Seven points to understand about cloud security

By recognising and addressing the specific risks associated with the use of cloud solutions, companies can overcome their fears and shift from a strategy built around minimising change to one optimised for change, says Gordon Haff.

Gordon Haff, cloud evangelist, Red Hat

Reflexive fears about a lack of security in public clouds may be naïve. That said, public and hybrid clouds introduce risk and compliance considerations and challenges that are different in degree--and sometimes in kind--from traditional on-premise datacentres.

Users should consider the following seven points:

Shared responsibility

It's important to understand which areas you maintain responsibility for when using public clouds. It differs depending upon the type of service you're using. For example, in the case of Infrastructure-as-a-Service, you need to exercise the same care in sourcing and maintaining your operating system and applications as if you were running them on-premise, even though someone else is operating the servers, storage, and network. As you move up the stack to Software-as-a-Service, the provider shoulders more responsibility, but you're still on the hook for properly managing access to both your company's proprietary information and confidential customer data.

Understand all the areas of potential risk

A variety of frameworks is available to help IT executives and architects evaluate and mitigate risk associated with using public cloud providers. A good example is the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA).

The CSA CCM provides a controls framework across 16 domains including business continuity management and operational resilience, encryption and key management, identity and access management, mobile security, and threat and vulnerability management. CCM v3.0.1 defines 133 controls in total and maps the relationship between each and other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum, and NERC CIP.

Apply existing best IT practices

Service design for delivery through hybrid architectures can also be informed by more traditional IT methodologies. For example, ITIL Service Strategy is one of five ITIL Lifecycle modules and provides guidance for designing, developing, and implementing a service provider strategy that aligns with an organisational strategy. Thus, ITIL practices can be used to help design appropriate end-to-end services for hybrid IT. Although ITIL implementations have an often-deserved reputation for being overly bureaucratic and heavyweight, many of the basic principles apply to modern cloud-native architectures.

Adopt a business-centric approach to security

Security needs to be approached in the context of the business as opposed to just a technology problem. This means, for example, defining the business' risk appetite in terms of loss tolerance. A credit card issuer knows that it's going to have losses due to fraud. The only alternative is to make using credit cards so onerous that hardly anyone will use them. So their goal is instead to put controls in place that make using credit cards a mostly streamlined process while keeping losses to a level that is acceptable as a business outcome.

Manage based on policy

It's important to be able to maintain insight into and control over complex hybrid and heterogeneous environments using tools such as a cloud management platform. For example, real-time monitoring and enforcement of policies can not only address performance and reliability issues before the problems become serious but they can also detect and mitigate potential compliance issues. Automating in this way reduces the amount of sysadmin work that is required to handle them. However, it's also a way to document the processes and to reduce error-prone manual procedures. Human error is consistently cited as a major cause of security breaches and outages.

Have a (well-tested) incident response plan

As with a fire or a car accident, minutes count. Roles, responsibilities, and processes must be well established ahead of time. Technical expertise matters but so does having clear communication plans to share information with those potentially affected by the incident and with broader constituencies such as the press. Much can be learned from the best practices that have evolved over time within emergency services and other life and safety-critical fields.

Build in security

With traditional long-lived application instances, maintaining a secure infrastructure meant analysing and automatically correcting configuration drift to enforce the desired host end-state. This is often still an important requirement. However, with the increased role that large numbers of short-lived “immutable” instances play in many cloud-native environments, it's equally important to focus on building in security in the first place, for example by establishing and enforcing rule-based policies around enabled services in the layers of a containerised software stack.

Modern security means shifting from a strategy that is built around minimising change to one that is optimised for change. An insight-driven workflow needs to provide visibility into multiple environments, aggregate information, and take remedial action even for assets that may have a lifetime in the order of minutes. And security needs to be enabled as an integral component of carrying change through the software delivery pipeline rather than as a disconnected checkbox.

Contributed by Gordon Haff, cloud evangelist, Red Hat