(ISC)²'s bi-monthly e-newsletter Cloud Security INSIGHTS delivers timely, must-read original articles for the professional development of infosecurity practitioners focused on cloud security.
MAY CLOUD SECURITY INSIGHTS
Turning to History to Build Trust in the Cloud Era
By PAUL SOUTH
Amin Vahdat, a Google Fellow and technical lead for the company, is a student of history. The internet’s history, to be more precise.
In the early days of distributed systems, trust was implicit, he recalled. Protocols for routing and the like were not built with an adversarial mindset. Malware, phishing scams and state-sponsored cyber threats were rarely considered (at least publicly).
In short: “The internet was not built for the kinds of things clever people could do to it.”
The reason for such naivete, Vahdat surmised, was the mindset of its creators. Trust was the order of the day. It had to be that way for the internet to blossom globally.
Those days, though, are long gone.
Vahdat, along with Google Vice President for Engineering Suzanne Frey and moderator Quentin Hardy, head of editorial for the Silicon Valley giant, explored the past and present to learn how to build trust in the future during a talk at this year’s RSA Conference in San Francisco.
“[The thinking was], ‘We are in a cooperative world. We’re going to have hundreds, maybe thousands of computers on this global network, and everyone can be trusted.’ This got us a long, long way,” Vahdat said. “But looking at our own infrastructure at Google, even though we are one company, we don’t make any of those assumptions for routing, for congestion control, for naming. We can’t.
“I think, going back to ‘Who do you trust?’, we can’t trust our own code. We certainly can’t trust ourselves not to write buggy code. People make mistakes, it turns out,” he added.
Frey recalled her early days at Google, when she was tasked with retiring first- and second-generation servers, as well as deciding what to do with mountains of data-stuffed disks. In those days, no one was encrypting data, and key questions revolved around repurposing vs. wiping vs. shredding disks.
“Even getting down to how we shred these disks in a manner that the data is gone — these are the types of things that I think a lot of people don’t necessarily think about when they think about security in the cloud,” Frey said. “And these are the things that your cloud providers have to think about. They have to consider every single possible way that data can be accessed and possibly misused.”
The evolution of threats has ignited conversation in the industry about what Frey called “the strange and necessary interdependency between security and privacy.”
“The two must work well together and both are very, very important. In order to do that well, we have to have access to metadata and to IP addresses and things like that, but we also have to protect user content,” she said.
Security and trust in the cloud are a shared responsibility, Frey continued. Consider a lottery ticket, she said. Individuals place higher trust in tickets they purchase themselves than in tickets they are given, even though the odds are the same.
“People often conflate the sense of agency — I’m in control — with a sense of security. . . . People think, ‘I’m in control; therefore, I’m secure.’”
Transparency is critical.
“It’s so incumbent on every cloud provider, every large tech provider, to share that responsibility of trust with their users to give them . . . transparency into what the cloud [provider] is doing with their information and to give users control,” Frey said. “The data belongs to the user. It does not belong to the cloud provider.”
She added, “Every single individual — consumer or enterprise — needs to be able to control that information — to take it; to port it elsewhere if they wish; to understand what the cloud provider is doing; and to be sure that what we’re doing is in consent with what the user’s instructions are. At the highest level, trust, like security, is a shared responsibility model.”
Frey called building that trust in security between cloud providers and customers “essential.”
And while the initial investment in cloud security is huge, Vahdat said, the incremental cost is attainable.
It’s also a necessary hedge against disaster.
“It’s like plumbing,” Vahdat said of cloud security. “[Customers] don’t want to know about it.”
As for the future, deep learning and advanced AI will play a huge role.
“Having that sort of security assistant in the cloud will be big for any cloud provider,” Frey said. “I do think sort of balancing that with the privacy side of things will be an interesting discussion for the world as we move forward. It’s just trying to make sure that we classify the kinds of information that are really important to keep everyone secure.”
PAUL SOUTH is an editor for InfoSecurity Professional magazine.