Governments are an important factor in the cloud computing ecosystem, and this is one of the features that differentiates cloud computing from traditional IT. Governments promote the standards, regulations and laws that are essential for trust, and they can adopt cloud computing for their own IT needs and create a cloud-friendly environment. They can also damage trust and the ecosystem with ungoverned cloud surveillance, as Snowden revealed.
With that said, it is no wonder that the two opening keynotes at the RSA 2014 Cloud Security Alliance summit were about governments and their policies regarding cloud computing. Richard Clarke, a member of President Obama’s Review Group on Intelligence and Communications Technology, and Professor Udo Helmbrecht, Executive Director of the European Union Agency for Network and Information Security (ENISA), were the two distinguished guests who in turn elaborated on their governments' plans and actions for cloud computing.
Starting early in the morning, Mr. Clarke gave a very interesting briefing about his role in the group that President Obama convened to establish a new policy for NSA surveillance. While describing the events behind the scenes, Mr. Clarke elaborated on some of the 46 recommendations that the group handed to the president: increasing the internal security of the data, stopping attempts to weaken encryption standards (which were exaggerated, according to Mr. Clarke), and appointing a strong oversight committee with real enforcement capabilities.
The NSA is a good force, he complimented; they are working day and night to stop terror, drugs and weapons of mass destruction. But the public good requires us to put up roadblocks, so that we stop now and then to make sure we are not giving up too many civil rights in this intensive race to fight terror.
Similar laws and actions exist outside of the US, Mr. Clarke added, so people who criticize US actions are usually doing so for economic profit (to be gained from localizing cloud services), or they are simply hypocrites, he concluded.
To complete the picture, the next talk was from ENISA Executive Director Professor Udo Helmbrecht, who reviewed the EU Commission's efforts to increase trust in and adoption of cloud computing. The EU Commission is investing great efforts in cloud adoption, and ENISA is there to help this process. Cloud computing brings security risks but also opportunities, especially for the SMB sector, which is unable to purchase the protection that enterprises do, he explained. ENISA's strategy within the EU efforts is to become a cloud security hub and to assist in setting standards and laws, creating new business models and building the required trust. And there is no reason that an e-mail from Germany to another EU country should pass through the US, he added, in reference to the preceding speaker's criticism of EU efforts to localize cloud services.
In the next sessions, the summit drifted away from governments and espionage effects with two different panels: the first discussed the perimeter challenges organizations are facing, and the second discussed managing risks and increasing trust between cloud provider and consumer. A shared presentation by Trend Micro and Vodafone described research on critical infrastructure and SCADA protection. During the research, 12 honeypots were placed and configured to look like exposed water or electricity management systems. The presentation described the various attack attempts and the life cycle of the hacks, which involved 74 different attacks, mostly from Russia and China.
As the closing keynote, Alan Boehme, Chief of Enterprise Architecture for The Coca-Cola Company, gave a first peek at the software-defined perimeter (SDP) concept. The SDP is a concept taken from the DoD and some NIST publications, and it aims at replacing the traditional physical perimeter with a software-based one. Utilizing SDP technology will eliminate many attack vectors, such as DDoS, man-in-the-middle, various malware and other attacks. The idea in SDP is that each server is able to protect itself even if it is located in an untrusted environment. Several security technologies, such as VPN, identity management, federation, device attestation and strong authentication, have been grouped into that software component. The result is servers with the ability to establish a secure link with users or other servers only after applying a certain policy. This interesting concept is still very new and is currently at the center of a hacking contest intended to check its resilience. It will not solve all cloud computing threats, but it can certainly provide an efficient mechanism for the open enterprise to eliminate certain attacks. The CSA is investing heavily in the SDP concept, hoping it will solve some of the security challenges presented by cyber criminals, insider threats, and governments.
Moshe Ferber www.onlinecloudsec.com
Moshe Ferber is a cloud security entrepreneur and lecturer, with over 20 years’ experience in information security. In the past he managed the security department for Ness Technologies, a global IT service provider, and was the founder of Cloud7, a Managed Security Services Provider (acquired by Matrix LTD). In the last couple of years, Mr. Ferber has focused on various aspects of cloud technology as an entrepreneur, private investor and co-Chairman of the Cloud Security Alliance, Israeli chapter.