Technologies change fast – security gaps don’t!

Technologies are changing extremely fast and people are moving away from platforms that were popular just a few years ago. But security is different! The main building blocks and gaps in cloud security today, are the basic security mechanisms developed in UNIX back in 70s. 

Clouds rely on basic UNIX security

Amazingly, the main threats on modern Cloud and DevOps systems are due to the basic UNIX mechanisms. For example, the recent vulnerabilities of Shellshock and GNU C library are due to bugs in bash and glibc that have been laying there for 26 and 8 years respectively. Furthermore, the main threats on Docker and Linux containers today are improper configurations of kernel modules, iptables as well as Linux permissions and capabilities. These are basic models developed back in 70s! The models of permissions and capabilities were introduced in 1971 in Lampson’s access control matrix, both of which are often mis-configured today, violating the basic security principle of “least privilege” defined by Saltzer and Schroeder  back in 1975. Unfortunately, fulfilling these basic controls in today’s cloud platforms still remains challenging. Even the most advanced container or Platform-as-a-Service solutions contain orchestration components that can be easily tricked to act a “confused deputy” – a problem described by Norm Hardy back in 1988.

Why should we take built-in security controls seriously? 

Most Cloud IaaS, PaaS and DevOps solutions are Linux based and will be using Linux containers as their main building blocks.  If mis-configured, the gaps will be amplified due to the automation and scale, putting at risk even more resources than before.

New trends can help in overcoming old problems

Although new cloud trends surface old problems, there are also benefits in the new ways in which modern software is developed and deployed. Here are some examples on how we can improve our overall security posture:

• Open-source community efforts for better built-in security: As systems go beyond the academic usage of the early days UNIX system, more and more efforts should be placed around the implementation of the build-in security mechanisms which should be part of any Cloud and DevOps project. These should be properly configured and used to address the requirements for security, scalability and agility.
• Security automation services: The automation procedures should go beyond system deployment and should include the configuration and management of the security controls too. As Cloud Platform-as-a-Service (PaaS) solutions evolve we would expect them to provide more and more advanced, built-in, security automation services.
• Cloud security products: To prevent a situation in which one compromised component can take everything down, the built-in security mechanisms should be augmented by external security controls continuously checking the system security and compliance. The magic is to find the right combination of the “built-in” and “external” security solutions that will allow minimizing the number of products intercepting the cloud traffic and maximizing the performance.
  

I am really looking forward to see new technologies that will give better control over the basic Linux security building blocks. These “built-in” security automation procedures should then be augmented by external security controls for advanced run-time defense and threat protection.  

Disclaimer: This post represents my personal opinion and it doesn't in any way reflect opinions of my employer.