Welcome!

@BigDataExpo Authors: Carmen Gonzalez, Pat Romanski, Yeshim Deniz, Liz McMillan, Robin Miller

Related Topics: @CloudExpo, Java IoT, Linux Containers, Containers Expo Blog, Cloud Security, @BigDataExpo

@CloudExpo: Article

Mastering the Balancing Act of #Cloud Security and Business Agility

There are three clear control capability areas needed for IT to effectively manage financial, reputation and legal risk

In 2012, an IDG survey of enterprise cloud computing adoption showed that 70 percent of respondents said security was among their top three concerns, and two years later, not much has changed. The Everest Group Enterprise Cloud Adoption Survey released in March of 2014 shows that 70 percent of enterprises prefer private cloud because it offers higher security - a clear indication that security concerns still weigh heavily on the minds of enterprise leaders. Centralizing cloud resource access could prove to be the path through, addressing security concerns while providing the agility cloud computing promises.

It is understandable how cloud security presents itself as a chief IT concern when you consider that cloud computing transfers control from IT to business users and developers. And that adopting cloud entails replacing numerous IT processes with self-service portals.

While there are innumerous benefits to adopting cloud computing, transferring control away from IT does open the business to risk as it diminishes IT's ability to protect the organization's resources and data against unauthorized access and misuse. It also ties IT's hands when it comes to identifying and resolving security issues, and enforcing compliance with industry regulations. These are critical functions that have direct impact on business risk.

Addressing Business Risk via Security Controls
Cloud computing transforms the way infrastructure is provisioned in an organization. It replaces the centralized IT-controlled infrastructure provisioning model where developers make an infrastructure request that IT reviews and then fulfills, with a new, distributed developer-centric infrastructure provisioning process where developers effectively bypass IT. As a result, enterprises adopting cloud find themselves in a paradoxical situation where IT is responsible for the infrastructure security that developers now control.

There are three clear control capability areas needed for IT to effectively manage financial, reputation and legal risk.

  • Preventive capabilities: IT must be able to prevent insecure provisioning requests from being fulfilled, on both a per-user-role and per-environment basis. For example, IT must be able to enforce specific firewall policies for production infrastructure.

    In order to satisfy developer requirements, it is obvious that IT cannot change the way cloud infrastructure is accessed: provisioning must remain self-service. As a result, IT needs transparent and automated policy enforcement. Provisioning requests made to the organization's cloud need to be inspected in real-time and checked against governance policies that are in place. When approved, requests must be forwarded to the relevant cloud API; when denied, the developer that made the request must be immediately informed. Ideally, the developer should be provided with an explanation and an alternate course of action should be suggested.
  • Detective capabilities: IT must have a centralized view of infrastructure to identify vulnerabilities and intrusions; IT must be able to understand the purpose of every resource provisioned by the business. For example, IT must be able to identify the configuration of every deployed resource and the environment to which it belongs. That knowledge can then be used to decide whether an unusual firewall configuration or activity pattern should trigger an alert.


To satisfy these requirements, IT needs a federated view and understanding of all of the business's cloud resources, ensuring visibility over the organization's cloud resources. To do so, IT must ensure that every provisioning request is associated with a legitimate owner and use case (ideally in an automated fashion); that all provisioned resources remain visible throughout their lifecycle; and that metadata regarding their purpose remains accessible.

  • Corrective capabilities: IT must control access to the business's cloud infrastructure.  For example, IT must be able to revoke access for employees that leave the company, and be able to centrally identify and patch affected resources when a vulnerability is identified.

    To do so, IT needs centralized credential management to govern access to cloud resources. IT must ensure that access to cloud resources is controlled by the organization's existing identity management infrastructure, and not by ad-hoc SSH keys or RDP passwords created by developers. Naturally, in order to not hinder developer productivity, IT must ensure that developers can still access the resources for which they have a legitimate use.

Where the Rubber Meets the Road
Cloud security has been an issue since 2006 when cloud emerged with the release of AWS EC2. Back then, all cloud instances were exposed to the Internet, and access was only available with root keys. To address these respective problems, Amazon announced AWS Virtual Private Cloud and AWS Identity and Access Management. Some AWS competitors have also issued access control management, though they remain somewhat limited. Yet, these controls only address IT's preventive needs, are only available on AWS as of this writing, and are often complex to use.

As a result, IT is frequently opting to deploy a cloud management platform (CMP), an often on-premise, web-based application, that sits between end-users and the multiple cloud platforms that they may use. CMPs are extensible platforms that let IT departments customize the CMP's behavior to fit their organization's workflows and policies.  In turn, CMPs enforce those IT policies in a fully transparent and automated fashion, so that developers aren't slowed down by red tape when getting work done. As a result, CMPs ensure that IT is provided the security capabilities it requires, while ensuring developers retain the agility they need.

Most importantly, CMPs play a critical role in addressing all three control capability areas:

  • Preventive: CMPs can provide IT with governance and role-based access control capabilities, and empower IT to secure and control access to cloud resources on a per-user or per-user-group basis. Using a CMP, these policies can be enforced in real-time, so that developers are not slowed by their enforcement. IT can, for example, ensure that specific firewall rules are automatically added for every single instance that is launched, and that instances are automatically launched in secure networks (e.g. a specific AWS Virtual Private Cloud, or VPC).
  • Detective: Because CMPs are used for the provisioning of all the organization's resources, they may automatically keep a precise account of the resources that were provisioned, by whom, and for what purpose. As a result, resource tracking can be performed automatically, and developers won't have to perform extra effort to comply with IT policies.
  • Corrective: CMPs may centralize the creation and use of CMP-controlled credentials and make those available to dev and IT, or automatically configure cloud resources to leverage the company's existing identity management framework instead. For example, with a CMP, IT can enforce developer use of Active Directory credentials to login to their instances.

