Moving to the Cloud, but Stuck in the Past

It's inevitable. A company decides to move to the cloud, sets a deadline, and then tries to migrate its systems, applications and architecture over one component at a time.

Unfortunately, most information-security teams stick with what they know. Their intuition and reflexes are tuned to dealing with data center environments and technology, so rather than embracing cloud deployment best practices, they try to architect using their data center tools. Instead of building loosely-coupled systems that scale horizontally, they try to design a tightly-coupled system and scale vertically.

As a result, security architectures have become the biggest area of friction when moving to the public cloud.

The problem has grown quickly, as 95 percent of companies have moved some of their workloads to the cloud, according to RightScale’s 2017 State of Cloud Report. It’s no wonder, the cloud delivers the ability to develop applications fast, update them often and scale quickly as your market grows.

Yet, from a security perspective, the cloud can create challenges — at least when it’s treated like a traditional data center. The focus on recreating a data-center environments ends up slowing down adoption, because most of the traditional tools and architectures that are built for data centers don’t translate well, and can be real cloud ‘anti-patterns. 

Take network-security appliances. Security engineers have traditionally instrumented in security controls via these solutions because they consider network packets as the single source of truth. This does not work well in the cloud, because the major cloud providers do not provide customers with many data-center networking services like SPAN ports. 

That leaves traditional-minded security teams with a reduced capability to deploy security controls. Everything that a company does in the data center, where they have central control and the ability to tap into every network flow, becomes an anti-pattern in the cloud. 

Yet, companies embarking on a cloud initiative almost always first attempt to port their data center security tools over to the cloud, rather than working on embracing a different deployment model. To move to the cloud quickly and effectively, companies need to focus on loosely-couple architectures. Here are some recommendations.

Focus on your future, not the past
When companies move to the cloud, they need to focus on solving the cloud-specific security issues. Instead, many times they are trying to solve problems that do not even exist in the cloud. 

Take Web Application Firewalls, for example. In the data center, companies put their application firewall infrastructure in front of all their web properties and applications, and then focus on maintaining a single, monolithic rule set. This is an anti-pattern in the cloud.

Instead, application security should be specific for each application and be deployed along in all staging environments via automation.

This allows each application team to be much more agile and embrace DevOps principals by automating the deployment and configuration of the WAF as part of their normal CI/CD workflows. Tailoring application security has the added benefit of allowing each development team to use the WAF as a vehicle to mitigate zero-day threats targeting their application, giving the application teams time to patch.

Adopt cloud-native tools
A transition to the cloud often means adopting a whole new set of tools and services. Companies, however, need to make sure that their tools work across all cloud environments. No matter if you are using AWS, Google or Microsoft’s public cloud, or any of the other providers, your security needs to work.

This helps companies avoid a situation where products designed to work with a security service specific to on Azure will have to be entirely refactored if the company decides to move to Amazon Web Services. Having to change your tools whenever your cloud provider changes is never ideal.

Because so much of cloud deployment is linked to DevOps and other agile development methodologies, adopting the concept of security as code — and requiring that your tools support this concept — can go a long way toward making a move to cloud faster and easier. Security as Code means that — while security controls are specified by the security team, in conjunction with development and operations — security design and architecture is specified and updated by the development team.

This eliminates the friction between development and security teams, allowing them to collaborate and keeping both teams objectives: move fast AND stay secure.

Licenses can be a sign of problems
One of the most significant issues in moving to the cloud is software license costs. Licenses are a holdover from the days of shrink-wrapped products, and, are often a sign that your company is trying to move the wrong type of technology to the cloud.

Charging for each instance of a web application firewall, for example, makes it prohibitively expensive to deploy a WAF with every application. Customers can now embrace a “license-less” model via the AWS Marketplace metering service; a model that only meters the WAF when it sees production or test traffic.

Moving to the cloud means rethinking how you can instrument in security controls. Rather than blindly bringing over the tools that were purpose-built for the data center, you can now utilize the remarkable API platform services the cloud providers enable, and instrument in security controls that take advantage of the agility and cost benefit the cloud offers.

What’s Hot on Infosecurity Magazine?