Cloud computing is upending many assumptions that we make as IT professionals. An important, and often overlooked, one is the death of perimeter security.
As humans, we like borders. We like to know that what’s outside is bad, but we’re safe on the inside. That’s led to terms like the demilitarized zone (DMZ), which describes the no-man’s-land between our internal, soft underbelly and the Wild West of the Internet.
The border’s days are numbered, however. The false sense of security that perimeters offer vanishes when applications move to an on-demand environment like a cloud. We have less control over what lives where—indeed, if we’re designing our cloud architectures properly, then systems come and go according to demand, often running on whatever hardware has just become free.
A more modern way of thinking about security is to consider the behavior of the application. This is something makers of antivirus software and proponents of end-node security have long called for, but with clouds, it’s a necessity. Tomorrow’s application and its security permissions are inextricably linked. The application may even have different security behaviors depending on where it’s running in order to meet compliance requirements.
Cloud providers can hire smarter security professionals than the rest of us. They also represent a disinterested third party which, in theory, cares less about our businesses—and as a result, can do less damage—than internal employees. At the same time, clouds are a shared resource that present tantalizing new weaknesses for attackers.
At Cloud Connect this year, we’re tackling the subject of cloud security in two ways. First, there’s a Monday CloudSec workshop run by Rational Survivability’s Chris Hoff (whose excellent, and refreshingly blunt, blog covers cloud security in detail.) And in our main conference, Intel’s Steve Orrin is running a series of sessions on cloud security. Expanded coverage on security is one of many new additions to this year’s Cloud Connect workshops and conference tracks.