When NerdWallet's DevOps team makes changes to applications in Amazon Web Services, one mistake can put the company's entire infrastructure at risk.
"We have an obligation to control, detect and remedy any risks," said Bala Sathiamurthy, senior director of security at the personal finance website, which offers banking and insurance decision-making tools.
Like many consumer-facing websites, NerdWallet practices continuous deployment, often pushing code changes multiple times a day. The pressure of moving out new features and applications quickly makes it impossible to set up all the cloud instances and database configurations manually without some risk to the company's security and compliance controls. In the past several months, NerdWallet has used the RedLock Cloud 360 platform to improve cloud visibility and assess risk. "If we make a mistake, RedLock alerts us," Sathiamurthy said.
As organizations move data centers and workloads to public cloud infrastructure, information security has increasingly become a moving target -- security configurations and compliance tasks are met, and suddenly everything changes. The threat of data exposure, as user errors at Dow Jones & Co. and others have shown, is all too real.
Visibility across data centers and other security challenges have emerged, as enterprises migrate infrastructure to Amazon Web Services (AWS), Microsoft Azure and the Google Cloud Platform. Under most public cloud arrangements, the "shared responsibility" model means companies are responsible for encrypting databases, setting up firewall rules and patching operating systems.
"Organizations need a way to track their configurations and discover if changes to public cloud workloads have been made by an authorized person or if the organization was attacked by an external force," said Chris Christiansen, a senior consultant with Hurwitz & Associates. "When organizations lack that visibility, they soon realize that this new environment is out of control -- from a regulatory compliance perspective, security teams often don't know what's going on." (See "Three questions to ask about public cloud migrations.")
Cloud access security brokers, also known as CASBs, offer visibility and control of cloud service usage. These tools sit between on-premises and cloud environments and do a good job parsing web proxy logs to identify unsanctioned software as a service that internal employees are using. Full-featured CASB platforms may run some form of data leak prevention or encrypt sensitive data stored in cloud-based productivity tools, such as Salesforce or Microsoft Office 365. Some on-premises or cloud-hosted CASBs even identify malicious user activity within specific apps.
Three questions to ask about public cloud migrations
Chris Christiansen, a senior consultant at Hurwitz & Associates, offers CISOs key questions to consider when evaluating cloud visibility tools to protect infrastructure and workloads in the public cloud
Where is the organization's risk? Is it with compliance, production applications or intellectual property?
Does the security team understand all the terms and conditions for compliance from the public cloud vendor? Poll the security group and find out if they fully understand that they are still responsible for security.
Has the security team evaluated the cloud visibility tool from an audit standpoint? In addition, has the company done an evaluation from the virtual machine level and also the container level?
New cloud visibility and compliance products claim to be more fine-grained, however, using API-driven monitoring tools to flag anomalies or user configuration errors across multiple cloud vendors. When NerdWallet experiences a security event, Sathiamurthy can go back and use the forensic and auditing capabilities in Cloud 360 to determine where the breach came from. The software takes a snapshot of all configurations, so the security team can pinpoint when and how a configuration resulted in data exposure.
"Along with the change management, forensics and auditing, [the technology] allows us to set policies that enable us to meet our compliance goals," Sathiamurthy said. "All the compliance authorities, be they ISO [the International Organization for Standardization], CIS [the Center for Internet Security], HIPAA or PCI, require a certain set of controls. RedLock lets us hand over the evidence."
New cloud visibility tools -- from vendors such as RedLock, Evident.io and Dome9 -- collect and analyze massive volumes of raw data from public cloud infrastructure providers as well as third-party threat intelligence and apply a layer of automated policy control, according to Christiansen.
Michael York, director of cloud operations for Easterseals in the Bay Area, struggled with a lack of visibility when the nonprofit organization for disability services moved most of its core infrastructure to AWS. He needed a way to manage all of the security policies and configuration changes among the developers and the operations team.
