Monitoring the Hybrid Cloud: Evolving to the CloudSOC [New Series]
As we wrote in The Future of Security, we believe the collision of cloud computing and mobility will disrupt and transform security. We started documenting the initial stages of the transformation, so we now turn our attention to how controls will be implemented as the technology space moves to an automated and abstracted reality. That may sound like science fiction, but these technologies are here now, and it is only beginning to become apparent how automation and abstraction will ripple outward, transforming the technology environment. Change is hard, and we face a distinct lack of control over a number of areas, which is enough to give most security folks a panic attack. From an access standpoint IT can no longer assume ownership and/or the ability to control devices. Consumption occurs on user-owned devices, everywhere, and often not through corporate-controlled networks. This truly democratizes access to critical information. IT organizations must accept no longer controlling the infrastructure either. In fact they don’t even know how the underlying systems are constructed – servers and networks are virtual. Compute, storage, and networking now reside outside the direct control of staff. You cannot just walk down to the data center to figure out what’s going on. As these two megatrends collide, security folks are caught in the middle. The ways we used to monitor devices and infrastructure no longer work. Not to the same degree, anyway. There are no tap points, and it is now prohibitively inefficient to route traffic through central choke points for inspection. Security monitoring needs to change fundamentally to stay relevant in the cloud age. Our new blog series, Monitoring the Hybrid Cloud: Evolving to the CloudSOC, we will dig into the new use cases you will need to factor into your security monitoring strategy, and discuss the emerging technologies that can help you cope. Finally we will discuss migration, because you will be dealing with legacy infrastructure for years to come, so your environment will truly be a hybrid. The Cloud Is Different For context on this disruptive innovation we borrow from our Future of Security paper to describe how and why the cloud is different. And just in case you think these changes don’t apply to you, forget it. Every major enterprise we talk with today uses cloud services. Even some of the most sensitive and highly regulated industries, including financial services, are exploring more extensive use of public cloud computing. We see no technical, economic, or even regulatory issues seriously slowing this shift. The financial and operational advantages are simply too strong. Defining ‘Cloud’: Cloud computing is a radically different technology model – it is not simply the latest flavor of outsourcing. The cloud uses a combination of abstraction and automation to achieve previously impossible levels of efficiency and elasticity. This, in turn, creates new business models and alters the economics of technology delivery and consumption. Cloud computing fundamentally disrupts traditional infrastructure because it is more responsive, more efficient, and potentially more resilient and cost effective than the status quo. Public cloud computing is even more disruptive because it enables organizations to consume only what they need without overhead, while still rapidly adapting to changing needs at effectively infinite scale. Losing Physical Control: Many of today’s security controls rely on knowing and managing the physical resources that underpin our technology services. This is especially true for security monitoring, but let’s not put the cart before the horse. The cloud breaks this model by virtualizing resources (including entire applications) into resource pools managed over the network. We give up physical control to standard network interfaces, effectively creating a new management plane. The good news is that centralized control is built into the model. The bad news is this is likely to destroy the traditional security controls you rely on. At minimum most of your existing operational processes will change fundamentally. A New Emphasis on Automation: The cloud enables extreme agility, such as servers that exist only for minutes – automatically provisioned, configured, and destroyed without human interaction. Entire data centers can be spun up and operational with just a few lines of code. Scripts can automate what used to take IT staff weeks to set up physically. Application developers can check in a piece of code, which then runs through a dozen automated checks and is pushed into production on a self-configuring platform that scales to meet demand. Security can leverage these same advantages, but the old bottlenecks and fixed inspection points – including mandated human checks – are gone because a) they cannot keep up and b) architecting them in would slow everthing else down. The cloud’s elasticity and agility also enable new operational models such as DevOps, which blurs the lines between development and operations, to consolidate historically segregated management functions, in orer to improve efficiency and responsiveness. Developers take a stronger role in managing their own infrastructure through heavy use of programming and automation through easily accessible APIs. DevOps is incredibly agile and powerful, but it contains the seeds of possible disaster for both security and availability, because DevOps condenses and eliminates many application development and operations check points. Legacy Problems Fade: Some security issues which have plagued practitioners for decades are no longer issues in the cloud. The dynamic nature of cloud servers can reduce the need for traditional patching – you can launch a new fully up-to-date server and shift live traffic to and from it with API calls. Network segmentation becomes the default, as all new instances are in fixed security groups. Centralizing resources improves our ability to audit and control, while still offering ubiquitous access. Monitoring Needs to Change The entire concept of monitoring depends on seeing things. We need the ability to pull logs and events from the network and security devices protecting your environment. What happens when you don’t have access to those devices? Or they don’t work like the devices you are familiar with in your traditional data center? You need to reconsider your approach to security monitoring.