I circled back to the Jericho Cloud Cube Model after working on a presentation on cloud security. The presentation is tailored to a public cloud operator who wants ideas on how to convince interested customers that they can use the service securely. Ideally, an existing enterprise wants to enable collaboration between its internal infrastructure and its new 'public' space in a secure fashion. While there is significant growth simply in new application architectures built for public cloud, there is even more room in decoupling and splitting off existing application services to be migrated to the cloud. I am not talking about migrating the whole application, only the parts of it that make sense. Lighting the path to show that secure collaboration between application services split this way is possible is essential to winning business, and the cube model is a great way to frame the transition for customers.
Jericho Cloud Cube Model
The above video states that the most interesting space to be is the upper back right, or Open : External : Deperimeterised. What makes this the most interesting space? By being Open, your data is not locked into one public cloud provider's space. By being External, you can take advantage of the economies of scale and expertise only available at a large cloud operator. Open and External are qualities you can simply buy. If you have an application server running Windows on a VMware hypervisor, you could make it open and external by sending a few emails and setting up a vMotion event. Your application would still work after opening some ports and adjusting your firewall, but it would not be secure, because your internal security posture is based on the perimeter model: anything reachable from the inside network is implicitly trusted, and that inside network now extends to the cloud.
By moving towards deperimeterisation of the application, you make the change in your security architecture. To get to that really interesting, cost-effective, collaboration- and innovation-enhancing corner of the cube you need to look hard at how you are playing the security game, and figure out how to win it with a different strategy. In order to be open and external securely, you need to decouple your security mechanisms from the internal network. This fundamentally changes how you trust identities and data sources within your application: each component has to authenticate the peers it talks to and protect its own data in transit and at rest, instead of inheriting trust from where it sits on the network. How do you establish trust between distributed application components living in different environments and communicating across a labyrinth of networks where you have no control over the path? Answering this question is a must for anyone trying to sell public cloud infrastructure. The Jericho Cloud Cube Model puts it in perspective and gives you context for the solution. While I do not have a total solution, I see the following two steps as critical during this customer conversation. First, you have to create confidence in the customer that they can establish a secure perimeter within your cloud, although it is public. Second, you have to show them that they can reliably communicate with integrity and confidentiality between their existing perimeter and this new isolated chunk of infrastructure; in effect, connecting two perimeters with a secure channel. Get the customer to the point where they feel they can trust the connection between two secure perimeters. Splitting the perimeter can be the first step towards the 'deperimeter.'
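As an added illustration of the two steps above (this is example code written for this post, not anything from the Jericho Forum or from a particular cloud operator), the following Go program shows the smallest building block of a secure channel between two perimeters: mutually authenticated TLS, where each side proves its identity with a certificate issued by a private CA that the enterprise controls, and nothing about the caller's IP address or network position is trusted. The hostnames orders.cloud.example (the service that moved into the cloud perimeter) and billing.corp.example (the caller left behind in the enterprise perimeter), the in-memory CA, and the second "other tenant" CA are all assumptions made up for the demo; the exchange runs over loopback so it can be executed offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// must unwraps a (value, error) pair; this demo has no sensible recovery path.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for name: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent and bound to one role, so a client
// certificate cannot be reused to impersonate a server. It returns the parsed
// certificate (for trust pools and chaining) and the TLS key pair.
func newCert(name string, parent *x509.Certificate, parentKey any, usage x509.ExtKeyUsage) (*x509.Certificate, tls.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	signer, signerKey := tmpl, any(key)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.ExtKeyUsage = true, true, nil
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Perimeters builds TLS configuration for a service inside the cloud perimeter
// and for two callers: one enrolled in the enterprise CA, and one holding a
// certificate from an unrelated CA (any other tenant that can reach the address).
// All names and CAs here are assumptions constructed for the demo.
func Perimeters() (service, trusted, stranger *tls.Config) {
	ca, caTLS := newCert("enterprise-root", nil, nil, x509.ExtKeyUsageAny)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, svc := newCert("orders.cloud.example", ca, caTLS.PrivateKey, x509.ExtKeyUsageServerAuth)
	_, cli := newCert("billing.corp.example", ca, caTLS.PrivateKey, x509.ExtKeyUsageClientAuth)
	otherCA, otherTLS := newCert("other-tenant-root", nil, nil, x509.ExtKeyUsageAny)
	_, imp := newCert("billing.corp.example", otherCA, otherTLS.PrivateKey, x509.ExtKeyUsageClientAuth)
	client := func(c tls.Certificate) *tls.Config {
		return &tls.Config{Certificates: []tls.Certificate{c}, RootCAs: pool,
			ServerName: "orders.cloud.example", MinVersion: tls.VersionTLS12} // name checked against the SAN
	}
	service = &tls.Config{Certificates: []tls.Certificate{svc}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12} // no anonymous callers
	return service, client(cli), client(imp)
}

// Exchange runs one handshake over loopback and returns the identity the
// service accepted, as echoed back to the caller, or the error the caller saw.
func Exchange(serverCfg, clientCfg *tls.Config) (string, error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", serverCfg))
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tconn := conn.(*tls.Conn)
		// Fails unless the caller's certificate chains to the enterprise CA,
		// whatever network the connection arrived from.
		if tconn.Handshake() != nil {
			return
		}
		fmt.Fprint(conn, tconn.ConnectionState().PeerCertificates[0].Subject.CommonName)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	// Under TLS 1.3 the service may reject the client certificate only after
	// Dial has returned, so the rejection alert (or the reply) is read here.
	reply, err := io.ReadAll(conn)
	return string(reply), err
}

func main() {
	service, trusted, stranger := Perimeters()
	fmt.Println(Exchange(service, trusted))
	fmt.Println(Exchange(service, stranger))
}
```

The enrolled caller is accepted and the service learns exactly who it is talking to from the verified certificate; the stranger presents the same CommonName but a certificate from a different CA and is refused during the handshake, even though it reached the same address. That is the property the customer conversation needs: the perimeter around the cloud chunk is drawn by keys and certificates the enterprise controls, not by the network the operator happens to provide, so the same mechanism keeps working as more components are split off.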