Kurt Roemer shared some time with Dave Vellante and John Furrier on theCube at the Citrix Synergy 2011 event yesterday. As the Chief Security Officer of Citrix, his insight into the state of the cloud and the enterprise is one of leadership and reveals a cutting-edge perspective. Starting with a basic definition of cloud security, moving on to a bit of Sony PSN hack analysis, and finishing with a peek at forthcoming government cloud security objectives, Kurt’s interview had very significant points that will certainly be heard around the industry.
Roemer offers that we are early in the “cloud security game”, in the second of nine innings. Applications such as Salesforce, GoToMeeting, and other SaaS applications existed before they were known as cloud applications; they were simply never called that before. So it’s very early in this game. Organizations are still looking for guidance, understanding, examples, and best practices as they adopt these technologies. Great effort is being put into the work by NIST, FedRAMP, the Cloud First Initiative, TechAmerica, the PCI council, and the Cloud 2 Commission, all of which offer guidance on how to use virtualization and clouds effectively.
The move to the cloud, and applying security to it, can be a do-over, and should be for many organizations. Some organizations have approached security in the right way, thinking through which goals they are trying to achieve with their security objectives. Interestingly, Roemer states that some of the best-secured organizations have thought about security last: their security has been the result of starting from their business goals and risk management, asking “What is our risk posture?”, “What’s acceptable risk?” and “What’s unacceptable?” Touching on the challenge of mobility, he continues with the introduction of the iPad into corporate environments and the challenge of accepting the risks it brings. The iPad is a consumer-grade device, classically not the type of device allowed into an enterprise, and the shift to these devices, along with the micro-applications and cloud applications they bring in, begs for a different security model to support them.
On the vision of security in the cloud and its proposition to business, Roemer addresses the value across the board. For small and medium-sized businesses, the introduction of cloud technology automatically brings a better security posture than could previously be achieved: given the cost of talent, resources, equipment, and applications under the traditional model, the inherent level of security would certainly rank lower than under the cloud model. Among larger organizations, some have approached security incredibly well, while others have not done it as well across the board. Cloud services, and the security built into them, automatically provide a better security stance for the latter type of organization. Roemer states:
“Any organization who still thinks that they have end-to-end ownership of everything and are still trying to manage their networks and all of their end users from that perspective – those organizations are delusional.”
“If you step back and say ‘Hey – we’re moving to the cloud. We’ve got this any-to-any model. How do we architect security to really protect what is important to us? How do we take our crown jewels and make sure they are protected at all times?’ – those are the organizations that are really going to do cloud security the right way and will innovate and will end up with a better security posture because the cloud forced them to recognize issues they have already been facing.”
Roemer shared thoughts on the Sony PSN issue:
“It shows that as organizations grow and mature, you have to have process, active and passive defenses in place. Consider the internet as a very hostile environment.”
Having processes in place was singled out as the most critical aspect of protection, along with the ability to react quickly and the partitioning of networks.
“So it’s not just break into the perimeter and anything goes. Make it difficult to go from Point A to Point Z. A WebApp Firewall would have helped.”
A web application firewall is a layer-7 defense technology that goes beyond the capabilities of a traditional firewall. Because it can inspect the application traffic itself rather than just ports and addresses, it can look for vectors such as cross-site scripting (XSS), SQL injection, parameter manipulation, and other common tampering attacks. It acts as an active defense that can be placed in front of any web-based application or service, and Roemer describes it as a necessity for today’s critical web. In all, however, Roemer feels that, while he has no particular knowledge of the attack, a combination of bad security practices and a lack of processes probably contributed to this compromise.
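To make the layer-7 point concrete, here is an added example (not code from the interview or from any Citrix product) of the kind of inspection a web application firewall performs on a reverse-proxied request: signature rules for the SQL injection and XSS vectors named above, plus a per-parameter schema that catches parameter manipulation a signature would never see. The hostname, parameter names and sample requests are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests as a reverse proxy would see them. A layer-3/4
# firewall only sees "TCP to port 443" and lets every one of these through.
SAMPLE_REQUESTS = [
    ("GET", "https://shop.example/item?id=42&qty=1"),                        # benign
    ("GET", "https://shop.example/item?id=42'%20OR%20'1'='1"),               # SQL injection
    ("GET", "https://shop.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),  # XSS
    ("GET", "https://shop.example/item?id=42&qty=-5"),                       # parameter tampering
]

# Negative (signature) rules: textbook markers of the two injection vectors.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(['\"]\s*(or|and)\s+['\"\d])|(;\s*(drop|union)\b)|(--\s*$)"),
    "xss": re.compile(r"(?i)(<\s*script\b)|(javascript:)"),
}

# Positive (schema) rules: what each parameter is allowed to look like.
# A negative quantity contains no "bad string", so only a schema check flags it.
PARAM_SCHEMA = {
    "id": lambda v: v.isdigit(),
    "qty": lambda v: v.isdigit() and 1 <= int(v) <= 99,
    "q": lambda v: len(v) <= 64,
}

def inspect_request(method, url):
    """Return a list of (finding, parameter) tuples; an empty list means allow."""
    findings = []
    # parse_qsl percent-decodes values, so signatures run on what the app would see.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for label, pattern in SIGNATURES.items():
            if pattern.search(value):
                findings.append((label, name))
        check = PARAM_SCHEMA.get(name)
        if check is None:
            findings.append(("unexpected-param", name))
        elif not check(value):
            findings.append(("param-tamper", name))
    return findings

def filter_requests(requests=SAMPLE_REQUESTS):
    """Run the inspection over a batch and pair each URL with its findings."""
    return [(url, inspect_request(method, url)) for method, url in requests]

if __name__ == "__main__":
    for url, findings in filter_requests():
        print("BLOCK" if findings else "ALLOW", url, findings)
```

The signature list is deliberately tiny; a production WAF carries far larger rule sets and, more importantly, the positive schema is what makes "point A to point Z" hard when an attacker's input contains nothing that looks like an attack string.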
On Citrix and open source, Roemer stated that their relationship with the community and “crowdsourcing” is a benefit that helps the company and the community respond to and protect against vulnerabilities. Citrix is not a company that immediately pops up in consumers’ minds as a security company; however, Citrix is a security company by design and in fact was awarded Security Organization of the Year for 2011 by the ISSA. Part of this winning approach is security realized by design and mentality: partitioning off the environment provides security, and virtualization makes that happen by its very design. There is no one-size-fits-all model for security, and open standards are incredibly helpful on that point. Also helpful to Citrix are the numerous partner technologies and practitioners that introduce other tools such as different firewalls, DLP, and more. These all help build a successful security strategy.
The conversation turned to security and privacy. Does one guarantee the other? Roemer states the two are closely related, but also very separate entities. They are often associated with each other, and bad practices in security can certainly produce privacy issues.
“We need to look beyond strong security, and look at what it means to protect data subject to legislation.”
From a business perspective, he notes that businesses are still dealing with this as it breaks, reviewing employee contracts and policies and, of course, addressing security as a whole.
“Security protects privacy, but privacy trumps security.”
Dave Vellante raised the notion of incentives to provide information voluntarily, such as on mobile devices and through participation in discounts, services, and so on. Roemer reflects that we have dealt with this for some time and points to customer loyalty cards from your supermarket. It’s an interesting world of questions around these issues, with much still to be determined.
Finally, with regard to Roemer’s April appointment as Chief Security Strategist to the United States Federal Cloud Computing Commission, he shares its goals and mission:
“The Cloud 2 Commission, which was pulled together by TechAmerica, to look at the public sector as well as enterprise.”
The commission is slated to produce a thirty-page recommendation statement at the end of July, along with a cloud buying guide. The goal is to cover which aspects are important when looking at cloud services. Emphasizing that the goal is not government intervention, “big brother”, politics, or who is running the cloud, Roemer focuses on what the goal actually is:
“How to increase agility, responsiveness, increasing transparency of government, understanding data sovereignty, border issues, interoperability; as clouds build out, we have the ability to take environments from one cloud provider to the next and not have lock-in.”
The goal is an increased ability for government to serve us, lower costs, and making it easy to innovate.
“These government efforts do not mean more government regulation – the fact that industry members form this opinion shows that government is learning from best practices, learning from industry, so that solutions can be used across government and industry and can be useful to citizens.”
Catch the interview here at SiliconAngle for more details.