Posted October 24, 2016 in Security

Security & Cloud – Two Groups, One Great Opportunity

Over the last several years, talk about how cloud computing would revolutionize how businesses deliver services to their clients has continued to pick up steam. Even in Canada, where our adoption rate falls far below that of our southern counterpart, the conversation in the executive suite and around technology strategy tables has now become focused on how to take advantage of this shift in computing.

For the most part, technologists and executives are rapidly realizing that the speed with which cloud-based solutions can be deployed is the biggest advantage, closely followed by the benefits of a “pay for only what you use” model, which enables very fast experimentation without the lingering penalty for poorly allocated capital if a project doesn’t succeed in attaining its goals. However, there is a significant benefit that we at Scalar believe the cloud offers to organizations – the opportunity to dramatically improve organizational controls and security posture.

Let’s be honest: no organization willfully has poor security, bad controls, terrible patch management strategies, and a lack of incident and breach response planning or capability. These problems exist inside many organizations for a series of reasonably common reasons (excuses).

  • Insufficient personnel time and skill to implement all of the controls desired
  • Perception that controls and protection mechanisms slow and get in the way of delivering business projects
  • Insufficient funding for all of the necessary elements inside a comprehensive security strategy
  • Lack of tooling or out-dated security tooling that can’t quickly adapt to the whims of the developer community

Luckily for all of us, the adoption of large-scale cloud-based solutions can help address each of these elements and open a golden opportunity to significantly improve corporate controls and security standards. Unfortunately, while cloud-based solutions can help on all of these fronts, poorly executed cloud-based technologies can also exacerbate each of these problems. Let’s look at each one of them:

  • Insufficient personnel time and skill to implement all of the desired controls

Cloud technologies beautifully assist in this problem, mainly by reducing the organizational investment needed (both in operating cost and people time) for general “keep the lights on” operations of a data centre and server/storage systems. With a good adoption of cloud technologies, an organization can significantly reduce the amount of time spent on configuring hardware components, managing hardware lifecycles, and in some cases even managing base application and connectivity services such as queuing services, base database configuration, etc. This frees up people and money to invest in security skills and personnel to work alongside developers and remaining operations staff to help ensure proper controls are in place.

  • Perception that controls and protection mechanisms slow and get in the way of delivering business projects

With the time saved by eliminating daily base infrastructure management tasks, combined with the savings from having a streamlined procurement cycle (approval to instantiation of a resource now measured in minutes or hours, vs. days, weeks or even months!), organizations gain the time and ability to properly embed security professionals with application teams and development teams so that security architecture and controls become part of the initial design phase, rather than the inevitable “here, we have an architecture for a great new app, now help us secure it… by next week!” which all too many organizations face today. The power of cloud-based development for organizations is not being able to take an application from ideation to production in days or weeks vs. months and years in a traditional model – it is being able to deliver that application to clients and users not only far quicker than before but also much better architected and much more adaptable – both in application design and security design.

  • Insufficient funding for all of the necessary elements inside a comprehensive security strategy

This is probably the most obvious of all the advantages of moving your organization into cloud technologies. While cloud is often touted as saving money (and in many cases this is true), the main benefit is aligning the cost of delivering a service with that service itself. In large shared services organizations and data centres, peeling back the layers of the onion to figure out whether you are spending money on applications driving value, and spending money on security tooling and process to protect materially at-risk elements of the business, is near impossible. In a compartmentalized, on-demand environment driven by cloud-based services, you can see and ensure your investments in security are protecting things that need security, and you can ensure your investments in applications and services are proportional to their benefit or your need. Any time any of these spending metrics falls out of alignment, it is immediately visible (to those who look) because of the fine-grained costing associated with cloud services. This allows executive teams and budget owners to have much higher precision and control over spend, ensuring money is there to secure the most valuable applications and data.

Finally, my favourite problem:

  • Lack of tooling or out-dated security tooling that can’t quickly adapt to the whims of the developer community

Who among us hasn’t at one point run into this challenge as we continue to progress our internal or external applications and services for our clients? Being honest, this challenge happens in almost every organization. Investing in new tooling roll-outs and massive evaluation programmes is painful, and for many organizations this is done rarely. If you are lucky, you review your tooling standards every few years. For many organizations that might be twice, or even once a decade. We implement large-scale tools and then stick with those investments to drive the value out of the effort put into them. Raising the spectre that tooling or methods might no longer be “best of breed” is typically met with derision and a “just deal with it” attitude from non-security personnel.

Embracing an enterprise-wide approach to cloud opens the possibility of raising the tooling issue anew and being met with less resistance. We all know we must adopt new approaches to be successful in cloud transformation – by extension we all get to adopt new approaches to security in that transformation as well. As architects, we all get to reflect on several decades of security lessons and learning and no longer take a mere incremental approach to improvement. Along with wholesale enterprise transformation of applications and services to support cloud capabilities we can, and should, be considering wholesale security transformation as well. Cloud encourages compartmentalization and microservices. By that very statement we can encourage compartmentalization of data into better classified buckets, we can embrace microservices with a matching set of fine-grained governance and control mechanisms. Leaders in cloud adoption also attribute their success to a broader adoption of automation throughout the enterprise – and this too offers the opportunity to better address security through marrying automation to controls and validation mechanisms – more quickly identifying outlier problems and behaviours, both of which represent security risks.

Overall, while October is Security Awareness month, I would argue that the dramatic increase in interest and adoption of cloud technologies through the remainder of this year and into 2017 represents the greatest opportunity for “Security Architecture Improvement” that I have witnessed in my career. We have the rare opportunity, with both technology and executive support, to revolutionize every area of our businesses, turn over every rock, and not accept anything other than complete transformation. As an industry, let’s make the most of it.