To explore the complex and sometimes confusing topic of cloud security more deeply, we recently hosted a webinar in which Vikram Varakantam, Threat Stack Director of Product Strategy, and Ilya Kalinin, senior DevOps engineer at AdRoll, talked through some of the top issues that need to be considered when organizations are scaling cloud infrastructure securely (up or down).
As a trend, cloud is now mainstream. And it’s not an exaggeration to say that every successful company has already adopted it or is in the process of adoption, with the goal of benefitting from the agility, flexibility, and speed made possible by the cloud.
While many organizations have fully embraced the cloud, not all of them have completely or accurately identified, evaluated, and addressed the critical security implications of scaling rapidly in the cloud.
To ensure success, organizations need to develop and implement a cloud security strategy that guides them before, during, and after cloud adoption. In part, this means they need to identify appropriate tools and processes. It also means that DevOps and security teams must know how to make their processes work together from the outset to ensure that they can continue to build and operate at cloud speed — while they simultaneously maintain security and compliance (if required).
In case you missed the webinar, here is a quick recap:
Guidelines for Success: 3 Key Practices for Scaling With Confidence
It’s critical to make security an integral part of running cloud-native applications that operate at scale to manage risk across an organization’s cloud environment. But this isn’t always easy. To offer guidance in this area, we’ve recommended three key practices that can help organizations achieve security at scale within cloud environments.
1. Develop and Maintain Visibility
Fast-growing companies are increasingly relying on modern infrastructure (read public, private, and hybrid cloud) to fuel business scale.
Many, however, find themselves scaling with limited visibility into what is happening from a risk perspective inside their cloud infrastructures, and in particular inside their workloads and cloud services, where applications are running and business-critical data resides.
Although the debate continues as to whether migration to the public cloud is more or less secure than the traditional enterprise data center approach, one fact remains clear: Adoption of public cloud is here today and is not going away anytime soon.
So the only legitimate question is: Will you scale blindly or with confidence?
To maintain visibility, you must ensure that you have a window into the workload, both in real-time and historically. The workload is the center of your cloud infrastructure, it holds the single source of truth of what’s happening in your infrastructure, and therefore, it’s essential that you have visibility into it. You also need to integrate seamless visibility into existing security, development, and operations workflows to ensure that monitoring is automated right from the outset.
2. Trust But Verify
We’ve talked about the “trust but verify” model many times, but it bears repeating. Today, a lot of organizations trust, but they aren’t verifying.
Trust is essential because everyone must have access to your infrastructure if you are going to move and build quickly. But it’s essential that you also monitor and audit continuously so you can verify business-critical activity and manage risk effectively.
3. Use Policy-Based Behavioral Monitoring and Investigate With Context
Establish policies to encourage positive security processes and hygiene. This means designing rules that are based on behaviors, rather than explicit directives. A good security process, for example, would allow developers to access the production environment — but only if they are logging in via jumphosts via VPN. This type of behavioral monitoring strengthens your security by helping to find unexpected security events, while enabling productivity.
Policy-based behavioral monitoring also allows your security systems to learn new patterns and adapt policies as needed, while investigating exceptions with the right context for accurately weighing security risk vs. anomaly.
Straight From the Trenches: 3 Tried-and-True Tips From a Threat Stack Customer
At Threat Stack we place a lot of importance on hearing how our customers are thinking about and applying security principles and tools in the real world.
AdRoll is one of the largest online ad retargeting platforms today, with over 25,000 customers. The AdRoll team manages a large AWS cloud infrastructure deployment (spanning thousands of servers) to support this massive and complex environment. With a deep background in cloud infrastructure, DevOps workflows, automation, and cloud security, senior DevOps engineer, Ilya Kalinin, is a great source for wisdom and real-world experience on the topic of cloud security.
Here are Ilya’s top three tips for making the journey to the cloud easier and more successful, regardless of your organization’s size or IT requirements.
1. Be Patient
It’s easy to become overwhelmed with the complexities of cloud security, so Ilya recommends taking a step back to get some perspective. It’s critical to do cloud security right, and it can take time. So try to have patience with the process and focus on getting it done right (rather than just getting it done).
2. Talk to Your Suppliers
Cloud security is a complex topic, and it can be extremely helpful when you add an outside perspective to the mix. Ilya suggests using your suppliers and vendors as resources. They may be able to add context to something you are seeing in your environment because they’ve encountered it before with other customers. We’ve often been able to help our customers take a step back and see the broader picture by sharing insights gained from our customers. So if you get stuck and aren’t sure what to do, talk to your suppliers. Most, like us, will be more than happy to help.
3. Decide Whether to Build or Buy
You might be surprised at how expensive it can be to “roll your own” cloud security — whether that means cobbling together point solutions or starting right from scratch. If you’re thinking about building your own solution, be sure to sit down and do the numbers. Ask yourself questions like these:
- How many man-hours will it take?
- Will the effort drain resources that we need to run our business?
- What are the maintenance requirements and costs (short-term and long-term)?
- How does this compare to an off-the-shelf SaaS product (cost- and feature-wise)?
- Do we have enough expertise in security to home-build a system?
Putting It All Together
Visibility is a key component for running security within public cloud infrastructures. It should start at the workload with a low overhead and extend to infrastructure and external areas like the network and software. As you work to achieve this visibility, remember to establish a “trust but verify” paradigm that lets you run fast and keep your risks in check. Also, establish ground rules, monitor for behaviors, and investigate with context before you make any remediation decisions. Finally, while you’re making your migration to the cloud, be patient with the process, don’t be shy about asking for external input, and make smart choices about whether to build or buy.
With Threat Stack’s proven best practices and Ilya’s operational experience-based tips guiding you, we think you’ll be ready to succeed in the cloud — whatever you encounter along the way.