
Security in Cloud: why is it important?


Cloud arrived with the promise of reducing infrastructure cost, enhancing security by leveraging shared infrastructure, and more, and organizations are gradually moving to Cloud to gain those advantages. With these multi-fold advantages, one big concern stays as-is: security. Security in the on-prem world has multiple layers: network security, infrastructure security and application security. In Cloud, security still has multiple layers, but now with many dynamic, moving parts. Also, because of the nature of Cloud, regulatory bodies are strict about ensuring regulatory compliance and keep bringing in additional regulatory requirements.

There are multiple challenges in the cloud -
  1. The points of penetration and the attack surface are changing, particularly in a cloud environment. The various workloads have different needs: some are public facing in a public subnet, and the rest sit in a private subnet behind a strict firewall for inter-subnet communication.
  2. Earlier, the penetration point was only on the perimeter network; organizations secured the perimeter only and claimed to be secure. Now, once attackers get into the network, they can spread from workload to workload, or move east-west within a workload.
  3. When such a workload changes its position, the attack surface changes too, and the threat moves along with the workload.
  4. So it has become extremely important that security is built as part of the application.
  5. As a business application changes its position, its security model should change with it, so that application owners do not have to worry about security.
  6. Organizations are also looking for programmable security as an integral part of applications, because hiring and building security experts is one of the major challenges.
  7. Security should be programmable so that application developers, DevOps and Ops can understand the security requirements, change the required configurations from time to time, and continuously monitor to ensure the application stays secure.
With Cloud, the security needs become multi-fold for the following reasons -
  1. Deployments of business applications are not static; they change position in the network or expand with business demand. For example, the workload for an e-retail store will need more web servers during peak demand, and depending on the demand and region, the web servers may need to be added to a separate subnet.
  2. As the application changes its configuration, the threat landscape associated with it changes, along with the change in the application's position in the network.
  3. New threat vectors emerge as the application's position changes or the kind of software associated with the application changes.
    • For example, the application moves from a private subnet to a public subnet, and hence the threat landscape changes.
    • The application adds an application server as a new application layer, or changes its messaging layer from RabbitMQ to Kafka, and the threats associated with it change.
  4. Because of the nature of cloud, new threat vectors keep on emerging.
Public cloud vendors like AWS, Azure and Google Cloud mainly protect the underlying infrastructure, but not necessarily the business applications running on it, the access granted to those applications, the data managed by those applications, or the connections from those systems to other systems in the same public cloud, in a similar cloud, or in the private cloud running on the customer's premises. Attackers do not care where their target is located, whether in public cloud infrastructure, a private cloud or a closed private network. Their only objective is to gain access to the network; navigate to a target, be it data, servers or network; and then execute their end goal. So from the attacker's perspective there is no difference between public cloud and private cloud/on-prem managed systems.

From the customer's perspective, a public cloud deployment is nothing but an extension of your data center, and the steps to protect it should be no different from those you take to protect your own private data center/cloud or your own managed private network of computer systems. The speed of public cloud deployment, and the fact that the infrastructure is managed by the cloud provider, sometimes leads to security shortcuts where little to no security is applied. It is generally believed that native security solutions or point security solutions are sufficient to address the security needs in public cloud, since the cloud providers have certified their infrastructure from a security point of view. The reality is that these point security products only act on specific issues, more in a reactive mode than a preventive mode. Considering the dynamism and agility associated with cloud, public cloud should not be treated with the same security needs as an on-prem data center. I hope that, as public cloud deployments increase in volume and scope, more diligence will be applied to the security model around business applications running on public cloud.

It should include complete visibility and control at the individual instance level and the business application level, and the prevention of known and unknown threats and vulnerabilities, with the objective of alerting customers/users about security issues in a more reactive manner. As you go through my next set of articles on the use of Machine Learning/Deep Learning, Big Data Analytics and Security Intelligence, you will realize that such frameworks will need to be leveraged by Information Security or Cloud Security teams to implement predictive security postures across public, private and SaaS cloud infrastructures.

So, security for Cloud should be -
  1. Dynamic 
  2. Built along with the application 
  3. Programmable Security 
  4. Easy to understand for Developers, DevOps and Ops 
  5. Completely automated 
Components of Cloud Security - 
  1. Automated recommendations for various applications 
  2. Automatically configured or built
  3. Configurable or programmable security 
  4. Automated security configurations based on network model 
  5. Security Analytics 
  6. Anomaly detection 
  7. Security events for developers, DevOps and Ops
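As an added example (not code from the original post) of the "built along with the application", "automated security configurations based on network model" and "security moves with the workload" ideas above, the Python below derives ingress rules from a constructed three-tier workload model: adding a web server at peak demand, moving a data tier into a public subnet, or declaring a flow the design does not permit changes the generated rules and raises findings instead of relying on hand-edited firewall entries. The Workload model, tier names, ALLOWED_FLOWS and the rule tuple format are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed model of a three-tier application (web -> app -> data). Ingress rules
# are generated from the model rather than hand-written, so they change whenever
# a workload is added, moved between subnets, or starts calling something new.
@dataclass(frozen=True)
class Workload:
    name: str
    tier: str             # "web", "app" or "data"
    subnet: str           # "public" or "private"
    port: int
    talks_to: tuple = ()  # names of the workloads this one is allowed to call

ALLOWED_FLOWS = {("web", "app"), ("app", "data")}  # east-west paths the design permits
INTERNET = "0.0.0.0/0"

def derive_rules(workloads):
    """Sorted ingress rules (dst, src, port, action) derived from the model:
    the internet reaches only a web tier in a public subnet, declared flows are
    allowed only if in ALLOWED_FLOWS, and each workload ends with a catch-all deny."""
    by_name = {w.name: w for w in workloads}
    rules = set()
    for w in workloads:
        if w.tier == "web" and w.subnet == "public":
            rules.add((w.name, INTERNET, w.port, "allow"))
        for target in (by_name[n] for n in w.talks_to):
            action = "allow" if (w.tier, target.tier) in ALLOWED_FLOWS else "deny"
            rules.add((target.name, w.name, target.port, action))
        rules.add((w.name, "any", 0, "deny"))  # default deny per workload
    return sorted(rules)

def findings(workloads):
    """Flag model states that widen the attack surface and need review."""
    by_name = {w.name: w for w in workloads}
    out = []
    for w in workloads:
        if w.subnet == "public" and w.tier != "web":
            out.append(f"{w.name}: {w.tier} tier exposed in a public subnet")
        for n in w.talks_to:
            if (w.tier, by_name[n].tier) not in ALLOWED_FLOWS:
                out.append(f"{w.name} -> {n}: flow not permitted by the design")
    return out

def rule_diff(before, after):
    """Rules added and removed when the model changes, e.g. a web server is added."""
    b, a = set(derive_rules(before)), set(derive_rules(after))
    return sorted(a - b), sorted(b - a)
```

Feeding the same model to a cloud provider's security-group API, and diffing the generated rules on every deployment, is how this becomes "completely automated" rather than a one-off review.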

Comments

  1. Thanks for sharing an informative blog on application security requirements. I found this blog very useful.
