The Cloud Security Alliance, an organization that promotes best practices for securing cloud computing, has launched...
the Software Defined Perimeter initiative for securing access to the cloud.
The initiative, launched during the Amazon Web Services (AWS) re: Invent 2013 conference in Las Vegas, promises to open new use cases for securing cloud applications, distributed firewalls, and even power plants and other major facilities, said Junaid Islam, founder of Vidder Inc., a Seattle-based security service firm and leader of the Software Defined Perimeter (SDP) working group.
Previous work by the Cloud Security Alliance (CSA) and the National Institute for Standards and Technology focused on addressing cloud security challenges. The SDP working group's security architecture will extend security to devices and services used to connect with and through the cloud.
The cloud computing security market should reach $4.2 billion by 2016, according to estimates from Stamford, Conn.-based Gartner Inc. "Demand remains high from buyers looking to cloud-based security services to address a lack of staff or skills, reduce costs or comply with security regulations quickly," said Eric Ahlm, a Gartner research director. "This shift in buying behavior from the more traditional on-premises equipment toward cloud-based delivery models offers good opportunities for technology and service providers with cloud delivery capabilities. But those without such capabilities need to act quickly to adapt to this competitive threat."
Work on the SDP is in its early phases. In the short run -- two to three years -- the initiative will allow enterprises to address cloud security challenges by improving the security of different devices used to access the cloud, including personal computers, tablets and mobile devices. It will also create a set of standards to allow interoperability between security services from cloud providers and systems integrators.
New protection from a variety of threats
The standards will make it easier to secure corporate infrastructure against a variety of cloud security challenges, including denial-of-service (DoS) attacks, malware, man-in-the-middle attacks and SQL injection. NIST, the U.S Computer Emergency Readiness Team, and security vendors have put considerable work into improving security against these attack vectors, and various measures for protecting against them are widely published. However, software developers often fail to implement those measures because they're highly complex, Islam noted.
Sophisticated cryptographic measures, such as mutual Transport Layer Security and elliptical cryptography for authentication, have shown great promise in addressing many such vulnerabilities, but implementing them in ways that close back doors is often a complex undertaking. The SDP will open the door for cloud security services that could be called upon in much the same way storage and compute services are used today.
"The big breakthrough is that not only can you have the best processes and procedures for protecting applications in the cloud, you can protect processes and procedures on legacy systems as well," Islam said. "It's a completely new way to think of the cloud. People have tended to think about the cloud for getting cheap compute services, but not for security services."
It's a completely new way to think of the cloud.
Junaid Islam, leader of the Software Defined Perimeter working group, CSA
The development will allow organizations to use NIST's best ideas for securing their infrastructure offered as a service. Furthermore, these services could be automatically updated as new vulnerabilities are discovered and countermeasures are developed by security experts. Expert providers could also update security packages that combine those measures.
Companies would also be able to address cloud security challenges by subscribing to new security services on short notice when attacks occur. For example, a company experiencing a large-scale DoS attack could quickly reroute access to its legacy systems through a cloud service dedicated to addressing such attacks.
The alliance's SDP working group plans to publish information about this security infrastructure in the public domain so security experts can tease it apart, looking for previously unseen vulnerabilities. Organizations would have the option of relying on service providers or incorporating that architecture into their own private cloud infrastructures.
Strong military underpinnings
The SDP is based on military-grade security. It builds on security work developed for the U.S. Department of Defense, and Bob Flores, the former chief technology officer for the CIA, is among the working group members. Among other things, the architecture includes the concept of authentication before access.
A device's integrity is checked first, both to confirm it's authorized to access the specific cloud service, and to ensure malware hasn't compromised the device. This concept can also be applied to cloud services accessing other cloud services. For example, if a hacker had changed one line of code in the first service, that change could be detected by the second one and access would be denied.
Next, the identity of the user or device is authenticated using the appropriate cryptographic key. Upon successful authentication, the location of the device is also evaluated to ensure the connection is coming from an authorized part of the world. For example, an overseas hacker who managed to steal the appropriate credentials would be denied access.
If the device, credentials and location check out, access is granted only to the authorized resources. For instance, a worker in the field might be limited to accessing the customer relationship management systems and wouldn't be able to see other corporate servers containing sensitive documents or credit card data stored on legacy systems.
The SDP's three use cases
The SDP will open three main categories of use cases for securing infrastructure: first-mile, application-to-application and last-mile.
The first-mile use case will make it easier to ensure computers, tablets and mobile devices can securely access information systems. That, in turn, will make it easier for enterprise architects to enable companies to securely access back-end applications, such as financial systems and healthcare applications in bring-your-own-device configurations.
The application-to-application use case will make it easier for enterprise architects to weave together best-of-breed applications that may reside in public or private clouds. This will help isolate security breaches and limit hackers' access to back-end systems when one server is compromised.
The last-mile use case will allow companies to protect legacy systems from security breaches. It could also help to create an additional layer of protection for public infrastructure, such as power grids and gas line control systems, which were designed before many security threats, such as the Stuxnet virus, were widely known.
"Now all of this equipment is being connected to the Internet, and hackers are starting to attack it," Islam explained. "Imagine water pumps connected to the SDP in the cloud. Today, to add security, you have to buy special equipment to protect it. But with the SDP, you could secure this infrastructure using the cloud."
Once the details of the SDP architectures have been worked out, Islam expects to see major cloud providers start offering new types of services intended to address cloud security challenges. "Imagine cloud providers with smart teams of security experts supporting large numbers of users cost effectively," he said. "It is a win for both sides."
The alliance expects to release a white paper along with an overview and demonstration of the framework in December. The group also plans to provide an implementation case study and launch a hacker contest at the RSA Conference, scheduled for Feb. 24-28, 2014, in San Francisco.