Rackspace: does multi-cloud mean multi-threat?

Rackspace continues to try and evidence, validate and clarify the use of its ‘hey, we’re the managed cloud company’ tagline by hosting a series of press-facing debates throughout London in 2016.

Opting for a ‘trendy if you’ve got a beard’ location in Shoreditch just a stone’s throw from London’s glittering Silicon Roundabout, Rackspace gathered some key execs, some arguably worthy security spokespeople and the usual set of unwashed tech trade press cohorts.

What is a multi-cloud cloud?

Debate chair Paul Simmonds (who is chief exec of the Global Identity Foundation) reminded us that, “Multi-cloud describes any environment where applications are deployed across two or more public cloud services.”

Riffing off on this subject were Brian Kelly in his role as chief security officer at Rackspace, ethical hacker Jamie Woodruff and Jason Steer, a solutions architect at Menlo Security Inc.

“I focus on how people make bad choices and how to exploit those decisions,” said ethical hacker @jamie_geek Woodruff. “When I am working as a black hat, I am always looking for weaknesses that are created by the existence of multiple entry points (which could indeed by APIs for applications themselves)… so more attack vectors basically,” he said.

Did the audience think that multi-cloud environments were any more or less secure than traditional IT environments? The live poll stated that the audience were roughly 50:50 on the whole affair.

Where these events start to provide value is when the vendors start to actually explain the specifics of what they are doing to address security. Rackspace’s Kelly detailed how his firm is currently, “Working to ensure the integrity of the chips used in the supply chain.” So in this way we might be able to see that the construction of the cloud is becoming (arguably) more robust.

A whole ‘spectrum of maturity’

Jason Steer at Menlo Security Inc. explained the following ideas.

“When creating an infrastructure it is important to look for areas where we can re-use trusted code to be able to glue our system together… but of course there is a whole ‘spectrum of maturity’ in terms of what principles of architecture a firm wants to implement, so there are many factors affecting how robust a customer is at the outset,” said Steer.

Cloud providers owe it to customers to provide more transparency and control of actual workloads asserted Rackspace’s Kelly.

The panel also argued that a ‘perimeter-ised’ corporate solution may sit in an antagonistic and negative position to fully blown cloud strategies…  and this is not productive.

“Hacking used to be all about hacking in and pasting up some digital graffiti… now hackers will go in and sit and wait silently and plot,” argued hacker Woodruff.

Other commentary notes

Rackspace argues of course that it applies the patches and updates and provides an environment that is inherently more secure.

A follow on argument discussed the reality that we see as consumers adopt the cloud and then release usage data for other users to use in context of other applications, the argument is that a greater level of information share pervades for all.

“If you don’t know what your data is, where it is flowing and what it is being used for then you wont know what an ‘incident’ actually looks like and so you wont know if and when data is being ex-filtrated out of the network….. but you know, it can be tough because inside a managed cloud environment it is down to the cloud providers themselves that could be feeding some of this info back to the customers ( we have already said that we need to provide more transparency back to customers),” said Steer.

Rackpace’s Kelly also said that there are “components of the total workload” that make sense in a public cloud … and other components that work in private, or hybrid.

The full discussion was detailed and played out in social media under the hashtags @rackspaceUK #cloudspiracy