All of this has security implications of colossal proportions. Today's fundamentally "static" security models have to evolve into "dynamic" security models adapted to the needs of cloud services, because there is no turning back from this trend. The question is not whether we think the security of "cloud" services is better or worse; it is about designing security services appropriate to this reality, which, like everything, has positive and negative aspects.
We have gained on some fronts. One of our weak points in security has always been availability and business continuity. In the cloud, even for complicated disaster scenarios such as the loss of a datacenter to a natural disaster, the solution seems within anyone's reach and the RTOs seem acceptable for any type of business. Clearly, though, there are many things to redesign in cloud security services.
Take the case of Google, which in 2008 had 36 locations for its data centers, with virtualized environments that allow it to move workloads between those locations in a way we might call "agile". One of its objectives is, logically, to minimize the cost of hosting its infrastructure, and since we can assume that in a datacenter 50% of the cost is the energy cost of cooling, we can understand that Google's infrastructure managers are looking for ever-better energy efficiency. From what we have read, the PUE factor (Power Usage Effectiveness) reached by Google is impressive: 1.21 on average. This means that every useful watt that reaches a machine serving its customers needs 1.2 watts of actual consumption. Obviously this can be achieved by using datacenters that need little energy to cool the machines, for example by taking the systems to cold locations that use ambient air to cool the technical rooms. All this can also be combined with "follow the moon" strategies, in which the workload is moved to wherever night-time energy rates apply, and therefore to the cheapest rates, which in short reduce the cost of the machine's electricity supply and, directly, the cost of the service.
If in this environment we begin to think about security, the first reaction is one of stupefaction. If it is already difficult to achieve an adequate level of security in environments that are static from the physical point of view, then when the logical environment, with virtualization, is highly changeable and the physical one is too, the result is directly an insane asylum specialized in the practice of torture, as a therapeutic measure, for security professionals.
Obviously, this scenario that is coming our way is not compatible with the current security practices of most companies specialized in this type of service. This scenario is crying out for us to adapt policies, procedures, controls, and security monitoring and management systems to environments that change at a devilish speed.
Consider, for example, a traditional risk analysis. In our opinion, traditional risk analyses are already not very useful, especially if they rely on heavy and complex methodologies such as some that we all know ;-). Granted, they are very valuable methodologies and make up a good theoretical starting point, but in my opinion they cannot be used in practice without the relevant nuances. Why? Basically because we face ever-changing environments. When these methodologies were designed, they were conceived for manageable infrastructures, with calm evolutions, in which reviewing the risk analysis periodically, once a year, could be enough. These are not the starting hypotheses we face today, and therefore these methodologies do not work when we apply them as they were designed.
We face environments that change from the logical point of view, with continuous variations that have very clear impacts on the security strategy, and, as if that were not enough, by virtue of what was discussed in the introduction to this entry, we also face changing physical environments. In these circumstances the threats are variable, so are their probabilities, and therefore so are the risks. In short, within the framework of the dynamic security services we have referred to, we will have to design agile methodologies for risk analysis in real time.
We will have to work hard to define a global framework of dynamic security products and services for this new environment, and the regular readers of this blog will have much to say on the matter... In any case, rain or shine, have a good weekend.
Author: José Rosell
Source: Security ArtWork
Authors: Computer Security News

