11:04 AM
Bankim Tejani
Bankim Tejani
Connect Directly

How Cloud Security Drives Business Agility

Cloud computing represents a unique opportunity to re-think enterprise security and risk management.

Cloud security has become a divisive topic within many companies. Some see cloud computing as a business necessity, required to keep up with competitors, or a vehicle to transform “old world” IT. Others see daunting and dangerous security risks. To me, cloud computing represents an opportunity to re-think, re-design, and operationalize information security and risk management to drive business agility.

Cloud computing offers a unique change in managing information systems: the use of automation. While most look at automation as the cornerstone of cloud computing’s cost savings and efficiency, automation is equally valuable, if not moreso, for information security and risk management. Looking at today’s security problems, the landscape is littered with methods that are largely manual and disconnected.

  • Business systems are launched and retired faster than security teams can identify, analyze, and track.
  • Risks are implicitly accepted by business sponsors during design, development, and operation, but mitigated only when pressed by security and risk management.
  • Security policies are enforced primarily by manually executed audits and processes.
  • Scaling today’s information security and risk management problems to cloud velocity is untenable, but doing so without refactoring poses an even greater risk to the enterprise.

A successful approach combines the refactoring of existing information security and risk management practices with automation that operates at cloud speed and scale. That automation consists of four key components:

  • An execution engine that reliably deploys virtual systems to data-driven design
  • Lifecycle-centric systems management and operational tools
  • Automated sensory and scanning systems that identify key issues and risks
  • A policy evaluation engine that can drive planned automated responses and notifications

The combination of these powerful automation and refactored information security concepts creates an environment in which security requirements for cloud systems are codified and enforced in a prescriptive and proactive manner.

Flickr by FutUndBeidl
Flickr by FutUndBeidl

One example can be seen in enterprises that engage in routine security system and business application scans. The challenges with these scans begin with identifying the systems to be scanned. This is often the most time-consuming process, but it is also the critical factor to success. Once identified, systems are scheduled for scan, then scanned, and results are analyzed. Then, the security team communicates the issues to the project/development/business team, and they negotiate remediation timelines, risk acceptance, and deferrals.

The IT security team typically manages the entire process, spending more time on bureaucracy than on security. Due to the overhead, these scans are usually performed on production or near-production systems. The processes are considered successful when each application or server in the enterprise is scanned annually.

In cloud-centric operations, a system may be running for hours or days, meaning the existing processes will likely miss the system completely. While this gap may be mitigated by slowing down cloud deployments to fit existing processes, a better strategy is revising the security scanning process for the cloud.

In agile cloud operations, for instance, a cloud management platform will be aware of every system started by business and development teams. Through automation and policy, each system is scanned upon startup and restart. Results can be sent automatically to both system owners and information security. More importantly, scans can be performed during the earlier stages of system development, when it is easier, cheaper, and faster to make system changes. Further improvements are gained by automatically separating results into those that may be immediately acted upon by system owners, and those that require further analysis by security experts.

By adapting security scan processes to the cloud, businesses are able to act more nimbly in a cloud-centric environment while moving to more frequent scans and earlier, cheaper remediation. Such gains would not be available without the solid foundation provided by a cloud management platform.

By deploying a cloud management platform with a rich automated policy infrastructure, IT can be confident that they have established governance, compliance, and security that are configurable, automated, and enforced. In doing so, they are enabling the business to operate with cloud speed and agility, knowing that information security has been part of the journey.

Bankim Tejani is a senior security architect with ServiceMesh, an active member of the Austin Open Web Application Security Project (OWASP), and co-founder of the Agile Austin Security SIG.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ulf Mattsson
Ulf Mattsson,
User Rank: Moderator
1/7/2014 | 1:57:04 PM
New interesting data security method for Cloud data
I agree that "Looking at today's security problems, the landscape is littered with methods that are largely manual and disconnected".

I agree that "Business systems are launched and retired faster than security teams can identify, analyze, and track", but I think that data is more constant.

I agree that "Risks are implicitly accepted by business sponsors during design, development, and operation, but mitigated only when pressed by security and risk management", but I think that security should be built into the data values.

I agree that "Security policies are enforced primarily by manually executed audits and processes", but I think that they should instead be automated.

I agree that "Scaling today's information security and risk management problems to cloud velocity is untenable, but I found interesting new in a report from the Aberdeen Group that "saw a big advantage in performance" and also scalability over traditional security methods.

The report also revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents(e.g., unauthorized access, data loss or data exposure than tokenization non-users". Nearly half of the respondents (47%) are currently using tokenization for something other than credit card data. The name of the study, released a few months ago, is "Tokenization Gets Traction". 

I think that the Aberdeen approach based on data tokenization is an interesting data security method for Cloud data.

Ulf Mattsson, CTO Protegrity.
User Rank: Apprentice
1/7/2014 | 1:35:16 PM
Continuous protection is a good idea
Bankim Tejani has come up with an excellent idea. Scanning cloud applications as they start or restart is continuous protection, instead of occasional, manual protection. If there's any suspicion of intrustion, shut it down and restart. And the central idea of automating the task is a core idea of cloud operations. With such a scanning procedure in place, the public clolud would become a more secure scene of operations than most enterprise data centers.
User Rank: Moderator
1/7/2014 | 1:34:53 PM
Secure begins in VM infancy
A great article, with some really great advice on how to properly secure these environments.  Another point to perhaps bring up is to create a secure VM image that is used to create additional VMs.  This way you can almost guarantee the right security controls are in place as long as they exist in the master image.  This means spinning off new VMs are quicker, more secure and have the right policies in place right from the start.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/7/2014 | 1:07:34 PM
Re: Cloud security -- FedRAMP
Thanks for the heads up about FedRAMP, Wyatt. I notice they have a cloud best practices document with a section devoted to cloud security. To access the link, click here
User Rank: Apprentice
1/7/2014 | 11:31:40 AM
Cloud security
Any enterprise that wants a glimpse of what industrial strength cloud security controls look like should take a closer look at the FedRAMP protocols and controls establshed by the federal government and gaining wider adoption by leading cloud service providers.

Not familiar with FedRAMP? Read more at or visit

Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
5 Reasons Why Threat Intelligence Doesn't Work
Jonathan Zhang, CEO/Founder of WhoisXML API and TIP,  11/7/2018
Why Password Management and Security Strategies Fall Short
Steve Zurier, Freelance Writer,  11/7/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-11-13
There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.
PUBLISHED: 2018-11-13
There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to a...
PUBLISHED: 2018-11-13
VMware vRealize Log Insight (4.7.x before 4.7.1 and 4.6.x before 4.6.2) contains a vulnerability due to improper authorization in the user registration method. Successful exploitation of this issue may allow Admin users with view only permission to perform certain administrative functions which they...
PUBLISHED: 2018-11-13
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Losant Arduino MQTT Client prior to V2.7. User interaction is not required to exploit this vulnerability. The specific flaw exists within the parsing of MQTT PUBLISH packets. The issue results from th...
PUBLISHED: 2018-11-13
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.