A polemic on the issues and challenges confronting us in the domains of "security" and risk management, as system architectures move to include the Cloud. Keep an eye on the speaker Notes for each slide -- there's stuff in there.
Mark Masterson | http://jroller.com/MasterMark
Risk and Security in the Enterprise Cloud
Do you know what a “zombie” is?
Really?
How do YOU know that you are not a zombie?
Did you know that there is a whole culture of ivory tower folk who
spend their days trying to answer that question?
http://consc.net/neh/papers/dretske2.htm
http://en.wikipedia.org/wiki/Fred_Dretske
http://philsci-archive.pitt.edu/archive/00002546/01/caatkg.pdf
Hmm. Interesting. But, so what?
Do you know what the Principia Mathematica is?
“It is an attempt to derive all mathematical truths from a well-
defined set of axioms and inference rules in symbolic logic.”
http://en.wikipedia.org/wiki/Principia_Mathematica
http://en.wikipedia.org/wiki/Bertrand_Russell
Did Russell succeed?
No.
In fact, he not only failed, his failure provoked one of the most profound insights our species has
ever achieved…
Kurt Gödel’s Incompleteness Theorems
http://en.wikipedia.org/wiki/On_Formally_Undecidable_Propositions_of_Principia_Mathematica_and_Related_Systems
http://en.wikipedia.org/wiki/Kurt_Gödel
Right up there with evolution and relativity, on the “wow, this is a big
deal” scale.
So, what did Gödel figure out?
No formal system extending basic arithmetic can be used to prove its
own consistency.
Hmm. Interesting. But, so what?
No formal system extending basic arithmetic can be used to prove its
own consistency.
Formal system extending basic arithmetic.
Umm, dude. That would, eh, be a computer?
Because computing is a mathematical model…
Computer people tend to assume that such models are not only
necessary…
But also sufficient. In other words, they assume that knowing the
model means absolute control over the results.
http://en.wikipedia.org/wiki/Kurt_Gödel
LOL!
Consider the classic way of defining “risk”…
Risk exposure (RE) = probability(loss) * magnitude(loss)
http://books.google.com/books?id=0RfANAwOUdIC&pg=PA800&lpg=PA800&dq=risk+exposure+re+formula&source=web&ots=pENn1no-zn&sig=Xe72BRymob2ftXlp4CciUr-ly-Y&hl=en&ei=QquNSfLdMob00AXB4OGcCw&sa=X&oi=book_result&resnum=5&ct=result
(The Handbook Of Information Security)
That formula is not wrong, but…
Some people assume that they can leverage it, and others like it, to
“prove” that a complex system is “secure”.
They take comfort in arithmetic.
http://en.wikipedia.org/wiki/Kurt_Gödel
LOL!
And recall…
What’s “the Cloud” got to do with this?
It increases the complexity of the overall system.
Makes an existing problem more urgent.
Ludwig Wittgenstein, a fierce critic of Principia Mathematica,
conceded that it was useful, but only in the small.
To the extent that naïve use of the Cloud scales systems up beyond “small”, it forces us to confront a
problem we may have been able to ignore.
http://www.flickr.com/photos/rachels_secret/220269351/
So. What to do?
There are essentially two approaches: 1) try to build out the
existing, Russellian, “defense in depth” techniques.
http://en.wikipedia.org/wiki/Kurt_Gödel
LOL!
Or 2) find ways to design systems that cope gracefully with
uncertainty.
This also implies finding ways of decomposing systems, and
applying techniques to cope with risk and uncertainty, in the small.
Not this…
http://www.flickr.com/photos/peterpearson/347124844/
But this…
http://www.flickr.com/photos/euthman/2989437967/in/set-72057594114099781/
I know what I’d bet on.
Is anybody trying to do this?
Yes! Good examples abound.
The U.S. DOE published an excellent report in December: “A
Scientific Research & Development Approach to Cyber Security”.
http://chas.typepad.com/dli/2009/01/cyber-security-rd-needs-for-doe.html
The Jericho Forum, part of The Open Group, is doing important
work in defining models of security and risk that don’t ignore Gödel’s
LOL.
https://www.opengroup.org/jericho/about.htm
And, in a shameless plug, CSC’s report on “liquid security” contains lots of information, particularly in
the section on “Living on the Web”.
http://www.csc.com/aboutus/leadingedgeforum/knowledgelibrary/uploads/LEF_2007DigitalTrustVol5.pdf
So what are you telling me? That everything I thought I knew about
security is wrong?
No. Not exactly.
