CAST workshop on development security

We are holding our yearly security conference in Darmstadt on the 22nd of March – that’s next week – together with our partners from Fraunhofer SIT and CAST. This time, the focus subject will be DevOps and cloud technologies, including both operations and development preparation for the security in the cloud. The speakers are prepared to talk about a range of things from threat modeling and management down to massive tests, so I expect it will be rather interesting. We will also have a couple of presentations from companies talking about how they do things in their own cloud software in practice, so it will not be all theory either.

The conference is as usual mixed in German and English, we may ask the presenters to speak English only when we have people who do not speak German in the audience, so let us know on site. All details of the conference are here: https://www.cast-forum.de/workshops/programm/244

Come over to Darmstadt, join our conference, you will be very welcome!

Cloud security

Let’s talk a little about the very popular subject nowadays – the so-called ‘cloud security’. Let’s determine what it is, what we are talking about, in fact, and see what may be special about it.

Magnificent cumulonimbus clouds

‘Cloud’ – what is it? Basically, the mainframes have been doing ‘cloud’ all along, for decades now. Cloud is simply a remotely accessible computer with shared resources. Typically, what most people ‘get from the cloud’ is either a file server with a certain amount of redundancy and fault tolerance, a web service with some database resources attached, or a virtual machine (VM) to do with as they please. Yes, it is all that simple. Even the most hyped-up services, like Amazon, boil down to these things.

So when you determine the basics, you are then talking about three distinctly different types of operation: a file server, a web/database application and a VM. The three have different security models and can be attacked in completely different ways. So it does not really make sense to speak about ‘cloud security’ as such. It only makes sense to speak about the security of a particular service type. And all three of them have been studied in depth and have the defenses worked out in detail.

Mind you, there is also another type of ‘cloud security’ – the security of the data center itself, where the physical computers accessible through the physical network are. And the security of data centers is an important subject of interest to the operators of those data centers. At the same time, consumers of the services rarely are concerned with that type of security, assuming (sometimes without a good cause) that the data center took good care of its security.

So, from the point of view of the developer or consumer of services it makes sense to talk about three types of security in three different security models that are fairly well understood and were analyzed many times over the decades. Not using that experience of, first, the mainframe developers, and then, of the open systems developers, is at the very least irresponsible.