Cloud security has become a divisive topic within many companies. Some see cloud computing as a business necessity, required to keep up with competitors, or a vehicle to transform “old world” IT. Others see daunting and dangerous security risks. To me, cloud computing represents an opportunity to re-think, re-design, and operationalize information security and risk management to drive business agility.
Cloud computing offers a unique change in managing information systems: the use of automation. While most look at automation as the cornerstone of cloud computing’s cost savings and efficiency, automation is equally valuable, if not moreso, for information security and risk management. Looking at today’s security problems, the landscape is littered with methods that are largely manual and disconnected.
- Business systems are launched and retired faster than security teams can identify, analyze, and track.
- Risks are implicitly accepted by business sponsors during design, development, and operation, but mitigated only when pressed by security and risk management.
- Security policies are enforced primarily by manually executed audits and processes.
- Scaling today’s information security and risk management problems to cloud velocity is untenable, but doing so without refactoring poses an even greater risk to the enterprise.
A successful approach combines the refactoring of existing information security and risk management practices with automation that operates at cloud speed and scale. That automation consists of four key components:
- An execution engine that reliably deploys virtual systems to data-driven design
- Lifecycle-centric systems management and operational tools
- Automated sensory and scanning systems that identify key issues and risks
- A policy evaluation engine that can drive planned automated responses and notifications
The combination of these powerful automation and refactored information security concepts creates an environment in which security requirements for cloud systems are codified and enforced in a prescriptive and proactive manner.
One example can be seen in enterprises that engage in routine security system and business application scans. The challenges with these scans begin with identifying the systems to be scanned. This is often the most time-consuming process, but it is also the critical factor to success. Once identified, systems are scheduled for scan, then scanned, and results are analyzed. Then, the security team communicates the issues to the project/development/business team, and they negotiate remediation timelines, risk acceptance, and deferrals.
The IT security team typically manages the entire process, spending more time on bureaucracy than on security. Due to the overhead, these scans are usually performed on production or near-production systems. The processes are considered successful when each application or server in the enterprise is scanned annually.
In cloud-centric operations, a system may be running for hours or days, meaning the existing processes will likely miss the system completely. While this gap may be mitigated by slowing down cloud deployments to fit existing processes, a better strategy is revising the security scanning process for the cloud.
In agile cloud operations, for instance, a cloud management platform will be aware of every system started by business and development teams. Through automation and policy, each system is scanned upon startup and restart. Results can be sent automatically to both system owners and information security. More importantly, scans can be performed during the earlier stages of system development, when it is easier, cheaper, and faster to make system changes. Further improvements are gained by automatically separating results into those that may be immediately acted upon by system owners, and those that require further analysis by security experts.
By adapting security scan processes to the cloud, businesses are able to act more nimbly in a cloud-centric environment while moving to more frequent scans and earlier, cheaper remediation. Such gains would not be available without the solid foundation provided by a cloud management platform.
By deploying a cloud management platform with a rich automated policy infrastructure, IT can be confident that they have established governance, compliance, and security that are configurable, automated, and enforced. In doing so, they are enabling the business to operate with cloud speed and agility, knowing that information security has been part of the journey.
Bankim Tejani is a senior security architect with ServiceMesh, an active member of the Austin Open Web Application Security Project (OWASP), and co-founder of the Agile Austin Security SIG.