Cloud security harder than 'encrypt everything'
F5's David Holmes talks SSL with The Register
Australia's wildly-enthusiastic adoption of cloud computing is providing the rest of the world a crucible in which a host of security challenges can be cultured, according to F5 security researcher David Holmes.
Speaking to The Register's networking desk while visiting the antipodes, Holmes said that “Australia is becoming the great laboratory” of cloud-first strategies, and along the way, encountering a fair amount of first-adopter security pain.
The pain is especially acute, Holmes said, for a customer that wants to spread the same service across different clouds (which is a sensible resilience strategy).
“Customers want to spin up the same service on different clouds, but at the same time, they want to encrypt everything”, he said.
That's not as easy as it sounds, for example, for a user running SSL/TLS-based encryption: “The certificates are bound to host names, but [the user] wants to move the service between different clouds.
“If you have something that roams around, the hostname has to roam around with it instantaneously, and in such a way that you don't lose any traffic.
“And the certificates have to move around with them.”
Another thing Holms has seen is a desire to host different service components in different clouds – for example, some components running on the Amazon cloud and others on Azure.
That presents a scenario close to crypto-hell: different clouds have inconsistencies in the details of their implementations, Holmes said, and even if they did, performance takes a hit.
A new SSL connection for “every hop in the component tree” is a latency nightmare, given the multiple handshakes needed to set each one up.
All of this means that customers like Australia's financial sector, who are trying to run up these complex models, are “having challenges getting the same services on different clouds to all look the same”.
All of which means that the world is learning that the cloud isn't yet the “drop-in replacement” for in-house IT that everyone was hoping it would be.
The 20 year old infosec industry is still young
Holmes said it's important to remember that the 20-year history of Internet security is pretty much a blink of an eye: the world has been trying to secure its currencies for thousands of years, but we still see new laws and regulations on a regular basis to deal with new attacks on currency.
The IT industry only decided the Internet needed security during the 1990s, when important transactions started migrating to TCP/IP.
“True security for any kind of system could take decades, centuries,” he said.
That's made worse by the complex interdependencies that characterise modern systems – because a zero-trust model (every host treats every other host as untrustworthy) is extremely difficult to put into practice.
Look inside the data centre, for example: it's feasible (but very onerous) to decide that every Ethernet switch port encrypts traffic to every other Ethernet switch port – but that means keys on certificates on every devices, and negotiation for every connection.
And, of course, a bigger attack surface.
“Look at it from this perspective. SSL/TLS protect data in transit, but the breaches happen to data at rest,” Holmes said.
“So you decided to encrypt the giant database at rest – but you have automated queries coming in from other systems, all day.
“All those other systems have copies of the keys – you have copies of the keys all over the place. It's hardly any different to the data not being encrypted.”
Malware and geography
With F5 recently observing the re-emergence of malware based on the relatively-old Gookit, The Register also asked about the curious geographic patterns that emerge in Malware campaigns: why do they seem to localise?
“We don't have hard data on this,” Holmes said. “It might be that new hacking organisations, coming up to speed, attack the brands or businesses closest to them, because those are who they know best.
“Or it could be that they have established a way to launder money, but it's specific to their country – so they try to attack sources closest to that channel.”
Encryption protecting malware
Holmes said the biggest focus for F5's researchers in the next six to twelve months is going to be addressing the growing trend to using encrypted channels to hide malware from systems like FireEye.
The problem here is that an attacker's site can also use SSL/TLS, and if it's a user (who clicks on a phishing link, for example) who initiates the secure session, session establishment it likely to pass through the firewall.
So by the time the attacker starts sending malware back to the victim, it's encrypted.
“People knew this problem was going to come up,” he said, “but the rate of growth of SSL as a percentage of total traffic has climbed much faster than than people thought”, he said.
Protecting that – without breaking legitimate uses of encryption – is going to provide plenty of entertainment for the security industry. ®