“Policy as a Service” – Critical for Cloud Deployments!

ulrichThe financial ROI of Cloud security and compliance is judged by decision makers in end-user organizations by the same measures as is done for Cloud computing in general, i.e. by how much it cuts up-front capital expenditure and in-house manual maintenance cost.

However, manually translating security policy into technical implementation is difficult, expensive, and error-prone (esp. for the application layer). In order to reduce security related manual maintenance cost at the end-user organization, security tools need to become more automated.

With the emergence of Cloud PaaS, it is therefore logical to move all or parts of the model-driven security architecture into the Cloud to protect and audit Cloud applications and mashups with maximal automation. In particular, policies are provided as a Cloud service to application development and deployment tools (i.e. “Policy as a Service”), and policy automation is embedded into Cloud application deployment and runtime platforms (i.e. automated policy generation/update, enforcement, monitoring).

Different Cloud deployment scenarios are possible, which differ from local non-Cloud deployments where model-driven security is conventionally installed within or alongside a locally installed development tool (e.g. Eclipse). Policy as a Service (see ObjectSecurity OpenPMF) involves five parts:

1. Policy Configuration from the Cloud: Policy configurations are provided as subscription-based Cloud service to application development tools. Offering specification, maintenance, and update of policy models as a Cloud service to application developers and security experts has significant benefits:

Most importantly, instead of having to specify (or buy and install) and maintain the policy models used for model-driven security on an on-going basis, application developers and security specialists can now simply subscribe to the kinds of policy feeds they require without the need to know the details of the models.

The Policy as a Service provider (typically different from the Cloud provider) takes care of policy modeling, maintenance, and update. Other benefits are that the user organization does not need to be a security and compliance expert because the up-to-date policy models will be provided as a feed to them on an on-going basis, that the upfront cost hurdle is minimized thanks to the subscription model, and that there is no need by the end user organization to continually monitor regulations and best practices for changes.

2. Automatic Technical Policy Generation in the Cloud: The automatic policy generation feature of MDS is integrated into the development, deployment, and mashup tools (to get access to functional application information).

It consumes the policy feed described in the previous section. Platform as a Service (PaaS) sometimes includes both Cloud hosted development and mashup tools and a Cloud hosted runtime application platform. In this case, automatic technical policy generation using model-driven security (MDS) can also be moved into the Cloud, so that technical security policies can be automatically be generated for the applications during the Cloud hosted development, deployment and/or mashup process.

This is in particular the case for mashup tools, because those tools are more likely to be Cloud hosted, are often graphical and/or model-driven, and are concerned with interactions and information flows between Cloud services. If the development tools are not hosted on the PaaS Cloud, then the MDS technical policy auto-generation feature needs to be integrated into the local development tools.

3. Automatic Security Policy Enforcement in the Cloud: Policy enforcement should naturally be integrated into the PaaS application platform so that the generated technical policies are automatically enforced whenever Cloud services are accessed.

As described in the previous section, policies are either generated within Cloud using hosted MDS and PaaS development tools, or are uploaded from local MDS and development tools. How policy enforcement points are built into the PaaS application platform depends on whether the PaaS application platform (1) allows the installation of a policy enforcement point (e.g. various open source PaaS platforms, e.g. see case studies below), (2) supports a standards based policy enforcement point (e.g. OASIS XACML), or (3) supports a proprietary policy enforcement point.

4. Automatic Policy Monitoring into the Cloud: Policy enforcement points typically raise security related runtime alerts, especially about incidents related to invocations that have been blocked. The collection, analysis and visual representation of those alerts can also be moved into the Cloud.

This has numerous benefits: Incidents can be centrally analyzed for multiple Cloud services together with other information (e.g. network intrusion detection). Also, an integrated visual representation of the security posture across multiple Cloud services can be provided, integrated incident information can be stored for auditing purposes, and compliance related decision support tools can be offered as a Cloud service.

5. Automatic Updating: The described model-driven approach enables automatic updates of technical security policy enforcement and auditing whenever applications and especially their interactions, change. The same automation is possible when security policy requirements change.

