Monthly Archives: October 2009

Cloud Computing Precipitates Identity-based Security

Not for the first time, I have found a post by Gunnar Peterson to be very useful and insightful. This time, I followed his lead to a post by Chris Hoff. It’s a piece called “Cloud Providers and Security ‘Edge’ Services – Where’s The Beef?”. I highly recommend the whole of both posts. Mr Hoff’s post is a discussion of what it might mean to integrate security services at the edge of the cloud, and he questions what the edge of the cloud could even mean. The common answer is that it is securing the path from services in the cloud to the edge of an enterprise, location, or … something. Something inside a boundary that can be surrounded by some model of security that happens at the network level. Which leads to this statement:

None of the models are especially friendly to integrating network-based controls not otherwise supplied by the provider due to what should be pretty obvious reasons — the network is abstracted.

Chris Hoff, Gunnar and others have been decrying for years that network level security is insufficient. Sometimes the recognition that network level security is insufficient (and often counterproductive) has pushed people to make a goal of ‘deperimeterization’, which is a cool word but certainly has not helped move the industry from its predilection for network level security. It is much more likely that the term that will finally precipitate a movement from network level security to identity-based security will be “Cloud Computing”.

In Mr Hoff’s post he emphasizes this point:

So here’s the rub, if MSSP’s/ISP’s/ASP’s-cum-Cloud operators want to woo mature enterprise customers to use their services, they are leaving money on the table and not fulfilling customer needs by failing to roll out complementary security capabilities which lessen the compliance and security burdens of their prospective customers.

Gunnar’s commentary on Mr Hoff’s post makes some equally insightful points:

For access control purposes, security is fairly straightforward, it’s a game of subjects (like users, user agents, claims, and web services), objects (like resources, URIs, data, and service providers) and what Hoff calls metastructures (like identity and policy). Security is a word that is meaningless by itself, you always have to qualify it: data security, application security, network security and so on. So when people talk about “edge” security, what is it they propose to “secure” an edge device? That’s fine as far as it goes, but it’s important to note that providing security services to a device on the edge doesn’t do much of anything to either side of the edge. Too often people assume that securing the edge means everything “inside” the edge is also “secure” but this is smoke and mirrors for auditors not security for your enterprise assets.

I think of that type of security (with subjects and objects) as identity-based security. An identity is what you apply policy to — it is the subject or object of an access control policy. It’s the base type of the concepts of subjects and objects. The metastructures are the processes of authentication and authorization based on those identities. It’s much higher level than SSL and the network layer, but it’s much closer to what’s necessary for business processes and security needs in the cloud.

Gunnar concludes:

Whenever you evaluate security and especially Cloud security, it’s important to enumerate the subjects, objects and metastructures that you are extending security services to, instead of just describing some security service in the abstract. This problem is a pandemic in information security: the whole point of SOAP is that it was a firewall friendly protocol designed to go through the firewall, that was 10 years ago, yet today information security still relies on SSL and network firewalls as primary protection mechanisms (what are they protecting?).

Indeed, what are they protecting? While network level security can enable a secure transmission of data from point A to point B, it does not prevent the vast leakages of passwords and personal information that have become common. Perhaps the growth of Cloud Computing will finally push the industry to systems in which users don’t have passwords, or at least systems which can securely serve their users without receiving their password or storing personal information. If a SaaS application doesn’t have the information, there’s one less place that it needs to be secured. Such identity services have been viable for some time, but have needed a push to get broader adoption. Cloud Computing.
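As an added illustration (not code from either post), here is a minimal relying party in the shape Gunnar describes: subjects, objects and a policy applied to identities, with authentication delegated to an identity provider so the SaaS application never receives a password. The shared HMAC key, the token format and the role names are constructed assumptions, not any real identity protocol.

```python
import base64
import hashlib
import hmac
import json

# Constructed key shared between the identity provider (IdP) and the SaaS
# relying party (RP). Assumption: a symmetric HMAC key stands in for
# whatever signing scheme a real identity service would use.
IDP_KEY = b"constructed-idp-signing-key"


def idp_issue_assertion(subject, claims, now, ttl=300):
    """IdP side: the user's password is checked here and never leaves.
    Returns a signed, expiring assertion about the subject."""
    body = json.dumps({"sub": subject, "claims": claims, "exp": now + ttl},
                      sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())


def rp_verify_assertion(token, now):
    """RP side: verify signature and expiry; return (subject, claims) or None.
    The RP stores no password and no user record."""
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(body)
    if data["exp"] <= now:
        return None
    return data["sub"], data["claims"]


# Policy is applied to identities: (required role, object prefix, actions).
POLICY = [
    ("billing", "invoices/", {"read", "write"}),
    ("employee", "invoices/", {"read"}),
]


def authorize(claims, obj, action):
    """Authorization: does any role the subject carries permit this action?"""
    roles = claims.get("roles", [])
    return any(role in roles and obj.startswith(prefix) and action in actions
               for role, prefix, actions in POLICY)


def handle_request(token, obj, action, now):
    """Full RP decision: authenticate via the assertion, then authorize."""
    verified = rp_verify_assertion(token, now)
    if verified is None:
        return "deny: unauthenticated"
    _subject, claims = verified
    return "allow" if authorize(claims, obj, action) else "deny: unauthorized"
```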

We appear to be on the edge of a nervous breakthrough.