Why automation and scalability in security are important for the success of your Cloud Journey

Before we jump into the security automation discussion, let’s start with the two key characteristics of Cloud Computing that are most closely tied to automation and scalability:

  1. On-demand self-service (as per the NIST definition). “A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.” What this means is that a user or an IT staff member should be able to create and remove IT infrastructure services such as virtual machines, storage, network functions and databases whenever they want and from wherever they are, via a management console or an API.
  2. Rapid elasticity (as per the NIST definition). “Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.” This is the capability of the infrastructure services provided by the cloud vendor to scale up and scale down automatically, depending on criteria set by the customer.

As we all know, Information Security is always seen as a challenge with public cloud consumption. According to the “State of the Cloud 2014” survey conducted by RightScale (a SaaS organisation that sells automation and orchestration tools for managing cloud infrastructure), security remains the top challenge among organisations starting their Cloud journey, but organisations with significant experience in using Cloud technologies seem confident in the way they manage their security in the cloud.

Another major concern, according to the report, is Compliance: achieving compliance under the Shared Responsibility model is always a challenge. In the Cloud Computing world, security is a shared responsibility. In the case of IaaS, the vendor manages security up to and including the virtualisation layer; from the operating system upwards it is the customer’s responsibility to have security tools in place to protect their data and manage compliance.

Whether we are in the traditional datacentre world or in the public cloud world, security is often seen as a roadblock to an organisation’s innovation and speed to market. From a security perspective, things become more complicated with the advent of cloud computing. For product teams and developers it is much easier to build and test a solution without major infrastructure deployment hurdles, since the infrastructure build can be written as code and managed by the developers; but bringing the solution into production always seems to be a problem once security gets involved. In most cases, product teams and developers are reluctant to engage with security because of the effort involved in explaining how the cloud services work, change management difficulties, firewall rule approvals, security design reviews and security testing. All of these security processes are manual and time consuming, and it takes at least a few weeks for them to complete. These delays then lead to “C”-level escalations for security exemptions, and sometimes you will find unapproved applications running in the production environment, opening up security risks for the organisation.

Things are getting even harder with the introduction of DevOps, continuous integration and continuous deployment in many cloud-savvy organisations. Security is still playing a catch-up game with DevOps methodologies.

All these security-related challenges erode the compelling benefits the Cloud offers: cost savings, agility and speed to market. “C”-level executives are always interested in achieving these cloud benefits, sometimes even at the cost of a secure solution.

Is there a way to achieve cloud benefits while meeting the security and compliance requirements?

I would say “Yes”. Security is not something special; it should be part of the continuous deployment model. Security controls and processes should be automated wherever possible in order to maintain agility and self-service.

Cloud application architecture is different from traditional datacentre or virtualised architecture. In the traditional world everything sits behind the firewall, the rate of change is slow, and there is limited or no ability to scale up or down. In the Cloud you have auto scaling, machines with very short lifespans, continuous automated deployments that are often API driven, and the “pets vs cattle” way of treating servers. The Cloud is also easier to automate: there are no network or hardware dependencies to wait on, environments are distributed, and everything is accessible from anywhere.

Let’s discuss a few methods on how you can automate the security controls and processes:

  • Repeatable Cloud Security Patterns
    Security architecture and design patterns provide solutions for recurring problems. They bring significant benefits such as improved productivity, repeatability, agility, consistent security and quality. They cut design-review time because the patterns are pre-approved; only deviations from a pattern need to go through the exemption process. Examples of common security patterns are:
    a. Identity Federation
    b. Encryption for data in transit and data at rest
    c. Security logging and monitoring in the cloud.

These pre-approved patterns, and the security controls they list, can be part of the continuous integration process and implemented via automation tools.

  • Leverage automation tools such as Chef or Puppet to apply security configuration and server hardening at DevOps speed. A hardened OS is the common last line of defence in the event of a security attack, so the baseline configuration of your golden image must be security hardened. Use automation tools to harden your images and to push those hardened golden images into the auto-scaling process, so that every instance that scales out starts from the same known-good state.
  • Use cloud-aware security tools. Always select security tools that support cloud characteristics such as elasticity, self-service and pay-per-use licensing models, and that can scale up and down with business needs. For example, the Amazon Web Services marketplace carries many security tools that support AWS architecture and these cloud characteristics; to name a few vendors: Trend Micro, Sophos, Alert Logic, Imperva and Qualys. These major vendors support cloud automation, scalability and pay-per-use licensing.
  • Logging and Monitoring
    One of the prime roles of security operations, or SecOps, is continuous logging and monitoring of security events for incidents. This is nothing new for security operations, but in the world of automation and orchestration most of the communication happens via APIs. As a SecOps person you should know who made an API call and what resources or services it touched. Security operations should therefore have a logging and monitoring system in place that supports API logs and can pull and process the logs supplied by the cloud vendor. For example, public cloud giant Amazon Web Services (AWS) supplies customers with API logs for most of its services through a service called “CloudTrail”. These logs can be used to:
    a. Analyse and detect changes in user behaviour patterns
    b. Track the creation, modification and deletion of AWS resources such as load balancers, NACLs, security groups, EC2 instances, etc.
    c. Identify the most recent actions and who performed them.
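The three uses of CloudTrail listed above, worked through in code. This is an added example and not part of the original article or of any AWS tooling: the record fields (eventTime, eventName, awsRegion, sourceIPAddress, userIdentity, requestParameters) are the standard CloudTrail JSON names, but the events themselves are constructed for this example and the user names, IPs and security group ID are made up. CloudTrail delivers gzipped JSON files with a top-level "Records" list; the sample below is the decompressed body of one such file.

```python
import json
from collections import defaultdict

# Constructed sample: the body of one CloudTrail log file (made-up account
# activity; the field names are the standard CloudTrail ones).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2014-09-01T09:12:01Z", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2014-09-01T09:15:42Z", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-09-01T10:02:13Z", "eventName": "DescribeInstances",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-09-01T23:40:05Z", "eventName": "DeleteNetworkAcl",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
]})

# Call-name prefixes that create, modify or delete resources.
# Describe*/List*/Get* calls are read-only and are left out on purpose.
MUTATING_PREFIXES = ("Create", "Delete", "Modify", "Authorize", "Revoke",
                     "Run", "Terminate", "Put", "Attach", "Detach")


def load_records(text):
    """Parse one CloudTrail file body into its event records, oldest first."""
    return sorted(json.loads(text)["Records"], key=lambda r: r["eventTime"])


def actor(rec):
    """Who made the call: IAM user name, falling back to ARN or identity type."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def resource_changes(records):
    """(b) Every create/modify/delete call: when, who, what, where, from which IP."""
    return [(r["eventTime"], actor(r), r["eventName"], r["awsRegion"], r["sourceIPAddress"])
            for r in records if r["eventName"].startswith(MUTATING_PREFIXES)]


def world_open_ingress(records):
    """Security group rules opened to 0.0.0.0/0, the change SecOps wants to see first."""
    hits = []
    for r in records:
        if r["eventName"] != "AuthorizeSecurityGroupIngress":
            continue
        params = r.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    hits.append((actor(r), params.get("groupId"), perm.get("ipProtocol"),
                                 perm.get("fromPort"), perm.get("toPort")))
    return hits


def behaviour_deviations(records):
    """(a) Calls made from a (region, source IP) pair never seen before for that user.

    The per-user profile is learned from the records as they are replayed in
    time order; in production it would be built from a longer known-good window."""
    seen = defaultdict(set)
    deviations = []
    for r in records:
        user, where = actor(r), (r["awsRegion"], r["sourceIPAddress"])
        if seen[user] and where not in seen[user]:
            deviations.append((r["eventTime"], user, r["eventName"], where))
        seen[user].add(where)
    return deviations


def recent_actions(records, n=3):
    """(c) The n most recent calls and who performed them, newest first."""
    return [(r["eventTime"], actor(r), r["eventName"]) for r in records[-n:]][::-1]


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL)
    for change in resource_changes(recs):
        print("CHANGE   ", change)
    for hit in world_open_ingress(recs):
        print("WORLD-OPEN", hit)
    for dev in behaviour_deviations(recs):
        print("DEVIATION", dev)
```

On the constructed sample this reports three resource changes, one security group opened to the world on port 22 by deploy-bot, and one behavioural deviation: deploy-bot's DeleteNetworkAcl call came from a new region and source IP late at night. Those are exactly the records a SecOps analyst would want routed to an alert rather than left in the S3 bucket.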

Most of the major logging and monitoring vendors, such as Splunk, Alert Logic and Sumo Logic, support integration with the AWS CloudTrail service, which makes the security operations manager’s job much easier.
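Returning to the golden-image hardening point above: what Chef or Puppet enforce during the image build should also be verified before the image is allowed into the auto-scaling group. The following is an added example, not code from the article or from Chef or Puppet. It treats one hardening control, the sshd configuration, as a machine-checkable baseline: the baseline values and the weak "stock image" sshd_config below are constructed for the example, and the directive set is an assumption, not a complete CIS benchmark.

```python
import re

# Constructed baseline: the values a hardened golden image must carry.
# Directive names are real sshd_config directives; the set is an assumption.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample: the weak sshd_config a stock image might ship with.
WEAK_SSHD_CONFIG = """\
# stock image defaults
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
"""

# "Directive value" on an uncommented line; sshd ignores case in directive names
# but we match them as written in the baseline for clarity.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s+(\S.*?)\s*$")


def parse_sshd_config(text):
    """Return {directive: value} for active lines.

    sshd honours the first occurrence of a directive, so a later duplicate
    cannot override an earlier one; keep the first to mirror that."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m and m.group(1) not in settings:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(text, baseline=SSHD_BASELINE):
    """List (directive, found, required) for every deviation from the baseline.

    A missing directive is a deviation: sshd would fall back to its compiled-in
    default, which a hardened image should never rely on."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, required in baseline.items():
        found = settings.get(directive)
        if found is None or found.lower() != required.lower():
            findings.append((directive, found, required))
    return findings


def harden(text, baseline=SSHD_BASELINE):
    """Return the config with every baseline directive set explicitly.

    Active lines for a baseline directive are rewritten in place (duplicates
    dropped), and directives that were absent or commented out are appended."""
    out, seen = [], set()
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if m and m.group(1) in baseline:
            directive = m.group(1)
            if directive in seen:
                continue
            out.append(f"{directive} {baseline[directive]}")
            seen.add(directive)
        else:
            out.append(line)
    for directive, value in baseline.items():
        if directive not in seen:
            out.append(f"{directive} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for directive, found, required in audit(WEAK_SSHD_CONFIG):
        print(f"FAIL {directive}: found {found!r}, baseline requires {required!r}")
    print("--- hardened ---")
    print(harden(WEAK_SSHD_CONFIG))
```

Run against the weak sample, audit() reports four failures (root login enabled, password authentication left at the default, X11 forwarding on, MaxAuthTries unset); harden() produces a config that audit() passes cleanly. In a pipeline the audit step is the gate: an image whose audit returns anything non-empty is not promoted to the auto-scaling launch configuration.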

By automating the security functionalities and processes, you can achieve the following benefits:

  • Speed to market for the implementation of your innovative ideas
  • Big savings in security operations overhead
  • Consistency in the implementation of security controls
  • Minimal or no human error
  • A change in perception, from roadblock to business enabler
  • Compliance that is simpler to achieve and to demonstrate
  • Automatic reconfiguration of security infrastructure during security attacks

Note that security is not just about the perimeter, firewalls and patching; those days are gone in the cloud. It is a shared responsibility between the cloud vendor and the customer. By automating security, organisations can realise their cloud benefits while also maintaining their security posture.


This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by Magesh Dhanasekaran