Dark Reading is part of the Informa Tech Division of Informa PLC

Cloud
6/15/2017 02:30 PM
Daniel Mellen
Commentary

Climbing the Security Maturity Ladder in Cloud

These five steps will ensure that you achieve the broadest coverage for onboarding your most sensitive workloads.

Astute CIOs are actively migrating to public cloud to take advantage of scalability, flexibility and inherent security at a lower cost. As Rob Alexander, CIO of Capital One, said at the AWS re:Invent 2015 conference in Las Vegas, "We can provide higher security with AWS than with our own data centers."

But as companies begin onboarding more sensitive workloads to the cloud, such as confidential or regulation-protected data sets, they will require broader security services coverage. That’s why it’s imperative for CIOs and CISOs to evaluate where their security capability falls on the security maturity ladder for cloud—and set goals to reach the top.

[Image: the cloud security maturity ladder. Image Source: Accenture]

Beginning with the baseline rung, the levels to assess are:

EXTEND—Native, incremental and third-party security control sets. New-to-cloud companies often use existing on-premise security tools and processes and apply them in the cloud, but this can present drawbacks. It can mean replicating the segmented network architecture of legacy environments, which can cause exponential cost increases because virtual security appliances must be provisioned, configured and managed within each of these virtual private networks. 

A better approach is to augment a cloud provider’s built-in, certified security features with incremental or third-party security packages designed specifically for cloud, such as CloudPassage, Trend Micro or Evident.IO.

To be fair, on-premise security providers are adapting to cloud, but the process is complicated. Products must be re-engineered to address the lack of access to physical switch infrastructure, auto-scaling of resources, and license/compute models such as PaaS and SaaS.

In addition, on-premise security tools may lack APIs, which allow for programmatic management and automation capabilities—a key to enabling the cloud’s infrastructure-as-code efficiencies. Without options to integrate with other vendors or export data into a centralized security dashboard, it becomes increasingly costly and complex to manage disparate security products in cloud.

DESIGN & ARCHITECT—Security pre-baked into architectures and design patterns, aligned to approved technology stacks. Companies need a blueprint for how security tools will work in the cloud, and how to apply them consistently and effectively. In some cases, industry-specific requirements for security will apply when spinning up an environment.

One example is the healthcare sector. Supporting use cases for personal healthcare information data in the cloud requires not only a different architecture, but also different data flows, firewall rules and security protocols—all built and managed using verifiable processes and templates for compliance.

AWS, Microsoft and Google all offer templates to support a secure configuration directly in the technology stack, as well as automation-ready, pre-configured environment deployment capabilities for different data sets and one-click deployment to meet standards such as PCI DSS and NIST. These templates can be tailored for individual companies, pre-approved by architecture and security teams, and re-used to update or re-create an environment.

PACKAGE—Standardized approach through security function abstraction. As companies onboard and manage applications in the cloud, and possibly across clouds, they can reduce the number of implementation patterns and streamline testing/auditing efforts by taking a unified approach to security: providing security functions through an abstraction layer.

The AWS Encryption SDK, for example, offers a framework for native AWS encryption in application development. Providing a security service abstraction layer via a security SDK or security microservices, developers on AWS (and other clouds) can develop and re-use pre-built, packaged routines to manage encryption across multiple platforms. This reduces implementation variations; promotes code re-use, which lowers development costs; and increases portability of an application portfolio. Using standard, pre-tested and approved SDKs, data protection libraries, and logging/monitoring routines also reduces development and testing time, lowers security testing findings and decreases the overall cost of remediation. 

EXPOSE—Pre-configured for security operations center (SOC)/managed security services. Cloud environments are generally white space for security operations teams because of tooling and knowledge constraints. Developing SOC capabilities with explicit cloud-aware instrumentation, procedures and skilled staff running operational processes in a cloud environment is key.

By designing with the end in mind, companies can more easily integrate SOC monitoring directly into critical application data and infrastructure hosted in cloud with pre-provisioned hooks for these services. Security routines and code libraries can either be imaged onto a technology stack or accessed from available security microservices.

Newer provider service offerings are another managed security integration point to consider: Microsoft Operations Management Suite (OMS), for example, provides a cloud-native service to perform security assessments, evaluate an environment’s security configuration and identify baseline drift. Additional services such as AWS Config provide inventory, state change and custom processing using AWS Lambda functions for a continuous security monitoring capability. 
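The AWS Config plus Lambda pattern described above, as an added example that is not code from the article or from AWS: a custom Config rule handler that flags a security group whose world-reachable ports drift from an approved baseline. The event layout follows the AWS Config custom-rule invocation format; the baseline ports, the sample event and the commented-out `put_evaluations` call are assumptions.

```python
import json
ALLOWED_PUBLIC_PORTS = {80, 443}          # assumed baseline: ports that may face the internet
WORLD = {"0.0.0.0/0", "::/0"}

def _cidrs(rule):
    """CIDRs of one ingress rule; accepts both the string-list and the {"cidrIp": ...} shapes."""
    found = []
    for key in ("ipRanges", "ipv4Ranges", "ipv6Ranges"):
        for item in rule.get(key) or []:
            found.append(item if isinstance(item, str) else item.get("cidrIp") or item.get("cidrIpv6"))
    return [c for c in found if c]

def world_open_ports(configuration):
    """Port ranges reachable from the whole internet that fall outside the baseline (drift)."""
    drift = []
    for rule in configuration.get("ipPermissions", []):
        if not any(c in WORLD for c in _cidrs(rule)):
            continue
        lo, hi = rule.get("fromPort"), rule.get("toPort")
        if lo is None or hi is None:                      # protocol -1: every port
            drift.append(("all", "all"))
        elif not (lo == hi and lo in ALLOWED_PUBLIC_PORTS):
            drift.append((lo, hi))
    return drift

def evaluate(event):
    """Build the evaluation a custom AWS Config rule reports back via put_evaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    result = {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
              "OrderingTimestamp": item["configurationItemCaptureTime"]}
    if item["resourceType"] != "AWS::EC2::SecurityGroup" or item["configurationItemStatus"] == "ResourceDeleted":
        return {**result, "ComplianceType": "NOT_APPLICABLE", "Annotation": "not an active security group"}
    drift = world_open_ports(item["configuration"])
    if drift:
        ports = ", ".join(f"{lo}-{hi}" for lo, hi in drift)
        return {**result, "ComplianceType": "NON_COMPLIANT", "Annotation": "world-reachable outside baseline: " + ports}
    return {**result, "ComplianceType": "COMPLIANT", "Annotation": "ingress matches baseline"}

def lambda_handler(event, context):
    evaluation = evaluate(event)
    # A deployed rule reports the result: boto3.client("config").put_evaluations(
    #     Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event (not from a real account): HTTPS is in the baseline, SSH to the world is drift.
SAMPLE_EVENT = {"resultToken": "placeholder-token", "invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example", "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2017-06-15T14:30:00.000Z", "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}}})}
```

Wiring the same handler to a Config rule with a change-triggered scope gives the continuous baseline-drift check the paragraph describes, with each finding landing in Config's compliance timeline for the SOC.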

AUTOMATE & INTEGRATE—Shift security left through DevSecOps. Companies can further speed delivery and lower costs by automating security integration and testing. Instead of simply moving security testing to earlier in the process, DevSecOps is a holistic methodology for ensuring that security consistency is achieved from design through operations. For instance, companies could automate the design review and verify secure code patterns/SDK are integrated earlier in the lifecycle. 

Consider the benefits of this DevSecOps scenario: Each time a developer submits code for commit/deploy, a series of static and dynamic tests evaluate for possible security issues. When the time is right, identified vulnerabilities generate an alert to the security team and the developer to remediate and verify the fix. Using pre-built secure code in this manner would dramatically lower the findings in the testing phase, and limit common security routines to a one-time fix. 

Which of these rungs characterize your company’s security posture in cloud? To climb to the top, make an action plan to extend security control sets, design and architect for cloud security, package a security code library to support a security SDK, expose the right application and infrastructure hooks for managed services, and integrate and automate to shift security processes left through a DevSecOps approach. 

Dan Mellen joined Accenture's security technologies organization in 1999. During his tenure, he has worked with clients in public service, retail, financial services, utilities, pharmaceuticals, communications, and high tech to find security solutions to meet their business ...