The Tangled Mes (Part 2)

Is cloud computing the answer to the tangled mess of IT that I wrote about in September?

Certainly the current enthusiasm for cloud comes in part from business units on the rebound from IT departments with tangled messes, unreasonable costs, and lengthy delays. Cloud, they hope, will cut their IT costs while making them ever so more agile.

And so it might, for green field applications. Cloud computing – as delivered through innovations such as virtualization – can work wonders. But it can’t take a tangled mess of existing legacy systems and bad designs, move them to a cloud computing service, and expect them to get better. A straight migration is not always the answer.

Suppose business units just moved green field applications to the cloud that have no dependencies on legacy IT? While green field applications exist, the business IT landscape is not green, but brown. Applications must integrate with other applications, share data, meet compliance mandates.

Benjamin Franklin once said that the definition of insanity is doing the same thing over and over again but expecting to get different results. So it is with expecting cloud computing to accomplish miracles; IT is littered with the corpses of “next big things” that failed to do that.

Instead of naively or insanely hoping that cloud computing is the quick fix for the tangled mess, we need to think of IT strategically. In an upcoming post, we’ll see whether the use of service-oriented principles in building cloud and “terrestrial IT” applications may offer a path forward.

More cloud mischief as Amazon users get dinged for spam

So many things about this news that Spamhaus has blacklisted or policy-blocked the entire Amazon Elastic Computing (EC2) service is worrisome

• Attackers are wreaking havoc in at least two IaaS environments (yes, Rackspace too)
• Amazon and the users with their virtual machines seem unable to stop the malware from spreading within the multi-tenant environment
• Legitimate users whose VMs are not compromised in effect suffer a denial of service, getting blacklisted or graylisted along with the real spammers
• Once Amazon smooths all this over, in its typical “security by obscurity” fashion the company is unlikely to come clean with customers about the full scope of the vulnerability

While waiting for a fix, users can bounce mail through an authenticated SMTP relay such as the enterprise mail server. Not an ideal situation, but at least a workaround.

Cloud vendors of Amazon’s ilk need to provide filtering services that AMI users can opt into. Receiving an alert that some of your email is being blocked as spam might be occasionally inconvenient if it was a false positive, but should at least as often function as a species of intrusion detection. More than likely Amazon could even charge for it.

The Tangled Mess (Part 1)

I’ve just recently returned from delivering a cloud computing seminar as part of a road trip visiting Burton Group customers with my colleague Anne Thomas Manes.

My job was to deliver the security content and field the security questions. But in a way, the subject matter Anne dealt with was harder. She addressed some difficult fundamental questions that customers have. To paraphrase: “How can we manage all the applications in our complex IT environment and do a better job of developing applications in the future?” Given the obvious relationship between manageability and security I paid close attention.

Repeatedly Anne said: “Our IT systems are a tangled mess.” In the seminar, she used the figure below to amplify this point. In some meetings she used the term “tangled mess” as shorthand for larger discussions.

Source: IBM

That IT is a mess probably isn’t news to you. Personally, I saw my first mess picture in 1993. The fact of the matter is that IT environments comprise multiple generations of technology, one overlaid over the other, customized into strange designs by the unique requirements of organizations, the deployment styles of individuals, and the crazy pressures of costs and deadlines. It is the technology equivalent of the Grand Canyon’s layered and eroded geology.

We are all curators of an IT museum. Many organizations spend almost all of their budget just maintaining the museum.

Organizations are trying to understand and improve the tangled mess of their IT environments by following various processes and maintaining catalogs or repositories, such as:

• Asset management systems support license management, contract, and inventory functions for hardware and software. In security, we often use these systems to inform vulnerability and risk management.

• Configuration management databases (CMDBs), which derive from the ITIL framework, keep track of the configuration of production systems in deployment, and the relationships between those systems.

• Software service registries provides a central point of reference and integration among all managed web services (or similar) application and infrastructure components. A service registry also provides a standard mechanism for advertising and discovering services, service metadata, and service policies.

• Software asset repositories maintain numerous software artifacts and their relationships and dependencies, including code, components, metadata, configuration files, and documentation. These repositories support software development activities as opposed to runtime operations. They are much more common than software service registries.

• Data management systems seek to model, classify, catalog, or actively cleanse, mine, or warehouse data.

Unfortunately, each of these management disciplines is shooting at a moving IT environment target and is itself a moving target. For example, server virtualization (and live migration of virtual machines) has thrown a monkey wrench into existing hardware asset management and CMDB systems as well as complicating data path visualization. Management systems may be provided by multiple vendors and are generally maintained by multiple support groups. Coordination or synchronization amongst repositories is imperfect at best.

