Chris Hoff, the former chief security architect at Unisys and the author of the consistently insightful and funny Rational Survivability blog, is among the most sought-after speakers in the security industry and an authority on cloud computing and virtualization security. In this interview, he talks about the goals of the Cloud Security Alliance, the vague terminology and concepts of cloud computing and why cloud computing will neither save the world nor trigger the apocalypse.
Where did the idea behind the Cloud Security Alliance come from?
The two big ringleaders are Jim Reavis and Nils Puhlmann. We’ve known each other for a while and there are quite a few people participating in this. The notion came about because there is an awful lot of interest as well as confusion as it relates to cloud computing. The idea here was to take a little bit of a different approach to getting the issues out on the table and finding animated ways of dealing with them. Rather than just having a vendor’s perspective or a user’s perspective, we wanted to meet in the middle. The goals are pretty simple at face value, which is to get people to the table at the same time speaking the same language as it relates to cloud computing. So we decided to see if there was any interest, and there was a tidal wave of interest. We’re a little overwhelmed actually with the response. So the first thing we tried to do was get our arms around, at a 30,000-foot level, some of the pressing issues in terms of security and cloud. The first deliverable is trying to summarize these problems. There’s just a ton of stuff. So the point here is to give people a flavor for the kinds of stuff that’s involved. So as we move forward and we get more organized and we get more contributors and we decide how we break these things out into working groups, we’ll get much, much deeper.
So what are the deliverables going to be in the months and years ahead?
A lot of that will come out of the discussions that we have between the working groups themselves and the constituents. So more white papers, the production of tools, carrying the conversation forward to standards bodies, talking about openness and interoperability. The point here is as part of getting our arms around these domains, we’ve done an adequate amount of homework to see who’s already working on these things. It’s kind of silly to spin up another organization with a charter that we’re going to be the one body you come to. We really want to leverage all of the good work that other groups are doing and just make sure that we can contribute our expertise in the security realm to their work.
Are there people out there doing good work on security in the cloud right now?
That’s a very interesting question. I’ll have to answer it from one of many perspectives. I’d have to say that the people doing the most noticeable amount of work are cloud providers. Even that gets nebulous in terms of what that means. That’s really the first domain in talking about cloud architectures. There are lots of companies, especially on the provider side, that have a vested interest in secure cloud computing, who have been doing a good job of security in the cloud, whatever that means. As the cloud and its use cases and deployment models become much more defined, I’ll be able to answer that question much more concisely and clearly.
On your blog and other blogs there’s been a discussion about what the cloud even is. Have you come up with a good definition or seen one from anybody else?
I’ve spent quite a bit of time thinking out loud analyzing the two questions. Number one, what is the cloud? For the most part I think the industry as a whole has settled down in terms of their definition. It’s abstraction of infrastructure, democratization of resources and service-oriented. Terms I think we’re quite familiar with in the IT world. We see models that seem awfully cloud-like already: colocation, hosting, virtual private servers, using virtualization. The difference is generally two things: One, the elasticity and scale and dynamism that you actually can, with very little interaction from the provider themselves, scale up or scale down your resources and it becomes very utility-like. And the thing that comes off of that is an all-you-can-eat, but pay-by-the-bite model of allocation. When you boil it down, cloud computing itself is kind of settling down. The problem is the deployment models and use cases. We’ve taken some old technology, applied some new stuff to it, and the difficulty is when you try to relate that to somebody and explain what cloud computing is, you try to grab something simple that you can make an analogy to that people would understand, and we’ve applied these terms like public and private to use cases of clouds. It’s difficult because in the non-cloud world public means one thing and private means another. Some of it’s still contentious, some of it makes a lot of sense. Right now all of the vendors are talking about something we started talking about a while ago, which is private clouds. Private clouds are the next big battleground for companies that want to sell you something in the cloud. I think actually that private cloud is the most nebulous and ill-defined term.
Do you feel like the cloud providers are doing a better job of addressing security up front than the virtualization providers did a few years ago?
I’m not sure it’s a fair comparison. For the most part, what we’re dealing with is the evolution of virtualization in a much more scalable way. The cloud as we know it has enjoyed standing on the shoulders of giants, if you will, of seeing those problems emerge and be addressed over a very compressed timeframe in the last few years. At the same time, a lot of cloud has progressed out of hosting and colocation and you could look at it from that perspective and say we’re just adding virtualization on top of it. The use case for secure virtual private hosting, we’ve been doing that for years. The timeframes in terms of the time to get things right have been pretty compressed on the virtualization side. The cloud providers have their own set of problems. How do you apply policy consistently across an infrastructure when you’re dealing with multi-tenancy? It’s the patching problem exploded eleventy billion times. Both camps are coming around to the fact that they need to do a better job of security.
The argument that seems to be ongoing is that the cloud is by definition more secure than traditional computing. Would you like to address that?
I addressed it with a LOL cat in my presentation, “The Frogs Who Desired a King.” It’s a stupid argument to make without context. Security is an enormous problem. If you recall, a couple of years ago the virtualization vendors really foolishly started making statements like that and after six or seven patches in a row they stopped making statements like that. For the most part it still comes down to a monkey pushing a button somewhere and as long as we still have monkeys pushing buttons, we’re at risk. Automation should take a lot of the monkey button pushing out of our lives and let us focus on the things that matter most. In the long term, I think it will help us be more secure, not because it’s in the cloud, but because it makes people think about how they’re doing things.
This is an edited transcript of a podcast I did with Hoff. Listen to the full interview here.