How to Combat Security Risks in the Cloud
In his Wall Street Journal article, “How Companies Can Minimize Their Cloud Security Risk,” Robert Plant (@drrobertplant) addressed many hazards that can arise when enterprises move applications and data to the cloud. He states that while the shift to the cloud can improve productivity and efficiency, “executives are increasingly being faced with balancing the benefits of productivity gains with significant concerns around compliance and security.”
Robert explains that a key area of concern is employees’ unsanctioned use of cloud services and applications. Some companies realize and accept this trend is just part of today’s decentralized business structures and need for agile solutions, while others are unaware of what is being used, who is spinning up cloud resources, or what the end cost is to their company.
When employees provision cloud resources to increase efficiency or improve processes on their end, they don’t necessarily realize that they’re opening the enterprise up to various security risks. This can include data sovereignty and geographic concerns, unencrypted data, ownership claims by cloud service providers, and IP infringement.
While these issues are clearly important, challenges related to cloud computing extend far beyond high-level legal and business risks. At its most basic level, software-defined cloud infrastructure allows developers, engineers and even business people – some of whom happily run their child’s Minecraft server in the AWS cloud – to programmatically provision cloud resources all over the world. They can open security holes to work with cloud resources from home or Starbucks. This makes data leakage from lax permissions, or “super-user” access by the wrong employees, an everyday occurrence in the cloud.
Protecting the Hybrid Cloud
Robert outlines ways to minimize risk, stating that there are strategies to allow employees to explore new tools and resources within safer operational frameworks. But he doesn’t go beyond improved monitoring, or establishing better procurement policies and education efforts. While that is good, high-level advice, there are more strategies and tools in the arsenal of today’s CIO and CISO, among them advanced cloud automation and dynamic optimization solutions.
IT leaders need to look for three key capabilities when exploring dynamic optimization technologies to help manage today’s cloud (often hybrid-cloud) deployments.
The first is robust monitoring that senses and consolidates real-time data and state changes across different cloud deployments. It’s better to pull data directly off your cloud infrastructure using native APIs than to integrate with reporting tools provided by the cloud providers, which may limit or “interpret” data within their dashboards.
Second, smart solutions need to understand cloud infrastructure changes in the context of dependencies and interconnections between cloud compute, networking, security and storage. For example, high CPU utilization may mean nothing more than a need to add capacity to keep up with increasing customer usage. However, high CPU usage combined with new, unknown users on a system, changes to security rules and spiking outbound network traffic could mean that cloud systems have been hijacked to perpetrate a DDoS attack (see my colleague Chris DeRamus’ post on this topic). Just tracking isolated information about individual cloud resources or applications is not enough. Smart optimization technologies need to understand how cloud infrastructure components work together and draw inferences about potential risks.
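The correlation described above can be sketched in a few lines. This is an added example, not code from the original article or any vendor's product; the signal names, the 15-minute window and the threshold of two corroborating signals are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (timestamp, resource, signal).
# Signal names are hypothetical labels for the conditions named in the text.
EVENTS = [
    ("2024-01-01T10:00:00", "web-1", "high_cpu"),
    ("2024-01-01T10:02:00", "web-2", "high_cpu"),
    ("2024-01-01T10:03:00", "web-2", "new_user"),
    ("2024-01-01T10:05:00", "web-2", "security_rule_change"),
    ("2024-01-01T10:09:00", "web-2", "outbound_traffic_spike"),
    ("2024-01-01T09:00:00", "web-3", "new_user"),  # hours before the CPU alert
    ("2024-01-01T13:00:00", "web-3", "high_cpu"),
    ("2024-01-01T11:00:00", "db-1", "security_rule_change"),  # no CPU alert
]

CORROBORATING = {"new_user", "security_rule_change", "outbound_traffic_spike"}


def classify(events, window=timedelta(minutes=15), min_corroborating=2):
    """Map each resource to 'ok', 'capacity_review' or 'possible_hijack'.

    The window and threshold are assumed values, to be tuned per environment.
    """
    by_resource = defaultdict(list)
    for ts, resource, signal in events:
        by_resource[resource].append((datetime.fromisoformat(ts), signal))

    verdicts = {}
    for resource, items in by_resource.items():
        verdict = "ok"
        for cpu_time, signal in items:
            if signal != "high_cpu":
                continue
            # Distinct corroborating signals on the same resource near this alert.
            nearby = {s for t, s in items
                      if s in CORROBORATING and abs(t - cpu_time) <= window}
            if len(nearby) >= min_corroborating:
                verdict = "possible_hijack"
                break
            verdict = "capacity_review"  # high CPU without enough corroboration
        verdicts[resource] = verdict
    return verdicts


if __name__ == "__main__":
    for resource, verdict in sorted(classify(EVENTS).items()):
        print(resource, verdict)
```

The same high-CPU alert yields a capacity review on web-1 and web-3 but a hijack warning on web-2, because only there do the other signals fall on the same resource inside the window.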
Lastly, active policy automation is needed to respond in real time and self-heal cloud infrastructure into compliance when humans and systems inevitably color outside the lines. The dynamic nature of the cloud quickly outstrips human capacity to manage it effectively. By automating policy compliance and responses to the “known-knowns,” the IT team can concentrate on troubleshooting the “unknowns,” conducting deep analysis of risks (security, cost and performance) and planning for continued scalability.
A cloud automation solution with these features allows CISOs to know when changes occur across their diverse cloud infrastructure; understand key interdependencies and potential impact radius; and automatically take action to solve issues as they occur and close vulnerabilities. Furthermore, these same cloud optimization technologies can detect inefficiencies and potential waste, and take automated action to drive savings.
Combined with the guidance from Robert, embracing a cloud automation solution with these capabilities can allow CISOs and enterprise IT departments to deliver the benefits of cloud computing while ensuring compliance with evolving security, cost and performance best practices.