A Pragmatic Approach to Scaling Security in the Cloud
Originally posted at https://www.infoq.com/articles/cloud-security-at-scale/.
Security. Cloud. Two words that are almost always together but rarely happily.
For years, vendors and consultants rooted in traditional, data center centric world views hollered from the rooftops that the public cloud was a security disaster in the making. Hyperbole reigned supreme and any dramatic turn of phrase that had vague roots in fear, uncertainty, or doubt was touted as the reason you shouldn’t be moving to the public cloud.
It’s not surprising really. Traditional approaches to information security don’t work well in the cloud.
The only way to stem the inevitable migration to the cloud was to ensure that it became canon that the public cloud was insecure. Fortunately, the business drivers for migration are just too strong.
The key to a successful migration is to understand the model behind cloud security and to adopt a cultural willingness to a new way of doing things.
With the high levels of scrutiny that IT organizations are under these days, that can be a tall order. Each high profile breach brings renewed attention. Information security is quickly becoming a regular topic at the board level.
The pressure is on and no one wants to screw up.
The good news is that if you and your security team take the time to understand the model for security in the cloud and then put the right tools, processes, & people in place you can be more secure in the cloud than in your current environment.
Let’s take a deeper look at the keys to successful security in the cloud…
Sharing The Responsibility
It all starts with two words, “shared responsibility”.
The challenge with the model is that it will have significant impact on the way your security has to approach their roles. The traditional view of being a gatekeeper or even being in complete control has to go. Toss it out the window.
A modern security practice has to be flexible and understand its role within the shared responsibility model. With a solid understand of the model and the partnership it implies, you can start to build a dynamic, successful practice.
The model itself is simple. Your cloud provider is responsible for the security of the following areas:
- Physical infrastructure
- Network infrastructure
- Virtualization layer
You are responsible for the security of:
- The operating system
- Any applications
- Your data
That’s it. That’s all. A nice, clear division of labour.
This clear line is what makes it possible to increase your security by moving to the public cloud. I’ve referred to this possibility a few times. The reason it’s possible to increase your security posture is because this model immediately removes the half of your security workload.
Think about that for a minute. Your limited resources now only have to cover half of the areas they previous had to cover. With the shared responsibility model you can focus on fewer areas which means you can focus more resources on those tasks. That’s a huge win.
Big name organizations have realized this and are now moving sensitive workloads into the cloud. There’s no reason that you shouldn’t be planning to do the same. Sharing the workload lets you deliver high quality security with the same set of resources you have now.
Don’t worry, I won’t tell you boss. You can still ask for more budget to cover the migration. But just think of what you could accomplish with that increase now that you only have to focus on half of the work.
Trust But Verify
Of course it’s not all unicorns and rainbows. From a security perspective, you can’t just assume that everything will work out on the cloud providers side of the model. A little paranoia can be a very healthy thing.
You need to verify that your provider is holding up their end of the deal and providing the security that you expect and rely on.
The good news is that you’re not the only client of the provider in this situation and the providers are waking up to this fact. The information your need to verify and validate the provider’s claims on security is not something that you–as their client–should have to work to track down.
This is why the leaders in the field are adopting a near transparent information sharing policy.
Leading providers have published landing pages or information centers where all of their security and compliance information is posted. Typically anything you need above and beyond this published information is only a support call away.
Under the shared responsibility model (and good ol’ common sense) it’s up to you to read through this information and to understand exactly what your provider is doing to security the facilities, physical infrastructure, network infrastructure, and the virtualization layer.
Also key is to understand what tools–if any–that the provider has created to help you secure your areas of responsibility. Have they provides a robust identity and access control framework? Firewall controls for your virtual machines?
You need to understand what these features are capable of and how to deploy them properly.
Now that you understand the model in theory, you’re probably wondering what it looks like in practice. Let’s take the example of facing a PCI (payment card industry) audit.
Audit’s are about as much fun as they sound but they do an excellent job of highlighting how the shared responsibility model works in practice. If you don’t have to be PCI compliant, don’t worry. Just substitute your favourite compliance framework and the example still holds.
The PCI framework touches nearly every area of information processing. From the facilities where the data is stored to how information is discarded during processing, compliance requires security controls (process or tools) in all areas of the shared responsibility model.
But as we know, we don’t control the security in the facilities, physical infrastructure, network infrastructure, or the virtualization layer. So how do you successfully respond to an audit?
Well an audit response is a shared activity that you lead.
You need your cloud providers help to respond to the audit. You will need validation that their controls are in place and working in order to be successful.
Now you’re not the only client of theirs in this situation so it’s not surprising that most cloud providers already have 3rd party audit evidence available for their clients to assist in audit response.
Simply open a support request and ask for the appropriate documentation.
