Best practices for security in an automated cloud environment
Gain a level of consistency and predictability by improving your ability to detect anomalies through automation.
FRB Vault Door (source: Wikipedia)
Cloud computing environments use orchestration software to automate the provisioning of IT services. This includes the deployment and configuration of servers or virtual machines, operating systems, applications, software updates, storage, and network/virtual LANs. Given that automation is used extensively in a cloud environment, there are IT security challenges unique to cloud environments that go beyond traditional IT security practices.
Automation
The first rule for any cloud is to automate “everything.” Plan and design a cloud system with as few manual processes as possible. Manual processes are inherently less consistent and inhibit the ability for rapid provisioning of new services or expanded capacity on demand, which is fundamental to a cloud. So, a core security concept—and this might be contrary to ingrained principles of the past—is to avoid any security processes or policies that delay or prevent automation.
Learn faster. Dig deeper. See farther.
Automation brings operational efficiency, consistent configurations, rapid provisioning on demand, elastic scale up and scale down, and support cost savings. This pursuit of all things automated also improves security. Traditional IT security processes tend to be manual approvals, after-provisioning audits, and slow methodical labor intensive assessments—tendencies that must change when building or operating a cloud environment. The new style of cloud security assess and pre-certifies all cloud services, applications, VM templates, operations system builds, and so on.
Automate asset and operational management; as services are provisioned in an automated fashion, so too must the security and operational systems learn about the new items in real-time, so that scanning and monitoring of these assets can be initiated immediately. As new systems (VMs, applications, etc.) are brought online and added to the asset and configuration management databases, the security management systems should immediately be triggered to launch any system scans and start routine monitoring.
In a dynamically changing and automated cloud, continuous monitoring is best combined with continuous updating of asset and configuration databases. This real-time updating feeds into the security systems when new servers, VMs, and applications are launched. Without automated updating in real-time, it’s almost impossible to keep up (manually or otherwise) with all of the changes.
Pre-certify VM templates
Organizations with strict security accreditation processes often struggle with the idea that cloud services should immediately provision new VMs when ordered. Maintain compliance by making changes in the legacy security process to have IT security pre-certify all images launched within new physical devices or VMs. One of the best ways to control software application deployment and security management is to create and certify automated installation packages.
Scan and assess every image before loading it into platform and giving customers the ability to order it. Many cloud providers charge a fee to assess and import customer images. Customers might push back on this extra cost, so take the time to explain the need for these manually intensive assessments and the ongoing upgrades and support required.
Many cloud services require a default network or virtual network connection as part of the automated configuration. VMs can be configured with multiple virtual network interfaces and connect to one or more production or non-production network segments with your datacenter. These network configurations include the VM configuration when your security team performs its pre-certification.
Offer additional network segmentation, as an option, through the use of virtual firewalls and VLANs to secure or isolate networks. Applications that need to be Internet-facing should be further segmented and firewalled from the rest of the production VMs and applications. Platform as a Service (PaaS) offerings are often configured with multiple tiers of VMs and applications that interact and can have several network zones to protect web-facing front-end servers from middleware and backend databases.
Don’t overdo the default segmentation of networks, because this complicates the environment and increases operational management. Stick with some basic level of network segmentation and allow customers to request additional network segments as needed. Pre-certify several network VLANs, firewall port rules, load balancers, and storage options and make these available to cloud consumers via the self-service control panel. By pre-certifying options, you can offer your customers flexibility and rapid provisioning by having something already vetted and certified by security personnel. Customers will often seek a future VLAN or opening of firewall ports that go behind the pre-certified configuration, so these things can still be handled by a less-than-automated approval or vetting process.
Pre-certify applications
Security pre-certification also extends to all applications and future updates that will be available on the cloud. Configure applications as automated installation packages, where any combination of application packages can be ordered, provisioned, and installed on top of a VM image. Separating the image from packages can reduce the number of image variations and frequency in updating images (compared to fully configured images that include applications).
