Tactics, tools and teamwork: Effectively managing cloud security
By Cameron McKenzie
Most software professionals are aware of the new challenges that arise when securing data, resources and applications in the cloud. It would appear that basic knowledge of the key issues is more than abundant. But knowing the issues and dealing with the issues are two completely different things. "We talk a lot about strategy, architecture and frameworks," says Mark Nunnikhoven, Vice President of Cloud & Emerging Technologies at Trend Micro. "But we tend to ignore tactics. That's the day-to-day work of actually implementing and running security." Software may be deployed to the cloud, but that doesn't remove the responsibility for organizations to let their guard down when it comes to their on-premise operations. That means applying security correctly, enforcing security procedures, and performing due diligence when it comes to penetration testing, both from an automated and a human standpoint.
Security and the shared responsibility model
Things work differently in the cloud. Under a shared responsibility model like AWS, Amazon obviously takes charge of managing the facilities, along with the physical and infrastructure needs, network, and virtualization layers - that's pretty much what the cloud does. But delegating work to the cloud doesn't minimize the responsibility of on-premise professionals to implement the correct security controls and mechanisms. "Security controls are things that must be done right all the time, every time," said Stephen Schmidt, VP of Security Engineering and CISO at AWS. "I believe really strongly in making those security controls simple. That's the only way one can reliably validate that they are being implemented."
In the cloud, low-level tactical responsibilities include account management, security groups, and network configuration. The basic tooling included in the AWS platform is easy to use but it will allow clients to make bad choices in key security areas. The most common example? It is possible for an account holder to set up super users with unlimited access to the enterprise AWS account. Sure, admins will be warned against performing this action, but IT professionals ignore these warnings and do it anyway. Nunnikhoven's first tactical tip? Don't do that. Always, follow the principle of least privilege, giving users or roles only the rights they need to accomplish their tasks. Most cloud based platforms offer very fine-grained control to make this possible, right down to restricting access to discrete functions and individual rows of data.
Auditing, logging and penetration testing in the cloud
In addition to the various auditing and security based AWS tools that are available, including the newly launched Cloud Trail that logs all API activity, there are a number of third party reporting and security optimization solutions available as well. Trend Micro is one vendor that can assist operations at a tactical level using both tools and teamwork. The firm offers an in-depth vulnerability assessment and penetration service, a solution that inspects cloud-based web applications from all angles to look for vulnerabilities. Clients can also order a top level scan that leverages human intelligence. "It's about connecting the dots among a combination of vulnerabilities," said Nunnikhoven. "Minor security holes caught by the automated scan might each be spitting out a small piece of seemingly innocuous data. A human can connect the dots and see if an application is leaking 2-3 piece of key information that, when used together, provide a whole new level of access within the application."
With mature and well-designed security based tools now available in the cloud, on-premise personnel can invest more effort in improving tactics and learning to get the most out of the technology available. As a result, security teams can confidentially promise to protect new endeavors, resources, and applications because there is now time to analyze and plan both at the strategic and tactical levels. Mark Nunnikhoven sketches a bright future for cloud-enabled security. "It's time for security to embrace the power available in the AWS cloud."
19 May 2014