Security lessons from the Cloud

In the last few months I’ve had an opportunity for a project to spend a big chunk of time talking to DevOps leaders, cloud security firms and individuals at Amazon Web Services. What I’ve learned is not only do you need to take a fundamentally different approach to security in the cloud, but that there are lessons learned from that approach which should be considered for more traditional environments.

DevOps/DevSecOps

One key difference in the cloud is the integration of application and infrastructure development with security and operations. In the cloud, increasingly, infrastructure is code. This means not only that you need to consider your SDLC carefully, but also that it provides opportunities in terms of secure templates: the same review, testing and version control you apply to application code can be applied to the definition of the infrastructure itself.

Lesson to be learned: the integration between development, security and operations here is a best practice - it is a literal destruction of the fiefdoms and silos that have caused animosity between these groups in countless organizations, for the betterment of all - speed to market, improved security and availability.

Automation and non-persistence

On average, an instance in AWS lasts less than an hour, and my guess is this will only decline further. Microservice architectures, automated deployment, transparent scaling and Lambda functions are re-imagining the traditional rack and stack infrastructure. This brings interesting management and security challenges: if your IPs and hosts are constantly changing, how do you monitor, and how do you attribute an alert to the host that actually caused it? Many DevOps teams take a ‘nuke and reinitiate’ approach when it comes to compromised hosts, but years of incident response have shown that this often leaves you short of the critical information needed to prevent the next breach and to know what has been lost.

Lesson to be learned: traditional rack and stack security is slow, and one of the constant frustrations of project teams is discovering that security has to be bolted on at the end, delaying their projects. The ‘minimum’ footprint approach of microservices aligns beautifully with least privilege security principles, and a great deal can be gained through security automation and integration.
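As an added example (not code from the original post) of the monitoring problem ephemeral hosts create: when a private IP is recycled between short-lived instances, an alert keyed only by IP must be resolved against the instance lifecycle that was current at the alert's timestamp, not against whoever holds the address now. The lifecycle log, alerts and instance IDs below are constructed for illustration.

```python
"""Attribute alerts to short-lived instances by time, not by IP alone.

Constructed example, not code from the original post. The lifecycle log
and alerts are made up; in practice they would come from the provider's
instance events (launch/terminate) and from your detection pipeline.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Lifetime:
    instance_id: str
    private_ip: str
    launched: datetime
    terminated: Optional[datetime]  # None means still running


def _ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed lifecycle log: the same IP is reused by three instances.
LIFETIMES = [
    Lifetime("i-0aaa", "10.0.1.15", _ts("2018-03-01T10:00"), _ts("2018-03-01T10:40")),
    Lifetime("i-0bbb", "10.0.1.15", _ts("2018-03-01T10:45"), _ts("2018-03-01T11:20")),
    Lifetime("i-0ccc", "10.0.1.15", _ts("2018-03-01T11:30"), None),
    Lifetime("i-0ddd", "10.0.1.16", _ts("2018-03-01T09:00"), None),
]


def current_owner(ip: str, lifetimes=LIFETIMES) -> Optional[str]:
    """Naive lookup: whichever running instance holds the IP right now.
    This misattributes any alert raised before the current instance launched."""
    for lt in lifetimes:
        if lt.private_ip == ip and lt.terminated is None:
            return lt.instance_id
    return None


def owner_at(ip: str, when: datetime, lifetimes=LIFETIMES) -> Optional[str]:
    """Return the instance that held `ip` at time `when`, or None if the
    address was unassigned (e.g. between a terminate and the next launch)."""
    for lt in lifetimes:
        if lt.private_ip != ip:
            continue
        if lt.launched <= when and (lt.terminated is None or when < lt.terminated):
            return lt.instance_id
    return None


def attribute_alerts(alerts, lifetimes=LIFETIMES):
    """alerts: iterable of (iso_timestamp, ip, rule_name).
    Returns (rule_name, ip, instance_id_or_None) per alert."""
    return [(rule, ip, owner_at(ip, _ts(ts), lifetimes)) for ts, ip, rule in alerts]
```

An alert with no owning instance (the gap between terminate and the next launch) is itself worth surfacing, since it usually means the lifecycle log is incomplete.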

Try and buy

Frictionless is the name of the game in the cloud. Easy, cheap, rapid-to-deploy technologies win out. Pull out your credit card, spin up an instance, try the features out, see if it meets your needs, and if it does, scale. This massively changes the sales and proof-of-concept dynamic, and causes the rapid evaporation of marchitecture, slideware and sales pitches in the cold, hard light of ‘does it work’.

Lessons to be learned: the security industry is filled with vapourware - products promising to solve big security problems but really only dealing with a small slice of the problem. Making your technology easy to evaluate without the hand-holding of an implementation team or sales engineer, and waking up to the reality of technically minded, self-driven evaluators trying to solve specific, measurable business problems, will help the security industry mature and deliver true business returns.

Shared Responsibility Models

Most of the cloud providers (Amazon, Microsoft, Google) have a shared responsibility model where they take ownership of ‘security of the cloud’ - hypervisors, data centres and servers - and you are responsible for ‘security in the cloud’ - applications, data and virtual networks.

Lessons to be learned: the shared responsibility model developed by these cloud providers is clear and explicit, which many of the SaaS providers and third-party services that businesses use could really benefit from. Learning how to apply shared responsibility models more broadly with your partners and service providers is a critical success factor for the modern business, which most likely has more data in its Shadow and Cloud IT than in its traditional IT environments.

Closing thoughts

Many people I talk to seem to ‘pooh-pooh’ the cloud: statements like ‘the cloud is just running on other people’s servers’, or comparisons to traditional client/server architectures, are common refrains. Infrastructure as code. Spot instances. Lambda functions. Serverless architectures. The pace of innovation here is incredible, the scale immense and the impact on IT transformational - if you’re in IT you should take some time to learn more about what is happening in this market, or get left behind.