Click here to close now.

Welcome!

Big Data Journal Authors: Elizabeth White, Carmen Gonzalez, Pat Romanski, Liz McMillan, John Wetherill

Related Topics: Cloud Expo, Java, Linux, Virtualization, Security, Big Data Journal

Cloud Expo: Article

Mastering the Balancing Act of #Cloud Security and Business Agility

There are three clear control capability areas needed for IT to effectively manage financial, reputation and legal risk

In 2012, an IDG survey of enterprise cloud computing adoption showed that 70 percent of respondents said security was among their top three concerns, and two years later, not much has changed. The Everest Group Enterprise Cloud Adoption Survey released in March of 2014 shows that 70 percent of enterprises prefer private cloud because it offers higher security - a clear indication that security concerns still weigh heavily on the minds of enterprise leaders. Centralizing cloud resource access could prove to be the path through, addressing security concerns while providing the agility cloud computing promises.

It is understandable how cloud security presents itself as a chief IT concern when you consider that cloud computing transfers control from IT to business users and developers. And that adopting cloud entails replacing numerous IT processes with self-service portals.

While there are innumerous benefits to adopting cloud computing, transferring control away from IT does open the business to risk as it diminishes IT's ability to protect the organization's resources and data against unauthorized access and misuse. It also ties IT's hands when it comes to identifying and resolving security issues, and enforcing compliance with industry regulations. These are critical functions that have direct impact on business risk.

Addressing Business Risk via Security Controls
Cloud computing transforms the way infrastructure is provisioned in an organization. It replaces the centralized IT-controlled infrastructure provisioning model where developers make an infrastructure request that IT reviews and then fulfills, with a new, distributed developer-centric infrastructure provisioning process where developers effectively bypass IT. As a result, enterprises adopting cloud find themselves in a paradoxical situation where IT is responsible for the infrastructure security that developers now control.

There are three clear control capability areas needed for IT to effectively manage financial, reputation and legal risk.

  • Preventive capabilities: IT must be able to prevent insecure provisioning requests from being fulfilled, on both a per-user-role and per-environment basis. For example, IT must be able to enforce specific firewall policies for production infrastructure.

    In order to satisfy developer requirements, it is obvious that IT cannot change the way cloud infrastructure is accessed: provisioning must remain self-service. As a result, IT needs transparent and automated policy enforcement. Provisioning requests made to the organization's cloud need to be inspected in real-time and checked against governance policies that are in place. When approved, requests must be forwarded to the relevant cloud API; when denied, the developer that made the request must be immediately informed. Ideally, the developer should be provided with an explanation and an alternate course of action should be suggested.
  • Detective capabilities: IT must have a centralized view of infrastructure to identify vulnerabilities and intrusions; IT must be able to understand the purpose of every resource provisioned by the business. For example, IT must be able to identify the configuration of every deployed resource and the environment to which it belongs. That knowledge can then be used to decide whether an unusual firewall configuration or activity pattern should trigger an alert.


To satisfy these requirements, IT needs a federated view and understanding of all of the business's cloud resources, ensuring visibility over the organization's cloud resources. To do so, IT must ensure that every provisioning request is associated with a legitimate owner and use case (ideally in an automated fashion); that all provisioned resources remain visible throughout their lifecycle; and that metadata regarding their purpose remains accessible.

  • Corrective capabilities: IT must control access to the business's cloud infrastructure.  For example, IT must be able to revoke access for employees that leave the company, and be able to centrally identify and patch affected resources when a vulnerability is identified.

    To do so, IT needs centralized credential management to govern access to cloud resources. IT must ensure that access to cloud resources is controlled by the organization's existing identity management infrastructure, and not by ad-hoc SSH keys or RDP passwords created by developers. Naturally, in order to not hinder developer productivity, IT must ensure that developers can still access the resources for which they have a legitimate use.

Where the Rubber Meets the Road
Cloud security has been an issue since 2006 when cloud emerged with the release of AWS EC2. Back then, all cloud instances were exposed to the Internet, and access was only available with root keys. To address these respective problems, Amazon announced AWS Virtual Private Cloud and AWS Identity and Access Management. Some AWS competitors have also issued access control management, though they remain somewhat limited. Yet, these controls only address IT's preventive needs, are only available on AWS as of this writing, and are often complex to use.

As a result, IT is frequently opting to deploy a cloud management platform (CMP), an often on-premise, web-based application, that sits between end-users and the multiple cloud platforms that they may use. CMPs are extensible platforms that let IT departments customize the CMP's behavior to fit their organization's workflows and policies.  In turn, CMPs enforce those IT policies in a fully transparent and automated fashion, so that developers aren't slowed down by red tape when getting work done. As a result, CMPs ensure that IT is provided the security capabilities it requires, while ensuring developers retain the agility they need.

