During a panel session at the RSA conference, Eva Chen (CEO of Trend Micro) and Jay Chaudhry (CEO of Zscaler) had a lively debate about the role of Cloud computing in providing Security as a Service. Trend Micro recently released the Smart Protection Network, which uses an end-point agent that works closely with a Cloud service to provide web, email and file reputation services. Zscaler, by contrast, proxies all web traffic through the service, requiring no end-point agent. The debate focused on how much of the security service should be located externally. Many points were debated, including latency, bandwidth, and reliability, but one of the most contentious issues was data privacy.
Before I elaborate, it's important to mention why an organization would want to consider a Cloud offering for outsourcing aspects of security. One of the earliest Security as a Service offerings was Postini in early 2000 (acquired by Google in 2007). Moving Anti-Spam and Email Anti-Malware outside of the organization was a simple matter of changing the MX record. Organizations could rapidly acquire these services without the costs and complexities of a physical appliance or software solution, and the per user pricing ensured a fair cost for organizations of all sizes.
So clearly, cost (both OPEX and CAPEX) was an initial motivator, but over time providers have used the centralized nature of the service to provide significant benefits other than cost. The providers can be much more responsive, with real-time services replacing staged updates, and multi-tenant data correlation enhances everyone's service. The central infrastructure also proves more fault tolerant than individual appliances or software solutions for the most part, though when service provider failures do occur they have a much broader impact. In short, moving to the Cloud enhances security, providing much bigger and more intangible benefits than cost savings.
Recently a new generation of Security as a Service Anti-Malware offerings has emerged. Trend Micro, Panda Security and McAfee have all recently released Cloud-based services. They all use a driver at the end points which, instead of scanning against a set of signatures, creates a hash of the file. The hash is looked up in the Cloud and the service returns a result of good, bad or unknown. In the case of unknown files, the contents are then fully scanned (either locally or uploaded to the Cloud depending on the provider and circumstance). A local cache of hashes allows future full scans to determine safe files much faster than signature matches. The collective nature means that 99.9% of the files on your system have likely already been scanned and the hash categorized by someone. There is actually a lot of overlap here with another type of security control, File Integrity Monitoring, but I'll leave that for another day. These capabilities are augmented by other reputation and URL blocking services to create a strong shield against web threats. As with Cloud-based email proxies, because hashes (and sometimes content) are being sent to the Cloud, there is a measure of trust required in the provider.
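The lookup flow described above, as an added example that is not from the original post or from any vendor's product: it models the variant where unknown files are uploaded for a full scan, and counts what the provider gets to see. `CloudReputation`, `EndpointAgent`, the marker string and the sample contents are all hypothetical, constructed for illustration.

```python
import hashlib
from enum import Enum

Verdict = Enum("Verdict", "GOOD BAD UNKNOWN")
# Constructed sample file contents; MARKER stands in for a real detection.
MARKER = b"CONSTRUCTED-BAD-MARKER"
COMMON = b"contents of a widely deployed system file"
NOVEL = b"internal document nobody else has seen"
DROPPER = b"new sample carrying " + MARKER

def sha256(content):
    return hashlib.sha256(content).hexdigest()

class CloudReputation:
    """In-memory stand-in for a provider's lookup service (hypothetical)."""
    def __init__(self, known):
        self.known = dict(known)   # digest -> Verdict, shared by all tenants
        self.lookups = 0           # hashes disclosed to the provider
        self.bytes_uploaded = 0    # file content disclosed to the provider

    def lookup(self, digest):
        self.lookups += 1
        return self.known.get(digest, Verdict.UNKNOWN)

    def full_scan(self, content):
        self.bytes_uploaded += len(content)
        verdict = Verdict.BAD if MARKER in content else Verdict.GOOD
        self.known[sha256(content)] = verdict  # later lookups by anyone hit this
        return verdict

class EndpointAgent:
    def __init__(self, cloud):
        self.cloud, self.cache = cloud, {}

    def check(self, content):
        digest = sha256(content)
        if digest not in self.cache:           # cache hit means no traffic at all
            verdict = self.cloud.lookup(digest)
            if verdict is Verdict.UNKNOWN:     # only now does content leave the host
                verdict = self.cloud.full_scan(content)
            self.cache[digest] = verdict
        return self.cache[digest]

def demo():
    cloud = CloudReputation({sha256(COMMON): Verdict.GOOD})
    a, b = EndpointAgent(cloud), EndpointAgent(cloud)
    results = [a.check(COMMON), a.check(NOVEL), a.check(NOVEL),
               b.check(NOVEL), b.check(DROPPER), a.check(DROPPER)]
    return results, cloud.lookups, cloud.bytes_uploaded
```

Six checks produce five hash lookups but only two content uploads, and the second agent gets verdicts on both unknown files without sending their contents; the uploads are where the trust in the provider is actually spent.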
Zscaler, Purewire and others offload all of the work to the Cloud by providing the various security services (URL Filtering, Anti-Malware, DLP, etc.) as a web proxy/gateway. The advantage, of course, is the lack of end-point agents to deploy and maintain, as well as platform-neutral protection for many devices. I suspect, though, that for many organizations the idea of all of their web traffic going through an external provider may be a barrier.
Other Cloud-based scanning services, like Qualys' Vulnerability Scanner or HP's Application Security, do not deal with raw data from an organization, though their findings are still very sensitive.
Clearly, the architecture of the solution is important. The more of the stack we move to the Cloud the less there is to deploy and manage locally, but the more trust we have to put in the provider and the more reliant we are on Internet connectivity and availability of the provider. The axiom "Trust but verify" is hard to apply in these environments because of the lack of visibility into the data end-to-end. The Cloud Security Alliance is working hard to address the complex issues of shifting layers of the stack to providers in all areas of Cloud computing.
As much as organizations may hesitate on Security as a Service, it is too important an advancement to simply ignore. The enhanced security services and significant cost savings are inevitably going to pull us closer to the Cloud. It is key to evaluate the architecture and determine the acceptable risk level. Trusting a provider's service quality, uptime or ROI is nothing new, but trusting a provider with our precious data does require a new level of something else usually associated with the sky... Faith. If we put our faith in the providers, we can realize significant benefits in return. Other SaaS offerings like CRM giant SalesForce.com have done a good job of instilling the level of trust needed to be successful, and I suspect the Security as a Service market will do the same.
I'm interested to see where this goes and how many of our current 'point solutions' end up in the Cloud (or partially in the Cloud). I'm also interested to see how this impacts how the Cloud itself is secured. It seems only a natural fit that Security as a Service will ultimately have a large role in other SaaS, PaaS and IaaS offerings both external and internal to the organization.

Great info, I love this site
http://www.datcompros.com
Posted by: Wes Jackson | June 25, 2009 at 11:46 AM