The Shift Away From Location Based Security

I know it’s early in the game and skepticism is a healthy thing, but the concerns over cloud security seem a bit overblown these days. What appears to be missing from much of the conversation is discussion of the fundamental shifts taking place.

The issue boils down to the transition from location-based security to more identity-based and data-driven security.

This will be a long evolution, but there are some excellent examples of the shift toward a more identity-based and data-driven approach. Will this trend slow down? No way. Please, explain to me how the speed of this development won’t go into hyper drive. It’s inevitable, right?

Authentication and Pattern Recognition

Two interviews I did at RSA demonstrate how information security is becoming more data-driven.

VeriSign offers an authentication service that provides mobile-based verification for online purchases. The service is delivered from the cloud, so online retailers can use it without installing anything on their local network. An authentication is generated for the purchase and delivered to the buyer on their mobile device.

Blue Coat’s pattern recognition technology puts the intelligence in the cloud to adapt to new threats and prevent attacks without impacting the customer’s on-premises equipment.

Federal Government Takes A Leadership Role

The federal government may emerge as the force that moves information security away from location-based models. Last week, they announced an online storefront for cloud-based applications.

From Unforeseen Benefits:

Moving various government operations to different servers is actually very smart not just from a cost perspective, but from a security perspective. Think about it: if I’m a Chinese hacker and I know that the government has server rooms operating at location X, I’m going to be able to launch some pretty nasty attacks. But if email accounts are spread out all across the cloud, it’s going to be very hard for me to take down the entire government. Sure, I might be able to hit one of the Gmail servers or slow down YouTube, but it’ll be very unlikely that the entire government will be brought to a standstill.

Amazon Web Services and the Virtual Private Cloud

The Amazon Web Services announcement about its Virtual Private Cloud (VPC) is an example of how service providers are making an effort to overcome the trust issue. As Werner Vogels states, the service allows customers to extend their IT infrastructure into the cloud while maintaining the security and isolation of their enterprise management tools.

What’s interesting here is the skepticism about the “private cloud,” which is often just a data center using virtualization and automation technology.

Werner Vogels:

Private Cloud is not the Cloud

These CIOs know that what is sometimes dubbed “private cloud” does not meet their goal as it does not give them the benefits of the cloud: true elasticity and capex elimination. Virtualization and increased automation may give them some improvements in utilization, but they would still be holding the capital, and the operational cost would still be significantly higher.

The shift to identity-based and data-driven models is inevitable. It’s just a question of how long it might take to get there.