Now you can provide that to your auditor and it should satisfy compliance for the areas of provider responsibility. Now you can focus your audit response on the security you’ve applied to the operating system, applications, and your data.
The audit documentation from your cloud provider is the verification of their side of the model. Add the documentation of the controls you’ve implemented for the operating system, your applications, how you handle your data, and the processes that you use to manage the whole deployment and you’ve got your audit response.
That’s the shared responsibility model in action and it highlights how migrating to the cloud can simplify compliance.
Understanding the overall model is a great first step but it also raises questions along the lines of:
- “What about my intrusion prevention system?”
- “How do I monitor my network?”
- “Can my provider deploy my gateway controls for me?”
When confronted with a new challenge, our instinctive response is to try and map our existing experiences to the new challenge. In this case, trying to figure out how to deploy the same set of security controls in the same manner is a recipe for disaster.
Our previous model of a strong boundary no longer holds water in the cloud.
A traditional data center typically has “big iron” controls deployed at each of the interconnects. Anywhere the data center connects to another environment, security is used to create a choke point.
At each choke point traffic is analyzed, verified, and either permitted to proceed or dropped. We commonly refer to this design as the “zones“ approach and it’s worked well for years.
In effect, this creates a strong wall around your data center much like a medieval castle.
Unfortunately when viewed in the context of a cloud deployment, medieval is an accurate description.
Using this approach is the cloud is a recipe for failure. You’ll quickly hit performance bottlenecks and be strained to maintain a high level of security in a very dynamic environment.
The irony of the public cloud is that while compute and storage resources are available in abundance, bandwidth is typically scarce. All of the traditional methods of deploying these controls are bandwidth intensive. Successful security in the cloud moves these same controls to the virtual machine.
We move from single, large security controls that protect the entire data centre to controls deployed directly on the virtual machine and responsible for only that virtual machine. This allow the use of much smaller rule sets since the control now has the context in which it’s running.
Think of it this way: the traditional method is to have the city guard check everyone at the gate. The guard has to know the business of everyone in the city and then validate whether or not the folks at the gate have a valid reason for being there.
By moving that check to the door of the business someone is visiting, it makes it a lot easier for the guard at the door to do more in-depth checks. The guard at the door only has to keep track of the one business, not the entire city.
Moving controls to the virtual machine allows great context which means we can deploy richer policies to each of these controls. That’s important in a dynamic environment where changes happen minute-to-minute instead of week-to-week.
To stretch the metaphor a bit, you’re probably wondering how the captain of the guard keeps track of which guards are stationed at each business and how well each of them are doing. That’s a valid question and one we need to address in order to be successful.
As we migrate to the cloud, we’ve shifted from a small number of deployed controls (only at the interconnects) to hundreds, thousands, or tends of thousands of controls. This generates two main challenges: deployment, and management.
Even in a traditional data center deployment was a challenge. Nobody really enjoys racking a set of boxes that weigh 15–40 Kgs. In the cloud that physical challenge goes away but how can you rapidly deploy a thousand or more applications?
The good news is that this isn’t a security problem. This is a general operations problem.
The better news is that your organization has probably already solved the issue. It might be with a solid strategy for “gold” images of virtual machines or on-demand orchestration via tools like Chef or Puppet . One way or another, you need to method of simplifying application deployment in the cloud.
Don’t re-invent the wheel. Leverage the existing solution in your organization and use it to deploy the security controls to your virtual machines. This way you only have to prioritize the deployment (security should be the first thing applied to a new machine) instead of creating a new distribution challenge.
That leaves the challenge of managing all of these controls now that they’ve been deployed. Regardless of security technology, vendor, etc. you absolutely have to have a method of managing these controls from a central location.
Operationally it’s not feasible to expect a small team (or even a large one) to manage thousands of controls. Especially when the major of them will be doing the exact same thing.
Your security team should be able to view the security of one web server in the same manner as they can view the security of one hundred web servers.
Centralized, automated management is the only logical method of addressing this challenge. That’s another shift in the way we think about security controls.
If you understand the shared responsibility model for security in the public cloud, you will be successful and at the very least maintain your current levels of security.
But if you take the time to truly understand not only the model but also the nature of cloud deployments you can easily strengthen your security posture. More importantly you can strengthen your security posture without spending more time or budget.
Computer systems are good at repetitive tasks. Take advantage of this by automating the deployment and management of your security controls. This will let your security team focus on doing in-depth analysis and adding value to your organization.
Imagine if you team was viewed as the key piece that enabled your organization to move to the cloud and modernize it’s IT infrastructure. The team that allowed the organization to simplify IT service delivery and really raise the bar on what can be done with modern technology.
Wouldn’t that be a nice position to be in?