On 6/20/2011, at its Singapore meeting, ICANN approved DNS changes that will accelerate the end of the Internet as we have known it. Now, for $185,000, anyone can register a new generic top-level domain name to add to the familiar roster of .com, .org, etc. The Internet will become more of a “wild west” than it already is. While ICANN states that the new DNS system will “better serve all of mankind”, this change unfortunately also gives criminals another way to hide their identities. Yes, an open Internet has advantages and was the original concept, but malicious actors are already taking advantage of this architecture. Phishing has subverted email, and Certificate Authority hacking threatens to subvert SSL-based ecommerce. Now, email origins will be harder to track and bad actors will have more ways to hide malicious web sites and their owners. I am sure that the ICANN registration process is very rigorous, but today’s bad actors have become very good at taking advantage of the system.
I see cloud computing replacing the open Internet. This is a return to the original “walled garden” of AOL and CompuServe popular before the rapid growth of open Internet access. Today’s walled gardens will be public/private/hybrid clouds with tighter security controls. One positive security trend is the adoption of the ISO 27001 security standard by cloud providers. This standard was recommended by the Cloud Security Alliance (www.cloudsecurityalliance.org) which stated that vendors should either comply with ISO 27001 or demonstrate alignment with ISO 27002 practices.
My recommendation is to look for this commitment from any cloud vendor you may be considering. It doesn’t guarantee security, but it is the best approach available for effective security management. If your vendor is certified, one key question to keep in mind is: what is the “scope” of that certification? The scope is the list of assets and processes that are being certified. The vendor can pick its own scope; you want to make sure that your data or services are covered within that scope.
I recently got an announcement that Mozy, the EMC online backup subsidiary, had achieved ISO 27001 certification. Doing my own due diligence, I contacted the CISO to verify that, yes, their certification scope did fully cover the backup process. The only exception was that one data center had not yet been certified, but it was expected to be certified by year end. Keep in mind that the vendor’s software and hardware may change, but unless the vendor is recertified with the new scope, the new assets will be out of scope, and your data may be out of scope with them. Continuous monitoring of vendors is mandatory to protect your assets.