Thinking about Cloud Security & Vulnerability Research: Three True Outcomes
When opining on security in “the cloud” we, as an industry, speak very much in terms of real and imagined threat actions. And that’s a good thing: trying to anticipate security issues is a natural, prudent task. In Lori McVittie’s blog article, “Risk is not a Synonym for “Lack of Security”, she brings up an example of one of these imagined cloud security issues, a “jailbreak” of the hypervisor. [link to http://devcentral.f5.com/weblogs/macvittie/archive/2010/06/28/risk-is-not-a-synonym-for-ldquolack-of-securityrdquo.aspx no longer works]
And that made me think a bit because essentially, we want to discuss, we want to know, “what will happen not if, but when vulnerabilities in the hypervisor, or cloud api, or some new technology bit of cloud computing actually are discovered and/or begin to be exploited?”
Now in baseball, sabermetricians (those who do big-time baseball analysis) break the game down into three true outcomes – walk, homerun, strikeout. They are called the three true outcomes because they supposedly are the only events that do not involve the defensive team (other than the pitcher and catcher). A player like Mark McGwire, Adam Dunn, or if you’re old-school, Rob Deer are described as three true outcome players because their statistics over-represent those outcomes vs. other probable in-play events (like a double or reach via error or what have you). Rumor has it that Verizon’s Wade “swing for the fences” Baker was a three true outcome player in college.
In Vulnerability research and discovery, I see three true outcomes, as well. Obviously the reality isn’t that an outcome is always one of the three, just as in baseball there are plenty of Ichiro Suzuki or David Eckstein-type players whose play does not lend itself to a propensity towards the three true baseball outcomes. But for the purposes of discussing cloud risk, I see that any new category of vulnerability can be said to be:
1.) Fundamentally unfixable (RFID, for example). If this level of vulnerability is discovered, cloud computing might devolve back into just hosting or SaaS circa 2001 until something is re-engineered.
2.) Addressed but continues to linger due to some fundamental architecture problem that, for reasons of backwards compatibility, cannot be significantly “fixed”, but rather involves patches over and over again on a constant basis.
3.) Addressed and re-engineered so that the probability of similar, future events is dramatically reduced.
Now about a year ago, I said that for the CISO, the move to the cloud was the act of gracefully giving up control. The good news is that in terms of which of the three we see in the future, the CISO really has no ability to affect which outcome will exist. But how cloud security issues are addressed long-term, via technology, information disclosure (actually the entropy of information disclosure), and contract language (how technology and entropy are addressed as part of the SLA) – these are the aspects of control the CISO must seek to impact. Impact that is both contractual and on her part, procedural – expecting one of the three outcomes to eventually happen.
The technology and information disclosure aspects of that contract with the cloud provider, well, they simply must focus on the ability to detect and respond quickly. Chances are your cloud farm won’t be among the first compromised when an eventual exploit occurs. But, especially if the value of what you’ve moved to the cloud has significance to the broader threat community, that doesn’t mean (as Lori says) you simply accept the risk. Developing contingency plans based on the three true outcomes can help assure that the CISO can at least cope with the cloud transition.