Publications about this can be found in the ISSA Journal October 2010 and on IBM developerWorks. Contact me if you would like to know more information about Policy as a Service.

It is also important to note that model-driven security (MDS) does not necessarily rely on model-driven development to work – even though it relies on application, system, and interaction models (so-called “functional models”) to achieve significant security policy automation.

The traditional MDS approach is that these functional models ideally come from manually defined application models authored during model-driven development (e.g. UML, BPMN). But this is not necessary. We have designed an additional solution for our OpenPMF where the functional models are in fact obtained from an IT asset management tool that is part of our partner’s (Promia, Inc.) intrusion detection/prevention product Raven. This works well, and enables the use of model-driven security in environments which do not support model-driven development or where model-driven development is not desired.

While this may not sound like a big deal, it is in fact a big deal, because it increases the widespread applicability of model-driven security dramatically, and makes adoption a lot easier.

(note: this was cross-posted from www.modeldrivensecurity.org) by Dr. Ulrich Lang, CEO, ObjectSecurity

Data is the new perimeter for cloud security

By Mike Gault, Ph.D.

The cyber security market in 2012 is estimated at $60 billion, yet adding more and more layers of perimeter security may lead to a false sense of security and be completely useless against a determined system administrator working on the inside. The end result is that your data might be secure or it might not – you simply have no way to prove it.

Shawn Henry, FBI veteran of 24 years and now president of CrowdStrike Services had this to say about integrity at the Black Hat conference this year: “These days, you can’t just protect the information from being viewed. You also need to protect it from being changed or modified.”

This leads to the question: Would you know if an attacker or your own system administrator got to your data?

Traditionally, the ‘integrity’ component of the CIA triad of data security [confidentiality, integrity, availability] has focused on protecting the integrity of data. But proving the integrity of data – knowing you have not been compromised – is equally if not more important.

We have been nibbling around the edges of this with checksums and other one-way hash algorithms but have yet to create truly scalable, rock-solid mechanisms to prove integrity.

It’s as though we have taken a car that holds our most precious cargo (our children) and wrapped it with increasing layers of protection but we fail to create a way to monitor the brakes or onboard computers for tampering or other untoward acts.

Data is the new perimeter

Many experts have come to the conclusion that all networks will eventually be compromised, so security should be focused on protecting data and less about the perimeter – i.e., what is required is a data-centric focus on security.

What is needed is an infrastructure that’s designed to deliver digital signatures for data at scale, ensuring that verification of the signatures does not require trusting any single party.

Donald Rumsfeld famously compared the difference between known unknowns and unknown unknowns. Digital signatures that are essentially ‘keyless’ have the power to convert one unknown — “Is my security working?” – to a known: “I have proof that my applications and data have not been compromised and that proof is independent from the people operating those systems.”

So what is a keyless signature? In a nutshell, a keyless signature is a software-generated tag for electronic data that provides proof of signing time, entity, and data integrity. Once the electronic data is tagged, it means that wherever that data goes, anyone can validate when and where that data was tagged and that not a single bit has changed since that point in time. The tag, or signature, never expires and verification relies only on mathematics – no keys, secrets, certificates, or trusted third parties – just math.

And we can all trust math.

About the Author
Mike Gault is CEO of Guardtime, a developer of digital signatures that algorithmically prove the time, origin and integrity of electronic data. He started his career conducting research in Japan on the computer simulation of quantum effect transistors. He then spent 10 years doing quantitative financial modeling and trading financial derivatives at Credit Suisse and Barclays Capital. Mike received a Ph.D. in Electronic Engineering from the University of Wales and an MBA from the Kellogg-HKUST Executive MBA Program in Hong Kong. You can reach him at Mike.Gault@guardtime.com or visit http://www.guardtime.com.

Rapid Application Development – In Plain English

Enough Already with the Excess Words...

Can we please just speak English?

