Before we jump into the security automation discussion, let’s start with the two key characteristics of Cloud Computing which are closely related to automation and scalability:
- On-demand self-service (as per NIST definition). “A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider”. What this means is, a user or an IT staff member should be able to create and remove their IT infrastructure services such as virtual machines, storage, network functionalities, databases etc. whenever they want and from wherever they want via a management console or API.
- Rapid elasticity (as per NIST definition). “Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time”. It is the capability of the infrastructure services provided by the cloud vendor to automatically scale up and scale down depending on the criteria set by the customer.
As we all know, Information Security is always seen as the challenge with public cloud consumption. According to the “State of Cloud 2014” survey conducted by RightScale (“RightScale is a SaaS based organisation that sells automation and orchestration tools for managing cloud infrastructure.”), Security still remains the top challenge among organisations starting their Cloud journey, but organisations that have significant experience in using Cloud technologies seem to be confident with the way they manage their security in the cloud.
Another major concern, according to the report, is Compliance: achieving compliance in the Shared Responsibility model is always a challenge. In the Cloud Computing world, security is a shared responsibility. In the case of IaaS, the vendor manages security up to the virtualisation layer; from the OS upwards, it is the customer’s responsibility to ensure that they have security tools in place to protect their data and manage compliance.
Whether we are in the traditional datacentre world or in a public cloud world, security is often seen as a roadblock to an organisation’s innovation and speed to market. From a security perspective, things become more complicated with the advent of cloud computing. For product teams and developers it is much easier to build and test their solution without major infrastructure deployment hurdles, since the infrastructure build can be written as code and managed by the developers, but bringing the solution to life always seems to be a problem due to the involvement of security. In most cases, product teams and developers are really worried about engaging with security because of the complications involved in explaining the way cloud services work, change management difficulties, firewall rule approvals, security design reviews and security testing. All of these security-related processes are manual and time consuming, and it takes at least a few weeks for them to be completed. These delays then lead to “C”-level escalations for security exemptions, and sometimes you will find unapproved applications running within the production environment, which opens up security risks for the organisation.
Things are getting even worse with the introduction of DevOps, continuous deployment and continuous integration teams in many cloud-savvy organisations. Security is still playing a catch-up game with DevOps methodologies.
All these security-related challenges erode the compelling benefits offered by the Cloud, such as cost savings, agility and speed to market. “C”-level executives are always interested in achieving these cloud benefits, even at the cost of a secure solution.
Is there a way to achieve cloud benefits while meeting the security and compliance requirements?
I would say “Yes”. Security is not something special; it should be part of the continuous deployment model. Security controls and processes should be automated wherever possible in order to maintain agility and self-service.
Cloud application architecture is different from traditional datacentre or virtualised architecture. In the traditional world, everything is behind the firewall, the rate of change is slow, and there is limited or no ability to scale up or down. In the Cloud, you have auto scaling, machines with very short lifespans, continuous automated deployments that are often API driven, and the concept of “pets vs cattle”. The Cloud is easy to automate because it has no network and hardware dependencies, it supports distributed environments, and it is accessible from anywhere.
Let’s discuss a few methods on how you can automate the security controls and processes:
Repeatable Cloud Security Patterns
Security architecture and design patterns provide solutions for recurring problems. These patterns provide significant benefits such as improved productivity, repeatability, agility, consistent security and quality. They reduce unnecessary document review time since the patterns are pre-approved; only deviations need to go through the exemption process. Examples of common security patterns are:
a. Identity Federation
b. Encryption for data in transit and data at rest
c. Security logging and monitoring in the cloud.
These pre-approved patterns and the security controls listed in the patterns can be part of the continuous integration process and can be implemented via automation tools.
Leverage automation tools such as Chef or Puppet to apply security configuration and server hardening at DevOps speed. A hardened OS is the common last line of defence in the event of a security attack. The baseline configuration of your golden image must be security hardened. Use automation tools to harden your images and to push your secure golden images during the auto scaling process.
Use cloud-aware security tools: always select security tools which support cloud characteristics such as elasticity, self-service and pay-per-use licensing models. These tools should be able to scale up and down as per business needs. For example, there are quite a lot of security tools available in the Amazon Web Services Marketplace which support AWS architecture and cloud characteristics. To name a few: Trend Micro, Sophos, Alert Logic, Imperva, Qualys. These major vendors support cloud automation, scalability and pay-per-use licensing models.
Logging and Monitoring
One of the prime roles of security operations, or SecOps, is continuous logging and monitoring of security events for incidents. This is not something new for security operations, but in the world of automation and orchestration, most of the communication happens via APIs. As a SecOps person, you should know who made an API call and what resources or services were consumed in that call. Security operations should also ensure that they have a logging and monitoring system in place which supports API logs and has the ability to pull and process the logs supplied by the cloud vendors. For example, the public cloud giant Amazon Web Services (AWS) supplies customers with API logs for most of its services; this service is called “CloudTrail”. These logs can be used to:
a. Analyse and detect any change in user behaviour patterns
b. Track the creation, modification and deletion of any AWS resources such as load balancers, NACLs, security groups, EC2 instances, etc.
c. Identify the most recent actions and who performed those actions.
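As an added example (not part of the original article), the following Python triages CloudTrail-style records to answer the three questions above: what was created, modified or deleted, who did it and from where, and, as a first detection on top of that, whether a security group was opened to the whole internet. The sample records, account id and addresses are constructed; the field names follow the CloudTrail record format.

```python
import json
from collections import Counter

# Constructed sample in the CloudTrail record layout (real field names, made-up values).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2014-06-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0000example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-06-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": {}},
    {"eventTime": "2014-06-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteNetworkAcl", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"},
     "requestParameters": {"networkAclId": "acl-0000example"}},
]})

# State-changing API calls start with these verbs; Describe*/List*/Get* are read-only noise.
MUTATING_PREFIXES = ("Create", "Delete", "Modify", "Authorize", "Revoke", "Put", "Update",
                     "Attach", "Detach", "Run", "Terminate")

def actor(record):
    """Who made the call: IAM user name, else the assumed-role ARN, else the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def resource_changes(raw):
    """(eventTime, actor, eventName, sourceIP) for every state-changing call, newest first."""
    changes = [(r["eventTime"], actor(r), r["eventName"], r.get("sourceIPAddress"))
               for r in json.loads(raw)["Records"] if r["eventName"].startswith(MUTATING_PREFIXES)]
    return sorted(changes, reverse=True)

def world_open_ingress(raw):
    """Security-group ingress rules opened to 0.0.0.0/0 as (groupId, fromPort, toPort, actor)."""
    hits = []
    for r in json.loads(raw)["Records"]:
        if r["eventName"] == "AuthorizeSecurityGroupIngress":
            params = r["requestParameters"]
            for perm in params.get("ipPermissions", {}).get("items", []):
                ranges = perm.get("ipRanges", {}).get("items", [])
                if any(rng.get("cidrIp") == "0.0.0.0/0" for rng in ranges):
                    hits.append((params["groupId"], perm.get("fromPort"), perm.get("toPort"), actor(r)))
    return hits

def calls_per_actor(raw):
    """Call volume per identity: a crude baseline for spotting a change in user behaviour."""
    return Counter(actor(r) for r in json.loads(raw)["Records"])
```

In practice the same functions run over the gzipped JSON files CloudTrail delivers to an S3 bucket, and `calls_per_actor` is compared against a rolling baseline rather than a single batch.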
Most of the major logging and monitoring solution vendors, such as Splunk, Alert Logic and SumoLogic, support integration with the AWS CloudTrail service, which makes the security operations manager’s job much easier.
By automating the security functionalities and processes, you can achieve the following benefits:
- Speed to market with the implementation of your innovative ideas
- Big time savings in security operations overhead
- Consistency with the implementation of security controls
- Minimal or no human error
- Change in view – from road blocker to business enabler
- Automation makes compliance simple and achievable
- Automatic reconfiguration of security infrastructure during security attacks.
Note that security is not just about the perimeter, firewalls and patching; those days are gone in the cloud. It is a shared responsibility between the cloud vendor and the customer. By automating security, organisations can achieve their cloud benefits while also maintaining their security posture.
This article is brought to you by Enex TestLab, content directors for CSO Australia.