I’m asserting two things…
1) Many (many!) people in the ICT trade think that things like the
limits of mathematics or cognitive science are irrelevant to their work.
They are wrong.
Fundamentally, engineering is about knowing and respecting the
limitations of one’s materials.
ICT systems are built with software being one of the key materials.
And software is thoughtstuff.
For an engineer of thoughtstuff, the limitations of mathematics and
cognitive science are the limitations of the material.
Russellian assumptions underlying “defense in depth” approaches to coping with risk need to be made
explicit, because…
“Defense in depth” not only will not achieve its stated goals…
“Defense in depth” cannot achieve its stated goals.
http://en.wikipedia.org/wiki/Kurt_Gödel
LOL!
2) Because of that, we ought to study complex systems in Nature,
learn how those systems cope with risk, uncertainty and so on, and
apply those lessons to ICT.
We need to stop thinking in terms of “security” and start thinking in
terms of “health”.
This is already true in your enterprise, if your systems
landscape is not “small”
http://www.flickr.com/photos/rachels_secret/220269351/
It will become true, at the latest, once you begin to expand your landscape to include the Cloud.
So is everything we’ve got useless?
Of course not.
But we can’t go near the Cloud until we’ve fixed this?
Fortunately, that’s also not true.
You can use the Cloud now.
And that will be just as safe – as healthy – as you already are.
Like this…
You use existing, familiar tools, like VLANs, VPN tunnels, encrypted
data (including storage), IPSec, and the faithful firewall.
You will likely run into the following problems:
1) Static, manual configuration and management of your network and
security infrastructure will probably not scale with demand.
There are tools on the market, available now and emerging, to
meet this demand.
CohesiveFT VPN-Cubed, Cloudswitch, the next version of
Cassatt, etc.
2) Static, manual processes to provision and manage VMs will probably not scale to demand.
You will find yourself wanting to archive (versioned) VMs, ensure VMs have specific attributes, and otherwise maintain governance.
But you will also need a way to maintain the “self-service” factor,
or risk torpedoing a significant part of the value proposition of the
Cloud.
Again, there are tools available and emerging that can address some of
these needs…
CohesiveFT ElasticServer, rPath, VMware, Enomalism, Elastra,
3Tera, many others
These tools have widely divergent solutions to these problems – choosing one involves many
tradeoffs
You are likely to find that you want a coherent, unified platform to
deal with both build- and run-time aspects.
And you are going to need to find a way to utilize multiple providers in parallel, if you want to be healthy.
RAIC – Redundant Array of Independent Cloud Providers
http://en.wikipedia.org/wiki/RAID
RAIC “solves” the problems of data portability and lock-in, whilst
simultaneously increasing reliability, flexibility, and
potentially, performance.
Diversity = health.
Hmm. What about the orchestrator? Single point of
failure?
Yes.
So you have to ensure that it is designed to be healthy.
Available and emerging things worth considering in the context of
the orchestrator include…
Eucalyptus: http://eucalyptus.cs.ucsb.edu/
UCI: http://code.google.com/p/unifiedcloud/
Ubuntu: https://wiki.edubuntu.org/UDSJaunty/Report/Server
GridGain API: http://www.gridgain.com/product.html
And also take a look at things like:
Puppet: http://reductivelabs.com/trac/puppet
Chef: http://wiki.opscode.com/display/chef/Chef+Solo
AMQP: http://en.wikipedia.org/wiki/Advanced_Message_Queuing_Protocol
Hadoop: http://en.wikipedia.org/wiki/Hadoop
… and so on.
That’s a lot to digest, but a picture of how to bring the Cloud inside
the firewall emerges from it.
What about using the Cloud outside the firewall? What about,
for example, collaborating with external partners in the Cloud?
Well, that’s where we all want to go.
But we can’t get there – safely and in good health – until certain hard
problems are solved.
Problems like federated identity, for example.
Those kinds of problems cannot be solved via Russellian techniques.
And to the extent that current approaches embody Russellian
assumptions, they cannot succeed.
So, no collaborative Cloud?
Not necessarily, but you will have to be aware of the context.
Think differently.
For example, concepts like “firewall” embody Russellian
assumptions, and are only useful in the small.
Instead, consider concepts like quarantine, sterilization chambers
and disinfection, for example.
Safe = healthy.
Join the conversation:
http://groups.google.com/group/cloud-computing/
http://groups.google.com/group/cloudforum
http://tech.groups.yahoo.com/group/cloudcomputing-tech/
… and please come talk to us, as well …
http://twitter.com/mastermark
http://twitter.com/gblnetwkr
http://www.jroller.com/MasterMark/
Thanks!