Where is security heading to?

I was reviewing my notes about RSA to prepare a series of posts about what I saw there during last week. I've got a sense of disappointment since last Friday that was preventing me from writing anything good about it. I started to think about all this and also about some of the things that I see as key for the evolution of information security, and I end up with some thoughts that should be in a separate post. Another one about the RSA sessions I attended will follow. For now, let's try to solve all security problems :-)  If there is anything that shouldn't be ignored about current security (and IT in general) discussions is "the Cloud". A quick walk around the vendor booths on RSA would show that this is the hot subject of the day. Cloud Computing is the explanation about why things that were hot last year were not so strong this time. NAC and DLP were everywhere in 2008 (Anton noticed they disappeared too), now everything is "cloud based" and virtualization. In fact, when you consider the cloud services model you'll see that the priorities have indeed changed. One of the key concerns from security professionals until a few months ago was Authentication related issues.  Within the cloud, however, it looses some importance. Of course, applications still need to authenticate users, but if you try to authenticate all the IT components that you are interacting with in a cloud model, you are lost. At some point in the near future you'll probably be in a situation where you don't know where you data is being processed and stored (outside your organization - that already happens inside it :-)). So, the hot word today is "Trust", not "Identity". The cloud model is one of the signals that the Jericho Forum is reaching its goals. Now, more than ever, controls need to be on the endpoint and not on the network. And then, when all the security apparatus is on the endpoint, who that endpoint should trust on? A sad conclusion from this new world is that transitive trust is an illusion. Do you trust in the service provider of your service provider? The regulatory maze required to make transitive trust work on the compliance side and the immeasurable complexity required to do that on the technology side have condemned transitive trust in the cloud. We need something different if we really want to have information security commensurate to our risk posture in the cloud. But I'll come back to this later. Most of innovation presented during RSA could be seen as evolutionary innovation. There was no disruptive innovation at all. But I wonder if there is room for disruptive innovation in security at all. The abrupt changes (and disruptive innovations) come from other places, new business models and technologies. It is naive to expect that those new ideas will be born with security "built in" (I'm talking about the concepts, now necessarily the products). Under this perspective, security will always be an afterthought and, as it will be following something instead of defining the way, there won't be no sharp turns. Security will always be essentially evolutionary.Ok, but with those "sharp turns" (Web 2.0, cloud computing) from business and technology, what should we expect from security? Let's use the security cliché of People, Process and Technology to have a better view:

• People and process

Hey guys, time to get your eyes out of the debugger. I mean, there's a lot of great content being produced on the validation/verification side, people confirming those very small chances of exploiting a specific product or technology. In other words all those guys "making the theoretical possible". Don't get me wrong, this kind of research is critical to our field, but it seems that everybody now wants to do it. We need more people that can look into the problems in a different perspective, bringing concepts and ideas from other fields, like psychology (Schneier is doing it), biology (Dan Geer) and economy (Ross Anderson). All these fields have evolved a lot and we can get a lot of new ideas from them to apply to security. We can use them not only to improve technology but mostly to improve our processes, our risk management and assessment methodologies and the way that we think about risk and security. How can we still be discussing "compliance x security"? We had Malcolm Gladwell as keynote last year on RSA presenting the ideas from "Blink" (his book at that time) and I still haven't seen anything created in security using that valuable information about how people think. Just think for a minute how those instintive decisions mentioned on Blink affect things like security awareness and incident response. You'll be amazed about how much we can use from that in our job.

There is also an old discussion about the profile of the security professional. This is one of the favourite topics of my friend Andre Fucs. Although I think it's a very important discussion, I'm not really interested in it right now. As I'm listing things that I believe we should work to improve and I included "People" as a component, it is important to mention that.

• Technology

I'm seeing these days a lot of people bashing Bruce Schneier because he said that there's nothing new in Cloud Computing. Even if I partially agree with the criticisms, I think there is some true in that affirmation too. Yes, there is a lot more flexibility and mobility in the cloud model, but there's nothing new in terms of technology. Almost everything we need to do our jobs have been invented already. We just need to look into our huge toolbox and identify what we need to use under these new conditions.

