Cloud
1/7/2014
11:04 AM
Bankim Tejani
Bankim Tejani
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail
50%
50%

How Cloud Security Drives Business Agility

Cloud computing represents a unique opportunity to re-think enterprise security and risk management.

Cloud security has become a divisive topic within many companies. Some see cloud computing as a business necessity, required to keep up with competitors, or a vehicle to transform “old world” IT. Others see daunting and dangerous security risks. To me, cloud computing represents an opportunity to re-think, re-design, and operationalize information security and risk management to drive business agility.

Cloud computing offers a unique change in managing information systems: the use of automation. While most look at automation as the cornerstone of cloud computing’s cost savings and efficiency, automation is equally valuable, if not moreso, for information security and risk management. Looking at today’s security problems, the landscape is littered with methods that are largely manual and disconnected.

  • Business systems are launched and retired faster than security teams can identify, analyze, and track.
  • Risks are implicitly accepted by business sponsors during design, development, and operation, but mitigated only when pressed by security and risk management.
  • Security policies are enforced primarily by manually executed audits and processes.
  • Scaling today’s information security and risk management problems to cloud velocity is untenable, but doing so without refactoring poses an even greater risk to the enterprise.

A successful approach combines the refactoring of existing information security and risk management practices with automation that operates at cloud speed and scale. That automation consists of four key components:

  • An execution engine that reliably deploys virtual systems to data-driven design
  • Lifecycle-centric systems management and operational tools
  • Automated sensory and scanning systems that identify key issues and risks
  • A policy evaluation engine that can drive planned automated responses and notifications

The combination of these powerful automation and refactored information security concepts creates an environment in which security requirements for cloud systems are codified and enforced in a prescriptive and proactive manner.

Flickr by FutUndBeidl
Flickr by FutUndBeidl

One example can be seen in enterprises that engage in routine security system and business application scans. The challenges with these scans begin with identifying the systems to be scanned. This is often the most time-consuming process, but it is also the critical factor to success. Once identified, systems are scheduled for scan, then scanned, and results are analyzed. Then, the security team communicates the issues to the project/development/business team, and they negotiate remediation timelines, risk acceptance, and deferrals.

The IT security team typically manages the entire process, spending more time on bureaucracy than on security. Due to the overhead, these scans are usually performed on production or near-production systems. The processes are considered successful when each application or server in the enterprise is scanned annually.

In cloud-centric operations, a system may be running for hours or days, meaning the existing processes will likely miss the system completely. While this gap may be mitigated by slowing down cloud deployments to fit existing processes, a better strategy is revising the security scanning process for the cloud.

In agile cloud operations, for instance, a cloud management platform will be aware of every system started by business and development teams. Through automation and policy, each system is scanned upon startup and restart. Results can be sent automatically to both system owners and information security. More importantly, scans can be performed during the earlier stages of system development, when it is easier, cheaper, and faster to make system changes. Further improvements are gained by automatically separating results into those that may be immediately acted upon by system owners, and those that require further analysis by security experts.

By adapting security scan processes to the cloud, businesses are able to act more nimbly in a cloud-centric environment while moving to more frequent scans and earlier, cheaper remediation. Such gains would not be available without the solid foundation provided by a cloud management platform.

By deploying a cloud management platform with a rich automated policy infrastructure, IT can be confident that they have established governance, compliance, and security that are configurable, automated, and enforced. In doing so, they are enabling the business to operate with cloud speed and agility, knowing that information security has been part of the journey.

Bankim Tejani is a senior security architect with ServiceMesh, an active member of the Austin Open Web Application Security Project (OWASP), and co-founder of the Agile Austin Security SIG.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Apprentice
1/7/2014 | 1:57:04 PM
New interesting data security method for Cloud data
I agree that "Looking at today's security problems, the landscape is littered with methods that are largely manual and disconnected".

I agree that "Business systems are launched and retired faster than security teams can identify, analyze, and track", but I think that data is more constant.

I agree that "Risks are implicitly accepted by business sponsors during design, development, and operation, but mitigated only when pressed by security and risk management", but I think that security should be built into the data values.

I agree that "Security policies are enforced primarily by manually executed audits and processes", but I think that they should instead be automated.

I agree that "Scaling today's information security and risk management problems to cloud velocity is untenable, but I found interesting new in a report from the Aberdeen Group that "saw a big advantage in performance" and also scalability over traditional security methods.

The report also revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents(e.g., unauthorized access, data loss or data exposure than tokenization non-users". Nearly half of the respondents (47%) are currently using tokenization for something other than credit card data. The name of the study, released a few months ago, is "Tokenization Gets Traction". 

I think that the Aberdeen approach based on data tokenization is an interesting data security method for Cloud data.

Ulf Mattsson, CTO Protegrity.
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
1/7/2014 | 1:35:16 PM
Continuous protection is a good idea
Bankim Tejani has come up with an excellent idea. Scanning cloud applications as they start or restart is continuous protection, instead of occasional, manual protection. If there's any suspicion of intrustion, shut it down and restart. And the central idea of automating the task is a core idea of cloud operations. With such a scanning procedure in place, the public clolud would become a more secure scene of operations than most enterprise data centers.
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
1/7/2014 | 1:34:53 PM
Secure begins in VM infancy
A great article, with some really great advice on how to properly secure these environments.  Another point to perhaps bring up is to create a secure VM image that is used to create additional VMs.  This way you can almost guarantee the right security controls are in place as long as they exist in the master image.  This means spinning off new VMs are quicker, more secure and have the right policies in place right from the start.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/7/2014 | 1:07:34 PM
Re: Cloud security -- FedRAMP
Thanks for the heads up about FedRAMP, Wyatt. I notice they have a cloud best practices document with a section devoted to cloud security. To access the link, click here
WKash
50%
50%
WKash,
User Rank: Apprentice
1/7/2014 | 11:31:40 AM
Cloud security
Any enterprise that wants a glimpse of what industrial strength cloud security controls look like should take a closer look at the FedRAMP protocols and controls establshed by the federal government and gaining wider adoption by leading cloud service providers.

Not familiar with FedRAMP? Read more at http://www.informationweek.com/security/risk-management/qanda-fedramp-director-discusses-cloud-security-innovation/d/d-id/1112142 or visit www.fedramp.gov.

 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.