A blog reader recently asked me to comment on this Security in the Cloud debate. First, a word on the opposing sides. The Yes proponent, Brad Miller, is CEO of Perimeter Internetworking. His company looks like a managed security services firm, except they are latched onto Gartner's security in the cloud idea. That is derived from MCI's (now Verizon's) concept of filtering traffic on its backbones. I find it odd that a company like Perimeter Internetworking can ride the cloud bandwagon when they are not in the cloud!
The No proponent is Bruce Schneier, CTO of Counterpane. He is not exactly saying no to the idea though:
[A] choice between implementing network security in the middle of the network - in the cloud - or at the endpoints is a false dichotomy. No single security system is a panacea, and it's far better to do both...
I'm all in favor of security in the cloud. If we could build a new Internet today from scratch, we would embed a lot of security functionality in the cloud. But even that wouldn't substitute for security at the endpoints. Defense in-depth beats a single point of failure, and security in the cloud is only part of a layered approach.
So perhaps the argument should have been framed "security only in the cloud"? In that respect, Bruce would obviously disagree because (1) it is a bad idea, due to the security necessity of layered defenses; and (2) as an MSSP, Counterpane would lose business. Counterpane will lose business anyway, since ISPs like Verizon, Sprint, and AT&T are offering cloud-based security services. Mr. Miller foolishly favors the abolition of end-user, or "CPE" (Customer Premise Equipment), security:
The bottom line is that the superior protection, economics and speed of deployment of security in the cloud will further marginalize CPE-based managed security. Large carriers will embrace security in the cloud and will obviate the need for CPE systems.
This statement demonstrates Mr. Miller has no concept of security principles.
In any case, I see fewer ISPs offering unfiltered, "clean" pipes, even though the term "clean" seems at odds with carrying "dirty" DoS traffic, spam, and the like. ISPs are already filtering common Microsoft Windows ports. This trend will only continue.