Outsourcing critical aspects of our lives is nothing new. We trust banks to safeguard our money, even though many of us do not trust bankers. We trust taxi cab drivers with our lives, even if we do not know their first name. We do this not out of ignorance but because we trust the overall system that these components work within. With the commoditization of IT, Cloud is proving to be a disruptive technology, causing us to outsource, among other things, our information security programs (at least portions of it). Instead of fighting the shift, security professionals must learn to embrace it. As DevOps methodologies allow entire environments to be stood-up in seconds, to be managed more efficiently—it also can allow for better secured systems.
At an initial glance, it may appear that securing constantly changing environments is unmanageable. Particularly as traditional controls, such as patch management, provisioning, and change management become impossible in the Cloud. However, understanding how Cloud is different is the key to empowerment. Cloud Service Providers like Amazon Web Services (AWS) have assisted security professionals by securing a portion of the stack, but as CTO of Juniper Networks, Chris Hoff, points out: “If you suck now, you’ll be pleasantly surprised by the lack of change when you move to Cloud.” What is important to understand is what the vendor is taking care of, and what you as the customer are responsible for – fully understand your shared responsibility model. As IT environments are becoming mechanized, they are beginning to resemble automobile manufacturing plants. For example, opposed to maintaining environments that undergo several major updates annually, Cloud methodologies are enabling organizations to push out multiple updates an hour – providing features (and fixes) to customers quicker than ever before. What does this mean for security? The best example was provided by Amazon Web Services in late 2014, as Cloud inherently allows security professionals to take advantage of constantly refreshed environments. When the Shellshock vulnerably was released late last year, it was rumored that AWS was able to patch all of their Internet-facing load balancers within several days. Any Fortune 500 company can appreciate the difficultly of coordinating and executing such an effort. What this also means is that assurance controls are shifting from tail end of processes, and are now becoming front-loaded instead. Security hardening requirements, logging configurations and security software is installed by default, embedded through Cloud orchestration tools, including Open Stack scripts, Cloud Formation templates and Docker images. Leveraging complete and accurate system baselines within their AWS account, one can bounce that baseline against systems imposing security requirements (think Cloud configuration tools, such as Puppet or Chef) and in real-time obtain notification of any systems not in compliance. There is an underlying transition occurring with the introduction of Cloud and DevOps. Everything as code—infrastructure as code, and yes... security as code.
In my presentation at BSides SLC, I will discuss how the layers of the Cloud stack will be stripped apart and analyzed in detail, providing an in-depth look at the technical, procedural and cultural aspects that can be used to embed key assurance controls, such as encryption-at-rest, the latest updates and management of elastic environments. By embracing constant improvement methodologies, security professionals will learn how to implement security as code, securing Cloud environments by default once and for all. To learn more about BSides SLC, visit https://www.bsidesslc.org/.
About the Author: Josh Danielson is a Sr. Security Manager with Axway, where he is responsible for global governance of the Cloud Services security program. With nearly a decade of experience in both public and private sectors, he has served a variety of industries throughout his security career; from academia and government contracting, to the software space. Josh is an active member of the infosec community where he has participated in multiple volunteer events. Josh has received a Master of Science degree in Information Management from Syracuse University, and currently holds multiple certifications including CISSP-ISSAP and CISM. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interesting in contributing to The State of Security, contact us here.
Resources:
The Executive’s Guide to the Top 20 Critical Security Controls Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required]. Title image courtesy of ShutterStock
