We know that "the enemy's gate is down." Many of us know the lessons from Vauban. We draw our computer security metaphors from the physical world, and it mostly works. Traditional security analogies talk about defense-in-depth, locks & surveillance, active defense, mitigation & response, and many other clever comparisons. Then came the cloud. While it's true that security fundamentals still apply, several things dramatically change when defense moves into the cloud.
Scale - A single IT admin can reasonably expect to manage between 100 and 250 physical assets. We expect cloud admins to scale up to 25,000 instances and beyond. The same scale that makes using the cloud attractive for business makes managing the cloud a Gordian Knot. Think about that scale in terms of security alerts, real and false positives.
Control - We can simply go over and troubleshoot in safe mode when an on-prem asset misbehaves. When the cloud instance misbehaves, the cloud provider might just reboot it for you. Even worse, your asset might get rebooted if somebody else on the same hardware misbehaves. Cloud providers give a different granularity of control.
Transience - This represents the biggest paradigm shift for the cloud. Where previous admins bragged about uptime, long-running servers become a liability in the cloud. Attackers can surround an asset, only to find the asset has disappeared. That idea sounds like a nightmare for most admins too, but the right tooling and mindset turns it into a strength.
We can turn scale, control and transience from liabilities into strengths. Traditional physical-defense metaphors do not capture this paradigm shift, so we need to abandon them where they no longer fit. Cloud security is different.
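The abstract argues that transience and scale are levers rather than liabilities: a server that is guaranteed to be replaced bounds how long any foothold on it can survive, and a fleet built from a few immutable images lets thousands of per-instance alerts collapse into a handful of root causes. The following Python is an added illustration of that argument, not code from the talk or from any cloud provider; the fleet, image identifiers, alert rules, the 24-hour maximum lifetime and the hourly sweep are all constructed assumptions.

```python
# Added example (not from the talk): transience and scale as defensive levers.
# Fleet, image IDs, alert rules and the lifetime/sweep values are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Instance:
    instance_id: str
    image_id: str          # immutable image the instance was built from
    launched_at: datetime


MAX_AGE = timedelta(hours=24)   # assumed policy: no instance lives longer than this
SWEEP = timedelta(hours=1)      # assumed interval at which the rotation job runs


def select_for_rotation(fleet, now, max_age, golden_image):
    """Return IDs of instances to replace rather than patch in place.

    An instance is rotated when it has lived at least max_age (so any
    foothold on it dies with it) or when it was built from an image that
    is no longer the current golden image.
    """
    return sorted(
        inst.instance_id
        for inst in fleet
        if now - inst.launched_at >= max_age or inst.image_id != golden_image
    )


def max_foothold_lifetime(max_age, sweep_interval):
    """Worst case an attacker keeps a compromised instance: it can cross
    max_age just after one sweep and is only replaced by the next one."""
    return max_age + sweep_interval


def group_alerts_by_cause(alerts):
    """Collapse per-instance alerts into one finding per (rule, image).

    A misconfiguration baked into an image fires once per instance; at
    25,000 instances that is noise, but grouping by the image the fleet
    was built from reduces it to one finding per root cause.
    """
    grouped = defaultdict(set)
    for alert in alerts:
        grouped[(alert["rule"], alert["image_id"])].add(alert["instance_id"])
    return {key: sorted(ids) for key, ids in grouped.items()}


# Constructed sample fleet: one fresh, one over the age limit, one on a stale image.
NOW = datetime(2016, 5, 18, 12, 0, tzinfo=timezone.utc)
GOLDEN_IMAGE = "ami-golden-0518"
FLEET = [
    Instance("i-0001", GOLDEN_IMAGE, NOW - timedelta(hours=2)),
    Instance("i-0002", GOLDEN_IMAGE, NOW - timedelta(hours=30)),      # over 24h
    Instance("i-0003", "ami-golden-0501", NOW - timedelta(hours=1)),  # stale image
]

# Constructed sample alerts: one rule firing on two instances of the same image.
ALERTS = [
    {"rule": "ssh-password-auth-enabled", "image_id": "ami-golden-0501", "instance_id": "i-0003"},
    {"rule": "ssh-password-auth-enabled", "image_id": "ami-golden-0501", "instance_id": "i-0009"},
    {"rule": "world-readable-secret", "image_id": GOLDEN_IMAGE, "instance_id": "i-0001"},
]


def demo():
    """Run both policies over the constructed data and return the results."""
    to_rotate = select_for_rotation(FLEET, NOW, MAX_AGE, GOLDEN_IMAGE)
    grouped = group_alerts_by_cause(ALERTS)
    return to_rotate, grouped


if __name__ == "__main__":
    rotate, grouped = demo()
    print("rotate:", rotate)
    print("max foothold lifetime:", max_foothold_lifetime(MAX_AGE, SWEEP))
    for (rule, image), ids in grouped.items():
        print(f"{rule} on {image}: {len(ids)} instance(s) {ids}")
```

The point of `max_foothold_lifetime` is that the bound comes from policy, not from detection: even an undetected compromise of `i-0002` ends when the instance does. Rotating on image drift as well as on age means a fix to the golden image propagates by replacement rather than by logging in to 25,000 machines.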
Delivered at SOURCE Conference Boston 2016 on May 18, 2016
Slide 13 (@ncooprider): Cloud adoption

“Late last year, US bank Capital One said it was reducing the number of its own data centres from eight to three by 2018 and moving a lot of its processes and product development to AWS. And Towergate Insurance recently announced that it was migrating its IT infrastructure to the public cloud as well.”
http://www.bbc.com/news/business-36151754
Slide 17: Security TOS and SLAs

“While AWS manages security of the cloud, security in the cloud is the responsibility of the customer.”
https://aws.amazon.com/compliance/shared-responsibility-model/

“As with any new technology, there are new risks. It is our responsibility to educate our businesses and customers and we can also develop tools and processes to mitigate risk. But it is also a shared responsibility of cloud users.”
Mark Russinovich, Microsoft Azure CTO
Slide 18: Defend the cloud

• Security fundamentals still apply
  • Good security hygiene
  • Constant vigilance
  • No silver bullet
• Dramatic changes occur in the cloud
  • Scale
  • Control
  • Transience
Slide 34: Conclusion

• Remember: the enemy’s gate is down
  • Update our security metaphors
  • The Twinkie speech
• To the cloud
  • Don’t get left behind
  • Reasons for hesitancy going away
• Leverage the new environment
  • Scale, control, and transience
  • Become secure