Securing the Broker, two new concepts…

A big piece of the cloud brokerage puzzle will be security. Security is interesting in that 20 years ago security professionals were mostly lumped into the infrastructure team. They have evolved (rightly so) into a significant portion of the organization. With the advent of the broker, the opportunity for creating more security depth is now available. The reality of security, however, is that one mistake can be expensive.

The first and simplest security offering I believe brokers should provide is the virtual directory. Personally I've worked with the company Radiant Logic over the years, and I believe the concept they have built is the right answer for cloud brokers to offer. A virtual directory allows you to have one connection to the broker and the broker's directory, and that directory holds the federation with the cloud service providers. It means the broker can offer the concept of nearly instant on for new cloud service providers. It also means the broker can offer instant off: if a CSP gets breached you can instantly sever your company's or organization's connections to that CSP. It also means you can strip PII from every cloud connection, presenting only the corporate address and corporate phone number for each user.
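To make the virtual-directory idea concrete, here is an added illustration (constructed example code, not Radiant Logic's product or API, and not code from this post): a single directory in front of several CSPs that can federate a provider on and off instantly, and that answers each provider's attribute request with only the releasable corporate view, never the PII in the underlying record. The user record, CSP names and attribute names are made up for the example.

```python
"""Added illustration of a virtual directory brokering identity to cloud
service providers (CSPs). Constructed example; names and records are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Attributes the broker may release to any federated CSP. Everything else in a
# record (home address, personal phone, ...) is PII that never leaves the org.
RELEASABLE: Set[str] = {"uid", "corp_email", "corp_address", "corp_phone"}

# Constructed identity record owned by the organisation (assumed data).
PEOPLE: Dict[str, Dict[str, str]] = {
    "jdoe": {
        "uid": "jdoe",
        "corp_email": "jdoe@example.org",
        "corp_address": "1 Corporate Way",
        "corp_phone": "+1-555-0100",
        "home_address": "42 Private Lane",   # PII: must not be released
        "personal_phone": "+1-555-0199",     # PII: must not be released
    },
}


@dataclass
class VirtualDirectory:
    people: Dict[str, Dict[str, str]]
    connected: Set[str] = field(default_factory=set)   # CSPs currently federated
    audit: List[str] = field(default_factory=list)     # refused requests, for review

    def connect(self, csp: str) -> None:
        """Instant on: federate a new CSP through the broker's single connection."""
        self.connected.add(csp)

    def sever(self, csp: str) -> None:
        """Instant off: drop the federation, e.g. after the CSP is breached."""
        self.connected.discard(csp)

    def lookup(self, csp: str, uid: str, requested: Set[str]) -> Dict[str, str]:
        """Answer a CSP's attribute request with the releasable projection only."""
        if csp not in self.connected:
            raise PermissionError(f"{csp} is not federated through this broker")
        record = self.people[uid]
        refused = requested - RELEASABLE
        if refused:
            # The request itself is evidence worth keeping: a CSP asking for PII.
            self.audit.append(f"{csp} asked for {sorted(refused)} on {uid}; refused")
        return {k: record[k] for k in requested & RELEASABLE if k in record}


def demo() -> Dict[str, str]:
    """Federate one CSP, serve a lookup, then sever it."""
    vd = VirtualDirectory(PEOPLE)
    vd.connect("csp-a")
    view = vd.lookup("csp-a", "jdoe", {"uid", "corp_phone", "home_address"})
    vd.sever("csp-a")
    return view


if __name__ == "__main__":
    print(demo())  # only uid and corp_phone come back; home_address is refused
```

The point of the projection is that PII removal is enforced at the broker rather than trusted to each CSP, and the audit list gives the organisation a record of which provider asked for more than it should have.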

I am not a cyber-security expert. There are many of those available who can go into much greater depth than I can on this topic. The concepts are very complex and very simple when it comes to building and implementing a secure broker environment. The virtual directory is the first step in what has to be a many-step journey. The concepts of defense in depth (or Cyber Kill Chains) have been talked about for many years: the more layers you create, the more times the hacker has to guess correctly. The next component of cloud broker security is a merging of two technologies that are available today, although they aren't linked together yet.

The concept of mesh networks and the concept of WAN acceleration are ones that many companies have considered and most likely use. The mesh network, or fabric as it is sometimes called, is where there are multiple connections between the server farm and the storage solution. Extending the fabric to the connection between the broker and the organization is the new concept. Basically, in this scenario there are two fabric switches, one at the broker and one at the organization. Either can be shut off in the case of a penetration. That gives both sides the ability to manage the post-attack response. It also gives both sides a number of pathways between the two switches, and randomizing that pathway gives both sides even greater protection. I call this technology on-ramp©, because, as with an on-ramp© onto multiple highways at once, you have to decide quickly.

The last part of this is something I've been thinking about for a while. I first thought about it during a conversation at an event where I was speaking. I was talking with a networking person who was extolling the virtues of WAN acceleration as a vehicle for improving on-premises networks. So, first off: what I am writing about is possible, but it is not currently available. The value of WAN acceleration is that over time the acceleration hardware builds up a library of previously transmitted files and reduces the network requirements for moving the same data over and over. Essentially the cache of the WAN acceleration hardware only transmits the net new, or delta, information to the other side. Given that the net new information is sometimes meaningless without the old information, you could use that as a data security system: i.e. only the new information is transmitted, but it is encrypted with the old information, so if you don't have both sides you can't easily open the file. I call this process seatbelt©. One of the big innovations people have talked about in cars for a long time is a car that won't start, or won't let you shift into drive, without the seatbelt being in the locked position. The same will be true for information. I realize I can't actually copyright either seatbelt or on-ramp; the copyright is for the concept, not the words.
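As an added illustration of the seatbelt idea (constructed example code, not an existing product and not code from this post), the block below transmits only the delta between the version the receiver already holds and the new version, and seals that delta with a key derived from the full old content. A receiver holding a different base version cannot verify or decrypt the packet. It uses only the Python standard library, so an HMAC-SHA256 keystream and tag stand in for a real authenticated cipher; the delta format and the `seatbelt-v1` label are assumptions for the example.

```python
"""Added illustration of the "seatbelt" concept: ship only the delta, sealed
under a key that depends on the previous version the other side already has.
Constructed example; the HMAC-based keystream is a stand-in for a real AEAD."""
import difflib
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def derive_key(old: bytes) -> bytes:
    """Key material depends on every byte of the old version (assumed label)."""
    return hmac.new(old, b"seatbelt-v1", hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for a real cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def make_delta(old: bytes, new: bytes) -> bytes:
    """Edit script: 'equal' ranges reference the old bytes, others carry new bytes."""
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    ops = [[tag, i1, i2, "" if tag == "equal" else new[j1:j2].hex()]
           for tag, i1, i2, j1, j2 in sm.get_opcodes()]
    return json.dumps(ops).encode()


def apply_delta(old: bytes, delta: bytes) -> bytes:
    """Rebuild the new version; meaningless without the matching old version."""
    out = bytearray()
    for tag, i1, i2, payload in json.loads(delta):
        out += old[i1:i2] if tag == "equal" else bytes.fromhex(payload)
    return bytes(out)


def seal(old: bytes, new: bytes, nonce: bytes = b"") -> bytes:
    """Sender side: delta, encrypted and authenticated under the old-version key."""
    nonce = nonce or os.urandom(NONCE_LEN)
    key = derive_key(old)
    delta = make_delta(old, new)
    ct = bytes(a ^ b for a, b in zip(delta, keystream(key, nonce, len(delta))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(old: bytes, packet: bytes) -> bytes:
    """Receiver side: refuse the packet unless our old version produced the tag."""
    nonce, tag, ct = (packet[:NONCE_LEN], packet[NONCE_LEN:NONCE_LEN + TAG_LEN],
                      packet[NONCE_LEN + TAG_LEN:])
    key = derive_key(old)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong base version or tampered packet")
    delta = bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
    return apply_delta(old, delta)


# Constructed sample: a config file with one changed line.
OLD = b"".join(b"setting%d=value%d\n" % (i, i) for i in range(40))
NEW = OLD.replace(b"setting17=value17", b"setting17=rotated")

if __name__ == "__main__":
    packet = seal(OLD, NEW)
    print(len(NEW), "bytes new version ->", len(packet), "bytes on the wire")
    assert unseal(OLD, packet) == NEW
```

Two properties carry the seatbelt analogy: the packet is far smaller than the file because only the changed line travels, and a receiver whose cached copy has drifted (or an interceptor with no copy at all) gets a verification failure rather than a partial decrypt. In practice the key derivation and cipher would be replaced by a proper KDF and AEAD, and the nonce must never repeat under one key.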

Security is a growing problem. The major companies say that the hackers are ahead and probably will stay ahead. You can't fix that problem, but you can at least make it hard for them to attack you. Sometimes being hard to attack means they move on and attack someone easier. That, hopefully, will give the broker time to secure your solution even more!


Scott Andersen

IASA Fellow.