Thursday, December 27, 2012

End of teaching

After 8 years, I'm now officially done with teaching security courses at the University of Illinois. It has been an interesting run, but I needed to do something else for a while. I think the academics have it right with the 7 year sabbatical cycle. For me, I need to change things up after 6 to 8 years.

Earlier this fall I gave a talk in the ITI's Trust and Security Seminar series reviewing how the security education program has changed at UIUC during my time. Here's a video of the talk. I forgot to turn on the mike until 2 minutes and 30 seconds in.

Secure in the cloud

Over this summer and fall, I've jumped into the cloud while working with SafelyFiled. As a security person, you must make the obligatory snort about the innate un-trustworthiness of the cloud. But after coming through this experience, I think the cloud offers a couple security benefits.

The problem with the cloud is that it is "out there". I cannot physically secure the server. And coming from a traditional security background, I really want to physically secure things. I cannot be lazy and say, it is ok to leave the network traffic unencrypted because I can see where the wire runs. Once you commit to using infrastructure you don't own, you can no longer be lazy in your security analysis.

Truthfully this analysis has been necessary for quite some time. If you are a small organization, you have been using third party data centers for years now. Disks wander off in such shared data center environments. If you are a part of a large organization, you must worry about the trustworthiness of other elements of your organization. But with increase of virtualization and press coverage, the need to not trust anything becomes more and more apparent. So one good security thing about the move to the cloud, is the (hopefully) increased security paranoia when designing your system architecture.

Another benefit was pointed out by a presenter at the recent AWS developers' conference. This person was presenting on the Virtual Private Cloud (VPC). He was walking through the network ACLs, routing tables, firewall rules, and MAC check rules that are provided by VPC. He made the observation that for someone seeking to verify that a network is set up securely, it is much easier in VPC that it would be in a real physical network with a variety of enforcing devices. Of course this assumes that the VPC is correctly enforcing the rules. But for most people with a moderately complex network, they will have a much weaker understanding of their security stance in a physical network structure than they would in a VPC environment.

So the cloud is by no means making securing the world easier. And a security ignorant individual is going to be just as security ignorant when working in a cloud environment. But for the security savvy, the cloud has its good points.