Whenever a new technology appears, there is a short period of time where every body with an idea about branding want’s to “coin a phrase” or be the “first” to use a term.  As much fun as I am sure all that may be, the problem is that when the technology leaves it’s infancy and begins to stand on it’s own, we are left with a great many terms that we do not fully understand in our race to agree on the terms that we do.  One of the things I would like to do is provide you with a working understanding of certain development lingo, so that you do not find yourself in agreement with a salesperson who is selling you something very different than what you think you are buying. Such is often the case with Rapid Application Development.

According to Wikipedia, Rapid application development (RAD) is a software development methodology that uses minimal planning in favor of rapid prototyping. The “planning” of software developed using RAD is interleaved with writing the software itself. The lack of extensive pre-planning generally allows software to be written much faster, and makes it easier to change requirements.  James Martin’s Book, “Rapid Application Development”, makes reference to the need to make it up as you go along.  As far back as 1995 the term was being used by Ellen Gottesdeiner in “Application Development Trends” August Issue.  This is not a new concept.  Despite this fact, the cloud has brought it fully back into focus like never before.

What is important is to understand that Rapids Application Development is a process, not a tool.  A Tool that can assist in the process of Rapid Application Development is called a RAD Tool.  If you combine a RAD Tool with other RAD Tools, you end up with a RAD Suite.  They come in different flavors depending on where you are developing the application for.  As a Google Apps re-seller, I am predisposed to Google Apps, and the Google App Engine.  This is by no means the only way to go, it just happens to be the one I am most familiar with.

Now, to use the Google App Engine, you will need to write a program.  This can be done in Java, Python, or if you have a Linux Environment, you can even download the Go language SDK and write it in Native Go code.  Let’s assume you want the robust capabilities of Java.  We can also just say you have a Windows box and have no choice…either way works for this example.

You have two choices…you can start from scratch and build the entire thing from the ground up…or you can go get RAD.  Let’s imagine we have two companies.  We will call one “Alpha Soda Distributors”.  We will refer to the other as “Beta Drink Company”.  Both of these companies are competing bottlers, who have moved to Goggle Apps and have decided to develop an online application that will run on Google App Engine and be available to all devices and all users.  They have selected this platform because they are expecting expansive growth, and do not wish to be forced to scale their organizations software a third and fourth time.  Alpha Soda decides to use Giffy.  Beta Drinks decides to use the Java SDK with Eclipse.  Both start out just fine.  They plan, they chat, they bring in consultants to get the right information, and they are off and running.

Funny thing.  Three months have now gone by, and something odd is taking place.  Alpha Soda is using their application, and Beta drinks is still trying to work through the class structure!  Both are using the professional services of experts in their design, so why is one taking so much longer?  Because of the tools selected.

A Development Suite starts from a sheet of White Paper and allows you to do almost anything, but you have to decide how anything will be done.  A RAD Suite has a set of predetermined tools you can simply use-as-is to make the act of developing your application that much faster.  One specific example is that you rid yourself of writing boiler plate code for CRUD (CREATE, RETRIEVE, UPDATE, DELETE records in a normal Relational Database Management System application) operations which consume most of the time.  If you are going to write a stable application for Google App Engine, you need to keep in mind that Google App Engine DOES NOT support RDBMS operations, only access to the APIs, and you will have to fend for yourself and your data. This is where the time is lost.   In Giffy you create a Entity Kind deploy, configure the rules and start using “deploy to Appengine”.  This speeds things along, without sacrificing stability.

It is not impossible to do any of these things in Eclipse with the Java 6 SDK.  But while Beta Drinks runs into scheduling and cost overruns on their Google App Engine Development, and management starts doubting the validity of Google Apps and the competency of their IT Manager, Alpha Soda is reading their second quarter reports in Google of the information collected from the first quarter, complete with integration to Google Maps to show where their customers are, and Google Contacts to show who there customers are.

In short, knowing the difference between these two can not only save you a great deal of time, but a lot of money of those pesky scope-changing modifications that always seem to come from management at the least convenient times. If you happen to be a programmer writing an application for fun out on the appspot, then more power to you.  Grab the SDK and have at it!  If however, you are an enterprise with serious concerns about scalability, stability and development cycle costs…You might want to consider a tool like Giffy.