"Securing the future will be very different to what it’s been like security get past and securing the present,” says Joan Pepin, the CSO of Sumo Logic.
Suddenly, parties are becoming responsible for services that they don’t have competency.
Pepin says we to be ready for the future we need to be fix the problems we have security in the present fixed.
As the number of systems and volume of data and traffic has increased exponentially, we’ve stopped doing the right things, as we’re not able to do all the right things.
“If we think back to Alexander the Great, he could look down, over a battlefield from the top of a hill, and see that there was a chariot commander that he wanted to flank to the west. What would he do? He’d pull out his encoder ring - it was a substitution hash, best practices, get a piece of payers, encrypt a message, roll it up, seal it with a wax seal - therefore authenticating that message and making it tamper-proof. He’d hand that to a messenger and send it to the chariot commander”.
At the other end, the chariot commander could authenticate the validity of the message from the seal, decrypt the message using his decoder ring and he’d kill the messenger.
Pepin used this story to highlight that we have known how to deal with sensitive information in hostile, open public spaces for thousands of years but we’re still not doing it right.
What we need to do now is get better at our fundamentals. We need to go back and do them right. We’re not doing basic access controls, monitoring or encryption. We’ve been outscaled, she says.
“That’s because of the limitations of our architecture and the limitations of out environment which come down to limitations in the way we think”.
Most data centres, says Pepin, are little more than giant PC when you look at them. They have limited computing power, storage and memory which means we can’t analyse all of the data moving in, out and between different applications. At best, we can only carry out deep packet inspection, for example, with a sample of all the traffic that is moving.
“We are a slave to this route,” said Pepin. “These are some of the core reasons why we’re seeing some of these media-worthy breaches”.
Pepin says it is possible to build a secure environment in the cloud. But it takes a new approach. When she joined Sumo Logic, Pepin had a secret agenda to convince them to build an old-fashioned collocated data centre architecture as that was what she had done in the past, flying in the face of the company’s “cloud-first” strategy.
But then she realised that the business’ needs would never be properly met with that infrastructure. One of her colleagues mentioned that while a programmer might make a mistake, software code never made a mistake.
“I had this moment. I saw something that I could never un-see. That was that this cloud was really a huge amorphous blob of power that I could warp to my will using code. That everything I wanted to implement… ”I could do that with APIs on AWS in a way I could never do in a data centre”.
Pepin said the environment she has built with her team at Sumo Logic has complete understanding of every packet of data, user action and application operation that is executed. That’s not a subset. Everything is monitored with alerts in place to notify someone when something unusual is detected.
That covers over 6000 servers in three countries with around 50TB of data ingested every day.
“Everything is as secure as anything I’ve seen in my 17, 18 year career in this business. I would put our security up against any government data centre. And we’re doing it all in the cloud”.
Using the analogy of gambling, Pepin likened the old data centre as being the same as a single card table where the operator built the table with a whole in it for hiding cards, marked the cards and ensured they had a friend in the audience protecting her interests.
Although the dealer at this single table has control of almost everything, there is a limit to the scale of the operation.
In contrast, a casino is able to scale by not exerting all of that deep control. In a casino, there are times a slot machine will pay out or a blackjack dealer will cheat.
“But statistics, math, powers of scale are going to ensure you’re going to win at the end of the day, every day”.
The proof of this approach was demonstrated when Sumo Logic went through PCI/DSS Level 1 certification. The typical cost for the effort of attaining this certification, according to Gartner, is around $750,000 with about $120,000 going on the initial scoping phase. Sumo Logic completed the entire process for $60,000.
The fully software-controlled environment meant Pepin and her team were able to collect all of the required data and prove their compliance in just a few hours through the initial discovery.
“This was simply a validation of everything we were already doing’” she said.
The amount of computing power afforded by Platform as a Service providers delvers a scale and degree of flexibility that Pepin says traditional data centres simply can’t match.
Anthony Caruana travelled to RSA Conference in San Francisco as a guest of Symantec.