Monday, February 20, 2006

Security in the Cloud

A blog reader recently asked me to comment on this Security in the Cloud debate. First, a word on the opposing sides. The Yes proponent, Brad Miller, is CEO of Perimeter Internetworking. His company looks like a managed security services firm, except they are latched onto Gartner's security in the cloud idea. That is derived from MCI's (now Verizon's) concept of filtering traffic on its backbones. I find it odd that a company like Perimeter Internetworking can ride the cloud bandwagon when they are not in the cloud!

The No proponent is Bruce Schneier, CTO of Counterpane. He is not exactly saying no to the idea though:

[A] choice between implementing network security in the middle of the network - in the cloud - or at the endpoints is a false dichotomy. No single security system is a panacea, and it's far better to do both...

I'm all in favor of security in the cloud. If we could build a new Internet today from scratch, we would embed a lot of security functionality in the cloud. But even that wouldn't substitute for security at the endpoints. Defense in-depth beats a single point of failure, and security in the cloud is only part of a layered approach.

So perhaps the argument should have been framed "security only in the cloud"? In that respect, Bruce would obviously disagree because (1) it is a bad idea, due to the security necessity of layered defenses; and (2) as an MSSP, Counterpane would lose business. Counterpane will lose business anyway, since ISPs like Verizon, Sprint, and at&t are offering cloud-based security services. Mr. Miller foolishly favors the abolition of end-user, or "CPE" (Customer Premise Equipment), security:

The bottom line is that the superior protection, economics and speed of deployment of security in the cloud will further marginalize CPE-based managed security. Large carriers will embrace security in the cloud and will obviate the need for CPE systems.

This statement demonstrates Mr. Miller has no concept of security principles.

In any case, I see fewer ISPs offering unfiltered, "clean" pipes, even though the term "clean" seems at odds with carrying "dirty" DoS traffic, spam, and the like. ISPs are already filtering common Microsoft Windows ports. This trend will only continue.
Pete Hewitt said...

We seem to see a lot of this lately - "(Insert security-buzzword-solution-of-the-moment here) will completely eliminate security risk and render all other safeguards (such as defense-in-depth) obsolete." Almost amusing until you realize that some CIOs are buying into it. Their sense of security will be fine right up until some employee walks in with a CD he got off the street and hits Install.

jbmoore said...
I'm currently working for a major telco in Network Security. We are completely in bed with Microsoft (at least with my group). The IDSes are not tuned. Our signatures are mostly canned vendor signatures. We just lost one of our team to NEC because he was being underutilized. There are power politics from the systems admin group who maintain our servers which I find abhorrent as a former systems admin. Our migration to a reserved private network has been difficult and less than flawless in execution. In short, it's a miracle we are able to do our jobs and find any security threats to our "clients". Just because the telcos say they are doing X doesn't mean they are executing it perfectly or even competently. Now admittedly, I am a small cog in a very big wheel, but Bruce will probably have a secure job for some time to come the way things are going.
Richard Bejtlich said...
I forgot to mention that I do not think that security in the cloud will be done well, or in a manner that addresses all of a customer's concerns. I only think that services with that label are being offered and will continue to be offered. Hence, the need to continue to do premise security -- which is why Bruce is right and Brad is wrong.

Anonymous said...

Richard's books all make a point about networks being architected to minimize the diversity of traffic, thereby allowing anomalies to be more readily identified. The idea of putting security in the cloud conjures up visions of much greater traffic diversity and much greater difficulty in finding anything besides the most basic, common, well-known and easily identified attacks. Am I missing something?

Anonymous said...

Nice Blog! I liked it
Anonymous said...

The next logical step when security in the cloud doesn't work will be to build private networks to which companies will subscribe. They will post security requirements and admission criteria. Companies will review this against their policy, subscribe so that they can feel safe communicating with other companies that are members. When the people working in those companies infiltrate other private network members, we will re-visit CPE security as a breakthrough idea. Then the marketing and product people will plow billions in to developing cool technologies like firewalls and IDSs.