Fighting Fire With Fire — In The Cloud?
May 18th, 2010 By Ron Knode
One of the most frequently used tools to fight forest fires is … more fire! At first blush, this approach is counter-intuitive. But, the use of “back burns” to reduce the amount of flammable material and ultimately control the fire itself is a well-known and effective technique. The irony of “fighting fire with fire” lies at the heart of this month’s (May 2010) question on the MITRE cloud computing blog:
“How could a government system be more resilient to attack if hosted on a public cloud computing model versus a private one, and what are the added vulnerabilities the government would need to consider?”
And, since the issue is equally relevant for both government and industry, let’s restate the question as, “Can we use cloud processing to help solve the security and availability problems normally aggravated by cloud processing?”
Once again, at first blush the answer would be “No.” The security issues of cloud processing are well-advertised, and those issues continue to be the number one stumbling block to greater industry and government use of cloud processing of all types. The lack of transparency (especially in public clouds) is the root of most anxiety about cloud usage, and thus represents the biggest restraint on enterprise use of public cloud processing. Even if the contradiction of “fighting fire with fire” in the cloud can be successfully applied, this lack of transparency will still need to be overcome before industry and government are liberated to use public cloud processing for important mission functions.
Yet, there are some features of cloud processing that do suggest we can fight cloud insecurity with cloud characteristics! Consider, for example, the superior scalability, flexibility, adaptability, and redundancy of the public cloud. Then, imagine using those characteristics to deploy threat and vulnerability countermeasures in thousands of locations, many of which are dynamically placed closer to the threat source than any conventional static system. Such a dynamic operating characteristic would provide a new dimension for a classic “defense in depth” architecture, and could result in greatly improved resilience to attack.
In particular, resistance to Distributed-Denial-of-Service (DDoS) attacks could be enhanced with use of a public cloud. This very same architectural model for public cloud usage has already demonstrated its effectiveness against one of the largest DDoS attacks against the U.S. government. The use of Akamai’s EdgePlatform (as a public cloud firewall of sorts) prevented a huge DDoS attack in July 2009 from disrupting operations of protected locations.
No doubt, we could imagine other examples of how certain cloud characteristics can be used to improve some security capabilities in some circumstances. Certainly, protection against DDoS is one good example. But, not every security need can be improved by such an ironic application of the cloud. (After all, we don’t save drowning people by pouring more water on them!) And, every use of a cloud brings with it the issues of lost transparency for the cloud consumer (e.g., configurations unseen, vulnerabilities unmeasured, control processes unknown, accesses unreported, data and processing unanchored, etc.).
So, the cloud can improve security in certain important ways. But, all fire, no matter how ironically used, is hot and dangerous. The cloud is no different. Unless and until we can reclaim for cloud consumers the transparency that is sacrificed in pursuit of the elastic benefits of cloud processing we will be on a constant hunt for clouds that are “less bad” than other clouds, rather than clouds that exhibit properties of digital trust through restored transparency.
Reclaiming transparency in cloud processing! That’s even better than “fighting fire with fire.” That’s fighting darkness with light!
Editor’s Note: This is an expanded version of Knode’s response to the monthly MITRE blog poll. Follow the link to read more responses to the notion of cloud pilot studies in government from more industry experts.
Ron Knode is Director of Global Security Solutions at CSC and a Research Associate with the Leading Edge Forum.