I think the relation between the cloud and virtualization curious. Virtualization is being pointed as a way to implement the necessary platform independence and resource democratization that characterizes the cloud, but I believe we are just wasting resources by going into that direction. A few years ago Java (or, being more generic, "bytecode" stuff) seemed to be the way to go to achieve that platform independence. So, why put layers over layers of OSes if we can do what is needed using different OSes? Remember the "Write once, run everywhere"? Maybe this is not the best time to talk about java, anyway.

We are also pushing a lot of things to the endpoint. See what is being done with AJAX, all those mashups. And how are we trying to secure the endpoint nightmare? Sandboxes! How will sandboxes work with a technology that requires you to integrate all those things from different sources and trust levels exactly AT the endpoint? I really can't see a sucessful sandbox implementation under Web 2.0 reality.

Why am I talking about virtualization and sandboxing? Because both, when we talk about security, are solutions to a problem that we may know how to solve by better approaches. We are doing that because we are using crappy Operating Systems. I don't want to sound like Ranum and say that we need to write everything from scratch again, but let's assume, for instance, that we have decent Operating Systems; why would I bother to create virtual OS instances when I can put all my applications running above a single (more effective and secure) one? Why should we worry about VMotion when we can just move applications? The mainframe guys are running different applications in the same OS instance for years, being able to secure them against each other and effectively managing resources and performance. Let's learn from those guys before all of them are retired sipping Margheritas in Florida.

Ok, even if we solve the issue inside the same organization, there's still the issue of dealing with multiple entities in the cloud model. Again, the problem is Trust. As I said before, transitive trust is an illusion and if we try to rely on it we will see a whole new generation of security issues arise. I honestly don't know how we will solve it, but one of my bets would be in reputation systems.

In fact, the business model of the cloud is not different from lots of things we do in the "real" world. We trust people and companies without knowing all their employees or all other parts involved in ther business processes. We do that based on reputation. A nice thing about it is that we can leverage some of the cloud characterics to implement huge reputation services. Reputation databases can share, correlate and distribute information just like we do with names on DNS, with small and distributed queries. Let's imagine a new world of possibilities for a moment:

Your dynamic IT provisioning systems constantly gets information about processing costs from cloud services providers. It finds the best prices and acceptable SLAs, triggering the process to transparently move your applications to the best providers, keeping you always at the lowest available "IT utility" cost. Eventually, someone may try to include theirselves in the "providers pool" to receive your data into their premises to abuse it. However, your systems will not only check for prices and SLAs. They check the reputation for each provider, allowing the data to be transfered only to those that match you risk decisions. Just think about a database with reputation from several different providers, like Amazon, Google, GoGrid and McColo.v.2 (!). The  database will be constantly fed with information about breaches, infected/compromised systems on each of those providers, vulnerability scanning results, abuse complaints. Everything mixed by mathematical models that will tell you which one you should trust your data to. That's for the cloud. Reputation can even be used to help end users systems to decide the trust level for each application they run (Panda and other AV companies are going in this direction). Future looks promising.

A good call from one of the RSA keynotes was from Cisco CEO John Chambers. He talked about collaboration and integration. I really was expecting to see that at the Expo floor, but there wasn't anything really special. I was expecting to see more about IF-MAP, didn't see anything even from Juniper. Tipping Point CTO Brian Smith presented how their view of how the integration of different products can improve or, in fact, transform the way that we do firewall rules. Getting tags from different systems (reputation based systems?) and building the rules based on tags, that was awesome. One of the few high points of RSA to me. I was planning to do a review of RSA and end up writing something like "my view of the current and future state of information security". It's probably poorly organized, not well fundamented, but I intentionally decided to keep it this way. I want to make it a "food for thought" stuff. As usual, comments are welcome. Have fun.