Cloud Foundry’s Security Strategy: Rotate, Repair, Repave

Most enterprises are addressing security at the wrong tempo: They roll out what they assume are secured applications and infrastructure, and then are slow to make any changes, fretful that reconfigurations might open security holes.
But the threat landscape is always changing, and enterprises need to change their security practices to reflect this fluidity, said Justin Smith, a Pivotal security engineer heavily involved in Cloud Foundry security, speaking at the opening of the Cloud Foundry Summit, taking place this week in San Francisco.
“To get safer, you have to go faster, and that is the exact opposite of how organizations work today,” Smith said. “Continual change is a concept we have to embrace in enterprise security.”
In his talk, Smith explained how the Cloud Foundry approach differs from the traditional security practices ingrained in enterprise software, and how that approach could benefit corporations embattled by cyberattacks.
As a stack focused on the data center, Cloud Foundry needs to have a strong security strategy in place, Smith said. In keeping with the Cloud Foundry development style, the software is opinionated on the matter of security, and the opinion it holds is that it should be updated as frequently as possible. He called this approach “rotate, repair, repave.”
Enterprises are pretty much under constant cyberattack, Smith reminded the audience. The yearly Worldwide Threat Assessment, assembled by the U.S. intelligence community, now lists cyberattacks as a greater threat than the traditional concerns, such as weapons of mass destruction, or terrorist attacks.
The intelligence community is less worried about a massive “cyber Pearl Harbor” infrastructure attack, and more about the slow, collective drain caused by thousands of attacks on individual companies, a “death by a 1,000 paper cuts” approach, Smith said.
And with these attacks, “There is no one to call,” Smith warned the data center operators. “You are pretty much on your own.”
With this in mind, “What we want out of Cloud Foundry is to be resilient against attacks,” Smith said. “It’s not that attacks won’t happen. You want to be able to survive attacks, give a little bit, and then go back to a normal state. That’s what you want from a security viewpoint in your cloud software.”
Today’s typical “advanced persistent threat” involves malicious parties surreptitiously roaming about the infrastructure, silently learning how operations work, and eventually purloining sensitive data (or holding it for ransom).
Attackers need a number of ingredients to make this happen. One is unpatched or misconfigured software, which harbors vulnerabilities that can be exploited to gain access and control. “Patched software is rare in the enterprise,” Smith said.
Another “important dimension” needed to stage these attacks, Smith pointed out, is time. Probing different components and then figuring out how to use their weaknesses takes time to execute.
Not helping matters is the sorry state of enterprise software, and even of enterprise security software. “We’ve built such sucky software that it resists change at all costs,” Smith said. Firewall configurations, for instance, tend to be complicated, so administrators are loath to change them once they are in place, fearful of unanticipated second-order effects that could create vulnerabilities. The ornery task of rotating security credentials also tends to get punted into the future.
“Software we sell to the enterprise resists change, so the culture naturally resists change,” Smith said.
Monitors can be put in place to highlight potentially vulnerable areas, though their usefulness is questionable to Smith. “Notice the monitor [doesn’t] fix the problem, it just sends up a flag. So you have to deal with a massive number of notifications. There’s a reason security teams inside of enterprises are grumpy.”
To get out of this mire, our perception of how to manage security must change, Smith advised.
#CloudFoundry now has 2,100 contributors, including 130 core contributors @sramji #CFSummit pic.twitter.com/8qEfA4Bp0L
— The New Stack (@thenewstack) May 23, 2016
The advantage Cloud Foundry offers is that, thanks to its rapid release schedule and preference for automated upgrades, vulnerabilities can be patched quickly with no downtime, depriving attackers of the time they need to case out a system, Smith argued.
In this year alone, the Pivotal Cloud Foundry stack has gotten 30 updates, all of them fixing vulnerabilities. Smith himself is working on projects that would allow more seamless rotation of credentials, again with the notion that they should be changed often to thwart attacks.
Cloud Foundry is biased toward frequent upgrades, and is geared to making those upgrades as painless as possible, with no downtime. Keeping a server running for years without a reboot should not be a “badge of honor,” Smith said. Instead, we should be thinking of keeping the maximum lifetime of a server, or virtual server, as short as possible.
“What if every server inside my data center had a maximum lifetime of two hours?” Smith said. This approach would frustrate malware writers, Smith noted, because it limits the time available to exploit known vulnerabilities before they are patched.
“This is part of our architecture. It is the way we are built,” Smith said.
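As an added illustration, not code from the article or from the Cloud Foundry project, the following Python check applies the three rules to a constructed VM inventory and reports which of rotate, repair or repave each machine needs; the two-hour lifetime comes from Smith's talk, while the credential rotation interval, the image names and the inventory itself are assumptions.

```python
# Added example (not from the article or from Cloud Foundry): evaluate a
# "rotate, repair, repave" policy over a constructed inventory of VMs.
# Ages are given in hours to keep the sample self-contained.

MAX_VM_LIFETIME_H = 2.0          # "repave": the two-hour lifetime Smith proposes
MAX_CREDENTIAL_AGE_H = 24.0      # "rotate": assumed rotation interval (hypothetical)
LATEST_IMAGE = "base-img-B"      # "repair": assumed current patched base image (hypothetical)

# Constructed sample inventory, not real Cloud Foundry data.
INVENTORY = [
    {"id": "router/0", "age_h": 0.5, "image": "base-img-B", "cred_age_h": 3.0},
    {"id": "cell/3",   "age_h": 2.5, "image": "base-img-B", "cred_age_h": 3.0},
    {"id": "cell/7",   "age_h": 1.0, "image": "base-img-A", "cred_age_h": 3.0},
    {"id": "db/0",     "age_h": 1.0, "image": "base-img-B", "cred_age_h": 48.0},
]


def evaluate(vm):
    """Return the set of actions the policy requires for one VM (empty if compliant)."""
    actions = set()
    if vm["age_h"] > MAX_VM_LIFETIME_H:
        actions.add("repave")        # rebuild from a fresh image rather than patch in place
    if vm["image"] != LATEST_IMAGE:
        actions.add("repair")        # base image is behind the patched release
    if vm["cred_age_h"] > MAX_CREDENTIAL_AGE_H:
        actions.add("rotate")        # credential has outlived its rotation window
    return actions


def plan(inventory):
    """Map VM id -> required actions, listing only VMs that need something done."""
    result = {}
    for vm in inventory:
        actions = evaluate(vm)
        if actions:
            result[vm["id"]] = actions
    return result


def attacker_window_h(inventory):
    """Upper bound on how long any single VM has been available to an intruder:
    the age of the oldest machine. A strictly enforced lifetime caps this value."""
    return max(vm["age_h"] for vm in inventory)


if __name__ == "__main__":
    for vm_id, actions in sorted(plan(INVENTORY).items()):
        print(f"{vm_id}: {', '.join(sorted(actions))}")
    print(f"longest-lived VM: {attacker_window_h(INVENTORY)} h")
```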
The Cloud Foundry Foundation is a sponsor of The New Stack.
Images: Lee Calcote