A lot of people think of the cloud as a place to store or host stuff, but the cloud isn't a hard drive or a processor, it's a programming language. Actually, it's a collection of programs and platforms all connected together through the magic of application programming interfaces (APIs). The real visionaries of the cloud know it isn't merely a new consumption or delivery model, but instead a new glue that turns the entire Internet into one big programming platform.
The fundamental concept of cloud computing is taking a collection of physical resources, pooling them together, and then consuming (or delivering) only what we need. We provision resources, use them, then deprovision them and send them back to the pool. This is true for the entire cloud stack: IaaS, PaaS and SaaS. To meet this objective, we need some degree of automated orchestration and management. And if we want automation, that means we need APIs to design, implement and manage it.
For example, when you use that fancy Web interface to provision a new instance (virtual machine) on your cloud platform, it makes API calls to the cloud controller to provision the resources and spin it up. The cloud controller also does most of this through API calls to the various components. For a simple instance on most platforms, this means calls to a compute node to host the instance, a volume controller (and nodes) to supply storage, a network node for IP addresses, the scheduler and/or message server to coordinate
There are some very cool tools and technologies being built in and around this API-driven modality, but one of the big laggards is security. Few security tools support API management for essential functions, which dramatically limits their usefulness in cloud computing and security. Let's walk through one potential scenario to show how powerful security automation could be.
Cloud computing and security: An automation scenario
A common problem in IT departments I work with is tracking assets -- making sure they are securely configured and properly protected on the network -- while keeping an eye on the users and data. We use a host of tools and processes, many of them manual, to hopefully reduce the amount of things that inevitably slip through the cracks.
But imagine if we could automate nearly all those functions. A user connects to the cloud Web portal and checks the box for a new departmental Sharepoint stack of x size and configuration. The cloud controller first runs through the non-security policies to make sure the user and department are authorized for the requested resources and then starts the provisioning process.
As the instance spins up, it's firewalled off from the outside world and automatically patched to the latest levels and configured to the current security and operations standards. The instance and the cloud controller then make a series of API calls to a suite of security tools.
The cloud controller registers the instance with the vulnerability management tool, which automatically registers it, performs an assessment, and keeps it isolated if anything fails.
As part of the configuration scripts, various security agents are installed and the new instance registers itself with the log management, SIEM, antivirus and other core security and compliance tools. Based on the attributes of the instance, the tools then send various configuration parameters back to the agents.
Based, again, on the attributes of the instance, appropriate network firewalls and IDS/IPS rules are established. Since we can't trust that the instance will always stay where we put it, some of those same rules are implemented by a network security agent in the host itself.
The storage for the instance then signs up for periodic DLP scans, which will add it to the proper policy groups, depending on the user and business unit. Or maybe the DLP scans the instance on its schedule, and if sensitive data is detected, it reconfigures other security parameters such as firewall/IPS rules, access controls, and so on by communicating with those tools.
I could do this all day, but you get the idea. Instead of manually managing all this, we embed functionality into our cloud and security fabric so a high degree of it is automated. We already see this strategy being used successfully today with configuration and systems management tools like Chef and Puppet.
For the most part, when it comes to security, the majority of automation is limited to security functions built into the cloud platforms (with identity and access management being the most mature). Over time this will change as more and more clients demand better automation support from their security vendors.
The example above is pretty simple; I stuck with tried and true security functions we are most familiar with. Hopefully you can see that this really is just the beginning, and over time the cloud may improve security more than it hurts it.
About the author:
Rich Mogull has nearly 20 years’ experience in information security, physical security, and risk management. Prior to founding independent information security consulting firm Securosis, he spent seven years at Gartner Inc., most recently as a vice president, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies, including DLP, and has covered issues ranging from vulnerabilities and threats, to risk management frameworks, to major application security.
This was first published in December 2011