Most importantly, CMPs play a critical role in addressing all three control capability areas:

  • Preventive: CMPs can provide IT with governance and role-based access control capabilities, and empower IT to secure and control access to cloud resources on a per-user or per-user-group basis. Using a CMP, these policies can be enforced in real-time, so that developers are not slowed by their enforcement. IT can, for example, ensure that specific firewall rules are automatically added for every single instance that is launched, and that instances are automatically launched in secure networks (e.g. a specific AWS Virtual Private Cloud, or VPC).
  • Detective: Because CMPs are used for the provisioning of all the organization's resources, they may automatically keep a precise account of the resources that were provisioned, by whom, and for what purpose. As a result, resource tracking can be performed automatically, and developers won't have to perform extra effort to comply with IT policies.
  • Corrective: CMPs may centralize the creation and use of CMP-controlled credentials and make those available to dev and IT, or automatically configure cloud resources to leverage the company's existing identity management framework instead. For example, with a CMP, IT can enforce developer use of Active Directory credentials to login to their instances.

While cloud momentum continues to grow, so does concern - rightfully so - for cloud security. While IaaS providers have taken steps to address these concerns within their systems, they do not currently address the spectrum of capabilities needed to fully address business risk. CMPs are an effective option that can be deployed in a way that addresses IT, business, and developer needs.

