Sorting through the Security-in-the-cloud Debate

There’s a lot of talk these days about security-in-the-cloud.  Security-in-the-cloud is generally defined as protection provided by Internet Service Providers (ISP) that results in only “clean” packets arriving at a subscriber’s perimeter.  Positions on the topic range from “it’s a bad idea” to “give everything over to a managed service provider.”  Based on my experience as a Director of Security, I have sort of a middle-of-the-road position.  In this article, I explore both sides of the managed services debate.  I’ll also explain why I believe the most effective solution lies somewhere between the two extremes.


Definition of Security-in-the-cloud
Before we dive into the debate, let’s take a closer look at what it means to provide clean traffic to a subscriber’s perimeter.  Figure 1 is a logical view of Internet service delivery.

Figure 1 (image not reproduced): logical view of Internet service delivery

Data flowing from the Internet is filled with malware and packets intended to lure users into unknowing participation in criminal activities.  The security-in-the-cloud model places all filtering and defensive solutions at the ISP.  As the data, or packets, flow through the ISP’s cleansing process, bad packets are dropped and only good packets are delivered to the subscriber.  A subscriber can be a business or a home user.  In some cases, the argument has been made to move defensive solutions to the Telcos (e.g. AT&T, Verizon).

Position 1: “Give everything over to a Managed Security Service Provider (MSSP).”
This is the extreme outsourcing position.  Most advocates of this approach make the assumption that preventing bad things from entering through the perimeter will prevent bad things from happening to information assets.  In other words, ISPs fighting dangerous packets on a distant battlefield is better than the subscriber dealing with them at the castle gate.

Another argument in favor of the MSSP approach has to do with resources.  The assertion is that small/medium business and home users don’t have the resources to effectively deal with network and Internet security issues.  This includes challenges associated with day-to-day monitoring and maintaining a level of protection commensurate with the changing nature of Internet threats.

Position 2: “It’s a bad idea.”

Advocates of this position maintain that only the organization that owns the assets to be protected should manage the perimeter defensive layers.  And even if an MSSP is used to provide a security-in-the-cloud layer, it’s just that; one layer in a defense-in-depth strategy.

As far as resources are concerned, proponents of the do-it-yourself model contend that the right tools and the right vendor relationships eliminate all resource constraint challenges.  Besides, they don’t want any outsider taking care of THEIR data.

My Position
Although I lean somewhat toward Position 2, I believe the right answer lies somewhere between these two extremes.  Yes, it’s a good idea to keep bad packets as far away from the perimeter as possible.  But I don’t want to make the ISP or Telco responsible for protecting my network assets.  In today’s litigious environment, any provider would have to protect itself by strict packet filtering rules.  This may seem like a good idea, but what happens when your CEO calls to ask why she’s having trouble communicating with a known trusted source, one whose packet flow is seen by the provider’s filtering systems as dangerous?

Another argument against deploying only a security-in-the-cloud solution has to do with attacks from inside the network.  Protecting the perimeter doesn’t protect information assets from the traveling user who just connected his worm-infected notebook computer to a conference room network jack.  Only internal intrusion defense systems, like IDS/IPS, and an effective patch management process can stop the spread of that kind of threat.

On the other hand, trying to deal with every worm, virus, trojan, phishing/pharming ploy, and cracker attack on the Internet with internal resources only makes little sense.  Doesn’t the provider have some responsibility to provide a safe Internet computing environment?

Applying the principle of defense-in-depth seems like the right answer.  The right combination of MSSP services and in-house intrusion defense infrastructure reduces information asset risk to acceptable levels.  The right balance is subscriber dependent, but internal defense should never be ignored because an ISP, for example, is claiming full protection of the perimeter.  
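To make the two preceding points concrete, here is an added example (not from the article, and not describing any real provider’s product) that simulates the two enforcement points over a set of constructed flow records: an ISP-side filter that only ever sees traffic crossing the provider’s network, and an in-house IDS that watches LAN-to-LAN traffic.  The address space, ports, threshold and flow records are all assumptions for the scenario; the infected notebook sweeping the conference room subnet never transits the ISP, so only the internal layer can see it.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed subscriber address space and worm-spread ports (constructed scenario).
INTERNAL = ip_network("10.0.0.0/8")
SPREAD_PORTS = {139, 445}
SCAN_THRESHOLD = 5  # distinct internal peers on SPREAD_PORTS before the IDS alerts

# Constructed flow records: (src, dst, dst_port, bytes). Not real traffic.
FLOWS = [
    ("203.0.113.9", "10.0.1.20", 80, 1200),    # ordinary inbound web request
    ("198.51.100.7", "10.0.1.20", 445, 300),   # inbound SMB probe from the Internet
    ("203.0.113.9", "10.0.1.21", 443, 5000),   # ordinary inbound HTTPS
    ("10.0.1.20", "10.0.1.30", 445, 800),      # one legitimate file-share access
] + [
    # worm-infected notebook on a conference room jack, sweeping the LAN
    ("10.0.5.77", f"10.0.1.{n}", 445, 120) for n in range(1, 7)
]


def isp_filter(flows):
    """Security-in-the-cloud layer: the ISP only sees traffic that crosses its
    network, so LAN-to-LAN flows are invisible to it. It drops inbound
    connections to the spread ports and delivers everything else."""
    delivered, dropped = [], []
    for flow in flows:
        src, dst, port, _ = flow
        if ip_address(src) in INTERNAL:
            continue  # internal source: this flow never transits the provider
        if ip_address(dst) in INTERNAL and port in SPREAD_PORTS:
            dropped.append(flow)
        else:
            delivered.append(flow)
    return delivered, dropped


def internal_ids(flows):
    """In-house IDS layer: watches LAN-to-LAN traffic and alerts on any internal
    source that touches SCAN_THRESHOLD or more distinct peers on spread ports."""
    peers = defaultdict(set)
    for src, dst, port, _ in flows:
        if (ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL
                and port in SPREAD_PORTS):
            peers[src].add(dst)
    return {src for src, dsts in peers.items() if len(dsts) >= SCAN_THRESHOLD}


def defense_in_depth(flows):
    """Run both layers and report which sources each one saw, blocked or flagged."""
    delivered, dropped = isp_filter(flows)
    return {
        "seen_by_isp": {f[0] for f in delivered + dropped},
        "blocked_at_isp": {f[0] for f in dropped},
        "internal_alerts": internal_ids(flows),
    }


if __name__ == "__main__":
    for layer, sources in defense_in_depth(FLOWS).items():
        print(f"{layer}: {sorted(sources)}")
```

The ISP layer correctly drops the inbound SMB probe from 198.51.100.7, but 10.0.5.77 never appears in its view at all; only the internal IDS, counting distinct peers per source, raises the alert.  Neither layer on its own covers both cases, which is the whole argument for combining them.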

Finally, I want to address the issue of provider and Telco protection for a fee.  This is one of my buttons.  The international infrastructure that comprises the global network known as the Internet is an important asset to businesses, governments, and individuals around the world.  Each of those entities is entitled to a safe environment in which to live and work.  In my opinion, this includes use of the Internet.  Governments and owners of the commercial components of the Internet must accept a fiduciary role in protecting global users from criminal elements in cyberspace.  How is this any different from protecting a nation’s citizens from street criminals?  And shouldn’t the owners of the infrastructure have some level of responsibility for assisting with security efforts to facilitate safe delivery of their services?  Don’t the taxes we pay to our government and the service fees we pay to providers entitle us to some level of due diligence?

Author:  Tom Olzak
