“I love this old adage that if you’re a little behind you work harder and if you’re much further behind you have to work smarter. The crucible of the hyperscale of cloud forced us to come up with newer and better ways to do things,” said Josh Corman (@joshcorman), director of the Cyber Statecraft Initiative at the Atlantic Council, in our conversation at the BSides Las Vegas conference.
Thinking about using traditional security tools in a cloud environment is the wrong approach, said Corman, mostly because it’s a completely different compute environment. Scale, velocity of change, and development methodologies are all accelerated.
“It’s less about bringing forward all the old junk that maybe didn’t work so well in your old environment and more about looking at how to preserve the same intent better in these newer IT environments,” Corman said. “We’re very poorly instrumented in our IT environments because security was a bolt on. But in cloud shops and DevOps shops, instrumentation is a design objective.”
It’s physically not possible to use the old, manpower-intensive monitoring techniques in an environment as dynamic as the cloud. Instead, adopt a philosophy of instrumenting security at project inception, said Corman.
“These cultures that build DevOps at hyperscale and hyperspeed tend to be more willing to work with security minds and bake security into the entire SDL (software development lifecycle), and not just tack it on after the fact,” noted Corman.
A good example of instrumenting security is auditing. If you create systems that automatically spit out formatted audit evidence, said Corman, you can take the sting out of a necessary but undesirable process.
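To make the idea concrete, here is a small illustration of what "systems that automatically spit out formatted audit evidence" can look like in practice. This is example code added for this page, not code from Josh Corman, the Atlantic Council, or any particular product. The host inventory is constructed sample data, the four controls are an assumed, deliberately simplified policy, and the function and field names are my own; the pattern it shows is that the same collector that feeds the engineering team can also emit a timestamped, digest-protected evidence record an auditor can verify without anyone filling in a spreadsheet by hand.

```python
"""Automated audit-evidence generation (added example, not the page's own code).

Evaluates an assumed policy against a constructed host inventory and emits a
self-describing evidence record whose body is covered by a SHA-256 digest, so
an auditor can recompute the digest and see that the file was not edited.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample inventory: the kind of record a config collector or a
# cloud inventory API might return. These are not real hosts.
SAMPLE_INVENTORY = [
    {"host": "web-01", "disk_encrypted": True,  "ssh_password_auth": False, "days_since_patch": 3,  "mfa_admins": True},
    {"host": "web-02", "disk_encrypted": True,  "ssh_password_auth": True,  "days_since_patch": 12, "mfa_admins": True},
    {"host": "db-01",  "disk_encrypted": False, "ssh_password_auth": False, "days_since_patch": 45, "mfa_admins": False},
]

# Assumed policy: (control id, human description, predicate over one host record).
CONTROLS = [
    ("ENC-1",   "Data at rest is encrypted",                 lambda h: h["disk_encrypted"]),
    ("SSH-1",   "SSH password authentication is disabled",   lambda h: not h["ssh_password_auth"]),
    ("PATCH-1", "Patched within the last 30 days",           lambda h: h["days_since_patch"] <= 30),
    ("IAM-1",   "Administrators use MFA",                    lambda h: h["mfa_admins"]),
]


def evaluate(inventory, controls=CONTROLS):
    """Run every control against every host and return one finding per pair."""
    findings = []
    for host in inventory:
        for control_id, description, predicate in controls:
            findings.append({
                "host": host["host"],
                "control": control_id,
                "description": description,
                "status": "PASS" if predicate(host) else "FAIL",
            })
    return findings


def _canonical(body):
    # Sorted keys and fixed separators make the serialization reproducible,
    # which is what lets a third party recompute the digest later.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def generate_evidence(inventory, controls=CONTROLS, collected_at=None):
    """Produce a timestamped, digest-protected evidence record."""
    collected_at = collected_at or datetime.now(timezone.utc)
    findings = evaluate(inventory, controls)
    body = {
        "collected_at": collected_at.isoformat(),
        "scope": sorted(h["host"] for h in inventory),
        "findings": findings,
        "summary": {
            "pass": sum(f["status"] == "PASS" for f in findings),
            "fail": sum(f["status"] == "FAIL" for f in findings),
        },
    }
    return {"evidence": body, "sha256": hashlib.sha256(_canonical(body)).hexdigest()}


def verify_evidence(record):
    """Recompute the digest; True only if the evidence body is unmodified."""
    return hashlib.sha256(_canonical(record["evidence"])).hexdigest() == record["sha256"]


def failing_hosts(record, control_id):
    """Hosts that failed a given control, e.g. to open a remediation ticket."""
    return sorted(f["host"] for f in record["evidence"]["findings"]
                  if f["control"] == control_id and f["status"] == "FAIL")


if __name__ == "__main__":
    record = generate_evidence(SAMPLE_INVENTORY)
    print(json.dumps(record, indent=2))
    print("verified:", verify_evidence(record))
```

The digest is a tamper-evidence measure, not a signature: anyone who can rewrite the file can also recompute the hash, so in a real deployment the record would be signed by the collector's key or written to append-only storage. The design point is the one Corman makes: the evidence is a by-product of instrumentation that already exists, formatted once, rather than a separate manual exercise.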
“Look at this as an opportunity to maybe do it differently in a way that’s compatible with the modern development process,” advised Corman.