Cloud
1/7/2014
11:04 AM
Bankim Tejani
Bankim Tejani
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail
50%
50%

How Cloud Security Drives Business Agility

Cloud computing represents a unique opportunity to re-think enterprise security and risk management.

Cloud security has become a divisive topic within many companies. Some see cloud computing as a business necessity, required to keep up with competitors, or a vehicle to transform “old world” IT. Others see daunting and dangerous security risks. To me, cloud computing represents an opportunity to re-think, re-design, and operationalize information security and risk management to drive business agility.

Cloud computing offers a unique change in managing information systems: the use of automation. While most look at automation as the cornerstone of cloud computing’s cost savings and efficiency, automation is equally valuable, if not moreso, for information security and risk management. Looking at today’s security problems, the landscape is littered with methods that are largely manual and disconnected.

  • Business systems are launched and retired faster than security teams can identify, analyze, and track.
  • Risks are implicitly accepted by business sponsors during design, development, and operation, but mitigated only when pressed by security and risk management.
  • Security policies are enforced primarily by manually executed audits and processes.
  • Scaling today’s information security and risk management problems to cloud velocity is untenable, but doing so without refactoring poses an even greater risk to the enterprise.

A successful approach combines the refactoring of existing information security and risk management practices with automation that operates at cloud speed and scale. That automation consists of four key components:

  • An execution engine that reliably deploys virtual systems to data-driven design
  • Lifecycle-centric systems management and operational tools
  • Automated sensory and scanning systems that identify key issues and risks
  • A policy evaluation engine that can drive planned automated responses and notifications

The combination of these powerful automation and refactored information security concepts creates an environment in which security requirements for cloud systems are codified and enforced in a prescriptive and proactive manner.

Flickr by FutUndBeidl
Flickr by FutUndBeidl

One example can be seen in enterprises that engage in routine security system and business application scans. The challenges with these scans begin with identifying the systems to be scanned. This is often the most time-consuming process, but it is also the critical factor to success. Once identified, systems are scheduled for scan, then scanned, and results are analyzed. Then, the security team communicates the issues to the project/development/business team, and they negotiate remediation timelines, risk acceptance, and deferrals.

The IT security team typically manages the entire process, spending more time on bureaucracy than on security. Due to the overhead, these scans are usually performed on production or near-production systems. The processes are considered successful when each application or server in the enterprise is scanned annually.

In cloud-centric operations, a system may be running for hours or days, meaning the existing processes will likely miss the system completely. While this gap may be mitigated by slowing down cloud deployments to fit existing processes, a better strategy is revising the security scanning process for the cloud.

In agile cloud operations, for instance, a cloud management platform will be aware of every system started by business and development teams. Through automation and policy, each system is scanned upon startup and restart. Results can be sent automatically to both system owners and information security. More importantly, scans can be performed during the earlier stages of system development, when it is easier, cheaper, and faster to make system changes. Further improvements are gained by automatically separating results into those that may be immediately acted upon by system owners, and those that require further analysis by security experts.

By adapting security scan processes to the cloud, businesses are able to act more nimbly in a cloud-centric environment while moving to more frequent scans and earlier, cheaper remediation. Such gains would not be available without the solid foundation provided by a cloud management platform.

By deploying a cloud management platform with a rich automated policy infrastructure, IT can be confident that they have established governance, compliance, and security that are configurable, automated, and enforced. In doing so, they are enabling the business to operate with cloud speed and agility, knowing that information security has been part of the journey.

Bankim Tejani is a senior security architect with ServiceMesh, an active member of the Austin Open Web Application Security Project (OWASP), and co-founder of the Agile Austin Security SIG.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Apprentice
1/7/2014 | 1:57:04 PM
New interesting data security method for Cloud data
I agree that "Looking at today's security problems, the landscape is littered with methods that are largely manual and disconnected".

I agree that "Business systems are launched and retired faster than security teams can identify, analyze, and track", but I think that data is more constant.

I agree that "Risks are implicitly accepted by business sponsors during design, development, and operation, but mitigated only when pressed by security and risk management", but I think that security should be built into the data values.

I agree that "Security policies are enforced primarily by manually executed audits and processes", but I think that they should instead be automated.

I agree that "Scaling today's information security and risk management problems to cloud velocity is untenable, but I found interesting new in a report from the Aberdeen Group that "saw a big advantage in performance" and also scalability over traditional security methods.

The report also revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents(e.g., unauthorized access, data loss or data exposure than tokenization non-users". Nearly half of the respondents (47%) are currently using tokenization for something other than credit card data. The name of the study, released a few months ago, is "Tokenization Gets Traction". 

I think that the Aberdeen approach based on data tokenization is an interesting data security method for Cloud data.

Ulf Mattsson, CTO Protegrity.
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
1/7/2014 | 1:35:16 PM
Continuous protection is a good idea
Bankim Tejani has come up with an excellent idea. Scanning cloud applications as they start or restart is continuous protection, instead of occasional, manual protection. If there's any suspicion of intrustion, shut it down and restart. And the central idea of automating the task is a core idea of cloud operations. With such a scanning procedure in place, the public clolud would become a more secure scene of operations than most enterprise data centers.
Stratustician
50%
50%
Stratustician,
User Rank: Apprentice
1/7/2014 | 1:34:53 PM
Secure begins in VM infancy
A great article, with some really great advice on how to properly secure these environments.  Another point to perhaps bring up is to create a secure VM image that is used to create additional VMs.  This way you can almost guarantee the right security controls are in place as long as they exist in the master image.  This means spinning off new VMs are quicker, more secure and have the right policies in place right from the start.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/7/2014 | 1:07:34 PM
Re: Cloud security -- FedRAMP
Thanks for the heads up about FedRAMP, Wyatt. I notice they have a cloud best practices document with a section devoted to cloud security. To access the link, click here
WKash
50%
50%
WKash,
User Rank: Apprentice
1/7/2014 | 11:31:40 AM
Cloud security
Any enterprise that wants a glimpse of what industrial strength cloud security controls look like should take a closer look at the FedRAMP protocols and controls establshed by the federal government and gaining wider adoption by leading cloud service providers.

Not familiar with FedRAMP? Read more at http://www.informationweek.com/security/risk-management/qanda-fedramp-director-discusses-cloud-security-innovation/d/d-id/1112142 or visit www.fedramp.gov.

 
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio