Swim Or Die In The Cloud
Originally published on LinkedIn, September 18, 2016; also found at the Cavirin Blog
Cloud Computing: Where is it? What is it?
Cloud computing, on its own, is a benign concept, identified as having five attributes:
- priced according to recurring subscriptions or usage-based charges, rather than having an up-front cost.
- delivers IT capabilities that scale with demand, rather than being defined by a fixed set of assets.
- is delivered as a well-defined service, instead of as a product that needs system administrators and maintenance.
- is typically based on the open Internet technology, which increases its interoperability.
- enables resources to serve multiple needs for multiple consumers, rather than dedicating resources to individual infrastructure, software, or platforms.
- Virtualization: abstracts compute services away from their physical hardware and allows them to be treated as data. (The technology)
- Cloud: builds on this abstraction by allowing services to be flexible, sourced from a number of providers and delivered over a number of channels. (The business)
- Asset Efficiency: the resulting savings from buying, housing, and supporting fewer devices (a.k.a. the benefit of virtualization).
To some extent, the concept of cloud computing is as old as Generation X, rooted in the simple delivery of computing resources via a global network. There were major milestones that we all can recall: the start of Salesforce.com (a major SaaS provider), the onset of Web 2.0 ("two-Oh!"), and the whole exercise of declaring the "Two Oh" of everything. Perhaps nothing impacted us more than the launch of Elastic Compute Cloud, EC2. We gathered by the hundreds of thousands to hear and learn about the emergence of Amazon's S3 storage, the first major infrastructure as a service (IaaS). Very quickly, cloud storage became mainstream in enterprise data centers worldwide, and with it came some of the largest disasters ever known in computing history. Despite this, the benefits outweighed the risks.
Unlike any previous evolution in computing, the emergence of cheap, functional applications (the SaaS revolution) overran methodical IT shops. The obvious business benefits ruled the day. Shadow IT met the needs of literally every department. The agility of doing things without IT's support, however, would more often than not resoundingly backfire. The clear need for cloud governance was quickly overtaken by the threat of cyber attack, and cybersecurity became the leading reason for controls and oversight to align the worlds of virtualization, cloud, and the principles of IT governance, especially security configuration controls.
It is no longer a matter of "if" companies will leverage the cloud, but a matter of how. Data Center Operations has worked to identify types of major risk in the development of Private and Hybrid Cloud infrastructure. The evolution of configuration, equipment, network and site-based risk management has, in fact, been keeping pace.
Things got real when mainstream developers jumped on board. With the capacity to provision development environments on demand, the Software Development Lifecycle (SDLC) was turned inside out. The agile revolution meant that in-house shops would begin to build and deploy the way millennials (children) consumed: quickly, without a need for oversight, meeting immediate needs with little regard for big-picture implications. And that was a good thing, really.
Cloud computing is still easily the highest-rated topic in current technology design, implementation, and control. No successful enterprise will circumvent the use of virtualization. In fact, it is unlikely that any business today can accurately claim to be virtualization-free, which makes understanding the risk model all the more critical.
Is the state of cloud computing today closer to the promise of liberation, or are we increasingly experiencing less control and freedom as our business model comes closer and closer to the life of a shark? Swim or die.
BENEFITS IN CLOUD COMPUTING ARE DIRECTLY ASSOCIATED WITH THE TYPE OF CLOUD SERVICE, OR VIRTUAL SERVICE, AND WITH THESE OPPORTUNITIES, THERE ARE NEW FACTORS TO BE ADDED TO A COMPANY'S RISK.
The Center for Internet Security states that up to 80% of cyber attacks could be prevented by five simple actions:
- Maintaining an inventory of authorized and unauthorized devices
- Maintaining an inventory of authorized and unauthorized software
- Developing and managing secure configurations for all devices
- Conducting continuous (automated) vulnerability assessment and remediation
- Actively managing and controlling the use of administrative privileges
As identified by ISACA (Information Systems Audit and Control Association), the following attributes of cloud computing should be categorized under Business Impact and Risk:
Applications processed in the cloud have similar implications for the business as traditional outsourcing. These include:
- Loss of business focus
- Solution failing to meet business and/or user requirements; not performing as expected; or not integrating with strategic IT plan, information architecture, and technology direction
- Incorrect solution selected or significant missing requirements
- Contractual discrepancies and gaps between business expectations and service provider capabilities
- Control gaps between processes performed by the service provider and the organization
- Compromised system security and confidentiality
- Invalid transactions or transactions processed incorrectly
- Costly compensating controls
- Reduced system availability and questionable integrity of information
- Poor software quality, inadequate testing and high number of failures
- Failure to respond to relationship issues with optimal and approved decisions
- Insufficient allocation of resources
- Unclear responsibilities and accountabilities
- Inaccurate billings
- Litigation, mediation or termination of the agreement, resulting in added costs and/or business disruption and/or total loss of the organization
- Inability to satisfy audit/assurance charter and requirements of regulators or external auditors
Common infrastructure benefits focus on availability, efficiency, and recovery. Still, with benefits and opportunities, there will also be Technology, Compliance, Licensing and Security Risks.
The introduction of virtualization brings many changes that need to be reflected in the tools that administrators use to manage systems. Some examples of the types of changes that need to be addressed include:
- Servers and workstations are no longer tied to a particular, known location.
- Releasing software patches is different in a virtual environment.
- Backup and restore run from a central location rather than on the machine itself.
- Monitoring tools that are used to correlate hardware and software events may no longer understand where dependencies lie.
- In addition, each virtual platform has its own management tools, which need to be integrated into operations.
WHAT COULD GO WRONG?
The mismanagement of recommended configurations is both within and beyond our locus of control; either way, cloud breaches damage everyone's brand. Laws place increasing responsibility on all consumers of the cloud to exercise accountable oversight of their cloud service providers, i.e. dependency responsibilities.
- Reputation is a new target for cyber attacks
- Criminals value our information – financial, health, critical infrastructure
- Cyber risk is challenging to understand and address, and increased regulation is being imposed
- The changing pace of technology increases unknown dependency on third parties and shadow IT
- We cannot trace or control our data – data exfiltration occurs
- The role of government and information custody is often misunderstood
How an Elastic Security Compliance Platform Can Help
COMPLIANCE IN ANY ENVIRONMENT
- Cloud Native platform supporting 12-factor patterns (things like port binding, logs, concurrency…)
- A “hyperplane” of integrated “risk assessment” amongst segmented vulnerability domains
- Works with Private, Hybrid, and Public Clouds
- Supports AWS, Azure, and GCP (Google Cloud Platform)
- Manages thousands of out-of-box policies, well curated and certified (SCAP, XCCDF, OVAL)
- Supports current compliance authorities (PCI DSS, HIPAA, NIST, SOC 2, FedRAMP, CIS Benchmarks, DISA, CIS CSC, CSF)
- Uses CIS-certified security content (multiple OSes, Docker, AWS Cloud)
- Complies with DISA standards in all aspects of delivery and reported results
- Know the critical assets and who’s responsible for them
- Get everyone involved in cyber-resilience
- Assure they have the knowledge and autonomy to make good decisions
- Be prepared for both unsuccessful AND successful attacks
- Prevent a cloud-enabled cyber-attack from throwing your organization into complete chaos.
All things being equal, cloud service environments put tremendous control in the hands of the consumer. This can make for a very bad cloud.
Cavirin offers industry-leading Automated Assessment & Reporting (AAR), the Automated Risk Analysis Platform (ARAP), and Compliance as a Service. ARAP together with AAR offers continuous risk visibility through scanning of a corporate network, signaling issues and automatically discovering new IT assets. Effective auto-discovery in on-premise, cloud, and containerized infrastructures is the cornerstone of asset risk assessment. Automated asset discovery ensures round-the-clock analysis, risk identification and reporting, greatly reducing the need for additional manned resources. Cavirin’s ARAP and AAR augment the standard GRC tool by replacing the manual, tedious process of establishing information security baselines with automated, industry-expert-qualified interpretation and remediation guidance. Cavirin’s solution closes the gap between written corporate policy and the configuration necessary to prove system policy alignment.
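The platform features listed earlier name SCAP, XCCDF and OVAL as the formats for curated policies, and the paragraph above describes turning scan results into continuous risk reporting. The script below is an added example, not Cavirin's code and not tied to its product: it uses only the Python standard library to read a constructed, minimal XCCDF 1.2 `TestResult` fragment (the benchmark id, rule ids, titles, weights, target name and results are all invented) and produces the kind of report such a tool generates, a weighted score plus the failed rules ordered by severity.

```python
"""Tally an XCCDF 1.2 TestResult into a compliance report.

Added example (not from the article or from Cavirin). The sample document is
constructed and deliberately minimal; it is not a schema-complete benchmark.
"""
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}   # XCCDF 1.2 namespace
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}
# rule-result values that do not count toward the score
NOT_SCORED = {"notapplicable", "notselected", "notchecked", "informational"}

# Constructed sample: four rules and one TestResult for one host (all values invented).
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <Rule id="xccdf_org.example_rule_ssh_no_root" severity="high" weight="10.0">
    <title>Disable SSH root login</title>
  </Rule>
  <Rule id="xccdf_org.example_rule_ssh_no_password" severity="medium" weight="5.0">
    <title>Disable SSH password authentication</title>
  </Rule>
  <Rule id="xccdf_org.example_rule_ntp_enabled" severity="low" weight="1.0">
    <title>Enable time synchronisation</title>
  </Rule>
  <Rule id="xccdf_org.example_rule_ipv6_router" severity="medium" weight="5.0">
    <title>Ignore IPv6 router advertisements</title>
  </Rule>
  <TestResult id="xccdf_org.example_testresult_demo">
    <target>web-01.example</target>
    <rule-result idref="xccdf_org.example_rule_ssh_no_root"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_ssh_no_password"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_ntp_enabled"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_ipv6_router"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def load_rules(root):
    """Map rule id -> metadata (title, severity, weight) from the Benchmark's Rule elements."""
    rules = {}
    for rule in root.iter(f"{{{NS['x']}}}Rule"):
        rules[rule.get("id")] = {
            "title": rule.findtext("x:title", default="", namespaces=NS),
            "severity": rule.get("severity", "unknown"),
            "weight": float(rule.get("weight", "1.0")),   # XCCDF default weight is 1.0
        }
    return rules


def parse_report(xml_text):
    """Return pass/fail counts, a weighted score and failed rules sorted by severity."""
    root = ET.fromstring(xml_text)
    rules = load_rules(root)
    test_result = root.find("x:TestResult", NS)
    report = {
        "target": test_result.findtext("x:target", default="", namespaces=NS),
        "pass": 0, "fail": 0, "excluded": 0, "failed_rules": [], "score": 0.0,
    }
    earned = possible = 0.0
    for rr in test_result.findall("x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS)
        rule_id = rr.get("idref")
        rule = rules.get(rule_id, {"title": "", "severity": "unknown", "weight": 1.0})
        if result in NOT_SCORED:
            report["excluded"] += 1
            continue
        possible += rule["weight"]
        if result in ("pass", "fixed"):
            earned += rule["weight"]
            report["pass"] += 1
        else:   # fail, error and unknown all count against the host
            report["fail"] += 1
            report["failed_rules"].append((rule["severity"], rule_id, rule["title"]))
    report["score"] = round(100.0 * earned / possible, 1) if possible else 0.0
    report["failed_rules"].sort(key=lambda f: SEVERITY_ORDER.get(f[0], 99))
    return report


if __name__ == "__main__":
    r = parse_report(SAMPLE_XCCDF)
    print(f"{r['target']}: score {r['score']} ({r['pass']} pass, {r['fail']} fail, {r['excluded']} excluded)")
    for severity, rule_id, title in r["failed_rules"]:
        print(f"  [{severity}] {rule_id}: {title}")
```

Two details matter for a report like this: results such as `notapplicable` are excluded from the denominator rather than counted as passes, so the score is not inflated, and `error` and `unknown` are treated as failures so a check that could not run is surfaced instead of hidden. For result files received from systems you do not control, parse them with a hardened parser such as `defusedxml` rather than `xml.etree` directly.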
SERVICE LEVEL FACTORS CONTROLLED VIA CAVIRIN ARAP AND AAR - BETTER CLOUD
INFORMATION FACTORS CONTROLLED VIA CAVIRIN ARAP AND AAR - AND EVEN BETTER CLOUD
SOFTWARE AS A SERVICE FACTORS CONTROLLED VIA CAVIRIN ARAP AND AAR - NOT SO BAD CLOUD
PLATFORM AND INFRASTRUCTURE AS A SERVICE FACTORS CONTROLLED VIA CAVIRIN ARAP AND AAR - ACTUALLY, PRETTY GOOD CLOUD
ABOUT EnterpriseGRC Solutions
EnterpriseGRC Solutions is empowered to implement governance, security, risk, and compliance automation products and programs, emphasizing system-based policies specific to security settings for secure configuration management. EnterpriseGRC is a women-owned small business offering compliance readiness, Security & GRC tools, Enterprise Security Architecture, Cybersecurity Risk Assessment, and a wide variety of resources for security and GRC technology support. Founded in October 2002 as Phoenix Business and Systems Process, and rebranded in 2011 as EnterpriseGRC Solutions, the company is positioned to solve an organization's greatest cloud security and cyber challenges. True to its tagline "Simple Solutions to Complex Problems", the company offers pragmatic, remote and on-site web-enabled compliance implementation, training, strategy, management consulting, security and risk management services.
Cavirin is transforming the way IT security manages risk. Founded in 2012, Cavirin’s platform is a purpose-built agentless solution that deploys quickly to on-premises, cloud, and containerized infrastructures, helping organizations reduce complexity, become agile, and drive dramatic increases in efficiency with their risk and compliance programs. Leveraging continuous visibility and automated assessments, companies are empowered to make the right decisions faster. Cavirin’s Automated Risk Analysis Platform (ARAP) is a security and compliance fabric that provides continuous configuration evaluation with recommendations for alignment to industry standards and best practices, prioritizing systems and risk remediation efforts across complex hybrid IT infrastructures. Offering up-to-the-minute compliance assessments, Cavirin supplies audit-ready evidence as measured against every major regulatory and security best-practice framework.
ABOUT CENTER FOR INTERNET SECURITY
The Center for Internet Security, Inc. (CIS) is a 501(c)(3) nonprofit organization focused on enhancing the cybersecurity readiness and response of public and private sector entities, with a commitment to excellence through collaboration. CIS provides resources that help partners achieve security goals through expert guidance and cost-effective solutions.
DISA, a Combat Support Agency, provides, operates, and assures command and control, information sharing capabilities, and a globally accessible enterprise information infrastructure in direct support of joint warfighters, national-level leaders, and other mission and coalition partners across the full spectrum of operations.