Locking Down the Desktop: Client to Cloud
Published: May 24, 2011
Author: Dan Griffin, Microsoft MVP - Enterprise Security and Tom Jones, Software Architect, JW Secure
In the last five years, the number of cloud services has increased considerably. With this increase, users are becoming more accustomed to conducting business on the Internet. The integrity of these types of services requires that both users' computers and the servers hosting the users' data are healthy and secure. This paper is designed to help IT architects and developers assure the appropriate level of protection in computers that attach to cloud services. We focus on establishing claims of computer health, together with user identity, to assure the integrity of IT assets as they migrate into the cloud.
A New Model for Distributed System Health
At the 2011 RSA Conference, Scott Charney, Vice President of Trustworthy Computing at Microsoft, stated that computer security on the Internet is "in somewhat of a state of paralysis." He proposed a new way of thinking about security, likening it to the public health system. Charney noted that world health organizations are getting quite good at identifying and eliminating threats to public health. As people have become more mobile, so have disease carriers, and the same change is coming to our computing systems.
Originally, computing systems were in a single location and external data transfer was difficult. However, we now expect to have instant access to all data through a variety of devices, including full-featured applications on a smart phone that we carry in a pocket. In the early days of mobile computing, travelling business people had to initiate a secure connection to the enterprise network so that the remote computer could be treated as though it were operating inside the enterprise perimeter, protected by the enterprise firewall, in order to access any corporate data. Now, though, we expect our employees and partners to be able to work anywhere, at any time, and on any device that allows us to meet our business needs in the most efficient way.
Current State of the Network Perimeter
The traditional enterprise security perimeter is being further eroded by cloud computing. In a traditional enterprise domain, all computer services ran on the enterprise network and could rely on Active Directory Domain Services (AD DS) for authentication of users and machines, authorization of access requests, and management of configuration. Each user was authenticated by AD DS, each computer was managed, and servers were on the premises inside a firewall-protected network perimeter.
As the workforce has become more mobile, and IT falls under increasing pressure to cut costs, organizations have been moving toward supporting employee-owned equipment and toward letting customers access services from any computer that is attached to the Internet. These changes have driven the creation of richer and more mobile-capable experiences, but have come with challenges. The processes for managing services have had to change as much of the network topology has moved into the cloud and outside of the network perimeter. Managing access control for managed and unmanaged computers in this new environment can be difficult. Authentication and authorization increase in complexity, relying on technologies such as federation, as well as new web-based configuration interfaces exposed by cloud service providers. In addition, unmanaged client computers are more likely to be infected with malware. These uncertainties complicate compliance, and further weaken the security perimeter of the hosted service which the infected computer is accessing.
Locking Down Computers: Don't Discard Your Tools
In addition to compromising the stability of internal systems and enterprise data, infected computers can cause customer data and credentials to be leaked. However, as we become more dependent on cloud services, it's important that we not forget about our usual security tools - they're still useful!
For example, the health of domain-joined computers can be managed by controlling the code that is installed on them. Since the release of User Account Control (UAC) with Windows Vista, fewer applications are granted administrative privileges, ensuring that malware does not get control of many domain-joined computers today. Another example of a feature which can be used for controlling the code that can run on Windows is AppLocker. While features such as AppLocker are best configured and managed using Active Directory, and cloud scenarios do tend to involve some computers and services which are outside the reach of AD, we believe that most medium-sized and larger organizations will continue to use AD to manage client computers, on-premise servers, and IaaS-hosted servers for the foreseeable future.
Another example of a still-useful security technology for the cloud is Network Access Protection (NAP), also known in the industry as Network Access Control (NAC). With NAP, an organization can measure the health of a client computer and enforce its level of network access accordingly. Like AppLocker, NAP is an AD-dependent technology, but it still applies in the off-premise and IaaS scenarios. Indeed, with increasing exposure of enterprise computing resources to the outside world, the NAP quarantine capability is important for keeping malware off the network, and for keeping sensitive data secure.
To digress briefly, the NAP/NAC model is one which can and should be revisited by the major technology vendors and made more cloud-friendly. For example, by extending the NAP client components to issue SAML-compatible health claims, a whole range of federation scenarios - including authentication to cloud services - could be enhanced with client quarantine and remediation capabilities. This is particularly important since many customers are finding that cloud services lack the rich set of authorization controls exposed by on-premise applications which integrate with AD. By mating NAP with health claims, more granular access control of cloud services is afforded based on explicit assertions from the client. Extending Scott Charney's public health analogy further, we see claims-based NAP being complemented by a hosted service which tracks the health history of a computer; this would be useful for estimating the fraud risk of a given transaction, for example.
Returning to the discussion about existing tools, there are plenty of other security technologies to consider in the context of cloud computing.
When exploring the adoption of cloud services, a pain point commonly expressed by customers today is perceived loss of control. In the current cloud services landscape, we believe that loss of control is more than just perception: it's real, and it represents an opportunity for technology providers to provide richer capabilities for customer configuration of their offerings. A good example of a rich configuration capability is fine-grained control of authorization rules. Client health claims and health history, introduced above, should play a role in that capability.
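To make the claims-based NAP idea from the digression above and the authorization-rule capability described here concrete, the following added example (not code from Microsoft, JW Secure or the NAP product) sketches how a cloud service's policy could evaluate health claims carried in a federated token alongside a health-history record. The token layout, claim names, issuer URL, freshness window and history threshold are all assumptions made for the illustration.

```python
from enum import Enum


class Access(Enum):
    FULL = "full"              # normal access to the service
    QUARANTINE = "quarantine"  # remediation resources only
    DENY = "deny"


TRUSTED_ISSUERS = {"https://sts.example.test"}   # assumed federation STS
REQUIRED = ("firewall_enabled", "antivirus_current", "patches_current")
MAX_TOKEN_AGE = 300            # seconds; an old health assertion is not trusted
HISTORY_WINDOW = 7 * 24 * 3600  # look back one week in the health history


def evaluate(token, history, now):
    """Return (Access, reasons) for a parsed claim set `token`.

    `history` is a list of (timestamp, healthy) records from an assumed
    health-history service; `now` is the current time in epoch seconds.
    """
    if token.get("issuer") not in TRUSTED_ISSUERS:
        return Access.DENY, ["untrusted issuer"]
    age = now - token.get("issued_at", 0)
    if age < 0 or age > MAX_TOKEN_AGE:
        return Access.DENY, ["health claims expired or not yet valid"]
    health = token.get("health")
    if health is None:
        # Unmanaged client with no health claims: quarantine rather than deny,
        # so it can reach remediation resources.
        return Access.QUARANTINE, ["no health claims presented"]
    failed = [c for c in REQUIRED if health.get(c) is not True]
    if failed:
        return Access.QUARANTINE, ["failed: " + c for c in failed]
    # Health history: repeated recent unhealthy reports raise the risk of this
    # transaction even though the client currently passes every check.
    recent_bad = sum(1 for ts, ok in history
                     if now - ts <= HISTORY_WINDOW and not ok)
    if recent_bad >= 3:
        return Access.QUARANTINE, [f"{recent_bad} unhealthy reports this week"]
    return Access.FULL, []


# Constructed sample token: antivirus signatures out of date.
SAMPLE_TOKEN = {
    "issuer": "https://sts.example.test",
    "subject": "alice@example.test",
    "issued_at": 1_000_000,
    "health": {"firewall_enabled": True, "antivirus_current": False,
               "patches_current": True},
}
```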
However, IT administrators mustn't abandon their existing skills and tools. Indeed, for all the hype about how cloud services will cost IT professionals their jobs, we believe the opposite is true: while IT jobs will almost certainly shift, there will be a net gain in demand, since securing the enterprise is getting harder every day, not easier. And while most cloud services available now are new offerings, the same techniques will apply when locking them down.
About the Authors
Dan Griffin is the founder of JW Secure, Inc., a Microsoft Gold Certified Partner and software security consultancy based in Seattle. He has published several articles on Windows security software development and is a frequent conference speaker and security blogger.
Tom Jones is a software architect at JW Secure, Inc. and author specializing in security, reliability and usability for networked solutions for financial and other critical cloud-based enterprises. His innovations in security range from mandatory integrity to encrypting modems.