Gluecon 2011 – Impressions of Day 1 – Waste Management Through Security Automation

Gluecon started off with an amazing video / presentation on a mind-numbingly large screen. It felt like the Oscars of IT. After the usual round of intros led by Eric Norlin, we moved on to the core of the topic: APIs and all their applications today including, of course, within the cloud.
Chris Hoff of Cisco started with an analogy to toilets / plumbing over the centuries, pointing out that in the last 10 years we had seen radical innovation in toilets, a millennium-old technology. Apply that to software dev and cloud, and we should see some serious innovation coming our way. (Side note: the indispensable toilet paper was not invented until quite a few centuries after toilets were. It makes you ponder what they were using before.)
Chris’s talk focused mainly on security. He pointed to a model in which he clearly separates concerns between different layers:

  • Infostructure: info security applies here
  • Applistructure: application security applies here
  • Metastructure
  • Infrastructure: physical & network security

Pointing out these different layers matters because it highlights the different security concerns and the different stakeholders. In order for cloud and next-generation IT to function properly, all stakeholders must act together in a coordinated fashion.
It is very true: all too often, we see a secure system taken down because of one underestimated area or because of the boundaries between 2 different secure layers. This goes back to what Theo Dimitrakos, head of Security Architectures at BT, used to repeat to me: the juxtaposition / interconnection of 2 secure systems rarely leads to one global secure system. Attackers will always try to attack the border where the two systems are joined.
Chris concluded his talk by saying that what we really need is:

Kick-aas automated security

(aas = as a service).
This is achieved through automated / standardized means of communication between different layers and through collaboration between different stakeholders: "dev + ops + security = make nice", to put it in Chris’s own formula.

More on Gluecon later…