“If you don’t have a metric on something, how do you know what normal looks like?” asked Aaron McKeown, lead security architect and cloud security product owner for Xero in our conversation at the 2016 Black Hat conference in Las Vegas.
McKeown was quoting a well-known adage in the security industry about gaining visibility in the cloud. You have to monitor everything in order to know what you have — and to know when you have drifted outside the normal range.
Falling out of normal happens a lot, said McKeown, because of configuration drift. Unlike your on-premises datacenter, the cloud is always changing. It’s impossible to keep settings static, nor should you even try. At Xero alone, they have 45 AWS accounts, thousands of servers in the cloud, and hundreds of developers. Things change all the time, even minute by minute. Tracking the configuration of your environment, especially the drift, is very important.
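To make the drift idea concrete, here is an added example (it is not code from the article, from CloudPassage or from Xero) that compares a recorded baseline of security-group settings against a current snapshot and reports what changed, with a severity hint so a reviewer sees the risky drift first. The snapshot format and all group names, rules and tags are constructed for the example; a real deployment would fill the two dictionaries from the cloud provider's configuration API or an inventory tool.

```python
from dataclasses import dataclass

SEV_ORDER = {"low": 0, "medium": 1, "high": 2}
ADMIN_PORTS = {22, 3389, 3306, 5432}  # ports where world-open exposure is most serious


@dataclass(frozen=True)
class Finding:
    resource: str
    kind: str      # resource_added, resource_removed, rule_added, rule_removed, tag_changed
    detail: str
    severity: str  # low, medium, high


# Constructed sample snapshots (hypothetical; not real Xero or AWS data).
# Each security group maps to a set of ingress rules (protocol, port, source CIDR)
# and a dict of tags. The baseline is what was last reviewed and approved.
BASELINE = {
    "sg-web": {
        "ingress": {("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8")},
        "tags": {"owner": "web-team", "env": "prod"},
    },
    "sg-db": {
        "ingress": {("tcp", 5432, "10.0.1.0/24")},
        "tags": {"owner": "data-team", "env": "prod"},
    },
}

# The current snapshot contains three kinds of drift.
CURRENT = {
    "sg-web": {
        # The SSH rule was widened from the internal range to the whole internet.
        "ingress": {("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "0.0.0.0/0")},
        "tags": {"owner": "web-team", "env": "prod"},
    },
    "sg-db": {
        # The owner tag changed, so the ownership record is now stale.
        "ingress": {("tcp", 5432, "10.0.1.0/24")},
        "tags": {"owner": "unknown", "env": "prod"},
    },
    # A group that nobody recorded in the baseline appeared.
    "sg-scratch": {"ingress": {("tcp", 8080, "0.0.0.0/0")}, "tags": {}},
}


def rule_severity(rule):
    """Rate an ingress rule: world-open on an admin port is high, world-open otherwise medium."""
    _proto, port, cidr = rule
    if cidr == "0.0.0.0/0":
        return "high" if port in ADMIN_PORTS else "medium"
    return "low"


def fmt_rule(rule):
    proto, port, cidr = rule
    return f"{proto}/{port} from {cidr}"


def diff_config(baseline, current):
    """Return every difference between the approved baseline and the current snapshot."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append(Finding(name, "resource_removed", "security group no longer exists", "medium"))
            continue
        if name not in baseline:
            # An unreviewed group is at least medium; rate it by its most exposed rule.
            worst = max((rule_severity(r) for r in current[name]["ingress"]),
                        key=SEV_ORDER.get, default="low")
            sev = "medium" if SEV_ORDER[worst] < SEV_ORDER["medium"] else worst
            findings.append(Finding(name, "resource_added", "security group not in baseline", sev))
            continue
        old_rules, new_rules = baseline[name]["ingress"], current[name]["ingress"]
        for rule in sorted(new_rules - old_rules):
            findings.append(Finding(name, "rule_added", fmt_rule(rule), rule_severity(rule)))
        for rule in sorted(old_rules - new_rules):
            # A removed rule is a change worth recording but rarely widens exposure.
            findings.append(Finding(name, "rule_removed", fmt_rule(rule), "low"))
        old_tags, new_tags = baseline[name]["tags"], current[name]["tags"]
        for key in sorted(set(old_tags) | set(new_tags)):
            if old_tags.get(key) != new_tags.get(key):
                findings.append(Finding(name, "tag_changed",
                                        f"{key}: {old_tags.get(key)!r} -> {new_tags.get(key)!r}", "low"))
    return findings


def summarize(findings):
    """Count findings per severity so the report can lead with the worst drift."""
    return {sev: sum(1 for f in findings if f.severity == sev) for sev in SEV_ORDER}


def run_example():
    return diff_config(BASELINE, CURRENT)


if __name__ == "__main__":
    results = run_example()
    for f in sorted(results, key=lambda f: -SEV_ORDER[f.severity]):
        print(f"[{f.severity:6}] {f.resource:11} {f.kind:16} {f.detail}")
    print(summarize(results))
```

Run on the constructed snapshots, the widened SSH rule on sg-web is reported as high, the unreviewed sg-scratch group as medium, and the tag change and removed rule as low. The same diff against an unchanged baseline returns no findings, which is the "normal" the quoted adage refers to; in practice the baseline is re-approved whenever an intended change is reviewed, so that only unreviewed drift shows up.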
“There’s a new normal in the public cloud,” said McKeown. “It’s not the same as the way things used to be.”
Everything can completely change in a week because AWS could release a new product into the market, and Xero’s developers have the option to use that new product the day it’s released. Given that, said McKeown, “We need to communicate inside our organization to ensure that security is in the DNA of everyone that’s doing work on our platforms, and then we need to start having our different technologies, like CloudPassage and the other solutions that we have, talking to each other so that we can start aggregating that information up to a single pane of glass.”
More Than Just Shared Security. Extended Security.
When the discussion of “shared security” comes up, most think only about the relationship between the company and the cloud provider. But as McKeown points out, the concern and responsibility for security extend to their partners and the development team.
The group that really needs to understand that shared security responsibility relationship is the developers, said McKeown. “They must understand what is their responsibility, and what are those other partners and those vendors like Amazon going to do for them in terms of protecting the assets.”