A Real-World Approach to Improving Security in the Cloud
Everybody knows that the cloud -- in particular, the security of cloud deployments -- is a huge pain point industry-wide. And as is the case with any new endeavor with such broad-sweeping impact, there's no shortage of well-meaning advice about how to secure it.
But I confess to finding much of that advice about cloud security somewhat frustrating. Why? Because much of it fails to account for the realities of what drives cloud adoption: Namely, the economics. Consider, for example, a typical cloud deployment: Executives hear about the promise of cloud in terms of dollars saved through things like datacenter consolidation, reduced technology footprint, etc. But addressing the (quite real) security challenges of the cloud requires investment. Once security SMEs start layering on controls, executives see their proposed returns get smaller ... and smaller ... and smaller.
Not only is this a hard conversation to have (and one that doesn't add to the popularity of the security organization, by the way), but chances are you can guess how it'll end: namely, with many of the most effective (but most expensive) security controls stripped away. This leaves security practitioners in a quandary: We need to do something about security in the cloud, but with relatively little budgetary support for new controls. Add to that the fact that cloud is disruptive to many of the security tools we currently have fielded ... well, it's no wonder folks are nervous.
So with that in mind, it behooves security professionals to try to squeeze every bit of value they can from resources they already have. Fortunately, there are a few things that can be done to bolster the security of cloud deployments -- some of them without a huge price tag.
Leverage Industry Resources
Keeping abreast of -- and leveraging -- free industry resources is one solid way to do more with less. For example, if you're not already familiar with it, the GRC Stack from the Cloud Security Alliance (CSA) contains a number of tools that can potentially be folded in to existing security efforts. For example:
- Cloud Controls Matrix (CCM): an indexed list of controls potentially appropriate in a cloud context and how they fit into existing compliance requirements (e.g. HIPAA, PCI, etc.), as well mapped alignment into compliance frameworks (COBIT, ISO/IEC 27001:2005). For compliance-focused shops, fold this tool into existing automated or manual tracking mechanisms; the fact that someone has already done the work of parsing through existing controls and mapping their applicability onto common cloud deployment scenarios represents work you don't have to repeat.
- Consensus Assessments Initiative Questionnaire: a targeted security questionnaire that can be used as part of internal or external service provider evaluation. Building your own vendor selection questionnaire? Why redo that work when you can directly incorporate this tool into your information gathering efforts?
Find Out What You've Already Paid For
Most cloud service providers maintain dedicated security personnel and offer targeted security tools to support existing customers. Surprisingly, these resources very often go under-utilized.
There are a few reasons why this happens. First, technical resources (i.e., the ones who would derive the most benefit from support personnel and tools) are often not aware these resources exist. Consider what happens, for example, when a business unit outsources to a service provider without IT involvement. In that case, the IT security team might not even realize the relationship exists, let alone know how to use the specialized security tools and personnel available to support that relationship.
The second reason is that many times security operations (the area to which these resources are most targeted) tend to be reactive by nature (i.e. overwhelmed by "putting out fires"). For folks already struggling to keep their heads above water, learning how to best make use of vendor security features may be lower down on the priority list than fighting off the "malware du jour."
But because you've already paid for these resources, having a conversation with (both external and internal) service providers to find out what tools and personnel are already purchased -- and leveraging them -- represents capitalization on an investment already made.
In order for activities not to stagnate, assign accountability. It's a tenant of behavioral psychology that individuals tend to assume things are "someone else's job" when responsibility isn't assigned publicly and clearly. Directly assigning an individual to oversight of cloud security (i.e. finding, investigating, and governing service provider relationships) has demonstrable value.
Doing this kills a few birds with one stone: first, it's a morale-booster and show of confidence in the tapped resource (cloud is perceived as "new and interesting" so it's a free way to show recognition to a strong resource). Second, it publicly demonstrates that cloud security is something the security organization is committed to (if you don't care about it, why should staff?). Lastly, it establishes that ownership and accountability feedback loop to increase the likelihood of actually getting something done.
As you ramp up your cloud deployments, the relative importance and support requirements for many of the security controls InfoSec is currently responsible for will change. For example, as you virtualize your environment and traffic shifts from "network-traversing" to "back-plane traversing," current network-IDS systems may lose visibility into that traffic. Does it make more sense to continue your current staffing levels associated with monitoring those tools in light of that shift? Or does it make sense to reallocate those folks somewhere else?
You'll find that cloud efforts can significantly shift resource utilization in many areas of network security operations (your mileage will vary, of course, depending on how and how much you use the cloud). And this isn't just true for IDS. Reporting and response activities may shift or change, along with quite a number of other security support processes. Budget-minded security organizations can and should capitalize on these changes. Ideally, you're one of those mature shops that understand how and where resources spend their time; but for many, the most effective way to respond to these changes requires managerial action.
Cloud is understandably something that's getting a lot of attention from security folks, but organizations that keep one eye on the economics at the same time as they evaluate risks are likely to be most effective. Why? Because economics are much of the driver for why cloud matters in the first place.