What will happen when we try to move IT functions to the cloud? To be continued…

Not one cloud fits all

During the Catalyst conference, some of us Burton Group analysts covering cloud computing risks got the pushback that our positions are overly cautious. One has to be careful these days not to get caught up in the hype, or the fear. Because “cloud computing” is such a general term, any statement or position one takes gets applied to every type of service and vendor. Yet while many vendors and customers use or provide cloud computing, not all of them agree on what it means.

Burton Group categorizes clouds as internal, private (community), or public. When it comes to internal cloud, the organization runs its own virtualized and/or web-facing IT environment. The primary difference between internal cloud and dedicated IT facilities is architectural. Information protection can be accomplished through familiar internal processes, though details of the technologies change.

The strongest security concerns arise with public, multi-tenant cloud service providers that might process and store the organization’s sensitive data. We’ve expressed concerns about public cloud service providers in the posts Cloud Computing: Who is in Control? and To cloud computing vendors: Stop practicing security by obscurity!

Private (community) clouds fall in between internal cloud services and public cloud services. Some actually deliver software, hardware infrastructure, or both as a service but design and operate the service for customers in a particular vertical industry, such as aerospace, automotive, financial, or health. Some have been around for years and only recently jumped on the cloud computing bandwagon; others are still wondering whether to associate themselves with it. Covisint, Exostar, IntraLinks, SecuritiesHub, and Sentillion are just a few examples of service providers that seem to fit the private (community) mold.

The real question is not whether these and other service providers call themselves cloud, but what value do they deliver and how well do they protect customer interests? Some of them tailor their security measures, audit reports, and contracts to the needs of their vertical industry. A customer in their target industry may be better off with them than with public cloud vendors from a security perspective.

One must also attune security and compliance expectations for service providers to what you’re relying on them for. You have to get past the description of a service and analyze it based on the technical capabilities it’s actually providing. For example, multiple providers may claim to offer “secure collaboration,” but one may be an identity broker that sidesteps liability by not storing any customer data while another actually provides secure document storage. The technical security requirements for these two providers should be different.

The industry is clearly evolving toward a hybrid cloud environment where many different types of cloud offerings (both internal and external) will interact to provide different layers of service. As a customer, you can choose to keep some data and some layers of service under the wing of internal IT facilities; move commodity functions into low cost, public cloud services; or subscribe to vertical industry oriented community services. How you mix and max services and what you rely on them for in the hybrid cloud environment determines your risk and requirements. It’s not one cloud fits all.

And in that light, our guidance to “Be very cautious about putting sensitive data into the cloud” is still good. One needs to be very careful with sensitive data - wherever one puts it!

BYOC and desktop virtualization security

Eric Maiwald recently blogged about BYOC on our Burton Group blog. In the post, he mentioned that I've been working on endpoint virtualization technologies:

- Presentation virtualization
- Application virtualization and streaming
- Full client-hosted or server-hosted desktop virtualization

These technologies all have their cost, functionality, and security tradeoffs which are described in my just-finished Burton Group reports. I'll try and blog more about it later (or let me know in the comments if I should do that sooner :-)

Vendors such as Citrix, Microsoft, and VMware are starting hybridize endpoint virtualization so that their products can move workloads offline or online, migrate data, and loosen or tighten security depending on policies that should vary based on whether the data in sensitive or not, and whether the user is

- an employee, contractor, or in some other relationship to the organization
- stationary in a dedicated facility or a mobile road warrior
- a knowledge worker, task worker, or somewhat in between

What I said in my presentations at Burton Group Catalyst last week was that virtualization can help slay the four horsemen of the traditional thick client (unmanageability, high support costs, public malware epidemic, and information sprawl/exposure) by decoupling data from applications, applications from OS, or OS from device.

We have a brave new world of endpoint and information management ahead of us thanks to virtualization. Not only are the hybrid products from the major vendors emerging, but there are a number of very interesting startup companies including Leostream, Neocleus, Ringcube, and Virtual Computer that I've spoken with, and all of whom are very interesting and creative in adding value to their niches.

Notwithstanding such progress, we're not yet quite ready for wholesale desktop replacement. Even by mid-2010 when many of the security and management enhancements from the major vendors come to fruition, there are still tough licensing, hypervisor commoditization, remote attestation of endpoint health and other questions to resolve. When BYOC means that any user can bring any computer to work (with no centralized configuration management of the OS) it is actually one of the toughest use cases.

However, organizations can get some solid business benefits from various endpoint virtualization use cases immediately and I think we'll see a lot more of it down the road.

