Tackling the Big Issues in Zurich: Day 1

Securing the cloud, or any data for that matter, continues to be a challenging and frustrating issue for the world’s CSO’s. That was the message to come from the first day of the three day long Second Workshop on Cyber Security & Global Affairs and Security Confabulation IV being held at ETH in Zurich, Switzerland.

In an event modeled after the TED Conferences, some of the world’s information security thought leaders worked through a tightly packed day of 18 minute presentations followed by group Q&A sessions that allowed the group to dive into the content and explore the opportunities and challenges posed by each speaker. Through 12 sessions on topics ranging from Cloud security to an inside look at the motivations behind malicious online behavior, information security experts tried to advance the thinking around the most critical information security issues that business and governments face. The event was organized by Arun Sood of George Mason University, Jerry Archer, CSO of Sallie Mae, and Dave Cullinane, CISO of eBay.

Using a mashup model that delivers lots of different issues and potential solutions, the different presentations initiate discussions that develop different approaches to solve existing and emerging problems.

In the opening sessions, speakers were focused on what is clearly the largest, overarching issue they are encountering today: the cloud. But beyond just the usual overview of the security challenges that the cloud poses, the speakers took new looks at this issue, questioning the standard challenges, risks and solutions. Is regulation really an impediment to cloud adoption? Not as much as you might think. Won’t strong SLAs reduce the risk of moving to the cloud? Not likely. Do existing trust models work in this new environment? Probably not. But all agreed that businesses and governments are moving quickly to the Cloud…private for now, but public in the long term…and most businesses just aren’t ready for it.

While the first reaction of many IT security teams is to put the brakes on their move to the Cloud, that’s really just falling back to where security was five years ago. Rather, they should think about how they can enable the move to the Cloud by evaluating the risks and putting into place the best controls and enabling technologies like single sign-on, attestation & certification, information controls like DLP, and transparency to enable proper auditing. Only put those things in the Cloud that risk dictates. As you develop better controls you can move more to the Cloud.

Also presented was a new model to control malware and attacks in virtualized environments. Known as Self Cleaning Intrusion Tolerance (SCIT) it utilizes virtualization to recover systems after an attack and operates without signatures.

One of the over-riding themes to emerge from Day 1 was the impediment to sharing of information due to legal concerns, regulatory restrictions, and lack of trust.

The evening keynote came from Scott Borg, Director & Chief Economist at the U.S. Cyber Consequences Unit, who went into great detail on the cyber threats faced by the U.S. and other nations. It’s clear, Borg discussed, that many attacks believed to be tied to nation-states like Russia and China, while collaborative, were not directed by those governments. For example, attacks against Georgian websites which have been attributed to Russian organized crime and that occurred in conjunction with Russian military action, were likely undertaken not under orders from the Russian government or military, but rather unilaterally to garner favor with the Russian government.

Stay tuned for my report on Day 2.

Copyright © 2010 IDG Communications, Inc.

21 best free security tools to make your job easier