Cloud

6/15/2017
02:30 PM
Daniel Mellen
Commentary

Climbing the Security Maturity Ladder in Cloud

These five steps will ensure that you achieve the broadest coverage for onboarding your most sensitive workloads.

Astute CIOs are actively migrating to public cloud to take advantage of scalability, flexibility and inherent security at a lower cost. As Rob Alexander, CIO Capital One, said at the AWS re:Invent 2015 conference in Las Vegas, "We can provide higher security with AWS than with our own data centers."

But as companies begin onboarding more sensitive workloads to the cloud, such as confidential or regulation-protected data sets, they will require broader security services coverage. That’s why it’s imperative for CIOs and CISOs to evaluate where their security capability falls on the security maturity ladder for cloud—and set goals to reach the top.

Image Source: Accenture

Beginning with the baseline rung, the levels to assess are:

EXTEND—Native, incremental and third-party security control sets. New-to-cloud companies often take their existing on-premises security tools and processes and apply them unchanged in the cloud, but this has drawbacks. It can mean replicating the segmented network architecture of legacy environments, which drives exponential cost increases because virtual security appliances must be provisioned, configured and managed within each of these virtual private networks.

A better approach is to augment a cloud provider’s built-in, certified security features with incremental or third-party security packages designed specifically for cloud, such as CloudPassage, Trend Micro or Evident.IO.

To be fair, on-premises security providers are adapting to cloud, but the process is complicated. Products must be re-engineered to address the lack of access to physical switch infrastructure, auto-scaling of resources, and license/compute models such as PaaS and SaaS.

In addition, on-premises security tools may lack APIs, which allow for programmatic management and automation capabilities—a key to enabling the cloud’s infrastructure-as-code efficiencies. Without options to integrate with other vendors or export data into a centralized security dashboard, it becomes increasingly costly and complex to manage disparate security products in cloud.

DESIGN & ARCHITECT—Security pre-baked into architectures and design patterns, aligned to approved technology stacks. Companies need a blueprint for how security tools will work in the cloud, and how to apply them consistently and effectively. In some cases, industry-specific requirements for security will apply when spinning up an environment.

One example is the healthcare sector. Supporting use cases for personal healthcare information data in the cloud requires not only a different architecture, but also different data flows, firewall rules and security protocols—all built and managed using verifiable processes and templates for compliance.

AWS, Microsoft and Google all offer templates to support a secure configuration directly in the technology stack, as well as automation-ready, pre-configured environment deployment capabilities for different data sets and one-click deployment to meet standards such as PCI DSS and NIST. These templates can be tailored for individual companies, pre-approved by architecture and security teams, and re-used to update or re-create an environment.

PACKAGE—Standardized approach through security function abstraction. As companies onboard and manage applications in the cloud, and possibly across clouds, they can reduce the number of implementation patterns and streamline testing/auditing efforts by taking a unified approach to security: providing security functions through an abstraction layer.

The AWS Encryption SDK, for example, offers a framework for native AWS encryption in application development. With a security service abstraction layer in place (a security SDK or security microservices), developers on AWS (and other clouds) can develop and re-use pre-built, packaged routines to manage encryption across multiple platforms. This reduces implementation variations; promotes code re-use, which lowers development costs; and increases portability of an application portfolio. Using standard, pre-tested and approved SDKs, data protection libraries, and logging/monitoring routines also reduces development and testing time, reduces security testing findings and decreases the overall cost of remediation.
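The abstraction-layer idea above, as an added example that is not the AWS Encryption SDK and not code from the article: application code sees one `DataProtection.encrypt`/`decrypt` API and an encryption context, while key wrapping and the data-key cipher sit behind it and can be swapped. The `MasterKeyProvider` here is an in-memory stand-in for a KMS key (assumed, not a real KMS client), and the cipher is a keystream derived from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen only because it needs no third-party library.

```python
"""One envelope-encryption API for every application (added example).

MasterKeyProvider stands in for a KMS key; the data-key cipher is an HMAC-SHA256
counter-mode keystream with an encrypt-then-MAC tag, used only to stay
dependency-free. Swap either backend and the DataProtection API is unchanged.
"""
import hashlib
import hmac
import json
import os
import struct
from dataclasses import dataclass


def _canon(context: dict) -> bytes:
    """Canonical bytes of the encryption context so it can be bound into keys and tags."""
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


class MasterKeyProvider:
    """Wraps per-message data keys under a master key (stand-in for a KMS CMK)."""

    def __init__(self, key_id: str, master_key: bytes):
        self.key_id, self._master = key_id, master_key

    def _kek(self, context: dict) -> bytes:
        # The wrapping key is bound to the context, so a wrapped key only unwraps under it.
        return hmac.new(self._master, b"wrap" + _canon(context), hashlib.sha256).digest()

    def generate_data_key(self, context: dict):
        data_key = os.urandom(32)
        wrapped = bytes(a ^ b for a, b in zip(data_key, self._kek(context)))
        return data_key, wrapped

    def unwrap(self, wrapped: bytes, context: dict) -> bytes:
        return bytes(a ^ b for a, b in zip(wrapped, self._kek(context)))


@dataclass
class Envelope:
    key_id: str
    wrapped_key: bytes
    nonce: bytes
    context: dict
    ciphertext: bytes
    tag: bytes


class DataProtection:
    """The only surface application code uses: encrypt(bytes, ctx) / decrypt(envelope, ctx)."""

    def __init__(self, provider: MasterKeyProvider):
        self.provider = provider

    @staticmethod
    def _subkeys(data_key: bytes):
        return (hashlib.sha256(b"enc" + data_key).digest(),
                hashlib.sha256(b"mac" + data_key).digest())

    def encrypt(self, plaintext: bytes, context: dict) -> Envelope:
        data_key, wrapped = self.provider.generate_data_key(context)
        enc_key, mac_key = self._subkeys(data_key)
        nonce = os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        tag = hmac.new(mac_key, nonce + _canon(context) + ct, hashlib.sha256).digest()
        return Envelope(self.provider.key_id, wrapped, nonce, context, ct, tag)

    def decrypt(self, env: Envelope, expected_context: dict) -> bytes:
        # The caller states the context it expects; data encrypted for another tenant
        # or environment is rejected before any plaintext is produced.
        if env.context != expected_context:
            raise ValueError("encryption context mismatch")
        enc_key, mac_key = self._subkeys(self.provider.unwrap(env.wrapped_key, env.context))
        tag = hmac.new(mac_key, env.nonce + _canon(env.context) + env.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, env.tag):
            raise ValueError("authentication failed")
        ks = _keystream(enc_key, env.nonce, len(env.ciphertext))
        return bytes(c ^ k for c, k in zip(env.ciphertext, ks))


def self_check() -> dict:
    """Constructed round trip plus the two failure modes a caller should expect."""
    dp = DataProtection(MasterKeyProvider("key-stand-in", os.urandom(32)))
    ctx = {"tenant": "acme", "env": "prod"}
    env = dp.encrypt(b"card=4111111111111111", ctx)
    results = {"roundtrip": dp.decrypt(env, ctx) == b"card=4111111111111111"}
    tampered = Envelope(env.key_id, env.wrapped_key, env.nonce, env.context,
                        bytes([env.ciphertext[0] ^ 1]) + env.ciphertext[1:], env.tag)
    for name, bad_env, bad_ctx in [("wrong_context_rejected", env, {"tenant": "acme", "env": "dev"}),
                                   ("tamper_rejected", tampered, ctx)]:
        try:
            dp.decrypt(bad_env, bad_ctx)
            results[name] = False
        except ValueError:
            results[name] = True
    return results
```

The design point is that neither `encrypt` nor `decrypt` exposes a cipher, key length or key-management call to the application; every team that uses the layer produces the same envelope format and gets context binding and integrity checking without re-implementing them, which is what makes the pattern auditable once rather than per application.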

EXPOSE—Pre-configured for security operation center (SOC)/managed security services. Cloud environments are often a gap in coverage for security operations teams because of tooling and knowledge constraints. Developing SOC capabilities that have explicit cloud-aware instrumentation, procedures and skilled resources performing operational processes in a cloud environment is key.

By designing with the end in mind, companies can more easily integrate SOC monitoring directly into critical application data and infrastructure hosted in cloud with pre-provisioned hooks for these services. Security routines and code libraries can either be imaged onto a technology stack or accessed from available security microservices.

Newer provider service offerings are another managed security integration point to consider: Microsoft Operations Management Suite (OMS), for example, provides a cloud-native service to perform security assessments, evaluate an environment’s security configuration and identify baseline drift. Additional services such as AWS Config provide inventory, state change and custom processing using AWS Lambda functions for a continuous security monitoring capability. 
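The AWS Config plus Lambda pattern just mentioned, as an added example rather than code from the article or from AWS: a custom Config rule handler that evaluates a security group's ingress against a baseline and reports drift. The event shape follows what Config sends to custom-rule Lambdas (`invokingEvent`, `resultToken`, the `ComplianceType`/`Annotation` evaluation fields); the baseline itself, the sample configuration items and the `sample_event` helper are constructed for this example. Only `lambda_handler` needs boto3 and AWS credentials; everything it depends on is pure and runs offline.

```python
"""AWS Config custom rule: report security groups that drift from a baseline (added example)."""
import json

# Constructed baseline: the only (protocol, port) pairs allowed to be open to the world.
WORLD_OPEN_ALLOWED = {("tcp", 443)}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def evaluate_security_group(configuration: dict):
    """Return (ComplianceType, Annotation) for one AWS::EC2::SecurityGroup configuration."""
    violations = []
    for perm in configuration.get("ipPermissions", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        if not WORLD_CIDRS.intersection(cidrs):
            continue  # not world-reachable; outside this rule's scope
        proto = perm.get("ipProtocol")
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if proto == "-1" or lo is None or lo < 0:
            violations.append(f"{proto} all ports open to the world")
            continue
        allowed = {port for p, port in WORLD_OPEN_ALLOWED if p == proto}
        bad = [str(p) for p in range(lo, hi + 1) if p not in allowed]
        if bad:
            violations.append(f"{proto}/{','.join(bad[:5])} open to the world")
    if violations:
        return "NON_COMPLIANT", "; ".join(violations)
    return "COMPLIANT", "ingress matches baseline"


def build_evaluation(event: dict) -> dict:
    """Pure part of the handler: turn a Config invocation event into one Evaluation."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_security_group(item["configuration"])
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluates the item and reports the result back to AWS Config."""
    evaluation = build_evaluation(event)
    import boto3  # only needed (and only available) inside the Lambda runtime
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def sample_event(sg_id: str, permissions: list) -> dict:
    """Constructed invocation event in the shape Config sends to a custom rule."""
    item = {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": sg_id,
        "configurationItemCaptureTime": "2017-06-15T14:30:00.000Z",
        "configuration": {"groupId": sg_id, "ipPermissions": permissions},
    }
    invoking = {"configurationItem": item, "messageType": "ConfigurationItemChangeNotification"}
    return {"invokingEvent": json.dumps(invoking), "ruleParameters": "{}",
            "resultToken": "constructed-token"}


# Constructed sample items: one that drifted (SSH opened to the world) and one on baseline.
DRIFTED = sample_event("sg-0123drift", [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
])
BASELINE_OK = sample_event("sg-0123ok", [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
])

if __name__ == "__main__":
    print(json.dumps(build_evaluation(DRIFTED), indent=2))
```

Keeping the evaluation logic separate from the `put_evaluations` call is what lets the rule be unit-tested in the pipeline before it is deployed, and the same baseline table can be reused by a pre-deployment template check so that drift is caught at both design time and run time.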

AUTOMATE & INTEGRATE—Shift security left through DevSecOps. Companies can further speed delivery and lower costs by automating security integration and testing. Instead of simply moving security testing to earlier in the process, DevSecOps is a holistic methodology for ensuring that security consistency is achieved from design through operations. For instance, companies could automate the design review and verify secure code patterns/SDK are integrated earlier in the lifecycle. 

Consider the benefits of this DevSecOps scenario: Each time a developer submits code for commit/deploy, a series of static and dynamic tests evaluate for possible security issues. When the time is right, identified vulnerabilities generate an alert to the security team and the developer to remediate and verify the fix. Using pre-built secure code in this manner would dramatically lower the findings in the testing phase, and limit common security routines to a one-time fix. 
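The commit-time gate described in this scenario, as an added example that is not code from the article: each submitted change is scanned for a small constructed set of static-check patterns, findings are mapped to a block/warn policy, and only added lines of the diff are examined so that a finding is raised once, when the code is introduced, rather than on every later commit. The rules, the policy and the sample diff are constructed for this example; a real pipeline would feed in a SAST tool's report at the same point.

```python
"""Commit-time security gate over a unified diff (added example)."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    file: str
    line: int
    rule: str
    severity: str
    text: str


# Constructed rule set; a real gate would take findings from the SAST/DAST tools.
RULES = [
    ("hardcoded-aws-key", "HIGH", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("tls-verify-disabled", "HIGH", re.compile(r"verify\s*=\s*False")),
    ("weak-hash", "MEDIUM", re.compile(r"\b(md5|sha1)\s*\(")),
    ("todo-security", "LOW", re.compile(r"TODO.*secur", re.I)),
]
# Constructed policy: which severities stop the commit/deploy and which only alert.
POLICY = {"HIGH": "block", "MEDIUM": "block", "LOW": "warn"}


def added_lines(diff: str):
    """Yield (file, new_line_number, text) for every '+' line of a unified diff."""
    file, lineno = None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            file = raw[4:].strip()
            file = file[2:] if file.startswith("b/") else file
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            lineno = int(m.group(1)) - 1
        elif raw.startswith("+"):
            lineno += 1
            yield file, lineno, raw[1:]
        elif not raw.startswith("-"):
            lineno += 1  # unchanged context line


def scan(diff: str):
    """Run every rule over the added lines only."""
    findings = []
    for file, lineno, text in added_lines(diff):
        for rule, severity, pattern in RULES:
            if pattern.search(text):
                findings.append(Finding(file, lineno, rule, severity, text.strip()))
    return findings


def gate(diff: str):
    """Return (passed, findings); any finding whose severity is 'block' fails the gate."""
    findings = scan(diff)
    blocked = [f for f in findings if POLICY[f.severity] == "block"]
    return (not blocked, findings)


# Constructed diff: a cert check switched off and a key literal (the AWS docs' example key).
SAMPLE_DIFF = """\
diff --git a/app/client.py b/app/client.py
--- a/app/client.py
+++ b/app/client.py
@@ -10,4 +10,7 @@ import requests
 def fetch(url):
-    return requests.get(url)
+    # TODO: security review of cert handling
+    return requests.get(url, verify=False)
+
+ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_DIFF)
    for f in findings:
        print(f"{f.file}:{f.line} [{f.severity}] {f.rule}: {f.text}")
    print("gate passed" if passed else "gate blocked")
```

Because the scanner only looks at lines the change adds, a pre-existing finding is not re-raised on every commit; it is reported once, where it was introduced, which is the behaviour the text describes as limiting common security routines to a one-time fix.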

Which of these rungs characterize your company’s security posture in cloud? To climb to the top, make an action plan to extend security control sets, design and architect for cloud security, package a security code library to support a security SDK, expose the right application and infrastructure hooks for managed services, and integrate and automate to shift security processes left through a DevSecOps approach. 

Dan Mellen joined Accenture's security technologies organization in 1999. During his tenure, he has worked with clients in public service, retail, financial services, utilities, pharmaceuticals, communications, and high tech to find security solutions to meet their business ...