Adapting to the Cloud Without Compromising Security
By Michael Bouchet, VP-Global Infrastructure Services, RELX Group
Public cloud means many things to different people. Enterprise usage of cloud today ranges across the spectrum-from no cloud movement at all to outsourcing everything to public cloud providers, and every flavor in between.
Some enterprises have embraced the benefits of Agile development by leveraging Data Center as a Service (DaaS) through a public cloud transition, while others have just simplified their IT organizations by leveraging Infrastructure as a Service (IaaS). There is a myriad of Software as a Service (SaaS) providers hoping to take a piece of what cloud brings to the IT industry.
For our company, cloud offers opportunities to improve our agility- getting products to market faster, reduce cost and improve product availability across global time-zones. While these are attractive advantages, security remains the essential yet uncompromisable concern while moving anything to the cloud. Threat trends such as intrusions, denial of service and cyber terrorism continue to evolve our security policies for traditional infrastructure and certainly for the cloud.
In exploring DaaS, IaaS and SaaS options we’ve found each of them carries completely different risks when compared to private infrastructure.
A Matter of Trust
It goes without saying public cloud is disrupting every facet of Enterprise IT today. Information security and risk management are no different. Information security has had decades to mature. Born out of necessity from the internet and developed over the distributed computing years, and coming to maturity in the mobility and consumerization disruptions, information security architecture has always had one fundamental tenant- an internal trusted infrastructure and a public untrusted one.
Certainly, there are many subtle variations on this theme, but this mindset is the foundation of nearly every security technology developed over the past two decades.
On the positive side, enterprises now have greater flexibility, with the option of hosting their applications in one or more cloud providers, having their data residing in another and using the public internet to transport all of the traffic around. However, simply moving data between two applications within the same cloud provider suddenly becomes a much bigger challenge for security than it was inside a private data center.
Classic security policy fails to capture the inherent sweeping change, that cloud computing is introducing. Most security polices rely on one core principle: strict control. Decades of security infrastructure maturity within enterprise tools sets have developed to manage this risk. However, public cloud offerings related to risk management are either very immature or do not exist. Certainly it’s possible to develop some of these over time, but it’s very important not to underestimate the amount of effort (and ultimately cost) involved.
Losing (some) Control
Another interesting aspect of managing cloud providers, and a rather formidable one, is change in control. As a customer, you don’t have any. For organizations like ours that are managing highly sensitive data there may be requirements to prove exactly where your data is at rest, where it moves, who accesses it and when. This level of logging is often not possible in the public cloud. Since an application can be considered as a virtual container in the cloud, some providers can simply move it anywhere without notification or tracking.
By their own terms and conditions, cloud providers can also simply change a particular technical configuration of a service without your permission, thus, completely changing your security posture overnight. Mature enterprise IT organizational security relies on tight change control. It’s simply not enough to monitor, scan and report on infrastructure readiness. Prevention is where security makes the real difference.
Security and Engineering as One Team
While cloud providers with the capability of moving your data around and changing the specifics of their services at will are forcing a new reality in terms of security, While cloud providers with the capability of moving your data around and changing the specifics of their services at will are forcing a new reality in terms of security, other factors are at play too. Agile development shops are releasing new functionality weekly (if not daily); new technologies are appearing on the scene monthly and a growing number of sophisticated threats are emerging across the globe. Security cannot afford to remain a separate siloed organization. The culture of isolation, relying on tough security gates to prevent operational risk, needs to transform.
Security teams, as part of the shift to cloud, need to embed themselves with the architects, engineers, and technicians from the very beginning. This will ensure that requirements for security prevention, detection, and mitigation are entrenched throughout the lifecycle of technology programs.
"Classic security policy fails to capture the inherent sweeping change that cloud computing is introducing"
The new security organization becomes a group of deep technical professionals, not compliance auditors. They are consultative and incentivized to see programs succeed for the sake of the business, not just for the sake of security. They don’t just say no, they work alongside the engineering team to help drive options for the business and ensure strong governance during every migration.
The new security organization also owns the entire customer outcome, not just for security but for the program. What good is it if a new application goes live, but performance falls horribly short of customer expectations, simply because a layer of security was mandated by policy? These walls have existed because the culture and technology of security has grown around the enterprise in this fashion. With agile and cloud, it’s time for the security culture to transform with the very industry it is trying to protect.
Ultimately, the accountability for cloud security remains ours. It’s vital that IT leaders understand the disruptive technologies, implement the tightest controls possible and align the security organization to overall business outcomes to truly benefit from the abundant benefits cloud can provide.