Michael Yorkdirector of cloud operations, Easterseals Bay Area
"By automating the configuration process with Evident.io, I didn't have to hire a high-priced knowledge worker to make all the changes to the configurations," York said. "I feel like it's like having an invisible wingman by my side."
The agentless, API-driven technology continually scans AWS resources and generates statistics and reports based on automated validations of security best practices or signatures. This information alerts York if a configuration doesn't have the appropriate permissions or if a developer made an API change the security team wasn't aware of. Signatures can also be customized. If the security team wants a password to be 16 characters rather than the standard 14, the software lets them set it up that way.
"It's a tool that lets us see behind the curtains," York said. "Sure, it's possible to build a tool yourself, but we're not in business to build tools. Plus, it's a really effective counterweight to the DevOps team, which typically doesn't look at the operational side of AWS." Like most software in this category, the Evident Security Platform offers custom-API or native integration with DevOps tools.
For now, Easterseals is in the process of implementing a cloud security and compliance strategy to manage 700 people in the Bay Area. The organization plans to roll out this capability to its 74 affiliates throughout the country in the months ahead.
Responding to cloud first
RWE Supply & Trading GmbH initiated a cloud-first policy in 2016 and today runs 100 applications and 500 instances on AWS. The European energy trader, based in Essen, Germany, runs analytics on power consumption and weather forecasts -- the impact of the weather on solar energy, for example -- in a hybrid environment with a mix of legacy technology and cloud platforms, according to Ralf Buchroth, network operations expert.
The energy trader found that it needed a way to gain visibility and control over this new cloud traffic. An audit of RWE's former network security vendor found that the outsourcer had not matched policy changes to the firewall configurations. The auditors said that every firewall rule needed to be documented, which is when RWE started using Tufin SecureChange to create an auditable workflow. Hybrid traffic that runs across network firewalls and AWS can now be monitored using a dashboard.
"We need to know who wanted to make the change, what the change was, when it was made and why," Buchroth said. "Now, with Tufin, we have a proper change process that can manage 100 complex changes a month at any given time and gives us good reporting; the information is not stored in documents within Excel or on faxes."
Looking at the clouds
Many CISOs are at a point where they are migrating core infrastructure and workloads out to the cloud, and solving the lack of visibility issue is the next task on their list.
"As we move to the public cloud, visibility is the biggest concern," said Mark Tomallo, CISO at Ascena Retail Group, based in Mahwah, N.J., who manages security for the company's 70,000 employees.
The women's clothing retailer, which owns Ann Taylor, Dressbarn, Lane Bryant, Loft and other brands, has been moving infrastructure out to Rackspace and has also been evaluating moves to AWS and Microsoft Azure. Tomallo started in the CASB space, but now he will be looking at cloud visibility tools in the months ahead.
Talvis Love, CISO of Cardinal Health, a Fortune 500 pharmaceuticals and medical supplier based in Dublin, Ohio, has also had discussions with the cloud visibility providers but has not moved on a solution yet. Cardinal Health is in the early stages of moving workloads to AWS, having recently run a pilot of its e-commerce application in a test environment.
"It's fairly early for us," he said. "We're at a point where we're building our strategies."
There's no getting around it: As organizations migrate more applications to public cloud infrastructure, CISOs will inevitably face the lack of consistent security configurations and other vulnerabilities that may expose sensitive data. And, when they do, they will find a fragmented market of cloud security and compliance providers. It's too early to tell which vendor will emerge as the dominant platform or if the major providers such as AWS and Microsoft Azure will start offering more of these capabilities as yet another service.
"Whatever we do, the tool will have to satisfy regulatory requirements such as PCI, SOX [the Sarbanes-Oxley Act], HIPAA and other federal regulations," Tomallo said. "We are only six months into this, but it has to be done in a way that ensures the data in the cloud is protected."
How to achieve safe cloud backup
What to consider before implementing a CASB platform
Issues to watch out for with cloud DLP