Attain Embedded Cloud Security With a DevSecOps Approach

December 2, 2019 | Co-authored by Hidde van der Meulen

In recent years, a high number of security breaches and data leaks have occurred, ranging from minor disruptions to high-impact hacks. Fortunately, organizations seem to be realizing the importance of cybersecurity, which has been confirmed by Gartner research into growing expenditures around security worldwide, including significant contributions to security defenses.

Prevention is often more effective and cheaper than acting after security breaches, and it can help build trust and improve the reputation of the organizations involved. Security should be considered an ongoing process, as the methods that attackers employ are evolving in line with the technologies and infrastructure at modern organizations. Lastly, there is a need for careful evaluations when organizations consider new technologies, such as cloud computing.

Securely Moving to the Cloud

Gartner predicted that cloud data centers will process 92 percent of workloads by 2020. This isn’t surprising, as cloud computing offers many benefits, including reduced costs, fully managed environments, smart geographic distribution of workloads and data, and automatic scaling when the workload increases at peak times. Cloud computing is typically offered by a cloud service provider (CSP) who agrees on the configuration, level of service and cloud management with the customer.

The CSP can offer virtual environments that can be managed at several levels, generally known as software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS). These levels range from simply preconfigured and managed applications, such as a simple web server (SaaS), to an extensive network of multiple virtual machines and parallel running services, configured and managed by the customer (IaaS). The latter provides the customer with increased freedom and control over the environment, which inherently increases their security control and responsibilities.

Cloud SaaS offerings are fully managed services that come with the least flexibility and responsibility for the customer, while IaaS offerings are least managed by the cloud provider and provide the customer with more freedom in configurations.

Companies can select private cloud solutions, which can be seen as the on-premises infrastructure for running containerized applications without sharing computing resources. By contrast, a public cloud solution is a multitenant environment where server resources are shared with other customers’ containerized environments. These environments can easily and quickly scale to adapt to peaks in application usage, for example.

Organizations typically move to cloud environments gradually, moving over distinct components of their processes, services and resources. Consequently, they can transition through or end up with complex cloud solutions. In practice, hybrid solutions involving private and public cloud elements are common. The complexity of these environments often increases when services from multiple cloud providers are used in parallel for a multicloud solution.

Unique Challenges in Securing the Cloud

The recent surge of security breaches could be explained by the growth of online platforms in conjunction with the large-scale adoption of cloud computing. Moving to the cloud does not mean that websites, applications or other services are automatically secure or that the responsibility is transferred to the CSP. Cloud and traditional security ultimately have the same goal. Yet the implementation and required mindset for securing cloud environments are different.

“Traditional security is not ready for cloud environments, yet organizations often apply those approaches. Because of the speed, agility and scale of the cloud, these traditional security mechanisms don’t always work. An additional challenge is helping clients understand these limitations.” — Richard Hendrick, IBM senior managing consultant and cloud security architect

CSP Service Levels

A number of important factors should be considered when an organization chooses a CSP and the service level. CSPs and their services can adhere to privacy and security frameworks or regulations such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA).

Organizations within certain industries such as the medical or financial sectors are encouraged or obliged to choose CSPs that meet the regulations and frameworks, including strict rules dictating where data can be stored geographically and what type of encryption standards are required when data is processed. CSPs also provide options for security controls to detect or prevent attacks, which need to be considered when an organization is choosing a service. Additionally, CSPs publish compliance and audit reports detailing their data processing and security practices. These reports can provide further guidance during the CSP selection process.

Who Is Responsible for Cloud Security?

When a CSP is chosen and the service is initiated, the CSP and the customer are both responsible for the security of the cloud environment. When using the SaaS and PaaS models, the CSP is often responsible for physical security, patching and configuration management. In the IaaS model, the customers get a higher degree of control over the environment and typically need to manage aspects of security themselves.

Managing security becomes more complicated in hybrid or multicloud scenarios, where orchestration of the various security policies and responsibilities between multiple providers can be a challenge and the boundaries of responsibilities are unclear. A clear division of responsibilities and documentation of policies should be defined and understood by all stakeholders.

What Apps and Services Are Running?

Complex cloud environments also increase the difficulty of tracking which applications and services are running. This can make it challenging to implement adequate security measures, determine if all software is safe and up-to-date and confirm compliance with regulations. Several of the most high-impact breaches over the past few years were related to this problem. To manage this risk, companies often seek specialized tools and expert knowledge.

“Large enterprises struggle to have an asset inventory of what services they have running, especially in multi- and hybrid cloud environments — this is the biggest challenge. Chief information security officers often ask us to discover what they have and what they don’t have as far as security is concerned. Therefore, we start with a discovery and an assessment of what sort of security controls are in place.” — Abhijit Chakravorty, IBM partner and cloud security competency leader

Non-Technical Challenges

Moving to the cloud goes beyond technical implementation. There is a need for significant changes in the workflow. For example, cloud environments, services and applications can be quickly updated or changed with a click of a button, and traditional security solutions would lag behind these quick deployments. As a solution, organizations should implement a DevSecOps approach with the aim of adjusting processes and mindsets toward more fast-paced, collaborative and iterative operations with a consistent focus on security at each step.

Similarly, it is recommended that organizations implement a security by design approach, which can result in embedded security throughout processes and products at an early stage. This can support more solid, integral security rather than a system that relies on adding security patches as an afterthought.

“Instead of releasing changes weekly or quarterly, developers of companies are now releasing thousands of code updates a day. Many traditional security mechanisms cannot keep up with this pace. It’s not just moving your workload to the cloud, including your infrastructure and your applications. It is also a change in the way of working.” — Richard Hendrick, IBM senior managing consultant and cloud security architect

The complex nature of cloud environments, the processes around managing the environments and the shared responsibility should not be underestimated, and they require a careful approach toward security. Although the challenges above are important, additional technical challenges should also be taken into account. Organizations using or considering cloud solutions are advised to hire appropriate expertise or consider outsourcing their security responsibilities to specialists. Further, it is likely that additional expertise will be required to analyze the case-specific and delicate balance between acceptable risk and cybersecurity expenditures in cloud environments.

Where Is Cloud Security Heading?

With technology developing at what appears to be an ever-increasing pace, the future seems promising with room for technological breakthroughs. Cloud service providers are investing heavily in security innovation. Prominent areas of development include artificial intelligence (AI) and machine learning (ML).

By investing in AI and ML, cloud providers aim to automate their security to minimize human intervention and human error, which were the causes of many security risks in the past. AI and ML are also being implemented to analyze vast amounts of data and security incidents to identify threats and predict potential attacks more accurately — for example, by identifying a cryptojacked container via abnormal patterns in the billing history of that container.
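The billing-history idea above, as an added example that is not part of the original article: a plain statistical baseline (median and MAD) rather than the ML a provider would run, flagging containers whose daily cost stays far above their own history. The container names, cost figures, thresholds and function names are all constructed assumptions.

```python
from statistics import median

# Constructed sample data: daily billed cost (USD) per container, oldest first.
BILLING = {
    "web-frontend": [4.1, 3.9, 4.3, 4.0, 4.2, 4.1, 4.4, 4.0, 4.2, 4.3],
    "batch-report": [1.0, 1.1, 0.9, 1.0, 1.2, 1.0, 1.1, 6.5, 1.0, 0.9],
    "img-resizer":  [2.0, 2.1, 1.9, 2.0, 2.2, 2.1, 9.8, 10.4, 11.1, 10.9],
}

def robust_z(value, baseline):
    """Modified z-score: distance from the baseline median in MAD units."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    # Floor the scale so a perfectly flat baseline does not divide by zero.
    scale = max(1.4826 * mad, 0.05 * max(med, 0.01))
    return (value - med) / scale

def flag_containers(billing, baseline_days=6, threshold=3.5, min_run=3):
    """Return {container: longest run of anomalous days} for sustained jumps.

    Requiring min_run consecutive days separates continuous extra load
    (the cryptojacking pattern) from a one-day spike such as a batch job.
    """
    flagged = {}
    for name, costs in billing.items():
        baseline, recent = costs[:baseline_days], costs[baseline_days:]
        run = best = 0
        for cost in recent:
            run = run + 1 if robust_z(cost, baseline) > threshold else 0
            best = max(best, run)
        if best >= min_run:
            flagged[name] = best
    return flagged

if __name__ == "__main__":
    for name, days in flag_containers(BILLING).items():
        print(f"{name}: cost above baseline for {days} consecutive days")
```

A flag here is a lead for investigation, since a sustained cost increase can also come from legitimate traffic growth or a resizing of the workload.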

“Much of threat detection is based on AI and ML. Additionally, a lot of automation would be on provisioning preventive security controls, to make sure that as soon as a machine is added to a cloud environment, it is automatically being monitored by a security information and event management (SIEM) system. Hereby, it has an endpoint security configuration that is set to the kind of workload that this machine will be hosting.” — Abhijit Chakravorty, IBM partner and cloud security competency leader

Cloud security is predicted to bring more seamless security, including better security integration among CSPs and their services and applications. There are specialized companies and tools to assist in streamlining the development and deployment of workflows, which can facilitate a DevSecOps approach that integrally embeds security in fast-paced cloud environments. This ensures that there is an overview of the environment and a complete security solution at all times. Given these and other developments, it is important that CSPs, their customers and especially security teams are aware of the latest policies, tools and approaches to stay competitive.

Kim de Vries
Security Consultant, IBM

My multicultural background (Dutch and Brazilian) led me to study in an international environment as an honours student, where I increased my cultural awaren...