A few things in the news today that ought to serve as food for thought for any SP targeting enterprise IT workloads.
For starters, I'd encourage you to read up on advanced persistent threats (APTs). These are organized attacks using a combination of social engineering and traditional hacking techniques.
In a scarily prescient post, I talked a bit about APTs during the run-up to the recent RSA Conference. Then the unthinkable happened: EMC's RSA division got hit pretty hard.
How they did it is no longer a mystery. Who did it, and why they did it, is currently a matter of an ongoing investigation, so not much will be said about that for the time being.
If you think these are isolated cases, feel free to scan the headlines on any given day, and you'll hear about the most recent breach. This morning, it was Epsilon's service that got dinged.
In related news, EMC's RSA division announced the acquisition of NetWitness, a key technology player in this space.
So, how does this apply to service providers?
Concentration Of Economic Value
These APT gangs are clearly targeting specific, high-value information. Specific, individual companies can house this sort of attractive digital wealth.
So can an SP aggregator -- across a wide range of SP models, if you think about it.
Concentration of value means concentration of risk. Ultimately, SPs have to be better at preventing, detecting and responding to APT attacks than the clients they serve.
Where Standard Secure Multi-tenancy Models Can Go Wrong
A while back, one of EMC's competitors announced their "secure multitenancy solution" for service providers. Of course, I was curious, but about ten minutes into the reading, I spotted the key flaw in their thinking -- almost fatal, in retrospect.
100% of their effort was focused on protecting tenants from each other. One could argue as to how well they achieved that result (still very debatable to this day), but my argument was very different -- how do you protect tenants from the SP?
In that particular solution, the proposed architecture was pretty clear that the SP system administrator had potentially complete visibility and access to all tenant information -- whether primary data or ancillary metadata.
Imagine this unpleasant scenario: an APT gang realizes that a service provider has a high-value information target: either through one of its tenants, or a collection of tenants, or -- perhaps -- in providing a supporting service to tenants (think backup, or security as a service, or collaboration as a service as examples).
APT gang uses social engineering techniques to penetrate the SP's defenses, and can basically operate freely as a trusted insider within the SP organization. Perhaps masquerading as a system administrator, for example.
APT gang now has unfettered access to all the SP's clients' information. Or, scarier still, a secure and trusted access path into the clients' IT organizations.
Could that be actually happening today? Perhaps yes, perhaps no.
Problems Are Opportunities In Disguise
I've long argued that -- ultimately -- SP organizations have to be better at what they do than the clients they serve. So, in that respect, any "challenge" can also be viewed as an opportunity.
When it comes to APTs, it's pretty clear from where I sit. It's the new threat, and requires a different response model than all threats that have preceded it. Enterprise IT organizations will be targets, as well as the SPs that serve them.
At a minimum, many of the SPs I work with will have to understand the new style of threat, and make the required investment to sustain their business operations. One bad day can put you out of business when it comes to APTs.
A few SPs may go further, and recognize -- like other IT disciplines -- that getting really good at dealing with APTs is actually a highly differentiated service that others will want to consume: not only enterprise IT organizations, but the SPs that serve them.
