Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
8/21/2017
09:00 AM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

5 Factors to Secure & Streamline Your Cloud Deployment

How a Midwestern credit union overcame the challenges of speed, cost, security, compliance and automation to grow its footprint in the cloud.

Cloud computing promises significant costs savings and more streamlined management of mission-critical information technology, data processing and storage needs. But is it secure?

Vibrant Credit Union (VCU), a Midwestern-based full service financial services credit union that offers both online services and storefront branches, continues to grow their footprint in the cloud. As their needs grow, so does their emphasis on security. Steve McAtee, Vibrant's CIO, was tasked with migrating securely to the cloud without inflating the credit union’s IT budget. Like most well-managed organizations, Vibrant relentlessly pursued a strategy of doing more without increasing costs, and avoiding any compromise in its security posture.

McAtee’s strategy to improve his company's security capabilities involves continuously monitoring and automating its cloud security for vulnerabilities in its Amazon Web Services (AWS) environment. Additionally, the company is able to use this new, continuous approach to eliminates the pain of annual regulatory compliance audits. This successful path to the cloud includes five key factors:

Image Source: Evident.io
Image Source: Evident.io

Factor 1: Speed
Moving to the cloud enables VCU to spin up resources and shut them down dynamically in an on-demand basis. The elasticity of cloud computing enables continuous development, allowing organizations to release software as rapidly as they can. But be warned: the speed of continuous development will increase the volume of vulnerabilities in your environment if it’s not well aligned with the security practices of your organization.

Factor 2: Cost
The advent of the cloud will forever change the landscape of IT budgets. No longer are you responsible for housing, powering, and maintaining a farm of depreciating hardware assets. Vibrant was able to convert the capital expense associated with provisioning data centers into a more flexible consumption-based operating expense. They are no longer tied down to physical data centers, but rather are able to move elastically in the cloud based on the needs of the business.

Factor 3: Security
While it is true that in the cloud, it’s easier to rebuild servers, it’s much more painful to do so if you haven’t properly protected your data. The speed and agility of the cloud works to the hackers’ advantage because in the cloud, more data is moved, processed, stored and accessed globally (including by mobile devices). This increases the data’s vulnerability to security breaches and the corresponding adverse legal, regulatory and business consequences.

An automated attack runs 24/7/365 waiting to find vulnerabilities – the attackers way in. Attackers are doing things in a programmatic fashion. Vibrant found that automation is great for detecting and exploiting the risk, but you also need to be armed with automation and visibility so you can identify vulnerabilities before an attacker leveraging automation can detect them.

Factor 4: Compliance
Migrating to the cloud does not relieve an organization of its legal and regulatory responsibility for the data that is put into the cloud. In fact, moving to the cloud now has its own collection of industry-specific laws, regulations and compliance standards.

Compliance with these regulations is imperative. Failure to comply will result in administrative orders and penalties with the potential to damage your business and brand reputation. While some framework controls are met by the cloud providers themselves, organizations need to be able to validate and prove that security standards are met. Even with a small cloud environment, manual monitoring would be extremely burdensome, if not impossible. Many organizations combine the skills of their compliance and security experts into one team. Those teams are supported by the use of security automation tools, lik, for example, the Evident Security Platform (ESP) that can continuously monitor and manage the security and compliance risks and vulnerabilities in an Amazon Web Services (AWS) environment.

Factor 5: Automation
If you were to manually audit your cloud infrastructure, it can consume several hours, even weeks of your most valuable resources, security experts. Adding up all the discovery, auditing, remediation, and training time required to deploy and protect cloud accounts without leveraging automation, equates to losing at least one staff member to these activities -- and that’s just to maintain the existing security state. If you wish to move the ball forward and implement advanced security controls or compliance frameworks, you can expect to consume up to 3 full-time bodies just to achieve baseline security practice.

These were all motivating factors in Vibrant Credit Union’s own move to continuous cloud monitoring and compliance. Operating in the cloud represents a different reality than what you may have worried about just a few years ago, when the introduction of the cloud and the use of cloud services in the supply chain would actually increase security vulnerabilities. McAtee and his small team moved to the cloud to enforce compliance and security policy and instead of causing a security problem, the move helped them leverage security automation and improve how they get things get done. 

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...