While cloud momentum continues to grow, so does concern - rightfully so - for cloud security. While IaaS providers have taken steps to address these concerns within their systems, they do not currently address the spectrum of capabilities needed to fully address business risk. CMPs are an effective option that can be deployed in a way that addresses IT, business, and developer needs.

More Stories By Sebastian Stadil

Sebastian Stadil is founder and CEO of Scalr. He has been a Cloud developer since 2004, starting with web services for e-commerce and then for computational resources. He founded the Silicon Valley Cloud Computing Group, a user group of over 8000 members that meets monthly to present the latest developments in the industry. As if that weren't enough, Sebastian founded Scalr as an open source project in 2007. Sebastian is a frequent lecturer on cloud computing at Carnegie Mellon University, and sits on the Google Cloud Advisory Board. When he is not working on Scalr, Sebastian likes to make sushi and play rugby.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@BigDataExpo Stories
The age of Digital Disruption is evolving into the next era – Digital Cohesion, an age in which applications securely self-assemble and deliver predictive services that continuously adapt to user behavior. Information from devices, sensors and applications around us will drive services seamlessly across mobile and fixed devices/infrastructure. This evolution is happening now in software defined services and secure networking. Four key drivers – Performance, Economics, Interoperability and Trust ...
Data is an unusual currency; it is not restricted by the same transactional limitations as money or people. In fact, the more that you leverage your data across multiple business use cases, the more valuable it becomes to the organization. And the same can be said about the organization’s analytics. In his session at 19th Cloud Expo, Bill Schmarzo, CTO for the Big Data Practice at Dell EMC, introduced a methodology for capturing, enriching and sharing data (and analytics) across the organization...
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
Bert Loomis was a visionary. This general session will highlight how Bert Loomis and people like him inspire us to build great things with small inventions. In their general session at 19th Cloud Expo, Harold Hannon, Architect at IBM Bluemix, and Michael O'Neill, Strategic Business Development at Nvidia, discussed the accelerating pace of AI development and how IBM Cloud and NVIDIA are partnering to bring AI capabilities to "every day," on-demand. They also reviewed two "free infrastructure" pr...
New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists will examine how DevOps helps to meet th...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
With billions of sensors deployed worldwide, the amount of machine-generated data will soon exceed what our networks can handle. But consumers and businesses will expect seamless experiences and real-time responsiveness. What does this mean for IoT devices and the infrastructure that supports them? More of the data will need to be handled at - or closer to - the devices themselves.
Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the USA and Europe, we work with a variety of customers from emerging startups to Fortune 1000 companies.
Financial Technology has become a topic of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 20th Cloud Expo at the Javits Center in New York, June 6-8, 2017, will find fresh new content in a new track called FinTech.
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like “How is my application doing” but no id...
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 20th Cloud Expo, which will take place on June 6-8, 2017 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 add...
SYS-CON Events announced today that Juniper Networks (NYSE: JNPR), an industry leader in automated, scalable and secure networks, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. The company co-innovates with customers and partners to deliver automated, scalable and secure network...
The age of Digital Disruption is evolving into the next era – Digital Cohesion, an age in which applications securely self-assemble and deliver predictive services that continuously adapt to user behavior. Information from devices, sensors and applications around us will drive services seamlessly across mobile and fixed devices/infrastructure. This evolution is happening now in software defined services and secure networking. Four key drivers – Performance, Economics, Interoperability and Trust ...
@GonzalezCarmen has been ranked the Number One Influencer and @ThingsExpo has been named the Number One Brand in the “M2M 2016: Top 100 Influencers and Brands” by Analytic. Onalytica analyzed tweets over the last 6 months mentioning the keywords M2M OR “Machine to Machine.” They then identified the top 100 most influential brands and individuals leading the discussion on Twitter.
Automation is enabling enterprises to design, deploy, and manage more complex, hybrid cloud environments. Yet the people who manage these environments must be trained in and understanding these environments better than ever before. A new era of analytics and cognitive computing is adding intelligence, but also more complexity, to these cloud environments. How smart is your cloud? How smart should it be? In this power panel at 20th Cloud Expo, moderated by Conference Chair Roger Strukhoff, pane...
@ThingsExpo has been named the Most Influential ‘Smart Cities - IIoT' Account and @BigDataExpo has been named fourteenth by Right Relevance (RR), which provides curated information and intelligence on approximately 50,000 topics. In addition, Right Relevance provides an Insights offering that combines the above Topics and Influencers information with real time conversations to provide actionable intelligence with visualizations to enable decision making. The Insights service is applicable to eve...
Multiple data types are pouring into IoT deployments. Data is coming in small packages as well as enormous files and data streams of many sizes. Widespread use of mobile devices adds to the total. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the tools and environments that are being put to use in IoT deployments, as well as the team skills a modern enterprise IT shop needs to keep things running, get a handle on all this data, and deli...
SYS-CON Events announced today that Grape Up will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company specializing in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the U.S. and Europe, Grape Up works with a variety of customers from emergi...