Locking Down the Cloud: Freeing the Cloud
by Jess Iandiorio
When I started talking to cloud experts about automation and security, I thought that we’d spend most of our time discussing how automation reduces human error (and deliberate malfeasance) and how it frees up IT time for higher-value activities.
It does both of those things, of course. But I also discovered a sub-theme that kept bubbling up in my conversations: by automating security, you give a power boost to one of the most appealing features of cloud hosting: rapid elasticity and scalability.
Let’s say that you need to scale up your digital capacity to handle a surge of interest and activity. The cloud lets you do that, fast -- if your security can automatically scale up with it.
But if you are bogged down by manual security processes, you will likely have to hold back the rapid scaling that the cloud should let you do.
Mark Stanislav, of Duo Security in Ann Arbor, is one of the experts who made this point to me, although it also came with a warning: If your security is not automated, it can lag behind an expansion, exposing your site to opportunistic attackers.
“Both ‘rapid elasticity’ and ‘on-demand self-service’ are mentioned as core tenets of what cloud computing is,” Mark pointed out. “Much of the functionality and power that cloud computing offers to technologists and consumers is related to the availability of scaling resources up or down as needed. If resources can ebb and flow automatically -- and quickly -- not pairing an equal level of automation with security technologies can quickly lead to an unsafe scenario for organizations.”
That’s why automation solutions like Puppet, Chef, and Salt Stack are so important: they give system administrators the capability to quickly scale their cloud resources, because they configure security policies and update software at the same time, automatically. Mark said this same software also enables administrators to deploy security services, such as Duo Security’s two-factor authentication, automatically to each and every server without intervention. He’s seen that work up close, many times.
One tip that Mark shared to keep scalability and security in sync: avoid unicorns.
“The more similarity an organization can have in their resources,” he explained, “the fewer one-off changes will need to be made -- which often are a limiting factor to scaling.”
For example, if you have a web service that you want to scale from one server to 100 servers, you need to make that server as cookie-cutter as possible. No unicorns! That will allow for easy scaling of the service, and also ensure that security policies and controls can be applied as tightly as possible. When systems are not the same, policy and controls are often made too broad to account for the disparities.
“Uniqueness is the enemy of cloud computing scalability,” Mark said.
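An added example (not from the original article or from any of the tools it names): a short Python check that finds "unicorn" servers by comparing each host's reported settings against the value most of the fleet shares. The host names, setting names and values are constructed for illustration.

```python
from collections import Counter

MISSING = "<missing>"

# Constructed sample: per-host facts as a configuration-management tool
# might report them. Hosts, keys and values are illustrative only.
COMMON = {"sshd.PasswordAuthentication": "no", "patch_level": "2024-06",
          "mfa_agent": "enabled", "fw_inbound": "443"}
FLEET = {
    "web-01": dict(COMMON),
    "web-02": dict(COMMON),
    "web-03": dict(COMMON),
    # One-off change: password logins and an extra inbound port.
    "web-04": {**COMMON, "sshd.PasswordAuthentication": "yes",
               "fw_inbound": "22,443"},
    # Scaled up without the two-factor agent ever being installed.
    "web-05": {k: v for k, v in COMMON.items() if k != "mfa_agent"},
}

def baseline(fleet):
    """Most common value per setting; an absent setting counts as a value."""
    keys = sorted({k for facts in fleet.values() for k in facts})
    return {
        k: Counter(f.get(k, MISSING) for f in fleet.values()).most_common(1)[0][0]
        for k in keys
    }

def find_unicorns(fleet):
    """Return {host: {setting: (actual, expected)}} for hosts that deviate."""
    expected = baseline(fleet)
    report = {}
    for host in sorted(fleet):
        drift = {
            key: (fleet[host].get(key, MISSING), want)
            for key, want in expected.items()
            if fleet[host].get(key, MISSING) != want
        }
        if drift:
            report[host] = drift
    return report

if __name__ == "__main__":
    for host, drift in find_unicorns(FLEET).items():
        for key, (have, want) in drift.items():
            print(f"{host}: {key} is {have!r}, fleet baseline is {want!r}")
```

A majority baseline only tells you which hosts differ; if most of the fleet shares a weak setting, the check should compare against a declared policy instead.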
Mike Kavis made a similar point in our conversation.
“First, one of the biggest advantages of cloud computing is its elasticity,” he said. “Being able to scale up and down on demand is a very powerful tool. The only efficient way to be elastic is to eliminate manual processes and allow the system to provision and de-provision resources automatically.
“That’s another reason why automation is so important,” Mike continued. “Because in order to automatically scale as demand increases or decreases, virtual machines and code deployments must be scripted so that no human intervention is required to keep up with demand.”
Mike’s advice: All cloud infrastructure resources should be created from automated scripts to ensure that the latest security patches and controls are automatically in place as resources are created on-demand.
Security automation and cloud services are a natural fit, and, like peanut butter and chocolate, go better together.