In the early days of cloud computing, the goal was simply to move some workloads to the cloud. Next, companies realized that whatever they moved to the cloud had to be secured. As time went by, nearly everything moved to the cloud, including data that not only had to be secured but also had to comply with one or more regulations.
As more and more workloads migrate to the cloud, the need to protect the data there and keep it in compliance has grown with them. Today, many organizations run most or all of their workloads in the cloud. So it is no longer just about security and compliance; it is about being able to scale security and compliance.
To support scalability in the cloud, you need to make things as hands-off as possible; you need to be able to accommodate all the different kinds of infrastructure — including multiple cloud service providers (CSP) — and you need complete visibility of what’s going on.
In this article we briefly discuss four essential capabilities that meet these objectives and facilitate scalability for cloud security and compliance: 1) agentless discovery; 2) cross-stack references; 3) multi-cloud deployment; and 4) context-aware security.
You can’t scale security and compliance in the cloud if you don’t know what you have there. You’re going to need an up-to-the-minute inventory. As your cloud presence grows, however, you’re faced with two challenges. First, there’s a lot of inventory to discover and second, much of what you need to discover is fleeting — as VMs and containers can get spun up and shut down quickly in response to workload demands. Visibility into your cloud environment is critical for assessing vulnerabilities, detecting threats and identifying risks.
There are two approaches to inventory discovery: agent-based and agentless. An agent is a small piece of software installed on the infrastructure itself, such as hosts, servers and endpoints, that gathers information about them and relays it to a central database for reporting. Agentless discovery, as the name suggests, produces the same inventory without installing software on your infrastructure; in the cloud it typically does so by querying the cloud provider's own APIs, which already know about every VM, container, storage bucket and network that has been created in the account.
When you only have a small inventory of physical infrastructure, installing agents isn't much of a burden. But as the inventory grows, and much of it is virtual and short-lived, agents cannot be installed fast enough to catch every instance before it is gone, and the practical way to scale discovery in support of security and compliance is agentless. One caveat worth keeping in mind: agentless discovery sees what the control plane knows (what exists, how it is configured and how it is exposed), not what is running inside a host, so where runtime telemetry from inside the workload is required it complements rather than replaces an agent.
As technologies mature, eventually processes move to the template phase. Here the template is used as a starting point for a new deployment, thereby avoiding the need to “start from scratch”. Cloud deployments have matured to the template phase, which aids in the ability to scale security and compliance.
In Amazon Web Services (AWS), these templates are CloudFormation templates. A CloudFormation template describes your desired resources and their dependencies so you can launch and configure them together as a unit called a stack.
What would make things even more scalable is the ability to build a single CloudFormation stack of shared resources and have multiple workloads use it, rather than rebuilding the same resources in a separate stack for each workload. That is where cross-stack references come in.
In AWS, cross-stack references let you use a layered or service-oriented architecture. Instead of including all resources in a single stack, you create related AWS resources in separate stacks, export the outputs other stacks need, and import those outputs where they are required. In other words, you create a resource once, like a security group, and every workload stack references it. That is how you scale for security and compliance using cross-stack references: the shared control is defined and audited in one place, and CloudFormation will not delete an exported resource while another stack still imports it, so it cannot be removed out from under the workloads that depend on it. Note that exports are scoped to a single account and region, so a shared stack must be deployed in each account and region where its outputs are consumed.
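The following pair of templates is an added example, not code from the original article or from AWS documentation, showing the export/import mechanism just described. The stack names, export names, CIDR block and parameter values are hypothetical choices made for this illustration; only the CloudFormation resource types, intrinsic functions and the Export/ImportValue syntax are real. The first template is the shared "producer" stack that creates one security group; the second is a "consumer" workload stack that imports it instead of defining its own.

```yaml
# network.yaml
# Producer stack: creates the shared security group once and exports its ID.
AWSTemplateFormatVersion: "2010-09-09"
Description: Shared network controls (added example; names are hypothetical)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
Resources:
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS only from the load-balancer subnet
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 10.0.0.0/24        # constructed example CIDR for the LB subnet
Outputs:
  AppSecurityGroupId:
    Description: Security group ID that every workload stack should import
    Value: !Ref AppSecurityGroup
    Export:
      # Export names must be unique within an account and region, so the
      # stack name is folded in to avoid collisions with other stacks.
      Name: !Sub "${AWS::StackName}-AppSecurityGroupId"

---
# workload.yaml
# Consumer stack: reuses the exported security group instead of creating one.
AWSTemplateFormatVersion: "2010-09-09"
Description: Example workload that imports the shared security group
Parameters:
  NetworkStackName:
    Type: String
    Default: shared-network        # hypothetical name given to the producer stack
  ImageId:
    Type: AWS::EC2::Image::Id
  SubnetId:
    Type: AWS::EC2::Subnet::Id
Resources:
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro
      SubnetId: !Ref SubnetId
      SecurityGroupIds:
        # Fn::ImportValue resolves the export created by network.yaml.
        # If the export does not exist in this account and region, the
        # deployment fails rather than silently launching an unprotected host.
        - Fn::ImportValue: !Sub "${NetworkStackName}-AppSecurityGroupId"
```

Deploy the producer first (for example with `aws cloudformation deploy --stack-name shared-network --template-file network.yaml --parameter-overrides VpcId=<your VPC ID>`), then each workload stack. Because every workload references the same security group ID, tightening an ingress rule in network.yaml changes the exposure of all of them at once, and an attempt to delete the shared-network stack while any workload stack still imports the export is rejected by CloudFormation.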
Most companies operate more than one cloud, and there is a good reason for that: it makes good business sense. Rarely does one cloud service provider (CSP) excel at everything. And even if one did, it is frequently more cost effective to assign different workloads to different clouds based on each CSP's pricing. Ultimately, multi-cloud maximizes the opportunity to optimize for cost and performance.
The implication is that scaling security and compliance must address multi-cloud. That means security assessments must be multi-cloud and compliance audits must be multi-cloud. Implicit in multi-cloud is the necessity of a more holistic approach to security: it is important to consider not only the severity of a risk, but also its potential impact on availability and on the business itself.
Multi-cloud deployments also mean that the tools and strategies you use to assess and manage your clouds must be chosen for their flexibility to work across different cloud environments. This is especially important as you scale, because misconfiguration of cloud services is consistently among the leading causes of cloud security and compliance failures.
Context-aware security is the use of supplemental information to improve security decisions at the time they are made, resulting in more accurate security decisions capable of supporting dynamic business and IT environments. Important context information to security and compliance includes IP address, device type, URL and threat context, among others.
You cannot respond to every alert, especially in a multi-cloud environment, so it’s helpful to be able to filter on only the most critical security risks. The idea is to take advantage of metadata, typically by using APIs, to create a more context-aware vulnerability assessment which encompasses all your clouds.
In large cloud or multi-cloud environments, it is neither advisable nor practical to consider workloads in a vacuum. By combining all the workloads in all your clouds and analyzing the threats, vulnerabilities and risks in a context-aware manner, you produce more meaningful and actionable insights, which ultimately drive better business decisions.
Cloud adoption is still accelerating, and security and compliance need to keep up. The key to scalability is to take advantage of technologies that scale themselves. The four capabilities described here all do that.
Agentless discovery eliminates the need to install and maintain agents across a constantly changing inventory. Cross-stack references eliminate the need to create redundant resource stacks, so a shared control is defined and audited once. Multi-cloud tooling lets one set of assessments and audits cover every provider you use. And context-aware security reduces the flood of alerts to the ones that matter, so security and compliance professionals can focus on the most critical risks. Incorporate these four essentials to properly scale your cloud security and compliance.
If you’d like to learn more about securing your cloud networks and applications, please request a demo to learn how to get started.