These days, whatever industry you’re in, you’re working with data and content in the cloud daily, often multiple times a day. Maybe you don’t even know it. More than a million individual businesses use cloud provider AWS to store data and deliver flexible, scalable services, usually without you even noticing. Services and websites like Dropbox, Facebook, and Gmail, all household names, all use the cloud to function. Even government services, which hold some of our most sensitive data, are regular users of the cloud. So how can you manage your company’s use of cloud technology? Do you know what, when, and where you’re using, let alone how to secure it and keep your data safe?
What’s the big deal about cloud security?
Cloud security has undergone massive changes in recent times and continues to evolve at a fast pace. Endpoint technology, by comparison, hasn’t really changed over the same period, or even longer. Whether the user has a desktop, laptop, or perhaps a hybrid, the bones of the technology have remained the same. The way that applications and services are provided and managed in the cloud, on the other hand, has undergone huge changes. A common setup used to be one physical hardware server, sitting on racks in a datacentre, where you knew the physical location, the actual perimeters of the room, and who had access to it. Then along came VMware and all of a sudden you could have multiple servers running on the same piece of hardware. Now, we rent virtual servers from third-party companies such as Amazon or Google for months, days, or even just minutes. We know none of the things we used to know about our physical servers, but we still need to protect these systems and fend off attackers.
What’s the first step in setting up security for the cloud?
The first thing to think about when it comes to securing cloud services and information is visibility. Staff can fire up a virtual server on a cloud provider in seconds and without any technical skill. How do you know that server is there and that you need to protect it? Shadow IT, also known as stealth IT, refers to systems that are built and used without official permission and deployed by departments other than IT. To make sure all your cloud systems are protected, tools and software that keep track of and monitor all cloud usage in your organisation are extremely important. You can’t protect what you can’t see. Even working with hybrid cloud services, having a tool that works in all environments is extremely important.
Take, for example, the charity Movember. Once a year, they have a huge surge in traffic and resources. Sure, they also have IT requirements for the rest of the year, but that pales in comparison to the massive peak once a year when they’re dealing with millions of requests for their website and data. They’re a perfect example of how cloud services need to burst in response to the needs of clients and things can go from quiet to busy in a moment. Your security systems need to react just as fast or you’ll be leaving a gaping hole in your organisation. Agility is no longer optional and this changes both how you deploy and pay for your security. The very flexibility that makes the cloud so appealing also makes security more difficult. Scaling services up and down rapidly and mixing up consumption models while still maintaining application control, malware scanners, and vulnerability detection can be extremely difficult. These are not new ideas, but the cloud adds a complexity that we’re not used to with traditional security. And it’s not just something you can figure out later. Studies have shown that adding in security to cloud implementations after the fact can be up to thirty times more expensive than integrating it properly during development. But how do you do this? The not-so-simple answer is DevOps.
So, what is DevOps? It can mean different things to different people but put simply, it’s a set of rules and principles that help decide how IT systems are designed in the current climate. It’s a set of practices designed to reduce time in development while still maintaining high-quality code and secure systems. This goes for not just apps, but also infrastructure and security. Everything is written as lines of commands that can be run as many times as you like and always give the same result, giving you the benefits of automation and removing human error. This means fewer engineers can provide applications and systems that give bigger results in less time with fewer mistakes. But how do you keep all this secure? After visibility, the next step is communication and cooperation.
How do I ensure everyone is on the same page?
Think of cloud security in this way. Everyone knows where the front door to your house is and what type of key you need. Malicious third parties are constantly scanning the big providers and know exactly which IP addresses belong to them, and what format your public and private keys should be in. Every single day, automated scanners find public code where developers have included their private keys, accidental or not, meaning that essentially anyone can unlock your virtual front door.
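A defender-side version of that scan, as an added example that is not part of the original article: a small Python check, run before commit or in CI, that flags PEM private key blocks and (going slightly beyond the text) AWS access key IDs without ever printing the secret. The function names and the sample script are constructed for illustration.

```python
import re
from pathlib import Path

# PEM armour that marks private key material (PKCS#1, PKCS#8, EC, OpenSSH, ...).
PEM_PRIVATE = re.compile(r"-----BEGIN ((?:[A-Z0-9]+ )*)PRIVATE KEY-----")
# AWS access key IDs: "AKIA" followed by 16 upper-case letters or digits.
AWS_KEY_ID = re.compile(r"\b(AKIA[A-Z0-9]{16})\b")

def scan_text(name, text):
    """Return (file, line_no, kind) findings; never echoes the secret itself."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = PEM_PRIVATE.search(line)
        if m:
            kind = (m.group(1).strip() or "PKCS8") + " private key"
            findings.append((name, no, kind))
        if AWS_KEY_ID.search(line):
            findings.append((name, no, "AWS access key ID"))
    return findings

def scan_tree(root):
    """Scan every regular file under root, skipping .git and binary files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        findings.extend(scan_text(str(path), text))
    return findings

# Constructed sample: a deploy script with an embedded key (filler, not a real key).
SAMPLE = "\n".join([
    "export AWS_ACCESS_KEY_ID=AKIA" + "EXAMPLEEXAMPLE00",
    "cat > id_rsa <<EOF",
    "-----BEGIN " + "RSA PRIVATE KEY-----",
    "MIIEconstructed-filler-not-a-key",
    "-----END " + "RSA PRIVATE KEY-----",
    "EOF",
])

if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text("sample.sh", SAMPLE)
    for f, no, kind in hits:
        print(f"{f}:{no}: {kind}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit or CI job
```

Run with a directory argument to scan a working tree; with no argument it scans the embedded sample.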
As well as virtual servers, many developers now use containers to enhance security. Unlike standard virtual machines, containers share services, operating systems, libraries, and often more. However, this also comes with a risk. Instead of everyone knowing where your front door is, now they know the location of an entire apartment block. If one is compromised, they are then all vulnerable. This means that the lines between security teams, development, testing, the infrastructure team, and more are all becoming blurred. Everyone needs to understand the requirements and actions of every other group to keep them all secure.
What are the best-practice techniques?
So, you know everything that the staff in your organisation are doing in the cloud and everyone is on the same page. Now what? Security needs to run the same way cloud apps do: fast, anywhere, and friction-free. The way we use the cloud isn’t going anywhere and so approaching security the same way helps you keep everything under control. The apps and companies that really benefit from cloud security are the ones that make everything automated. Everything should be drivable with code and it should all be reproducible with many small components that can only do what they need to do and nothing more. By locking down functionality to only what each small process must do, you limit any container’s ability to run malware, as it’s outside the scope of what that service or process has been set up to do. By using containers with microservices, you can also help contain the blast radius if something is compromised. A hacker may get access to one individual small part, but the rest of the infrastructure is still protected.
In the end, the same principles apply to cloud security that have existed for IT security for many years, just applied and managed in new ways. There are three broad challenges: how do you identify and protect your key data, how do you limit what a malicious party can get access to, and how will you gather data and report to stop similar attacks in the future? Like it or not, a sea change is upon us. People want to be able to develop things faster and deploy them anywhere, and security staff need to work in a friction-free way to become part of the standard workflow. By making sure you have visibility of absolutely everything in your infrastructure and network, ensuring that different departments are communicating and are fully aware of what each other is doing, and then making sure your reporting can gather and send telemetry automatically across all systems, including on-prem, hybrid, and end users, you’ll be setting your cloud security up right from the beginning.
This article was written after an interview with Mick McCluney for Content Security's Podcast: Safe in Space.