Cloud security loomed over the RSA Conference this week as a major concern of business, but worry about the threat of cyberwar was also strong, with officials from the White House and FBI weighing in to encourage private participation in government efforts to defend information and communications networks.
During the highest profile panel at the conference, a former technical director of the National Security Agency bluntly said he doesn't trust cloud services.
Speaking for himself and not the agency, Brian Snow said cloud infrastructure can deliver services that customers can access securely, but the shared nature of the cloud leaves doubts about attack channels through other users in the cloud. "You don't know what else is cuddling up next to it," he said.
In his keynote address, Art Coviello, the president of RSA, the security arm of EMC, agreed that customers need to be assured the cloud is safe.
Coviello told the 4,000 attendees gathered for his talk that cloud services will inevitably be adopted widely because of the huge financial benefits they offer. "But you won't want any part of that unless service providers can demonstrate their ability to effectively enforce policy, prove compliance and manage multi- tenancy," he said.
The big problem is trust, he said. His own company announced at the show a partnership with Intel and VMware to improve trust by enabling measurement of cloud providers' security. The effort would let customers of cloud infrastructure services weigh the security of the service and get metrics to deliver to auditors who are sent to determine whether businesses comply with government and industry security standards. "Service providers should be able to tell compliance officers and auditors just about anything they need to know -- with verifiable metrics," Coviello said.
But warnings about other cloud threats came through loud and clear. At the Cloud Security Alliance (CSA) Summit held earlier in the conference, for example, the CSA announced a report on its top concerns about cloud security, and they were major, including documented use of cloud infrastructure-as-a-platform to launch botnets.
CSA, an industry consortium of users and vendors, also highlighted vulnerabilities in the means given to cloud customers to access and manage the services they buy. These APIs are not necessarily secure and could offer attackers a chink through which they could infiltrate cloud networks and the corporate content entrusted to them. The answer: "Ensure strong authentication and access controls are implemented in concert with encrypted transmission," CSA said. CSA's report details 10 threats as well as fixes, but stands as a warning about embracing cloud services without carefully weighing the downsides.
While Coviello touted the ability to give auditors and compliance officials the data they need to assure businesses meet security regulations, the validity of such regulations was questioned by the top White House cybersecurity adviser during his keynote address. Cybersecurity coordinator Howard Schmidt told the conference that security compliance under the Federal Information Security Management Act is flawed. "You can be [Federal Information Security Management Act] compliant but still not be secure," he said. "We agree that work needs to be done on that."
He said the government is addressing it with recommendations from the federal budget watchdog agency, the Office of Management and the Budget, due out next month. Rather than meeting a set of regulations, agencies will have to meet performance metrics. "These new metrics begin to move us from a static compliance-based metrics program to a continuous monitoring capability," Schmidt said.
Meanwhile, US Secretary of Homeland Security Janet Napolitano came to the conference as a recruiter, using her keynote address to acknowledge that government talent alone cannot address the threats the country faces. She announced that her department is seeking to fill top cybersecurity posts with candidates from outside government. "In fact, we may be trying to recruit some of you for your talent right now," she said. "We need it."
Napolitano also tried to interest conference attendees in a contest to create a national cybersecurity-awareness program for educating the general public in cyber threats they face and how they can contribute to help improve security. She said she wants the programs to include social networking and to be as effective as past government campaigns to reduce smoking and litter.
Government can't do the job itself because the vast majority of the US cyber infrastructure is privately owned. "I ask you to redouble the efforts that you are making to increase security, to increase reliability and to increase the quality of the products that you have that enter the global supply chain," Napolitano said.
She issued a call for automated security, and said that the government is working on an intrusion-prevention system (IPS) to protect US agency networks. She said the government is upgrading its intrusion-detection platform, Einstein 2, to an IPS, called Einstein 3. Einstein 2 is deployed in nine federal agencies as well as in the networks of carriers AT&T, Qwest and Sprint. Verizon is on the list to get it, too.
But Einstein 3 would automatically detect malicious activity and disable attempted intrusions before they can do harm, Napolitano said. She didn't give a timetable for when it will be deployable.
Meanwhile RSA Conference ploughed ahead with its traditional business of educating attendees about threats and the means for countering them. For instance, Jeremiah Grossman, CTO of White Hat Security, warned about an undetectable browser exploit that bares corporate networks to attackers.
That topped his list of the most effective new attacks that have been devised by researchers over the past year. Called DNS rebinding, attackers turn victims' browsers into Web proxies that do the attackers' bidding, he said.
The attack works by tricking browsers into seeking internal servers on the victim's network under the direction of the attacker, who can direct it to find and send corporate data, Grossman said. The browser exhibits no behaviour out of the ordinary, so the attacks go unnoticed.
And the conference named Altor Networks as winner of its Innovation Sandbox competition for most innovative product from a vendor with less than $5 million per year in business. Altor makes a virtual firewall platform for protecting VMware virtual machines that includes firewall and intrusion detection. It operates from within the hypervisor and the virtual switch, enabling examination of packets between virtual machines on the same physical host. The software includes an API for automated provisioning.