Panel Looks at Next Gen Security
February 27, 2012, Cloud Security Alliance Summit, San Francisco—A panel reviewed the next generation of cloud security devices and services. Philippe Courtot from Qualys moderated the panel, whose members included Don Godfrey representing Zscaler, Matt Johansen from WhiteHat Security, David Lingenfelter from Fiberlink, and Patrick Harding from Ping Identity.
What is the current level of comfort with cloud security?
Lingenfelter responded that people are less comfortable with some facets of security in the cloud. Consumers are leery of the various issues, while the providers may be getting better. We don't know whether or not the government will become involved.
Johansen agreed and added that there are challenges in determining what data exist and the discovery of existing assets.
Existing systems have holes; does moving into the cloud or web apps change this?
Lingenfelter answered that web apps are the front door to all data problems. Clients are unsure of the number of web apps and try to manage all entry points to the data. Security is not easily tested at scale, so data integrity and security must be monitored all the time. Nascent technology for continuous monitoring is vital.
Enterprises try to catalog applications, while providers offer a more constrained environment. How do these differences affect the ability to harden apps for all users?
Harding suggested that the cloud doesn't solve security, and security-as-a-service applications are fairly hard to develop.
Move to reverse proxy?
Harding continued that the reverse proxy approach to security issues has other problems. It forces all traffic through IT, though, so there are access control, filter control and implementation issues.
Johansen noted that reverse proxy creates a single choke point in serving apps through the firewall.
Identity on the web?
Harding offered, for ID in the cloud, that passwords are the Achilles' heel of security, and other protection is not very useful after that first hole. New types of threats like malware, spear phishing and other attack vectors are increasing as more apps come online. Part of this is driven by the expanse of login forms and the preference of most users to use their corporate or other identity in public cloud environments. In the future, services will use a login form, but will use IDaaS with strong authentication that will have multiple factors, tokens, etc. This is an economic issue, since it's cheaper to implement an identity broker than to have all sites doing identification. The technology exists, standards exist, so we're just waiting for users to adopt these services.
Mobile payments are pushing a requirement for greater security as your ID is now equal to a credit card?
Harding suggested that the phone becomes your ID in the cloud. As a result, we will see chip-to-cloud authorization, where the phone plus biometrics will provide authorization. Within the next five years, we will see this in Europe and Asia.
Godfrey appended the statement that phone-based authentication will depend on whether this is a bring-your-own-device or corporate-provided platform.
The price for a massive adoption?
Harding suggested that the phone is not the only set of devices of concern. Biometrics have to be stored on the phone or other local device and not in the cloud.
Lingenfelter offered that new technologies will add more multifunction capabilities.
Who is responsible for addressing malware in phone apps?
Johansen offered that vulnerabilities are a function of the application developer and market provider. The stores should check security just like a supermarket. The ease of developing apps and getting them to market is still a young field and has no overview. Developers need to request only reasonable permissions. Security requires technologies like sandboxing, etc., while apps and extensions outside the sandbox should be allowed necessary permissions only from known providers and not from any rogue providers.
Lingenfelter agreed it is a large problem, and it changes to a malicious-apps-versus-coding-responsibility question. The stores have the responsibility to check, but developers need to be security aware. At the same time, the hosting solutions need to be included. Private app stores can increase security if they want to.
Can mobile be made secure?
Lingenfelter considered that they can be made more secure. However, the platform, operating system, and app developers all need to be security aware and deal with security issues. The approaches to security will have to change over time. This is not just a technical problem; it's also a business mindset issue. Business management has to change to define functions before they change policies.
Harding said that Apple changed the game by making the application and the phone connect. Because they control the entire ecosystem, they can leverage services and security. However, bring your own device has evolved into bring your own cloud, which is outside the scope of IT and security management.
Johansen noted that other users bring new apps into the managed IT environment.
Is technology changing too fast to manage?
Lingenfelter observed that mobile is the same as cloud.
Harding opined that APIs are the glue and access point to data, and are, therefore, a huge problem.
Harding offered that DNS is not able to scale, and is easy to bypass. The proxy server needs to change. DNSSEC helps, but is not being adopted yet.
Revisiting the reverse proxy question, who has the responsibility to secure the end points, especially as mobile becomes the cloud plus security as a service?
Johansen suggested a hybrid approach, since the app cannot address all modes, extensions and permissions. This will change with the end points, while the cloud layer will analyze you.
Harding suggested that a VPN is not sufficient.
Security as a service?
Lingenfelter stated that they put an agent on the device and work with the cloud. Accommodation is needed because 85 to 90% of mobile users are not on an internal net, but on WiFi or some other public carrier. These people need updates to their security.
Identity management and provider proofing?
Harding opined that proven models may not work, because reputation and policies don't exist for startups. The criteria for accepting a new developer have to include questions on backup, retrieval, storage, identity information, security, etc. There will be regulations in some of these areas. Identity vetting is important to check on claims.