Closing Keynote – State of the Union
Chris Hoff, who is the author of the Rational Survivability blog, gave a great closing keynote covering the last few years via his previous presentation titles and content. I can recommend reading / viewing the mentioned presentations. This was followed by a brief overview of current issues and trends, and then coverage of upcoming / very new areas of focus we all need to be aware of.
2008 – Platforms dictate capabilities (security) and operations – Read ‘The four horsemen of the virtualisation security apocalypse’
– Monolithic security vendor virtual appliances are the virtualisation version of the UTM argument.
– Virtualised security can seriously impact performance, resiliency and scalability
– Replicating many highly-available security applications and network topologies in virtual switches doesn’t work
– Virtualising security will not save you money. It will cost you more.
2009 – Realities of hybrid cloud, interesting attacks, changing security models – Read – ‘The frogs who desired a king – A virtualisation and cloud computing fable set to interpretive dance’
– Cloud is actually something to be really happy about; people who would not ordinarily think about security are doing so
– While we’re scrambling to adapt, we’re turning over rocks and shining lights in dark crevices
– Sure bad things will happen, but really smart people are engaging in meaningful dialogue and starting to work on solutions
– You’ll find that much of what you have works... perhaps just differently; setting expectations is critical
2010 – Turtles all the way down – Read – ‘Cloudifornication – Indiscriminate information intercourse involving internet infrastructure’
– Security becomes a question of scale
– Attacks on and attacks using large-scale public cloud providers are coming and cloud services are already being used for $evil
– Hybrid security solutions (and more of them) are needed
– Service transparency, assurance and auditability are key
– Providers have the chance to make security better. Be transparent.
2010 – Public cloud platform dependencies will liberate or kill you – Read ‘Cloudinomicon – Idempotent infrastructure, survivable systems and the return of information centricity’
– Not all cloud offerings are created equal or for the same reasons
– Differentiation based upon PLATFORM: Networking security, Transparency/visibility and forensics
– Apps in clouds can most definitely be deployed as securely or even more securely than in an enterprise
– However, this often requires profound architectural, operational, technology, security and compliance model changes
– What makes cloud platforms tick matters in the long term
2011 – Security Automation FTW – Read ‘Commode computing – from squat pots to cloud bots – better waste management through security automation’
– Don’t just sit there: it won’t automate itself
– Recognise, accept and move on: The DMZ design pattern is dead
– Make use of existing / new services: you don’t have to do it all yourself
– Demand and use programmatic interfaces from security solutions
– Encourage networks / security wonks to use tools / learn to program / use automation
– Squash audit inefficiency and maximise efficacy
– DevOps and security need to make nice
– AppSec and SDLC are huge
– Automate data protection
2012 – Keepin it real with respect to challenges and changing landscape – Read – ‘The 7 dirty words of Cloud Security’
2012 – DevOps, continual deployment, platforms – Read – ‘Sh*t my Cloud evangelist says …Just not to my CSO’
– [Missing] Instrumentation that is inclusive of security
– [Missing] Intelligence and context shared between infrastructure and application layers
– [Missing] Maturity of “Automation Mechanics” and frameworks
– [Missing] Standard interfaces, precise syntactical representation of elemental security constructs
– [Missing] An operational methodology that ensures a common understanding of outcomes and ‘agile’ culture in general
– [Missing] Sanitary application security practices
– Mobility, Internet of Things, Consumerisation
– New application architecture and platforms (Azure, Cloud foundry, NoSQL, Cassandra, Hadoop etc.)
– APIs – everything connected by APIs
– DevOps – Need to understand how this works and who owns security
– Programmatic (virtualised) Networking and SDN (Software Defined Network)
– Advanced adversaries and tactics (APTs, organised crime, nation states, using cloud and virtualisation benefits to attack us etc.)
– Security analytics and intelligence – security data is becoming ‘big data’ – Volume. Velocity. Variety. Veracity.
– AppSec Reloaded – APIs. REST. PaaS. DevOps. – On top of all the existing AppSec issues – how long has the OWASP top threats remained largely unchanged??
– Security as a Service 2.0 – “Cloud.” SDN. Virtualised.
– Offensive security – Cyber. Cyber. Cyber. Cyber… Instead of just being purely defensive, do things more proactively – not necessarily actually attacking them; this can mean deceiving them with honeypots / honeynets, fingerprinting the attack, tracking back the connections etc., all the way up to actually striking back.
– Public clouds are marching onward; Platforms are maturing… Getting simpler to deploy and operate at the platform level, but have heavy impact on application architecture
– Private clouds are getting more complex (as expected) and the use case differences between the two are obvious; more exposed infrastructure connected knobs and dials
– Hybrid clouds are emerging, hypervisors commoditised and orchestration / provisioning systems differentiate as ecosystem and corporate interests emerge
– Mobility (workload and consuming devices) and APIs are everywhere
– Network models are being abstracted even further (Physical > Virtual > Overlay) and that creates more ‘simplexity’
– Application and information ‘ETL sprawl’ is a force to be reckoned with
– Security is getting much more interesting!
This was a great wrap-up highlighting the last few years’ issues (how many of these have we really fixed?), along with where we are now and a nice summary of what’s coming up. Are you up to speed with all the current and outstanding issues you need to be aware of? How prepared are you and your organisation for what’s coming up? Don’t be like the 3 monkeys.. 😉
While the picture is complex and we have loads of work to do, Chris’s last point aptly sums up why I love security and working in the security field!
Lastly, have a look at Chris’s blog, http://www.rationalsurvivability.com/blog/, which has loads of interesting content.