All Posts Tagged presentations
Introducing the Skylab Community Project
Last week I attended SecureCloud 2010 in Barcelona, a conference dedicated to cloud computing and security, organised by the Cloud Security Alliance, ENISA, ISACA and IEEE.
This proved to be an excellent opportunity for deep dive conversations with others heavily involved with cloud security, both providers and users.
The conference was well run – particularly for a first time out. The presentations were a mixed bunch, which I felt reflected:
- the on-going open interpretation of the term “cloud” (and a few who insisted on muddying the waters by referring to traditional web hosting providers as “cloud providers” – eek!)
- the different stages that people are at with their understanding of cloud computing and security and
- the wide diversity of speakers present (a healthy thing in my book).
I’m very glad I attended and was able to present the kick-off to Project Skylab.
A number of readers asked if the presentations would be recorded and made available to non-attendees. Unfortunately, they were not, so I’ve recorded the “home edition” version of my talk and made it available here.
The Skylab Project is aimed at IT and IT security professionals that are “cloud curious” and want to get their hands dirty in a relatively safe way (i.e. no business data involved). You could say it’s for the hobbyist security geek. This talk sets out the concept, design goals and plans for Project Skylab. Hence, this presentation is not about “cloud security” per se or “securing the cloud”. At most it’s about delivering a security related service (an on-demand security test lab) from the cloud. Check out my other cloud computing and security presentations if you’re looking for coverage of cloud security challenges.
Important notes:
- this is the “kick-off” of Skylab – not the “solution” stage (!)
- if you’re an old hand with IaaS services (including cloud overlay networks), I doubt you’ll learn anything new about cloud.
I plan to develop Skylab on an on-going basis. I’m also encouraging others to contribute their ideas (with full credit of course).
Finally, I’ve applied to speak at Brucon 2010 in September. If my application is successful I will present the first tried and tested incarnation of Skylab.
Please let me know if you enjoy this video (or not!) as this is the first time I’ve tried this. I welcome your feedback.
I’d like to thank Jim Reavis and his team for the excellent logistical support throughout the conference, along with the SecureCloud presentation committee for inviting me to speak.
Cheers,
Craig
P.S cloudsecurity.org now has a forum dedicated to discussions about cloud computing and security. There is also a dedicated board for Project Skylab communication.
RSA Europe 2009 Presentation Posted
Thanks to those that requested a copy of my RSA Europe 2009 presentation, “What Everyone Ought To Know About Cloud Security”. RSA gave me the go-ahead to post it on my blog so here it is.
Whilst at RSA, Mirko from Help Net Security asked me to talk on a 5 minute podcast about Cloud Security from a technical perspective (thanks Mirko!).
This was my last high level presentation on Cloud Security issues - there’s lots of chewy cloud goodness to dive into hence future presentations will be more technical in nature.
Slides from my BruCon Talk: “The Belgian Beer Lovers Guide to Cloud Security”
I’ve received some requests for the slides I presented at BruCON, so here they are. As the slides are mostly devoid of text, I’ve included the speaker notes. The notes are not polished, hence treat accordingly ;-). To view in “Full Screen” mode click on the icon at the bottom right of the slideshare embed below and click “Fit to Height” to see the notes.
P.S If you weren’t at BruCON, you missed an excellent security conference - strong content, excellent organisation and facilities, friendly crowd. Thanks to Benny & crew for being excellent hosts!
“A Cloud Security Ghost Story” @ Black Hat: Slides Now Available
The slides from my talk at Black Hat Europe 2009 are now available [PDF].
From comments I received afterwards, I got positive feedback despite running out of time (my fault entirely). I’ve been pleasantly surprised by the number of people asking for copies of the slides, but do bear in mind the slides are somewhat ‘terse’ as they are primarily talking points for me to bounce off of (as it were).
Should anything not be clear, feel free to leave a comment below and I’ll do my best to clarify.
I’d also like to take this chance to thank Jeff Moss, Ping and the rest of the Black Hat crew for doing such a professional job running the conference - it was confidence inspiring to be in such capable hands.
IGT2008 World Cloud Computing Summit Videos Now Online

Shortly before the holiday break, I presented my take on Cloud Computing and Security at the IGT2008 World Cloud Computing Summit in Tel Aviv, Israel.
This was a great conference for me personally as it was an opportunity to meet face to face with some very smart people that are passionate about the Cloud. It also provided an even greater insight into the steamroller that is the Cloud - company after company lining up to either “Clouderize” their current offerings or in most cases, “doing something new”. I met a few startups looking to solve some tricky problems including a stealth mode security outfit looking to provide enhanced security for SaaS (I can’t say more right now but watch this space).
The main thrust of my talk was that there needs to be a deeper conversation about the security implications of Cloud Computing and Cloud Services in general. That’s not because I think there is anything innately insecure about Cloud offerings, more that we are venturing into the great unknown with layers of offerings, greater trust transitivity and new (and old) technologies meshed together in ways we frankly don’t understand. We need to progress the dialogue beyond crying out that the ‘Cloud is insecure’ or just saying ‘the biggest Cloud issue is security’ and get into the nitty gritty details. But my argument is we can only do that if the providers engage in that conversation. It’s one of the reasons I encourage Cloud providers to reach out and talk security - most large enterprises have responsibilities that mean they cannot treat the Cloud as a black box.
The 25 minute talk is split into 2 parts:
- after a brief intro - I believe I was the only one there not representing a company - I laid out what I mean by ‘security’. As this wasn’t an information security conference and there was a wide range of people present, I wanted to lay out what I mean by “information security” to provide context for what was to follow. If you’ve been “doing” enterprise security for years, you can safely skip the first 10 minutes (unless you want to critique me!).
- the second half focused on the need for a new risk model that better represents the ebb and flow of risk in Cloud environments - especially with Cloud Stacks (if someone has a better term, let me know) followed by the Enterprise Cloud Security version of “Hot or Not” - complete with audience voting. Given that some of the providers I’d included in the game were sitting in the audience, this sparked some decent conversations later that evening. If you are a Cloud provider featured in the presentation and you didn’t catch my talk, feel free to contact me to discuss your “hotness” ;-).
The videos are now online (IE only), along with the slides. My talk was on Day 2 in the afternoon (halfway down the right hand side). I welcome your feedback - feel free to leave comments or ask questions.
You also want to check out the Security Panel on Day 1 hosted by Sam Bercovici, with Professor Barton P. Miller, Alexis Richardson from CohesiveFT and myself.
