Information Security, Cloud Computing Final Frontiers...


Space: the final frontier. These are the voyages of the starship Enterprise...

Feeling a little nostalgic today, maybe it's some new [late] year's feeling, I've found myself comparing Star Trek [yes, yet again, I'm a little bit of a geek] with information security in Cloud Computing.


You have probably heard about the adventures of Cap. James T. Kirk, Leonard "Bones" McCoy and, of course, Commander Spock.

In spite of how the show presents itself, this is not a sci-fi show; it is not about the starship Enterprise. The show is about relationships and decisions.

Cap. Jim Kirk is instinct, a guy who follows what he believes [emotion]. Commander Spock is logical no matter what; he is the kind of guy who analyses all available data, processes it and makes his decision. And the guy who tries to balance this equation is Doctor Bones: a common-sense guy, the kind who always has a metaphor to explain his decisions.

And what about Cloud Computing and Information Security? It is no secret that the move to Cloud services has not only increased security in our apps but, at the same pace, has ALSO decreased it.

[Here is a thought: isn't this another example of the Inverted-U?! I have talked about that here]

So, in a quick recap, the Inverted-U phenomenon occurs when logic says that the more you increase Axis-A the more Axis-B will increase, but that is logic; REALITY says otherwise: A will increase as long as you increase B, until a certain point where, no matter how much you increase B, you will start to lose in A, creating the Inverted-U. Of course this is not some sort of rule of thumb; it shows up in specific cases and scenarios.

Now, in terms of Cloud and Security, what does common sense tell us?

Move to the cloud, you will be safe! Come on! Just MOVE! MOOOVE [zombie voice]

Ok, so you change [again] your on-premises servers to a couple of VMs, you learn about Auto Scaling and Load Balancing and consume them as a Service. Now you feel a little safer, at least in terms of Availability [AS and LB will take care of that for us] and in terms of physical security, right? Servers locked in the safest places on earth; that is great. It is time to launch some new configuration to be more in compliance with the Cloud Provider you chose.

[Believe me, every single cloud provider has its own "guide": AWS proposes a shared responsibility model, and there is even an association that helps you understand Cloud Security, the Cloud Security Alliance].

Is that it? What about the other services that all CSPs [Cloud Service Providers] offer?

That is exactly where the inflection in the Inverted-U [may] begins.

So far all you have done is lift-and-shift; that means you have moved your solutions to the cloud and you are more secure by now.

The next move is to change your application, to make it even more secure by using the security services that your CSP provides. Let me give you an example: suppose you need to manage several keys [as in cryptographic keys]. You have to securely store those keys, you have to rotate them from time to time, you have to manage them, you have to update algorithms. There are services that do all of that, for instance AWS KMS [Key Management Service].

At this point, what do we have? Cap. Kirk is willing to make the change, Cmd. Spock is trying to study it and gather more info, and Bones, Bones is questioning the adoption itself. I can even hear them saying: "Let's do this", "Let's study more" and "One does not change a winning team, Jim!".

The point is, we have to do it. How? When? What is the appropriate moment for that?

By adopting one of those services, of course you are adding more security to your application, probably with minor changes in your code and architecture.

Conclusion? You are adding new services to automate [or make easier] something that you probably had to do anyway, and you are also adding new complexity that increases the number of concerns you need to have. Therefore, common sense says that you are more secure, but actually you are at the inflection point.


Don't get me wrong here: I'm not saying that adopting security-related-as-a-service products will CERTAINLY make you more insecure. No, what I'm trying to say is...

adoption for adoption's sake alone will not help; it has to be something well thought out, architected and, most of all, continuous...

... the challenge is to keep exploring/using/adapting new solutions to new problems, getting ready for future new problems.

Just like in our show, its continuing mission: to explore strange new worlds, to seek out new life and new civilizations, to boldly go where no one has gone before...

Very good, Felipe Ferraz, PhD. Nothing like a nerd to bring this relaxed look without losing coherence with the subject. Congratulations, excellent read.
