It's time for applications in the cloud to defend themselves. And a technique I'll call cloud-based data defense may be the most effective approach.
Let's start from the top: Both business and technical people love the promise of cloud computing. But the things that make cloud computing so attractive alarm security people. For instance, from the cloud customer's viewpoint, everything is virtual, making it easy to buy infrastructure, applications, and tools as needed. From the security standpoint, the risk is that customers don't know where their data is really located. Further, cloud customers can buy services just in time and all over the world -- sometimes through chains of providers. That presents an enormous number of entry points to the network.
So far, the emerging cloud security industry has primarily tried to adapt traditional, pre-cloud data defense: restricting physical access and monitoring the network with freestanding software. IBM's SmartCloud offers a typical physical defense: A secured server is the customer's sole access to the cloud. The necessary loss of speed and flexibility is mitigated by providing a wide, fast channel to and from the secured server.
The virtual-monitoring line of defense might be exemplified by McAfee Cloud Security. McAfee leaves the where and when of physical access up to the customer, but it installs virtual monitors in every virtual machine used by the application. In effect, everything that goes out into the cloud takes a separate, vigilant bodyguard or "helicopter mommy" with it. Thus, wherever the customer pays to operate its own software, it necessarily also pays to operate McAfee's; the customer pays to run two programs everywhere when it really needs to run only one.
Rather than sacrificing the freedom and swift adaptability of the cloud by locking the point of access behind a physical barrier or limiting every cloud app to the speed at which a monitoring program can follow it, what if the cloud itself provided the security?
What if cloud security were based on a high standard of shared, built-in security and responsibility for monitoring? It's a bit like the Wild West. Every program in the cloud needs to be responsible for calling up a posse of other programs when it sees a threat, and it must be able to join such posses effectively.
An exhibition poster from 1899.
(Source: Public domain via Wikimedia Commons)
In true cloud-based security, software cannot be "little, fast, and dumb," as some theorists have advocated. It must be sophisticated enough to identify attacks contextually without a virtual monitor on its shoulder; fend off unauthorized approaches (and expect them, because it's out in the cloud); and sound an alarm to customers, some central clearinghouse, and (if possible) the intended victims, even if they include a competitor. Two ranchers can hate each other but still cooperate against rustlers.
In the longer run, a grooming standard might be developed, so that two programs running on the same virtual machine, even if they're working for different customers, automatically recognize and check each other for damage or exploits, passing reports to each other and to common security points.
In cloud-based security, smart prey discourage predators and team up against them. That's good for everyone -- except predators.
Elements of true cloud-based security are emerging. Marc Bouchard's whitepaper for the IT research firm AimPoint advocates creating programs that are contextually sensitive to security issues, and Trend Micro has begun implementation. The software provider Bromium's recently announced Micro-Virtualization specifically pounces on high-vulnerability applications and moves them inside secured hardware.
Programs in the cloud are learning to defend themselves. The next step is ganging up on attackers. The Cloud Security Alliance's new Open Certification Framework might be the next step in cooperative security.
Will the alliance take this step? Culturally, it flies in the face of IT's traditional individualist, go-it-alone ethos. But then again, whether cloud software gangs up or just toughens up, it will make the cloud tougher for criminals. Collective security can work even if not everyone wants to play.
â€” John Barnes is a science fiction writer, teacher, and consultant based in Denver.