SUTHERLAND: I think the tools are making progress. We've deployed for customers decentralized protection architectures that allow for the virtual resource instances to protect themselves rather than relying solely on centralized protection architectures. So, for example, utilizing IDPS or intrusion detection/prevention at the instance level, the instance is able to protect himself in-depth against attacks that may originate from inside the perimeter. And then this combined with integrity monitoring at the instance level and in the application layer provides real time reporting on malicious or unexpected changes to configuration system files or data access.
NW: Ammon, you once said identity is becoming the new perimeter. Can you expand on that?
AMMON: All security exploits involve two steps, gaining access and elevating rights/privileges. The combination of both mobility and cloud has resulted in the erosion of the traditional security boundary. Managing risk calls for a more granular approach to the process of granting, controlling and containing access. With identity as the new perimeter, system owners should demand a separation between identification/authentication and authorization. Granting unfettered access to an entire network segment or all features within a cloud management console incurs unnecessary risk. System owners should also take advantage of federating privileged identity to reduce management complexity and improve accountability.
SUTHERLAND: Just to add to that, when you're using shared privileged accounts, being able to separate that authentication authorization in our experience is very important and it is critical to be able monitor and control and perform forensics. So a privileged [accessible] system can allow this policy to be enforced for each user, even when using shared privilege accounts and provide the full attribution of the user activities on the user level or the privileged user level.
ROTHMAN: Right. This is another thing that I don't think the compliance hierarchies and auditors and assessors have clued in on, in terms of common console access. PCI for the last seven or eight years has had this concept of unique ID and kind of being able to control things down to a specific individual to be able to wrap changes back to. But again, cloud breaks that model for a lot of different reasons. So this gets back to the idea that we just don't know what we don't know quite yet.
If identity is a new perimeter and the perimeter has disappeared, then we'll all be kind of zombies in the future, because again, it's very hard to track privileged access back to a unique user, as required by the compliance mandates. This gets back to why consistency is critical. Whether it's happening within your own data center or it's happening out in the cloud data center, whether you've got resources that go back and forth or burst or a lot of what [Kingsberry] was talking about having a set of policies and a control set that can be leveraged consistently, regardless of where your data happens to be. That's really where stuff has to go and we are in early days, like diaper time. We're not even toddlers yet.
Sign up for CIO Asia eNewsletters.