As we wrote in The Future of Security, we believe the collision of cloud computing and mobility will disrupt and transform security. We started documenting the initial stages of the transformation, so we now turn our attention to how controls will be implemented as the technology space moves to an automated and abstracted reality. That may sound like science fiction, but these technologies are here now, and it is only beginning to become apparent how automation and abstraction will ripple outward, transforming the technology environment.
Change is hard, and we face a distinct lack of control over a number of areas, which is enough to give most security folks a panic attack. From an access standpoint IT can no longer assume ownership and/or the ability to control devices. Consumption occurs on user-owned devices, everywhere, and often not through corporate-controlled networks. This truly democratizes access to critical information. IT organizations must accept no longer controlling the infrastructure either. In fact they don’t even know how the underlying systems are constructed – servers and networks are virtual. Compute, storage, and networking now reside outside the direct control of staff. You cannot just walk down to the data center to figure out what’s going on.
As these two megatrends collide, security folks are caught in the middle. The ways we used to monitor devices and infrastructure no longer work. Not to the same degree, anyway. There are no tap points, and it is now prohibitively inefficient to route traffic through central choke points for inspection. Security monitoring needs to change fundamentally to stay relevant in the cloud age.
Our new blog series, Monitoring the Hybrid Cloud: Evolving to the CloudSOC, we will dig into the new use cases you will need to factor into your security monitoring strategy, and discuss the emerging technologies that can help you cope. Finally we will discuss migration, because you will be dealing with legacy infrastructure for years to come, so your environment will truly be a hybrid.
The Cloud Is Different
For context on this disruptive innovation we borrow from our Future of Security paper to describe how and why the cloud is different. And just in case you think these changes don’t apply to you, forget it. Every major enterprise we talk with today uses cloud services. Even some of the most sensitive and highly regulated industries, including financial services, are exploring more extensive use of public cloud computing. We see no technical, economic, or even regulatory issues seriously slowing this shift. The financial and operational advantages are simply too strong.
Defining ‘Cloud’: Cloud computing is a radically different technology model – it is not simply the latest flavor of outsourcing. The cloud uses a combination of abstraction and automation to achieve previously impossible levels of efficiency and elasticity. This, in turn, creates new business models and alters the economics of technology delivery and consumption.
Cloud computing fundamentally disrupts traditional infrastructure because it is more responsive, more efficient, and potentially more resilient and cost effective than the status quo. Public cloud computing is even more disruptive because it enables organizations to consume only what they need without overhead, while still rapidly adapting to changing needs at effectively infinite scale.
Losing Physical Control: Many of today’s security controls rely on knowing and managing the physical resources that underpin our technology services. This is especially true for security monitoring, but let’s not put the cart before the horse. The cloud breaks this model by virtualizing resources (including entire applications) into resource pools managed over the network. We give up physical control to standard network interfaces, effectively creating a new management plane. The good news is that centralized control is built into the model. The bad news is this is likely to destroy the traditional security controls you rely on. At minimum most of your existing operational processes will change fundamentally.
A New Emphasis on Automation: The cloud enables extreme agility, such as servers that exist only for minutes – automatically provisioned, configured, and destroyed without human interaction. Entire data centers can be spun up and operational with just a few lines of code. Scripts can automate what used to take IT staff weeks to set up physically. Application developers can check in a piece of code, which then runs through a dozen automated checks and is pushed into production on a self-configuring platform that scales to meet demand. Security can leverage these same advantages, but the old bottlenecks and fixed inspection points – including mandated human checks – are gone because a) they cannot keep up and b) architecting them in would slow everthing else down.
The cloud’s elasticity and agility also enable new operational models such as DevOps, which blurs the lines between development and operations, to consolidate historically segregated management functions, in orer to improve efficiency and responsiveness. Developers take a stronger role in managing their own infrastructure through heavy use of programming and automation through easily accessible APIs. DevOps is incredibly agile and powerful, but it contains the seeds of possible disaster for both security and availability, because DevOps condenses and eliminates many application development and operations check points.
Legacy Problems Fade: Some security issues which have plagued practitioners for decades are no longer issues in the cloud. The dynamic nature of cloud servers can reduce the need for traditional patching – you can launch a new fully up-to-date server and shift live traffic to and from it with API calls. Network segmentation becomes the default, as all new instances are in fixed security groups. Centralizing resources improves our ability to audit and control, while still offering ubiquitous access.
Monitoring Needs to Change
The entire concept of monitoring depends on seeing things. We need the ability to pull logs and events from the network and security devices protecting your environment. What happens when you don’t have access to those devices? Or they don’t work like the devices you are familiar with in your traditional data center? You need to reconsider your approach to security monitoring.
Later in this series we will talk about architectures and techniques to address this lack of visibility and device access, but for now suffice it to say that we we will need to instrument the other parts of the technology stack where we do have access.
But the fact is that it will take 10-15 years to fully realize the promise of cloud computing for the masses. We will need to support both traditional infrastructure and cloud-based resources for the foreseeable future. So one of your success criteria moving forward will be an ability to straddle both worlds and provide an end-to-end view of what’s happening – regardless of where the infrastructure and data actually reside.
Throughout this series we will harp on the need for coexistence and consistency to reflect this hybrid reality. You will need to ensure that your monitoring infrastructure supports an elegant migration to the cloud, without compromising your ability to monitor or manage.
This is where the CloudSOC terminology comes into play. We aren’t saying you will move your entire existing SIEM and other monitoring technologies to the cloud now – or perhaps ever. But you will have a monitoring infrastructure component in the cloud sooner than later, so you need to start thinking about how to architect your monitoring environment – to both take advantage of the inherent capabilities of cloud computing, and also monitor the infrastructure that resides in the cloud.
The Age of Analytics
Many of the requirements we identified in our SIEM 2.5 paper are still very much in play. These include detecting advanced malware attacks and figuring out whether mobile devices are accessing the right information within the environment. Those challenges are exacerbated by the need to monitor the hybrid cloud. Cloud systems generate plenty of event data, and technology exists that can perform advanced analytics on vast amounts of information, but these capabilities lag behind the latest threats, so you will need to carefully reconsider how to detect attacks in new environments. The only thing you can count on is that there will be more security data to analyze, so ensure your monitoring environment can scale and provide advanced analytics.
Finally, we need to acknowledge compliance. It is not yet clear how compliance will affect cloud adoption. We don’t think any regulation will be able to derail the cloud juggernaut, but it would be naive to expect assessors to just sign off on protected data being moved into shared environments without proper controls and oversight. That puts security monitoring squarely on the critical path for moving these key functions to the cloud.
So the only clarity is that monitoring needs to be able to provide end-to-end visibility of all protected assets and data… regardless of whether the data resides in a traditional data center, a private cloud, or public cloud infrastructure. So compliance needs to address all these environments. Your assessor couldn’t care less whether you buy and provision servers yourself or spin them up using cloud auto-scaling. If devices can access protected or sensitive data, you need to be able to substantiate controls.
With that we are off and running with Monitoring the Hybrid Cloud. We would like to thank IBM Security Systems as the initial licensee. We wouldn’t be surprised if some other folks come onboard later on as we flesh out this series. Our next post will dig into some key use cases which are impacted by the hybrid cloud