Cloud Chivalry: Defense by Design
The concept of historic chivalry is set in stone, but in the cloud, this noble defense is in a state of rapid evolution. To deal with emerging threats and sophisticated attackers flexible, adaptable services are being developed – intended to both protect user data and pierce attackers’ armor.
Dealing with an attack is easier if you know what’s coming. If an encroaching army starts cutting down trees and picking up rocks, chances are they’re building catapults.
You could prepare for an assault by cavalry on the front gate, but you’ll spend time running around in circles while rocks plummet from the sky. The same holds for IT security.
Traditional defense software is able to recognize black-listed code strings, but when confronted by malicious data in the guise of ordinary requests may turn a blind eye, allowing enemies to build siege engines and hurl rocks unopposed.
A heightened form of this risk presents itself when businesses leverage the cloud. With software-as-a-service (SaaS) calls for service, employee requests for access and ongoing efforts by IT to keep up with the virtual Joneses’, it’s possible to unwittingly expose a network to risk.
As a result, new breeds of predictive security measures are being developed, for example, the Umbrella Security Graph. This cloud-based tool researches attack details using data from 45 billion DNS queries, helping to identify – and therefore stop – attacks before they penetrate a system.
In addition to concerns about outside attacks, companies also need to think about user access. It’s easy to shake a stick and tell workers they need a better password, but with employees already responsible for multiple passphrases across numerous systems – each with their own requirements – there’s little wonder easy-to-guess versions like “password1” or “123456” still make the rounds.
To simplify and improve on the standard model, federated access was developed as a way to let third-party services verify a user is who they say they are, but without the need for multiple passwords. Criticisms of this access model stem from the need to ship a user from site to site and service to service, opening the door to potential phishing.
Professor David Chadwick and his team at the University of Kent have developed a potential solution: the Trusted Attribute Aggregation Service (TAAS) framework. When using a cloud service that’s TAAS compatible, any request for access sends a mutlipurpose Internet mail extension (MIME) to the user’s browser, in turn activating a TAAS plugin.
The user is then re-directed to a personal TAAS site, where they enter credentials of their choosing, anything from bank details to employee ID number. This data gets sent to the third-party owner, which sends a unique one-use only number to the service, finally allowing access.
It’s a substantial number of steps, but boils down to letting users choose their own credentials, use only one set for access, and minimize the chance of a breach because it doesn’t require sending employees to multiple sites.
Defense by design is the new form of cloud chivalry. Rather than waiting for an attack, companies and researchers are getting smart, identifying threats before they become problems, and safeguarding credentials while improving ease of use.
Doug Bonderud is a freelance writer, cloud proponent, business technology analyst and a contributor on the Dataprise Cloud Services website.