Taming the Cloud - Provisioning and Security

Thursday, September 08, 2011

Rafal Los


While Cloud continues to be the popular buzz-word du jour, the low rate of public or hybrid cloud adoption analysts are reporting may signal more than just fear and paranoia over security. 

The low rates of adoption may actually be business consumers acknowledging their confusion about how exactly security plays when it comes to virtual environments. 

Security, arguably, isn't the single biggest factor in many cloud deployments - but it is consistently mentioned in most surveys as a critical factor for selecting the right vendor and deployment model. 

The problem is ...with the elasticity of IaaS, PaaS and SaaS behind the scenes, provisioning can become a security nightmare if not done deliberately, with a strong governance approach.

One of the things I learned over this past week attending the Defcon 19 Hacker Conference is that people tend to have issues with provisioning images and systems, particularly for re-use and public consumption.

Whether it's ensuring the image you're deploying is appropriately built and patched, or that security-related components are functioning properly like anti-malware and other defenses, or simply ensuring that you haven't left the same administrative password you used to set up the machine available to the next 1,000 systems that are built from your image - all these things must be done appropriately, and closely tied to a sane provisioning process. 

Oh, and let's not forget, the whole goal is to automate the snot of of this thing.

Tools like HP's Cloud Service Automation (CSA) ensure that there is end-to-end sanity in your provisioning and deployment strategy when you're speaking Cloud.  Whether you're talking about automating the deployment of virtual network, datastore, or server components (IaaS), the components of a composite applications (application, database, middleware) for PaaS, or full-on application instances across your cloud environment (SaaS) - provisioning is critical to ensuring your environment is compliant and secure.

Security comes in many forms that security professionals are already used to seeing in their own data centers, and on their desktops, but what makes Cloud provisioning that much more important is not simply that everything is virtual ...but the speed at which everything happens. 

Keep in mind that in modern business it's not just the central IT team that manages the organization's cloud - many times it's the direct line-of-business (LoB) that deploys and manages their own cloud outside the purview of central IT.  This means that in order to rein this type of behavior in, IT Security must work with IT to create some sort of simple way to use the corporate Cloud provisioning strategy to provide self-service to everyone in the business.

So your goal is to automate while keeping security tight...good luck if you're not on the right platform.  Keeping track of component patch-levels with a spreadsheet just won't do like it did for your data center a decade ago (or yesterday for some of you...) and when a rapid change is needed across your virtual environment (the first Tuesday of every month, maybe?) you have to be able to test, deploy, and monitor with lightning-fast speed and deliberate means.  "Hoping it works" isn't an option when your company's Cloud strategy is at your fingertips.

Governance must play a huge role in your provisioning strategy and toolset as well... being able to review your environment against a set of standards (dare I say it, compliance policy) and having knowledge of who, what, when, and where is critical as well. 

When the inevitable happens and catastrophe strikes it will be necessary to have a good way to analyze the damage and assess impact.  If you don't have the right tools you'll be left guessing.  Provisioning properly - the way security approves it - is the right way to go, and tracking successful deployments and access as well as deviations from the standard are hyper-critical as well.

It's not just about passwords, SSL keys, anti-malware and out-of-date browsers anymore, lightning-fast provisioning for today's Cloud requires that your provisioning system natively speaks security and that you can incorporate many of the already established best-practices into your Cloud environment.

Whether you're deploying IaaS, PaaS, or SaaS, provisioning is the key to having a safe, secure, and stable environment.  With the fragility and complexity of today's cloud deployments, you can't afford a single, tiny, sliver of error which could unwind everything in seconds.  I seem to recall this happening to a Cloud vendor recently...

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Cloud Security
Information Security
Cloud Security malware Cloud Computing Governance SaaS IAAS PaaS
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.