Lower capital expenses, access to the newest technology, and operational efficiency are among the most documented benefits of moving to the Cloud. The conversation gets a bit complicated when somebody invariably asks: Is the Cloud secure? Can you trust a platform with limited security controls, new security paradigms, and unfamiliar management techniques?
Those are fair questions. As security practitioners, we have watched the evolution of the Cloud platform closely and regularly work with our customers to implement secure Cloud solutions. Yes – you can use the Cloud securely! Companies like Amazon and Microsoft have been early innovators and adopters of secure Cloud and have made huge strides to improve Cloud security.
Locking Down the Cloud
Amazon is probably the most noticeable (and boisterous) Cloud success story; they were an early adopter of virtualization, developed their own internal Cloud infrastructure, and now offer those services to the world. Amazon Web Services (AWS) releases hundreds of major features each year, many of which are security improvements. The most recent have included the extension of certificate management, API call logging from the WAF, and a security vulnerability assessment service.
Over the past two years, Microsoft has invested heavily in their platform by adding a number of security enhancements. Earlier this year, they released Advanced Threat Detection which looks at network traffic and detects security issues, alerting administrators more quickly than traditional environments. Similarly, Active Directory Identity Protection observes actions by users and detects security events such as brute force attacks, leaked credentials, and sign-ins from unfamiliar locations.
The rest of the field (Google, VMware, OpenStack) is quickly adding features to match the leaders. This focus on rapid feature release bodes well for security teams tasked with finding a way to protect Cloud environments.
Native isn’t the only way to go either. Additional options are also available for implementing security. Third parties are bolting onto these platforms in order to provide familiar or better security administration. If a third party hasn’t built what you need, you may be able to leverage the platform’s API to script a custom solution.
The list of Cloud-related security deficiencies is quickly shrinking.
The move back towards centralized computing using virtualization is in its second decade, but we’re just starting to adopt some of the important paradigms that are provided via the Cloud.
Take the idea of “one machine for one purpose in one physical location.” Each part of that architectural concept makes sense, especially for security, when considered separately. When they are combined, however, it becomes quite restrictive. Changes can be made more quickly and efficiently to infrastructures that are virtualized and scalable.
Everyone loves patching, right? Unfortunately, computers rarely become more stable the more you patch. The management of patching an entire environment can be tedious when dealing with physical systems in many physical locations. However, the concept of immutability on Cloud services allows you to begin with a non-deployed image, ensure all security patches and upgrades are applied, and then replace all of your vulnerable compute images with a perfectly good new image whenever new patches are released.
A related subject is the ability to automate pushing new images to production, and even to create logic that reacts to potentially bad security situations by correcting issues automatically, without manual human input. Automation and orchestration (along with a little behavioral analytics/machine learning) will help security teams react more quickly to expected situations and leave them free to manage the situations that cannot be predicted.
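The image-replacement approach and its automation, described in the two paragraphs above, sketched as an added example (not code from this article or from any Cloud provider). The `Instance` type, the `plan_replacement` function, and all instance and image names are hypothetical, constructed sample data; the plan would be handed to whatever orchestration tooling your platform provides.

```python
from dataclasses import dataclass
from itertools import zip_longest

@dataclass(frozen=True)
class Instance:
    instance_id: str
    group: str     # workload the instance serves
    image_id: str  # image the instance was launched from

# Constructed sample data: the current fully patched image per workload,
# and a fleet in which some instances still run older images.
GOLDEN = {"web": "img-web-v8", "api": "img-api-v4"}
FLEET = [
    Instance("web-1", "web", "img-web-v7"),
    Instance("web-2", "web", "img-web-v8"),
    Instance("web-3", "web", "img-web-v7"),
    Instance("api-1", "api", "img-api-v3"),
    Instance("api-2", "api", "img-api-v4"),
    Instance("batch-1", "batch", "img-batch-v1"),
]

def plan_replacement(fleet, golden, max_unavailable=1):
    """Return (waves, unmanaged) for replacing instances on stale images.

    Nothing is patched in place: every stale instance is replaced by a new
    one launched from the golden image. Each wave takes at most
    max_unavailable instances per workload out of service at once.
    """
    if max_unavailable < 1:
        raise ValueError("max_unavailable must be at least 1")
    stale, unmanaged = {}, []
    for inst in sorted(fleet, key=lambda i: i.instance_id):
        target = golden.get(inst.group)
        if target is None:
            # No golden image to compare against: flag for human review.
            unmanaged.append(inst.instance_id)
        elif inst.image_id != target:
            stale.setdefault(inst.group, []).append(inst)
    # Split each workload's stale instances into chunks of max_unavailable.
    chunks = [
        [insts[i:i + max_unavailable]
         for i in range(0, len(insts), max_unavailable)]
        for _, insts in sorted(stale.items())
    ]
    # Wave n holds the n-th chunk of every workload.
    waves = [
        [{"replace": i.instance_id, "launch_from": golden[i.group]}
         for chunk in step for i in chunk]
        for step in zip_longest(*chunks, fillvalue=[])
    ]
    return waves, unmanaged

if __name__ == "__main__":
    waves, unmanaged = plan_replacement(FLEET, GOLDEN)
    for n, wave in enumerate(waves, 1):
        print(f"wave {n}: {wave}")
    print("no golden image, needs review:", unmanaged)
```

Instances whose workload has no golden image are reported rather than silently skipped, since an image nobody rebuilds is exactly where missing patches accumulate.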
Separation of Duties
The Cloud services are being run and managed by professional Cloud providers. AWS says security is job zero. Azure says security is built in from the ground up. Without security, without trust, the public and hybrid Cloud models will fail. Therefore, they have to invest heavily in platform security.
The benefit is that they can invest once to improve security for all of their customers. And with scale comes a budget that individual companies will be hard-pressed to match. With the Cloud, you – as their customer – benefit. You can spend your limited budget (and even more limited time) more efficiently, and maybe on things that wouldn’t have been touched if you had to purchase and build your security architecture in a more traditional manner.
So, What are we Waiting for?
The Cloud is not quite perfected. Not yet. All of the introductory criticisms are accurate – the platforms still don’t have security controls as mature as those of distributed environments, changing paradigms can introduce unknown weaknesses, and trusting your operations and environment to a platform you don’t manage could lead to uncomfortable conversations when things go wrong.
But it’s getting better. Very quickly. For a lot of organizations, the benefits of the Cloud will (if they haven’t already) begin to outweigh any remaining security concerns. The need for customized, flexible, and less traditional business solutions will continue to increase, while the concerns related to the solution’s security model will continue to decrease.
Now is the time to get familiar. Get prepared for managing security in the Cloud. If your adoption schedule is measured in days instead of months, hire a Cloud or secdevops expert. And get ready to acquiesce to the IT/business requests – you finally get to tell them yes!