing, people in intensive care dying) that would foment public outrage to compel a solution.
But I fear the protocol that would emerge from a post-traumatic atmosphere even more than our current state of confused purposes and discussions. What if political support in the wake of cybershima built for retaliatory cyber-weapon programs rather than détente? What if cybershima led to a legislated state of panoptical government surveillance – something many fear is already in the making?
The only way forward
Should such worst case scenarios arise, events could spiral out of control. Official responses might take the form of arms race escalation, ride roughshod over civil liberties, or both. We might then see an escalation of conflict, with idealists and hacktivists taking up cyber-arms against the governments who are in turn in conflict with each other. Rather than an open but secure Internet with the transparency so many people are demanding, we might see escalating suppression of free speech and anonymity, growing darknets and chaos, an endless state of cyber-insecurity.
In my opinion, the protocols for cyberweapons control and law enforcement are linked. Both must operate in a form that enhances human dignity, privacy, and trust between people. It helps to know that problems and aspirations are similar worldwide; in Russia as elsewhere, restive hacktivists are compromising web sites, cracking email accounts, and dumping out embarrassing information. It is encouraging to find a voice from the other side of the world echoing sentiments I’ve long held myself.
Tags: cybercrime, cybersecurity, cyberterror, cyberwar, cyberweapons, foreign policy
by Dan Blum | February 2, 2012
Every day it seems that we have less control in the world of information security. Shadow IT rules some enterprises. Applications move to the cloud, IT’s buildings empty out, security staff are reduced to skeleton crews. While a regulatory tide rises across the world in a tower of Babel, employees and contractors in the enterprise embrace mobility by any means necessary. And the information sprawls. BYOD is touted as cost savings by some business executives.
In 2012 Gartner speaks of the nexus of forces – cloud, social, mobile, and information – yet for security staff this could be a dark place to stand, like deer in the headlights. Consumerization and compliance are at loggerheads. What happens when an irresistible force meets an immovable object? Will it mean the end of confidentiality as we know it?
Before I get into this I must give due credit to my colleagues. What I’ve loved about working at Burton Group and now Gartner is that I stand on the shoulders of giants. This blog post was originally inspired by Bob Blakley’s posts on the end of secrecy. And I would not even be doing this if another colleague, Eric Maiwald, hadn’t been inspired to take up Bob’s original topic as a potential 2012 Catalyst session.
So what does this perplexing notion actually mean? It can’t be that we just give up and stop data protection efforts. But it does mean that we have to change our paradigms. We should try to centralize data access with server-hosted virtual desktops and enterprise content management systems. But this can only partially hold back strong tides of data dispersion. We can monitor the flow of information with DLP. But malicious users will often evade surveillance – this is an old game of low assurance.
We can attempt some stronger techniques as I advised in my restricted zones blog entry – stop assuming that we can win the futile battle to 100% protect our endpoints and instead get more hard core about building fortresses, or secure zones, around our most critical data. Done correctly, this can reduce the magnitude of worst case consequences but still doesn’t represent a 100% compliance solution.
Yet compliance is a many-sided coin. It needn’t be achieved solely through security technologies. We can change the game by changing business processes; for example, some organizations have stopped storing credit card numbers. Our organizations can also use business process outsourcing, corporate subsidiary structures, and other business approaches to transfer risk or manage it in creative ways.
Creativity will be essential if the nexus of forces coupled with an ever-more challenging threat and regulatory landscape really brings the end of confidentiality as we know it. I recently heard the CISO of a large financial institution muse about “What we would do if all our controls still prove ineffective against the threats?” He spoke of then using business and information management techniques in the realm of espionage – counter-intelligence, deception – consciously and systematically varying the timing, audience, completeness, and accuracy of information flows, watching what happens, and adapting. This is not actionable yet – no more than a thought experiment. But could it represent the shape of things to come in the not too distant future?
by Dan Blum | January 13, 2012
Last week Gartner SVP Peter Sondergaard announced I’d won Gartner’s Golden Quill Award (2011): “Dan Blum’s coverage of security topics is deep and engaging: he is a fount of knowledge. His readers are drawn in by a dry sense of humor and attention to detail that shines a light on the many dimensions of security and risk management.”
I learned that the award was based on several documents I produced during 2011; Gartner’s Senior Research Board (SRB), comprised of the Chiefs of Research from all teams, judged the work as outstanding.
I take so much pride in this and the award because I enjoy writing. In fact, writing runs in the Blum (and Holmes) family; my mother, father, and at least one grandparent were authors. Already one of my sons is published as well!
Just one question – does this mean I now have to blog more often?
These were actually the documents that I wrote for Gartner in 2011 that the SRB may have looked at. I’ll provide a link to them and a brief summary for those who can’t access the Gartner research product.
Malware, APTs, and the Challenges of Defense
Malware is increasingly dangerous, and organizations must be vigilant. Even layered defenses that use the latest anti-malware technologies are not enough to eradicate the risk of APTs or automated malware exposure. Organizations must take proactive measures to operate in an IT environment that’s potentially already compromised.
Application Control and Whitelisting for Endpoints
Application control and whitelisting solutions can put endpoints into a stronger default-deny posture against unknown and potentially malicious software. Solutions come from a variety of market segments and, because they offer a potentially powerful endpoint protection alternative, are gaining mind share and deployment. Going forward, organizations should consider including application control and whitelisting in their endpoint security strategy…but recognize that difficult learning curves for administrators and cultural changes for users may lie ahead. Start with the easier, more static use cases and progress to the more complex, dynamic use cases using more advanced solutions that can handle changes in software, systems, threats, and user needs.
Determining Criteria for Cloud Security Assessment: It’s More than a Checklist
Neither enterprises nor vendors can support many-to-many audits long term. The Cloud Security Alliance (CSA) and other industry organizations are preparing standard cloud security assessment frameworks. Enterprises should demand service providers support the frameworks, but must also choose appropriate criteria to emphasize for given use cases. Gartner’s guidance helps organizations develop these criteria but significant work efforts lie ahead. Enterprises must model risks of specific use cases, factor cloud into security architecture, and specify service provider trust requirements. Also, organizations should instantiate repeatable architecture and process patterns for business adoption, vendor management, compensating controls, and assessment.
Endpoint Protection Platforms: Blending Security, System Management, and Data Protection
Traditional endpoint security markets for point solutions such as anti-malware, encryption, device control, and network access control are being eclipsed by endpoint protection platforms (EPPs). EPPs are available from vendors in the enterprise anti-malware, security suite, security and management, and security-as-a-service market segments. The market for EPPs is being disrupted by consumerization trends, handheld device deployment, and cloud-based delivery. Organizations must carefully consider their strategic direction and prioritize requirements before attempting to rank and select EPP solutions.
2012 Planning Guide: Security and Risk Management
Information security groups face economic volatility, a dangerous threat landscape, compliance and regulatory challenges, and sweeping changes across the IT landscape. Major macro trends in business and IT, as well as powerful security market drivers, are disrupting and transforming the security landscape. IT security professionals must think outside the box and establish versatile security programs that can adapt to trends such as mobility and cloud computing. But many traditional security practices — such as risk management, audit, zoning, and information classification — remain as important as ever.
by Dan Blum | December 28, 2011
“I’m sorry if I’m inconveniencing you and the teachers, but I will not allow a networked computer system to be placed on the ship while I’m in command,” said Commander Adama as I watched the first episode of 2004’s re-imagined Battlestar Galactica series. Immediately, I was hooked.
You see, ever since Gartner’s internal email post mortems starting in March 2011 after the RSA SecurID breach, I’ve been thinking that organizations should be more hard core about internal network security and administration than most actually are.
To understand why, consider this. The RSA breach followed a familiar pattern: intelligence gathering over social networks -> spear phishing email -> exploitation of Flash vulnerability to compromise a company system -> more intelligence gathering from within -> compromise of additional systems -> access to systems with critical data.
It’s the last link of the chain at least that I’d like to see our clients try to cut off by putting any systems with critical data (like the RSA token seeds database) into a Restricted Zone. In such a zone, these systems aren’t accessible from the Internet, or even by administrators on the “trusted” internal network using the same endpoints employed in “dirty” email and web surfing environments.
Here I have to stop and give due credit to Gartner colleague Jay Heiser, the first of us to say in one of those internal emails: “As long as people with access to [critical data] are sitting on Internet-routed networks, and are reading email and surfing on the same systems that they use for privileged access, then simple attacks using sophisticated code are going to be commonplace.”
I also have to stop and deal with a few potential objections:
1) “We can’t completely cut off the critical data (e.g. customers lose their account information and call the help desk in a panic.)” Understood, provide a single heavily-restricted query service that the help desk can use from a known machine for heavily-monitored and rate-limited access into the restricted zone.
2) “We’re augmenting our endpoint security and anti-malware filtering. That should be good enough.” It isn’t. Time and again, advanced malware has overcome endpoint security. And security departments are getting pressured to reduce endpoint security in the name of consumerization. Endpoint security is a worthy goal, but trying to guarantee that every one of thousands of endpoints is malware free is like trying to boil the ocean. Don’t fight this losing battle. Don’t let the systems used for email and web surfing in dirty environments have direct access to critical data.
3) “Administrators need to get in and fix the system during an emergency.” Sorry. It’s only an “emergency” if the organization doesn’t hire and train enough administrators so that someone is always available to actually come into the highly secured building, strongly authenticate, log into the highly-secured dedicated administrative console, and manage the system in a secure way.
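To make the answer to objection 1 concrete, here is an added example (my own illustration, not the author’s or Gartner’s design) of the single narrow query path into a restricted zone: reachable only from a known help-desk console, rate-limited per caller, audit-logged on every attempt, and projecting records down to a few exportable fields so the sensitive column (the token seed in the post’s example) never leaves the zone. Hostnames, account records and limits are constructed.

```python
import logging
import time
from collections import deque
from dataclasses import dataclass, field

log = logging.getLogger("restricted-zone-audit")

# Constructed stand-in for a data store that lives inside the restricted zone.
# Nothing outside the zone ever receives the "seed" column.
ACCOUNTS = {
    "acct-1001": {"owner": "A. Example", "status": "active", "seed": "SEED-1"},
    "acct-1002": {"owner": "B. Example", "status": "locked", "seed": "SEED-2"},
}
EXPORTABLE_FIELDS = ("owner", "status")  # the only fields the help desk may see


@dataclass
class QueryGateway:
    """Single narrow query path into the restricted zone (illustrative design)."""
    known_hosts: frozenset            # the dedicated, known help-desk machine(s)
    max_per_window: int = 5           # lookups allowed per caller per window
    window_seconds: float = 60.0
    audit: list = field(default_factory=list)
    _history: dict = field(default_factory=dict)

    def _within_rate(self, caller, now):
        """Sliding-window limiter: one timestamp per accepted request."""
        q = self._history.setdefault(caller, deque())
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        if len(q) >= self.max_per_window:
            return False
        q.append(now)
        return True

    def _record(self, caller, account_id, outcome, now):
        """Every attempt, allowed or denied, lands in the audit trail."""
        entry = {"ts": now, "caller": caller, "account": account_id, "outcome": outcome}
        self.audit.append(entry)
        log.info("restricted-zone lookup %s", entry)

    def lookup(self, caller_host, account_id, now=None):
        now = time.time() if now is None else now
        # 1. Only the known help-desk console may reach the zone at all; a mail-
        #    and-web endpoint on the "trusted" internal network is still refused.
        if caller_host not in self.known_hosts:
            self._record(caller_host, account_id, "denied:unknown-host", now)
            return {"status": "denied", "reason": "unknown-host"}
        # 2. The rate budget is consumed before the lookup, so misses are
        #    throttled like hits and a compromised console cannot enumerate.
        if not self._within_rate(caller_host, now):
            self._record(caller_host, account_id, "denied:rate-limit", now)
            return {"status": "denied", "reason": "rate-limit"}
        rec = ACCOUNTS.get(account_id)
        if rec is None:
            self._record(caller_host, account_id, "not-found", now)
            return {"status": "not-found"}
        # 3. Project the record down to the exportable fields only.
        self._record(caller_host, account_id, "ok", now)
        return {"status": "ok", "data": {k: rec[k] for k in EXPORTABLE_FIELDS}}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    gw = QueryGateway(known_hosts=frozenset({"helpdesk-console-01"}), max_per_window=3)
    print(gw.lookup("helpdesk-console-01", "acct-1001"))
    print(gw.lookup("laptop-with-outlook", "acct-1001"))
```

In a real deployment the audit entries would go to an append-only log outside the zone and the host check would be enforced by the zone’s network boundary as well as by the service.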
Yeah, I admit it, restricted zones may be a bit more expensive, a bit more inconvenient than business as usual. But breaches are even (much) more expensive and inconvenient. To pull a few more choice quotes from the 2004 pilot episode of Battlestar Galactica:
“You’ll see things that look odd or even antiquated to the modern eye. Phones with cords and computers that barely deserve the name. It was all in the face of an enemy who could infiltrate even the basic computer systems. Galactica is a reminder of a time we were so frightened by an enemy that we literally looked backward for protection.”
Maybe our “Adversary” isn’t as dangerous as the Cylons of Battlestar Galactica, but according to the Vanity Fair article Enter the Cyber-Dragon (and countless other articles about countless other breaches that I could go on all day citing) we seem to be a bit outgunned, at least for now. Let’s face this fact and use restricted zones as a starting point for enhancing the defense.
Let it be like “It’s all hands on in Galactica, Commander Adama’s orders.”
by Dan Blum | October 30, 2011
I feel that in the what hath we wrought? post I succumbed to the emotionalism around the cyberwar topic. This morning I was even thinking of changing the post to give it a more neutral bent, but I see Marcus Ranum commented on it, and if something draws his attention, it must be a good thing!
Anyway, to carry on with the closing thought in the wrought post, some security professionals seem to consciously or subconsciously avoid covering cyberwar – perhaps because it’s a difficult, inflammatory, and frustrating subject. Others plunge in for the professional opportunity. We will likely see many more of those.
Gartner analysts haven’t articulated any consensus position on cyberwar yet that I know of. So this one is just my own opinion: Security pros, organizations, and individuals should collaborate together more than ever before to peacefully resist both the threat of cyber-conflict and the regulatory or military over-reaction to it. “We” must resist through good security practice, information sharing, lobbying, and diplomacy.
And maybe the discussions of definitions that used to make me impatient because they didn’t lead to action aren’t such a bad thing after all. Avoiding “over-reaction” needs to be part of the “action.” I’m floating a suggestion in the title of this post: maybe we should call the problem “cyber-conflict” instead of “cyberwar.” The term is less exciting, but that could be a good thing when we’re in danger of a bit too much excitement.
Tags: cyber-conflict, cyberwar
by Dan Blum | October 29, 2011
Rain falls outside an office window on a grey October morning, as if to usher in a moody Saturday with little to do. So my thoughts turn again to cyberwar.
In an earlier post I wrote I was “fascinated with cyberwar”. As one might be fascinated with a dangerous animal…
Yesterday three articles flew like ill-omened ravens into my browser and email inboxes:
- Schneier on Three Emerging Cyber Threats: The Rise of Big Data, Ill-Conceived Regulations, and the Cyberwar Arms Race. Bruce focuses like a laser; his last point captures exactly my fear that an arms race would create a proliferation of weapons ultimately worse than the imagined war they were built for and perhaps ultimately caused.
- Brian Krebs – in Who Else Was Hit by the RSA Attackers? – lists 650 organizations attacked, points the finger at China, and notes Congressional interest in the matter. Law enforcement is key to protecting against cyberattacks, but we must be careful what we ask for. It’s best to wish the issue doesn’t become overly inflamed and for cooler, more deliberative counsel and diplomacy to prevail.
- On Techdirt, the “The Non-Existent ‘Cyber War’ Is Nothing More Than A Push For More Government Control” post forecasts a money grab, an endless “faux” war, and loss of civil liberties.
The last post inspired my “what hath we wrought?” mood. Shall I now join some of my colleagues who seem to consciously or subconsciously avoid covering cyberwar because of its most ominous connotations?
Tags: cyberwar
by Dan Blum | October 7, 2011
The Cloud Security Alliance (CSA) announced in late September that the Security as a Service working group has published its first white paper, “Defined Categories of Service 2011”. The purpose of this group’s research is to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service and to provide guidance to organizations on reasonable implementation practices.
The white paper covers 10 categories of service including:
• Identity and Access Management
• Data Loss Prevention
• Web Security
• Email Security
• Security Assessments
• Intrusion Management
• Security Information and Event Management
• Encryption
• Business Continuity and Disaster Recovery
• Network Security
I took a look at the white paper yesterday and found it interesting as a starting point that describes each category and provides a non-exhaustive list of “cloud” and “non-cloud” vendors in the space. It doesn’t yet, however, provide much discussion of how these services would actually be provided as “cloud” and how that would differ from premise-based implementations.
Future versions of the white paper need to add more discussion of what it means to provide these services in the cloud. This has to cover the use cases because many of these categories are pretty big. For example, what does it mean to provide web security in the cloud? A non-exhaustive off the top of my head list is:
• Secure web gateway
• Web application firewall
• Reputation database accessible from browser plug-ins
But that’s an easy one. Identity, or IAM, is harder. Here we have myriad use cases including multi-protocol federation gateways, attribute authorities, entitlement brokers, claims transformers, and many types of identity provider (IDP) services ranging from OpenID consumer services to high assurance IDPs.
These use cases need to be broken out and addressed individually before the cloud security service working group can really provide implementation guidance. In addition to use cases, the working group must consider architecture. What does it mean to provide data loss prevention (DLP) in the cloud? A secure web gateway service (see above) that acts as a proxy for mobile, roaming users could provide channel DLP for the web as part of its service. An “email security” service might cover another channel. But to really protect cloud-hosted data at the source, the DLP security service would have to integrate with major CSPs like Amazon, Google, and Salesforce. Then it would have to provide a common policy management and data discovery capability. Whew! One has to ask whether this is one service or bits of DLP capability strewn through many services; these would be radically different implementations.
Fortunately, not all categories are as hard to pin down as DLP. The working group has an opportunity to identify, divide, and conquer important use cases. There’s even the opportunity to recommend assessment criteria (based on the Cloud Security Alliance Cloud Controls Matrix) that providers could build to and customers could use to evaluate the services. Ultimately, that’s what I hope this group will start doing.
All this is a lot of work, but that’s the type of challenge an organization like CSA with thousands of members can take on. If you read this and you’re interested, know that you can get involved. The working group is open to new participants and it has a wiki through which volunteers can collaborate.
Tags: cloud computing, cloud security