Commentary
1/7/2014 11:04 AM
Bankim Tejani

How Cloud Security Drives Business Agility

Cloud computing represents a unique opportunity to re-think enterprise security and risk management.

Cloud security has become a divisive topic within many companies. Some see cloud computing as a business necessity, required to keep up with competitors, or a vehicle to transform “old world” IT. Others see daunting and dangerous security risks. To me, cloud computing represents an opportunity to re-think, re-design, and operationalize information security and risk management to drive business agility.

Cloud computing offers a unique change in managing information systems: the use of automation. While most look at automation as the cornerstone of cloud computing’s cost savings and efficiency, automation is equally valuable, if not more so, for information security and risk management. Look at today’s security problems and the landscape is littered with methods that are largely manual and disconnected.

  • Business systems are launched and retired faster than security teams can identify, analyze, and track.
  • Risks are implicitly accepted by business sponsors during design, development, and operation, but mitigated only when pressed by security and risk management.
  • Security policies are enforced primarily by manually executed audits and processes.
  • Scaling today’s information security and risk management problems to cloud velocity is untenable, but doing so without refactoring poses an even greater risk to the enterprise.

A successful approach combines the refactoring of existing information security and risk management practices with automation that operates at cloud speed and scale. That automation consists of four key components:

  • An execution engine that reliably deploys virtual systems to a data-driven design
  • Lifecycle-centric systems management and operational tools
  • Automated sensory and scanning systems that identify key issues and risks
  • A policy evaluation engine that can drive planned automated responses and notifications

The combination of this powerful automation with refactored information security concepts creates an environment in which security requirements for cloud systems are codified and enforced in a prescriptive and proactive manner.

Flickr by FutUndBeidl

One example can be seen in enterprises that engage in routine security system and business application scans. The challenges with these scans begin with identifying the systems to be scanned. This is often the most time-consuming process, but it is also the critical factor to success. Once identified, systems are scheduled for scan, then scanned, and results are analyzed. Then, the security team communicates the issues to the project/development/business team, and they negotiate remediation timelines, risk acceptance, and deferrals.

The IT security team typically manages the entire process, spending more time on bureaucracy than on security. Due to the overhead, these scans are usually performed on production or near-production systems. The processes are considered successful when each application or server in the enterprise is scanned annually.

In cloud-centric operations, a system may be running for hours or days, meaning the existing processes will likely miss the system completely. While this gap may be mitigated by slowing down cloud deployments to fit existing processes, a better strategy is revising the security scanning process for the cloud.

In agile cloud operations, for instance, a cloud management platform will be aware of every system started by business and development teams. Through automation and policy, each system is scanned upon startup and restart. Results can be sent automatically to both system owners and information security. More importantly, scans can be performed during the earlier stages of system development, when it is easier, cheaper, and faster to make system changes. Further improvements are gained by automatically separating results into those that may be immediately acted upon by system owners, and those that require further analysis by security experts.
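The four components above and the scan-on-startup flow just described, as an added example (not code from the article or from ServiceMesh): a policy hook that a cloud management platform would call on each lifecycle event. The event format, the scanner, its findings and the triage rule are all constructed here.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Finding:
    check: str                         # scanner check id, e.g. "ssh-password-auth"
    severity: str                      # low | medium | high | critical
    remediation: Optional[str] = None  # owner-runnable playbook, if one is known

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def triage(findings: List[Finding], escalate_at: str = "critical") -> Tuple[List[Finding], List[Finding]]:
    """Split results as the article describes: findings the system owner can act on
    immediately (a known remediation, below the escalation threshold) versus findings
    that require further analysis by security experts."""
    owner, security = [], []
    for f in findings:
        if f.remediation and SEVERITY_RANK[f.severity] < SEVERITY_RANK[escalate_at]:
            owner.append(f)
        else:
            security.append(f)
    return owner, security

# Constructed scan results keyed by system id; a real pipeline would invoke the scanner.
CONSTRUCTED_SCANS: Dict[str, List[Finding]] = {
    "web-0042": [
        Finding("ssh-password-auth", "medium", "disable_password_auth"),
        Finding("missing-os-patches", "high", "apply_patch_baseline"),
        Finding("unexpected-network-listener", "critical"),  # no playbook: needs an analyst
    ],
    "batch-0007": [],  # clean system, nothing to route
}

def scan(system_id: str) -> List[Finding]:
    """Stand-in for the scanning system; returns the constructed results above."""
    return CONSTRUCTED_SCANS.get(system_id, [])

def on_lifecycle_event(event: Dict[str, str],
                       notify: Callable[[str, List[Finding]], None],
                       scanner: Callable[[str], List[Finding]] = scan) -> Optional[Dict[str, int]]:
    """Policy hook for the cloud management platform: every 'started' or 'restarted'
    system is scanned, and the owner and information security each get their share."""
    if event["state"] not in ("started", "restarted"):
        return None  # stop/terminate events need no scan
    owner, security = triage(scanner(event["system_id"]))
    if owner:
        notify(event["owner"], owner)
    if security:
        notify("information-security", security)
    return {"owner": len(owner), "security": len(security)}
```

Because the hook fires on the platform's own lifecycle events, a system that lives for only a few hours is still scanned; the inventory step that dominates the manual process disappears.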

By adapting security scan processes to the cloud, businesses are able to act more nimbly in a cloud-centric environment while moving to more frequent scans and earlier, cheaper remediation. Such gains would not be available without the solid foundation provided by a cloud management platform.

By deploying a cloud management platform with a rich automated policy infrastructure, IT can be confident that they have established governance, compliance, and security that are configurable, automated, and enforced. In doing so, they are enabling the business to operate with cloud speed and agility, knowing that information security has been part of the journey.

Bankim Tejani is a senior security architect with ServiceMesh, an active member of the Austin Open Web Application Security Project (OWASP), and co-founder of the Agile Austin Security SIG.

Comments
Ulf Mattsson, 1/7/2014 | 1:57:04 PM
New interesting data security method for Cloud data
I agree that "Looking at today's security problems, the landscape is littered with methods that are largely manual and disconnected".

I agree that "Business systems are launched and retired faster than security teams can identify, analyze, and track", but I think that data is more constant.

I agree that "Risks are implicitly accepted by business sponsors during design, development, and operation, but mitigated only when pressed by security and risk management", but I think that security should be built into the data values.

I agree that "Security policies are enforced primarily by manually executed audits and processes", but I think that they should instead be automated.

I agree that "Scaling today's information security and risk management problems to cloud velocity is untenable", but I found interesting news in a report from the Aberdeen Group that "saw a big advantage in performance" and also scalability over traditional security methods.

The report also revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users". Nearly half of the respondents (47%) are currently using tokenization for something other than credit card data. The name of the study, released a few months ago, is "Tokenization Gets Traction".

I think that the Aberdeen approach based on data tokenization is an interesting data security method for Cloud data.

Ulf Mattsson, CTO Protegrity.
cbabcock, 1/7/2014 | 1:35:16 PM
Continuous protection is a good idea
Bankim Tejani has come up with an excellent idea. Scanning cloud applications as they start or restart is continuous protection, instead of occasional, manual protection. If there's any suspicion of intrusion, shut it down and restart. And the central idea of automating the task is a core idea of cloud operations. With such a scanning procedure in place, the public cloud would become a more secure scene of operations than most enterprise data centers.
Stratustician, 1/7/2014 | 1:34:53 PM
Secure begins in VM infancy
A great article, with some really great advice on how to properly secure these environments. Another point to perhaps bring up is to create a secure VM image that is used to create additional VMs. This way you can almost guarantee the right security controls are in place as long as they exist in the master image. This means spinning off new VMs is quicker, more secure and has the right policies in place right from the start.
Marilyn Cohodas, 1/7/2014 | 1:07:34 PM
Re: Cloud security -- FedRAMP
Thanks for the heads up about FedRAMP, Wyatt. I notice they have a cloud best practices document with a section devoted to cloud security. To access the link, click here
WKash, 1/7/2014 | 11:31:40 AM
Cloud security
Any enterprise that wants a glimpse of what industrial-strength cloud security controls look like should take a closer look at the FedRAMP protocols and controls established by the federal government and gaining wider adoption by leading cloud service providers.

Not familiar with FedRAMP? Read more at http://www.informationweek.com/security/risk-management/qanda-fedramp-director-discusses-cloud-security-innovation/d/d-id/1112142 or visit www.fedramp.gov.