More Stories By Sebastian Stadil

Sebastian Stadil is founder and CEO of Scalr. He has been a Cloud developer since 2004, starting with web services for e-commerce and then for computational resources. He founded the Silicon Valley Cloud Computing Group, a user group of over 8000 members that meets monthly to present the latest developments in the industry. As if that weren't enough, Sebastian founded Scalr as an open source project in 2007. Sebastian is a frequent lecturer on cloud computing at Carnegie Mellon University, and sits on the Google Cloud Advisory Board. When he is not working on Scalr, Sebastian likes to make sushi and play rugby.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@BigDataExpo Stories
Big Data is amazing, it's life changing and yes it is changing how we see our world. Big Data, however, can sometimes be too big. Organizations that are not amassing massive amounts of information and feeding into their decision buckets, smaller data that feeds in from customer buying patterns, buying decisions and buying influences can be more useful when used in the right way. In their session at Big Data Expo, Ermanno Bonifazi, CEO & Founder of Solgenia, and Ian Khan, Global Strategic Positi...
More organizations are embracing DevOps to realize compelling business benefits such as more frequent feature releases, increased application stability, and more productive resource utilization. However, security and compliance monitoring tools have not kept up and often represent the single largest remaining hurdle to continuous delivery. In their session at DevOps Summit, Justin Criswell, Senior Sales Engineer at Alert Logic, Ricardo Lupo, a Solution Architect with Chef, will discuss how to ...
One of the biggest impacts of the Internet of Things is and will continue to be on data; specifically data volume, management and usage. Companies are scrambling to adapt to this new and unpredictable data reality with legacy infrastructure that cannot handle the speed and volume of data. In his session at @ThingsExpo, Don DeLoach, CEO and president of Infobright, will discuss how companies need to rethink their data infrastructure to participate in the IoT, including: Data storage: Understand...
17th Cloud Expo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises a...
Over the last few years the healthcare ecosystem has revolved around innovations in Electronic Health Record (HER) based systems. This evolution has helped us achieve much desired interoperability. Now the focus is shifting to other equally important aspects - scalability and performance. While applying cloud computing environments to the EHR systems, a special consideration needs to be given to the cloud enablement of Veterans Health Information Systems and Technology Architecture (VistA), i.e....
The truth is, today’s databases are anything but agile – they are effectively static repositories that are cumbersome to work with, difficult to change, and cannot keep pace with application demands. Performance suffers as a result, and it takes far longer than it should to deliver new features and capabilities needed to make your organization competitive. As your application and business needs change, data repositories and structures get outmoded rapidly, resulting in increased work for applica...
The Workspace-as-a-Service (WaaS) market will grow to $6.4B by 2018. In his session at 16th Cloud Expo, Seth Bostock, CEO of IndependenceIT, will begin by walking the audience through the evolution of Workspace as-a-Service, where it is now vs. where it going. To look beyond the desktop we must understand exactly what WaaS is, who the users are, and where it is going in the future. IT departments, ISVs and service providers must look to workflow and automation capabilities to adapt to growing ...
The Internet of Things (IoT) promises to evolve the way the world does business; however, understanding how to apply it to your company can be a mystery. Most people struggle with understanding the potential business uses or tend to get caught up in the technology, resulting in solutions that fail to meet even minimum business goals. In his session at @ThingsExpo, Jesse Shiah, CEO / President / Co-Founder of AgilePoint Inc., showed what is needed to leverage the IoT to transform your business. ...
In his session at DevOps Summit, Tapabrata Pal, Director of Enterprise Architecture at Capital One, will tell a story about how Capital One has embraced Agile and DevOps Security practices across the Enterprise – driven by Enterprise Architecture; bringing in Development, Operations and Information Security organizations together. Capital Ones DevOpsSec practice is based upon three "pillars" – Shift-Left, Automate Everything, Dashboard Everything. Within about three years, from 100% waterfall, C...
With the arrival of the Big Data revolution, a data professional is expected to master a broad spectrum of complex domains including data processing, mathematics, programming languages, machine learning techniques, and business knowledge. While this mastery is undoubtedly important, this narrow focus on tool usage has divorced many from the imagination required to solve real-world problems. As the demand for analysis increases, the data science community must transform from tool experts to "data...
Thanks to Docker, it becomes very easy to leverage containers to build, ship, and run any Linux application on any kind of infrastructure. Docker is particularly helpful for microservice architectures because their successful implementation relies on a fast, efficient deployment mechanism – which is precisely one of the features of Docker. Microservice architectures are therefore becoming more popular, and are increasingly seen as an interesting option even for smaller projects, instead of bein...
DevOps tends to focus on the relationship between Dev and Ops, putting an emphasis on the ops and application infrastructure. But that’s changing with microservices architectures. In her session at DevOps Summit, Lori MacVittie, Evangelist for F5 Networks, will focus on how microservices are changing the underlying architectures needed to scale, secure and deliver applications based on highly distributed (micro) services and why that means an expansion into “the network” for DevOps.
The 3rd International @ThingsExpo, co-located with the 16th International Cloud Expo – to be held June 9-11, 2015, at the Javits Center in New York City, NY – is now accepting Hackathon proposals. Hackathon sponsorship benefits include general brand exposure and increasing engagement with the developer ecosystem. At Cloud Expo 2014 Silicon Valley, IBM held the Bluemix Developer Playground on November 5 and ElasticBox held the DevOps Hackathon on November 6. Both events took place on the expo fl...
We’re no longer looking to the future for the IoT wave. It’s no longer a distant dream but a reality that has arrived. It’s now time to make sure the industry is in alignment to meet the IoT growing pains – cooperate and collaborate as well as innovate. In his session at @ThingsExpo, Jim Hunter, Chief Scientist & Technology Evangelist at Greenwave Systems, will examine the key ingredients to IoT success and identify solutions to challenges the industry is facing. The deep industry expertise be...
In his session at DevOps Summit, Tapabrata Pal, Director of Enterprise Architecture at Capital One, will tell a story about how Capital One has embraced Agile and DevOps Security practices across the Enterprise – driven by Enterprise Architecture; bringing in Development, Operations and Information Security organizations together. Capital Ones DevOpsSec practice is based upon three "pillars" – Shift-Left, Automate Everything, Dashboard Everything. Within about three years, from 100% waterfall, C...
As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. Enterprises must protect their data from (i) system administrators who don't need to see the data in the clear and (ii) adversaries who become system administrators from stolen credentials. In short, enterprises must take control of their data: The best way to do this is by using advanced encryption, centralized key management and...
A new definition of Big Data & the practical applications of the defined components & associated technical architecture models This presentation introduces a new definition of Big Data, along with the practical applications of the defined components and associated technical architecture models. In his session at Big Data Expo, Tony Shan will start with looking into the concept of Big Data and tracing back the first definition by Doug Laney, and then he will dive deep into the description of 3V...
SYS-CON Events announced today that Gridstore™, the leader in hyper-converged infrastructure purpose-built to optimize Microsoft workloads, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Gridstore™ is the leader in hyper-converged infrastructure purpose-built for Microsoft workloads and designed to accelerate applications in virtualized environments. Gridstore’s hyper-converged infrastructure is the ...
Cryptography has become one of the most underappreciated, misunderstood components of technology. It’s too easy for salespeople to dismiss concerns with three letters that nobody wants to question. ‘Yes, of course, we use AES.’ But what exactly are you trusting to be the ultimate guardian of your data? Let’s face it – you probably don’t know. An organic, grass-fed Kobe steak is a far cry from a Big Mac, but they’re both beef, right? Not exactly. Crypto is the same way. The US government require...
of cloud, colocation, managed services and disaster recovery solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. TierPoint, LLC, is a leading national provider of information technology and data center services, including cloud, colocation, disaster recovery and managed IT services, with corporate headquarters in St. Louis, MO. TierPoint was formed through the strategic combination of some of t...