How security has changed in the World of cloud computing
Technologies come and go, but one concept has remained at the forefront of IT conversations for decades: Security. While security remains a perennial top priority for IT departments, the definition of security and the processes required continue to evolve. Let’s discuss how security, open-source software, and cloud computing can coexist.
Open doesn’t mean insecure or unsafe.
It may seem counterintuitive, but open-source code isn’t inherently less secure than proprietary code. Security by obscurity can be a good practice in some cases (the fewer attackers know about your organization’s IT architecture, the better); however, hiding source code is unlikely to prevent attackers from discovering vulnerabilities.
Access to source code does provide interested parties with more opportunities to identify and address vulnerabilities.
Most organizations have moved beyond fears of open source and have enthusiastically embraced letting developers consume and ship open-source code. We’re the first to applaud that, but with a note of caution.
Trust, but confirm
Developers, for the most part, are not security experts. Organizations require safeguards to effectively consume open source software, to understand the provenance of the code they use, and to enhance its security for cloud computing. They also need to be able to track their deployment and respond when vulnerabilities are found upstream or in a product based on an open-source project.
Organizations need a method for inventorying the use of open-source software in their environment and the ability to assess the security impacts of vulnerabilities. Not to mention, an infrastructure in place that notifies them of vulnerabilities as they are discovered and provides quick access to mitigations or fixes.
It’s also important to know which vulnerabilities matter and which ones have flashy names and logos that, while entertaining and catchy, may not pose a significant threat, despite being beneficial to the security researcher who presented the vulnerability at Black Hat. Just because it’s a named vulnerability doesn’t mean it’s something to worry about.
Security in early
As organizations adopt new technologies, such as transitioning to the public cloud or implementing containers and Kubernetes, it is essential to incorporate security into the conversation from the outset.
The security team should be involved in deciding which cloud technologies to adopt. How to secure a hybrid cloud environment and set up automation to help avoid misconfigurations. Part of mitigating risks is to “shift left” and identify and try to prevent risks early, before they creep into your environment and applications.
Before you stand up applications in the cloud or on-premises, you need to have a strategy for data security. Where is your data, how are you managing it, what are the compliance and governance policies, and so forth? You need to be thoughtful about where sensitive data resides.
Public cloud service or cloud computing providers
Utilize the security tooling provided by public cloud service providers. Public cloud providers offer data tagging and data notification. And key management services that you can use to help better protect your data.
Don’t let the fact that you’re using cloud services distract you from the features of your operating system, either. Utilize features such as access control lists, encryption, and other data security measures, whether your instances reside in the cloud or on-premises.
The perimeter security strategies you have used successfully before may not be applicable now. On-premises solutions, such as those that track IP addresses and other traditional tools, do not make sense in a cloud-native environment with containers that may have a shelf life of minutes or seconds.
Similarly, some of the compliance frameworks created over 20 years ago have security policies that assume. That you are performing security after the server has already been deployed. However, in a cloud-native environment, security is typically implemented before deployment, at the application pipeline level. As a result, auditors may incorrectly advise that you need to install antivirus or other third-party security agent-based software due to an outdated security policy. However, this doesn’t make sense in a containerized environment where the container host itself is immutable.
Management and Automation
Security and automation are closely intertwined. Cloud infrastructure is valuable, in part, because it is automat.
Automation isn’t just valuable for doing things quickly and efficiently; it also enables organizations to streamline their operations and improve their productivity. It’s valuable because you can use automation in application processes. And policies at a broad scale enhanced security and compliance. It’s valuable because you can reduce human errors, such as misconfiguration issues that give attackers a potential toehold into your environment. Misconfiguration issues are one of the top causes of data breaches in the cloud.
Ensure a consistent automation strategy across application development, infrastructure operations, and security to promote repeatability, consistency, and auditability.
Conclusion
Finally, all of the tools in the world won’t help if you don’t have a culture of cross-collaboration and practice of viewing security as a process. Work together to develop and hone your organizational and individual skills, automate “all the things”. And solve security challenges together as a team.
We have the tools to address security across the hybrid cloud. However, we must choose to utilize them and make the most of them in a way that makes sense in the hybrid cloud world. Security should be looked at as a team sport, not something. That is thrown over the wall and done on the 11th hour via panicked pen-testing and security scans. When you tackle security in this panicked, last-minute approach. You will make mistakes, as it is human nature to make mistakes when working under pressure. This is particularly true when tasks are completed early in the application and infrastructure life cycle, which is key to successfully tackling security in the hybrid cloud world.
