Juniper's Hoff Outlines Cloud Security Automation Challenges

In a presentation Monday at the United Security Summit in San Francisco, entitled "Commode Computing: Relevant Advances In Toiletry & I.T. – From Squat Pots to Cloud Bots – Waste Management Through Security Automation," Hoff discussed how operational issues are impeding automation and flexibility of cloud security and putting a crimp on innovation in this space.

Hoff pointed to the innovation that has taken place in toilet technology through the centuries, from the first drainage systems in 2500 B.C., to Sir John Harrington's invention of the flushing toilet in 1596 and Joseph Gayetty's 1857 invention of toilet paper. Absent a similar flurry of creative thinking in cloud security, the IT industry is facing an inelegant future that Hoff jokingly described as "commode computing."

Getting security to scale in infrastructure-as-a-service and cloud environments is a tough challenge that has slowed the pace of automation, Hoff said. "Security fundamentally by design doesn't scale. It's generally not automated because there's a person in the loop, or a policy," he said.

However, attackers are well acquainted with leveraging cloud automation, as evidenced by the efficient functioning of botnets, which have cloud-like underpinnings, Hoff said. "The challenge is we don’t play by same sets of rules," he said. "The reason organizations don’t automate is that they're afraid if a change gets pushed and something goes wrong, they'll lose control."

Another problem is that security professionals, developers, network administrators and systems administrators aren't leveraging a common set of tools for cloud security. What's needed, Hoff said, is automated security that's designed for scale. "We need more intelligence shared between the infrastructure and application layer," he said.

Mobility is another stressor or for cloud security, because policies haven't been adjusted to account for the movement of virtual machines within a cloud environment, Hoff said.

Hoff disagrees with the idea that the network perimeter is disappearing, though. "Virtual machines move, so we are trying to apply policy to each device, which becomes its own perimeter. With the cloud, we have thousands of 'micro-perimeters.' The virtual machine is the de facto perimeter," he said.

It's unrealistic to expect cloud and virtualization vendors to provide all the necessary tools for securing cloud environments, so there are steps organizations can take today on their own, Hoff said. Cloud computing providers can use CloudAudit.org to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure-as-a-service, (IaaS), platform-as-a-service (PaaS) and (SaaS) environments.

Companies can also get their staff up to speed on programming languages such as CFEngine, Puppet, Ruby and Python, Hoff added. "These guys have enormous libraries that automate existing physical and virtual security controls," he said.

In the future, better cloud security will depend on developers, operational and security staff to work more closely than they've done in the past and embrace things like application security and the secure development lifecycle, according to Hoff.

Automating data protection is also going to become even more critical. VMware's 5 bundling of low level data leak prevention in vShield, which scans virtual environments for PCI data, is an example of where things are going, Hoff noted.

"To leverage cloud computing, security must scale at same pace as the workloads security is supposed to protect," Hoff said. "It's never too late to automate."