How Cloud Security for the CIO is like Dismantling The Wall in Westeros & Fighting the White Walkers

“Winter is coming.”
―Ned Stark, Lord of Winterfell

For the people of Westeros (Game of Thrones), this warning means the White Walkers may return in the winter, and that the realm must always be prepared should the mysterious threat ever rise again. Because they know that The Wall, which was raised to bar the White Walkers’ return, and the Night’s Watch, which was founded to guard it, may not protect them next time [1].

It took an enormous amount of time for the Children of the Forest, the Giants and the other peoples of Westeros to raise the Wall. Similar to my PhD degree in Software Security (it took almost 12 years) 🙂 During those years, I could clearly see that the security paradigm has shifted drastically in the IT industry.

In this article, I will discuss four security perspectives for the modern enterprise with examples from Google Cloud. Please note that both Amazon (AWS) and Microsoft (Azure) have similar capabilities, as we recently presented to the ITU GATE Startup Acceleration Program participants before they visited Silicon Valley [2].

So, why talk about security, an ancient topic as old as Westeros itself? And why cloud security?

Well, from a cloud adoption trends perspective, all three giant public cloud providers (Google, AWS and Microsoft) have already convinced Fortune 1000 enterprises of the high availability and performance of applications in the cloud. Today, one can get four nines of service availability (99.99%) or eleven nines of data durability (99.999999999%) in the public cloud with the right design. In the past, this was only possible with extremely complex, tightly coupled and expensive on-prem telco-grade solutions. Nevertheless, the concern about security (maybe not security itself, but the concern) still remains.

Dismantling The Wall in Westeros

I argued above that the security paradigm has shifted drastically in the IT industry [2]:

  • Traditional IT infrastructures focus on big perimeters and think server-centric, like building a fence or a wall around data and applications.
  • In public cloud IT infrastructures, the tenants focus on micro-perimeters and think service-centric.
  • Traditional IT infrastructures require end-to-end ownership and prefer to build everything inside the organization.
  • In public cloud infrastructures, enterprises are comfortable with owning just enough, and offloading capabilities beyond their core business to other service providers in the cloud.

The paradigm shift in cloud computing can be considered from four main security perspectives [3].

1- Directive Security

There are many standards and control frameworks related to the cloud. The benefit is that they give the CIO and his/her enterprise a thirty-thousand-foot picture and a top-down policy to start with.

Certain enterprises have to adhere to various security-related standards and regulations. The major standards to look for are ISMS (Information Security Management System, ISO 27001), Cloud Security (ISO 27017), Cloud Security Alliance STAR (CSA STAR), Cloud Privacy (ISO 27018) and PCI DSS (if you’re working with payment cards and customer account data). You should also comply with the new EU Data Protection Directives if you’re working with customers in the EU.

Regarding certification, Google, Microsoft and Amazon have all been tested, audited and certified for the infrastructure services they provide, so you can put a tick on your certification checklist. For services built on top of the IaaS and PaaS layers, one can use the enabling services and APIs from the cloud providers. Google Cloud certifications can be found here [4].

Enterprises should create a program for security, privacy, compliance and risk management. The program should include account governance and data classification (the ISO 27000 ISMS framework and the security controls in the Cloud Security Alliance (CSA) Cloud Controls Matrix are good sources) [2].

2- Detective Security

Know your attack surface and defend it, but handle this with full automation and Infrastructure as Code.

Let’s think about it. Moving your data and applications to the cloud will definitely increase your attack surface. It’s like defending against the White Walkers without the Wall.

If there were no Wall in Westeros, the operating model of the Night’s Watch would be completely different.

Automating security is like putting sensors into every resource in the cloud infrastructure. Whenever a new resource is instantiated, all of its network connections, identity and access management policies, firewall configuration, IDS/IPS configuration, log management and other security-related configuration should be monitored automatically. Google, Microsoft and AWS have tools for such automation.

Once you set the policies and automation right in the cloud, you will end up in a secure state even though the attack surface is bigger.

The CIO organization should request full visibility and transparency over operations: a single logging and monitoring pipeline, security testing and change management, all centralized in a Security Operations Center (SOC).

3- Preventive Security

This is the most common perspective that comes to mind when enterprises and CIOs talk about security. The main objective is to protect the infrastructure at its various layers: physical, virtualization, networking and traffic management, IaaS, PaaS, data (at rest and in transit) and application.

You should create a security architecture that covers IdAM (identity and access management), infrastructure protection (API gateway, WAF, OS hardening) and data protection for data in transit and data at rest.

Public cloud services have extensive logging and monitoring capabilities, much more than one would think. Any event or performance KPI related to IaaS, PaaS and SaaS layer resources can be logged and centrally monitored. One can store all of the logs for an indefinite amount of time without worrying about the cost, thanks to cloud object storage technologies (e.g. Google Object Storage, AWS S3 and Microsoft BLOB storage).

Relevant Google services to look for are Cloud IAM, Cloud Security Scanner, Cloud Platform Security, Cloud Interconnect, Managed VPN and various Management Tools (Stackdriver, Logging, Monitoring, Error Reporting, Trace, Debugger, Cloud Endpoints, etc.) [5].

You can also rely on newer technologies such as blockchains to ensure data integrity and authenticity. Some cloud providers have already started offering blockchain as a service for this purpose.

Here’s a set of recommendations related to Preventive Security [2]:

  • Enable audit logging and monitoring on all resources
  • Maintain your network firewall rules in programmable scripts/templates
  • Use service provider tools (e.g. Cloud Security Scanner from Google, Trusted Advisor from AWS) to identify the most common vulnerabilities in your services
  • Create encrypted channels between your on-premises equipment and the cloud using Cloud Interconnect and managed VPN
  • Implement a centralized IdAM (Identity and Access Management) for both the development and operations teams, covering both test and production environments
  • Implement Microsoft Active Directory integration or OpenID
  • Use the IDS, IPS and WAF services from service providers
  • Design to handle DDoS attacks [5]
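As an added example (not code from the original article, nor from Google or any other provider), here is the kind of policy check the automation described under Detective Security would run whenever a resource is instantiated, applied to firewall rules kept as code as the list above recommends. The rule dictionaries are constructed samples whose fields are modeled on the Compute Engine firewall resource shape; the admin-port set and the two policy rules are assumptions.

```python
"""Policy checks over firewall rules kept as code (added example)."""
from typing import Dict, List

ADMIN_PORTS = {"22", "3389"}      # SSH and RDP; assumed policy
ANY_IPV4 = "0.0.0.0/0"

# Constructed sample rules, modeled on the Compute Engine firewall resource
# shape (name, direction, sourceRanges, allowed, logConfig); not real rules.
SAMPLE_RULES: List[Dict] = [
    {"name": "allow-https", "direction": "INGRESS", "sourceRanges": [ANY_IPV4],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
     "logConfig": {"enable": True}},
    {"name": "allow-ssh-world", "direction": "INGRESS", "sourceRanges": [ANY_IPV4],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}],
     "logConfig": {"enable": False}},
    {"name": "allow-all-internal", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
]

def _port_in_range(port: str, spec: str) -> bool:
    """True if `port` falls inside a port spec such as "22" or "20-25"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= int(port) <= int(hi or lo)

def exposes_admin_ports(rule: Dict) -> bool:
    """Ingress from the whole internet to SSH/RDP, or to every port."""
    if rule.get("direction") != "INGRESS" or rule.get("disabled"):
        return False
    if ANY_IPV4 not in rule.get("sourceRanges", []):
        return False
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") == "all" or not entry.get("ports"):
            return True  # every port of the protocol is open
        if any(_port_in_range(p, s) for p in ADMIN_PORTS for s in entry["ports"]):
            return True
    return False

def check_rules(rules: List[Dict]) -> List[str]:
    """Return one finding per violation, e.g. 'allow-ssh-world: ...'."""
    findings = []
    for rule in rules:
        if exposes_admin_ports(rule):
            findings.append(f"{rule['name']}: admin port open to {ANY_IPV4}")
        if not rule.get("logConfig", {}).get("enable", False):
            findings.append(f"{rule['name']}: firewall logging disabled")
    return findings  # an empty list means the rule set passes policy
```

Run the check in your deployment pipeline so a rule set with findings is rejected before it reaches the cloud project.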

4- Responsive Security

The ability to create self-healing security operations is your only magic power in the public cloud, provided that you are not the Mother of Dragons, the Targaryen 🙂 So design a self-healing service.

Once the system detects a security breach or an attack attempt on the surface, it’s important to take immediate action, because taking manual actions is costly, error-prone and slow. These factors increase your operational costs exponentially as your system gets bigger and more complex.

Therefore, it is important to take automatic actions based on the detected security issues by using the providers’ services. Google, Amazon and Microsoft have several tools that can automatically reconfigure your network, change firewall and routing configurations, allow or deny access to cloud resources, and scale your system in and out.

Protect workloads and manage threats and vulnerabilities using automated incident response and recovery, driven by analytics.

By running real-time and/or offline analytics on the log streams, it is possible to detect threshold crossings, create alarms and send out notifications. This helps detect and correct security-related issues immediately, without waiting for customer complaints.
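As an added example (not the article’s code, nor any provider’s tool), here is the threshold analytics and automated response just described, run over constructed sshd-style log lines: failed logins per source are counted in a sliding window, an alarm is raised when the threshold is crossed, and each alarm is turned into a deny-rule action for an automation runner to apply. The log lines, the threshold and the window length are assumptions, and lines are assumed to arrive in time order.

```python
"""Threshold alarms over an auth log stream plus a response plan (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in sshd style; not from any real system.
SAMPLE_LOG = """\
2023-04-01T10:00:01Z sshd[101]: Failed password for root from 198.51.100.7 port 5100
2023-04-01T10:00:03Z sshd[102]: Failed password for admin from 198.51.100.7 port 5101
2023-04-01T10:00:04Z sshd[103]: Accepted publickey for deploy from 203.0.113.9 port 6000
2023-04-01T10:00:06Z sshd[104]: Failed password for root from 198.51.100.7 port 5102
2023-04-01T10:00:09Z sshd[105]: Failed password for root from 198.51.100.7 port 5103
2023-04-01T10:00:10Z sshd[106]: Failed password for root from 198.51.100.7 port 5104
2023-04-01T10:05:00Z sshd[107]: Failed password for root from 192.0.2.10 port 7000
2023-04-01T10:09:00Z sshd[108]: Failed password for root from 192.0.2.10 port 7001
"""

FAILED = re.compile(r"^(\S+) \S+ Failed password for \S+ from (\S+) port")
THRESHOLD = 5                     # assumed: failures per source ...
WINDOW = timedelta(seconds=60)    # ... within this sliding window

def detect_bruteforce(log: str, threshold=THRESHOLD, window=WINDOW):
    """Return (source_ip, time, count) once per source crossing the threshold."""
    recent = defaultdict(deque)   # source ip -> timestamps inside the window
    alarms, alarmed = [], set()
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful login or unrelated line
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        src = m.group(2)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # expire events that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alarmed:
            alarmed.add(src)      # one alarm per source, not one per extra failure
            alarms.append((src, m.group(1), len(q)))
    return alarms

def response_plan(alarms):
    """Actions an automation runner would apply per alarm; nothing is executed here."""
    return [{"action": "add-firewall-deny", "direction": "INGRESS",
             "sourceRange": f"{src}/32", "notify": "soc",
             "reason": f"{n} failed logins in one window, last at {when}"}
            for src, when, n in alarms]
```

The same loop works on a live stream if each new line is fed in as it arrives; the plan entries are what a responder would hand to the provider’s firewall API and notification channel.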

I will write another article demonstrating self-healing security using Google Cloud.

References:

[1] Wikipedia, Game of Thrones https://en.wikipedia.org/wiki/Game_of_Thrones

[2] I recently gave a seminar to ITU GATE acceleration program startups together with Hasan Basri Akirmak (AWS Perspective) and Engin Polat (Microsoft Perspective) and I led the Google Cloud Perspective. The material is freely available under Creative Commons from here. You are encouraged to check the Security best practices slides and security service examples.

[3] Cloud Adoption Framework Security Perspectives from AWS and from Wikipedia: https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf, https://en.wikipedia.org/wiki/Security_controls

[4] Google Cloud Security Audit and Compliance Reports https://cloud.google.com/security/compliance

[5] Google Cloud Security Whitepaper https://cloud.google.com/security/whitepaper

[6] Image credits: IMDB, Recal Media, Pixabay, Unsplash CC0

published on linkedin