Identity 2009: A Market in Upheaval

Bob Blakley kicked the Catalyst 2009 identity discussion off by asking the audience not mourn the coming death of the meta-directory and enterprise identity management (IdM), but celebrate the birth of a new market premised around the holistic, virtual “person” identity.” The millennial generation, as well as externalization, are driving this trend. Many young millennials have had computers all their lives, and they are ready and waiting for personal identity solutions.

The market is still doing well – 6 o6 7 vendor have raised revenue even during the bad economy. The ones that did well offered quick time-to-value compliance fixes (such as Active Directory bridge products.

Mid-tier vendors have done well because they’re products are integrated well, developed organically. Large suites are struggling, however, as customer budgets are tight. Notwithstanding tight budgets, IdM programs not getting cancelled due to their criticality for security and (in many cases) their potential to bring cost reduction.

The Oracle acquisition of Sun has redefined how we think about vendor viability. The acquisition is not necessarily a bad thing for customers; we don’t think Sun customers will be “cut off” or anything like that, But it creates uncertainty. It has also made us dream again about data portability, products interchangeability.

Interest is growing in SaaS providers due to a focus on 3-6 month ROI; lot of vendors coming into this market. We’re hearing about a “new vendor every day, sometimes more.” And there may be some that we haven’t heard about. The rise of SaaS is also driving a resurgence of interest in federated provisioning, in the Service Provisioning Markup (SPML). SPML has lain fallow, still lacks a schema, and this could be an area needing enhancement in the future.

Lori Rowland suggests that provisioning has also been a “beasty” product niche, often too complex and overloaded with unnecessary features. The products are still struggling with role management, compliance, and user experience issues. They have multiple audiences – administrators, business users, and auditors or regulators and not all features are well suited to each audience.

Lori suggests that provisioning needs to be like an “orchestra” - more nimble and flexible. It needs to bring different capabilities to different combinations of issues that customers have. Part of the problem has been terminology, terms like "provisioning" and "entitlements management" are overloaded.

What's hot? Mark Diodati discussed privileged user management, a critical issue that shouldn't be obscured in a cloud of terminology. The accounts used by super-users shouldn't be shared, or used casually. There must be sufficient accountability, audit, and assurance around the use of these accounts. Vendors such as Cyber-Ark create special repositories to check in / check out privileged accounts.

Kevin Kampman and the rest of the team tell us that role management is still hot too. Organizations aren't saying "when" they're saying "how." Or, as Bob cynically puts it "When again?" My own (Dan Blum's) opinion of RBAC is that it is one of the enterprise identity management perennials; though it won't scale to multi-domain environments, it is important for domain compliance. But companies are outrunning their tools.

Federated identity, on the other hand, is coming into its own with cloud computing. If a technology only becomes successful when it is invisibly integrated into other technologies, then federated identity is on its way. Most SaaS products support some federation protocol, but they're not marketed as "federation" products. At the same time, true federation products are flourishing as well as open source tools such as OpenSAML.

Burton Group is hosting a federation interop event tonight, including demos with cloud computing services. Bob noted that Burton Group also has production federation available with at least one customer today.

Identity management is also converging with other security market niches, such as data leakage prevention (DLP) and security information and event management (SIEM). Identity needs to infuse other security policy enforcement, or detection controls. Lori also identified IdM affinities with ITIL and business process management. I've always felt that role management and BPM were long lost cousins.

What's not hot: the market category governance, risk, and compliance (GRC) seems to be getting consigned to the dustbin of bad terminology.

iPhone debased

Wired just came out with a good article on how mass commercialization and convenience is debasing the iPhone.

The original iPhone didn’t store (much?) data locally but this has changed. I’ve just confirmed it for myself – even in airplane mode I can access stored Microsoft Exchange email. And of course anything from the App Store will do whatever it does.

Moreover, banks and other ecommerce sites are enabling riskier mobile functionality. You’ve probably seen TV shows where international criminals and arms dealers wire money from their cell phones. Now if you’re mugged the thugs don’t even have to drag you up to your ATM at gunpoint anymore. I haven’t tested THAT out yet, nor do I intend to!

Skilled hackers are developing exploits and providing them as free, convenient tools for common thieves.

If you compare the data in the National Vulnerability Database for BlackBerry with the data for iPhone the contrast is pretty stark. Is this contrast due to BlackBerry's more closed architecture, or is it that RIM does a better job than Apple, or both? My theory is both. Apple could do a lot to improve, but at the end of day, the convenience and openness of a general purpose OS inevitably debases security.