In the era of cloud technology, online attacks are becoming more sophisticated. The days of drive-by exploitation are passing us by, replaced by attackers who run continuous penetration and vulnerability assessments. As organizations migrate more projects to the cloud, there is a distinct need to incorporate security best practices throughout the lifecycle of their products and infrastructure to counteract these more sophisticated attacks.
Organizations often struggle to identify the right security practices to implement in their agile product pipelines. The reason for this pain is that security behaviors tend to be expensive, laborious, time-intensive and/or technologically invasive.
So how do you adapt your organization to the new realities of cloud security? There are several paths you can take on your journey to a more secure future in the cloud, but keep in mind that these practices are only effective when uniformly applied. Rather than trying to pick and choose where you apply security in the code pipeline (which opens the door for attacks in other places), cloud security requires a consistent approach across all dimensions of your cloud environment: code pipeline, infrastructure, control plane, and more.
Securing the code pipeline
Cloud-based tools and infrastructure include everything from the code repository (GitHub, Visual Studio Online, Bitbucket, SourceForge, etc.) all the way to the elastic resources and operations tools. That’s a lot of ground to cover, especially when you consider that most of your operational functions (infrastructure configuration, deployment templates, etc.) now live as code.
This means that for better cloud security, you need to start by securing your code – by investing in traditional code and binary analysis tools like Veracode, AppScan, or Fortify, all of which will help you identify and prevent code vulnerabilities from migrating to your production environments. Combining these static and dynamic analysis tools with peer code reviews ensures reduction in potential attack surface and vectors in your application. It also helps to get third party code security assessments by professional organizations like Accuvant, Cigital, and Veracode timed in sequence with major codebase reductions, expansions, or rewrites.
Additionally, you need to look for ways to prevent code security issues before the first line of code has even been written. The best security practice in this area is to invest in education and enrichment of your staff. If you educate willing engineers on secure code practices and provide secure coding courses (presented by SANS and other industry organizations), your investment will influence every piece of code written by your team for years to come.
Securing the Infrastructure
The cloud offers some great infrastructure benefits compared with the datacenters of years past. The highly-elastic infrastructure capabilities of the cloud enable organizations to temporarily launch and leverage thousands of servers for short-lived but computationally demanding jobs. The cloud also reduces costs of IT infrastructure, as you only pay for the time you used the computing resources. As a result, your organization will often have only a minimal set of servers and infrastructure operating 24 hours a day, with other resources that appear and disappear as workloads demand them. The transient nature of cloud infrastructure is excellent for agility and flexibility, but it presents a totally new type of security challenge: security threats can appear and disappear before traditional security tools can detect or react to them.
Fortunately there is a new generation of cloud security solutions designed specifically for the cloud. These solutions share a few key ideals:
- Fast Deployments: taking minutes instead of weeks to deliver security insights
- Continuous Security: always scanning, assessing, validating, and protecting your organization’s cloud interests
- Cloud Native: solutions that are built for the cloud, not datacenter tools ported to the cloud
- API-centric: security management happens primarily through the APIs.
These emerging security technologies are often labeled Cloud Security Platforms, and combine capabilities from legacy point solutions into more cohesive user experiences for cloud customers. Often, you can have global security visibility and threat alerting up in less than 15 minutes from the leaders in the Cloud Security Platform space. The most powerful security platforms not only give you the threat data, but also offer guided remediations, removing the need for specialized security staff to tend to every issue. Cloud-savvy organizations won’t need to spend large sums of money on a security solution only to spend equivalent or larger sums on training and staffing to operate it.
Traditional approaches to infrastructure security include using network scanning and traffic analysis tools. But these traditional tools struggle to deliver value in the cloud space because they were architected and designed for static infrastructure. They expect things to not rapidly change or scale, which can wreak havoc on their appliances and computation capabilities. For example, if you deploy a certain Network Intrusion Detection System (NIDS) appliance that can handle 50 nodes worth of traffic, and then you scale to 100 nodes… well, ugly things happen. These tools have their place to do spot-checking and analysis of cloud environments, but are no longer the powerhouses they once were in the datacenter. The new world of cloud infrastructure demands security tools that were designed specifically for the cloud – and a new generation of solutions is rising to meet this demand.
Securing the control plane
The most overlooked and powerful aspect of the cloud is the management APIs, or control plane. This is the singular interface through which an entire datacenter can be created or destroyed in minutes. You can’t perform network scans or code quality scans against it, you can’t proxy it, and you certainly can’t dictate how it can be used to the Cloud Providers like AWS, Google, and Azure. However, you can manage security through it the same way the providers do – with intelligent security automation designed to interact with APIs.
There are Security-as-a-Service solutions out there for platforms like AWS that do this very effectively today. With 43+ services in the cloud, AWS has rich and powerful APIs that can be used to determine security posture, compliance, and threats with speed, presenting clear and evident guidance for protecting your dynamic cloud infrastructure. Combine this API-centric security approach with AWS’s built in CloudTrails and Config data feeds, and you have formidable control over the who/what/when/where/how use cases of your cloud.
Securing the people
Finally, we circle back to the people. One of the most crucial best practices is simply providing ongoing training and support to make your people aware of the security goals and responsibilities of the organization – in compliance, self-governance, or just good corporate citizenship. If you treat your people like adults, realize they will make mistakes, and equip them effectively with training and budget to protect themselves, the rest often takes care of itself. Humans are often seen as the weakest link in the security toolchain. It’s time to make them the strongest link, because they’re the most powerful assets we have in the war on cybercrime.
Security is never “done”
One mistake made by many organizations is assuming that once the budget is spent and the solutions are deployed, security is “done” and can be checked off the “To Do” list. Let’s be clear: security is never “done.” Security in the cloud requires a perpetual commitment by organizations to keep their customers, their customers’ data, and their business protected to the best of their ability. The security world is always evolving, and you must be prepared to be part of it for as long as you work with technology. So grab your shield, your helmet, and your keyboard… we’ve got some securing to do!