- People and process
Hey guys, time to get your eyes out of the debugger. I mean, there's a lot of great content being produced on the validation/verification side, people confirming those very small chances of exploiting a specific product or technology. In other words all those guys "making the theoretical possible". Don't get me wrong, this kind of research is critical to our field, but it seems that everybody now wants to do it. We need more people that can look into the problems in a different perspective, bringing concepts and ideas from other fields, like psychology (Schneier is doing it), biology (Dan Geer) and economy (Ross Anderson). All these fields have evolved a lot and we can get a lot of new ideas from them to apply to security. We can use them not only to improve technology but mostly to improve our processes, our risk management and assessment methodologies and the way that we think about risk and security. How can we still be discussing "compliance x security"? We had Malcolm Gladwell as keynote last year on RSA presenting the ideas from "Blink" (his book at that time) and I still haven't seen anything created in security using that valuable information about how people think. Just think for a minute how those instintive decisions mentioned on Blink affect things like security awareness and incident response. You'll be amazed about how much we can use from that in our job.
There is also an old discussion about the profile of the security professional. This is one of the favourite topics of my friend Andre Fucs. Although I think it's a very important discussion, I'm not really interested in it right now. As I'm listing things that I believe we should work to improve and I included "People" as a component, it is important to mention that.
I'm seeing these days a lot of people bashing Bruce Schneier because he said that there's nothing new in Cloud Computing. Even if I partially agree with the criticisms, I think there is some true in that affirmation too. Yes, there is a lot more flexibility and mobility in the cloud model, but there's nothing new in terms of technology. Almost everything we need to do our jobs have been invented already. We just need to look into our huge toolbox and identify what we need to use under these new conditions.
I think the relation between the cloud and virtualization curious. Virtualization is being pointed as a way to implement the necessary platform independence and resource democratization that characterizes the cloud, but I believe we are just wasting resources by going into that direction. A few years ago Java (or, being more generic, "bytecode" stuff) seemed to be the way to go to achieve that platform independence. So, why put layers over layers of OSes if we can do what is needed using different OSes? Remember the "Write once, run everywhere"? Maybe this is not the best time to talk about java, anyway.
We are also pushing a lot of things to the endpoint. See what is being done with AJAX, all those mashups. And how are we trying to secure the endpoint nightmare? Sandboxes! How will sandboxes work with a technology that requires you to integrate all those things from different sources and trust levels exactly AT the endpoint? I really can't see a sucessful sandbox implementation under Web 2.0 reality.
Why am I talking about virtualization and sandboxing? Because both, when we talk about security, are solutions to a problem that we may know how to solve by better approaches. We are doing that because we are using crappy Operating Systems. I don't want to sound like Ranum and say that we need to write everything from scratch again, but let's assume, for instance, that we have decent Operating Systems; why would I bother to create virtual OS instances when I can put all my applications running above a single (more effective and secure) one? Why should we worry about VMotion when we can just move applications? The mainframe guys are running different applications in the same OS instance for years, being able to secure them against each other and effectively managing resources and performance. Let's learn from those guys before all of them are retired sipping Margheritas in Florida.
Ok, even if we solve the issue inside the same organization, there's still the issue of dealing with multiple entities in the cloud model. Again, the problem is Trust. As I said before, transitive trust is an illusion and if we try to rely on it we will see a whole new generation of security issues arise. I honestly don't know how we will solve it, but one of my bets would be in reputation systems.
In fact, the business model of the cloud is not different from lots of things we do in the "real" world. We trust people and companies without knowing all their employees or all other parts involved in ther business processes. We do that based on reputation. A nice thing about it is that we can leverage some of the cloud characterics to implement huge reputation services. Reputation databases can share, correlate and distribute information just like we do with names on DNS, with small and distributed queries. Let's imagine a new world of possibilities for a moment:
Your dynamic IT provisioning systems constantly gets information about processing costs from cloud services providers. It finds the best prices and acceptable SLAs, triggering the process to transparently move your applications to the best providers, keeping you always at the lowest available "IT utility" cost. Eventually, someone may try to include theirselves in the "providers pool" to receive your data into their premises to abuse it. However, your systems will not only check for prices and SLAs. They check the reputation for each provider, allowing the data to be transfered only to those that match you risk decisions. Just think about a database with reputation from several different providers, like Amazon, Google, GoGrid and McColo.v.2 (!). The database will be constantly fed with information about breaches, infected/compromised systems on each of those providers, vulnerability scanning results, abuse complaints. Everything mixed by mathematical models that will tell you which one you should trust your data to. That's for the cloud. Reputation can even be used to help end users systems to decide the trust level for each application they run (Panda and other AV companies are going in this direction). Future looks promising.
A good call from one of the RSA keynotes was from Cisco CEO John Chambers. He talked about collaboration and integration. I really was expecting to see that at the Expo floor, but there wasn't anything really special. I was expecting to see more about IF-MAP, didn't see anything even from Juniper. Tipping Point CTO Brian Smith presented how their view of how the integration of different products can improve or, in fact, transform the way that we do firewall rules. Getting tags from different systems (reputation based systems?) and building the rules based on tags, that was awesome. One of the few high points of RSA to me. I was planning to do a review of RSA and end up writing something like "my view of the current and future state of information security". It's probably poorly organized, not well fundamented, but I intentionally decided to keep it this way. I want to make it a "food for thought" stuff. As usual, comments are welcome. Have fun.