Key take-away: Use a combination of security-approved images and application installation packages. Reduce the quantity of VM image variations and frequency of updates by separating the OS image from the applications.
Pre-certifying everything to facilitate automation can eliminate manual security assessments in the provisioning process. This pre-certification is an ongoing effort as new applications and updates are continuously introduced. Finally, more complex multi-tier applications will require significantly more security assessment and involvement in the initial application design process. If security experts are not involved with the initial application design, then trying to map production-ready application tiers to automated and pre-certified network segments will be a nightmare.
Asset and configuration management
Many organizations have a mature asset and configuration management systems in place; however, in a private cloud environment that uses automated provisioning, the key to success is to automate the updating of asset and configuration databases. This means configuring the cloud management platform, which controls and initiates automation, to immediately log the new VM, application, or software upgrades into the asset/configuration database(s). Because this is done through automation, there is little chance that updating the asset or configuration databases is skipped and the accuracy of the data will be improved when compared to legacy manual update procedures.
Some organizations have very formal configuration control approval procedures and committees in place. Although the need for these is understood, the concept of a manual approval process and committee are contrary to the tenets of cloud automation and rapid provisioning (which includes routine software updates). Maintain compliance by including pre-approved application patches, upgrades, and images to allow the cloud automation system to perform its rapid provisioning responsibilities. As new systems are deployed in an automated manner, so to will the configuration log and database be updated in real-time. These automated configuration changes, which are based on pre-approved packages or configurations, should be marked as “automatically approved” in the change control log.
Customer visibility into security and operations
In a public cloud, customers no longer need to allocate precious staff, funds, or time to work on routine system administration and upkeep of the network. This includes security operations, continuous monitoring, and responding to security events and threats; however, some customers still want visibility into their hosted cloud.
Public providers were initially reluctant to grant much visibility into what was considered internal operations. As customers have adopted cloud services, customers quickly realized that they were effectively blind to the operations that could affect their data and cloud-based systems. Customers want more visibility into events, alerts, threats, and remediation activities relating to their data and cloud services. A private cloud model and management system is far more customizable and therefore capable of integrating with existing or new security software to provide a real-time dashboard with statistics, event alerts, and mitigation data.
Enterprise customers often want to be aware of security events and remediation, whereas others just want visibility, but still remain hands off to the hosted cloud-based activities. The challenge is that most network monitoring and security systems are focused on consolidating triggers, alerts, and critical system events. The data is aggregated and then correlations of multiple related events found, which leads to earlier and more complete detection of the overall event or threat. In a multi-tenant cloud environment, these same advanced aggregation, analytics, and correlation tools are not perfectly suited to separating the data for distribution to individual tenants or consuming organizations. This is a primary reason why visibility and real-time access to security monitoring and events is challenging for many cloud providers. In a private cloud deployment, multi-tenancy is not as much of an issue, so there are more options for presenting monitoring to the consuming organization.
Customers don’t want to depend solely on a monthly report showing past events, threats, or vulnerabilities. Real-time monitoring and visibility into systems and security operations are clearly desired by consumers.
Conclusion
I am often asked if cloud environments are more or less secure than traditional IT data centers. While every system is unique, cloud environments on average are more secure than traditional server farms, data centers, and applications because of the centralized and concentrated (i.e. focused) professional expertise. The level of skilled security employees and continuous monitoring in a cloud environment is often beyond what any single customer or data center can afford to maintain. That being said, the impact of a security breach in a cloud environment may affect more systems and customers, so this is also the reason security is a primary concern of all cloud providers and customers. Carefully assess all of your applications and data for data sensitivity and risk to help determine which cloud provider or cloud deployment model (e.g. public, private, etc.) are most suitable to your needs.
When processes are automated—service provisioning, system updates, configuration/asset tracking, and security scans—you gain a level of consistency and predictability that improve the ability to detect anomalies.