Welcome!

@CloudExpo Authors: Liz McMillan, William Schmarzo, Automic Blog, Elizabeth White, Simon Hill

Related Topics: @CloudExpo, Microservices Expo, Cloud Security

@CloudExpo: Article

Dynamic Cloud Security: Test Driving the Benefits

Cloud security represents a spectrum of capabilities that you can tailor to your needs

Many IT organizations assume that security risks increase with a shift to cloud computing. The reality, however, is not so clear-cut. In fact, many of these same organizations will be surprised to learn that adopting cloud operating models with appropriate governance and security controls can actually reduce the level of risk relative to their current IT environments. Here's why:

IT professionals frequently develop unwarranted security concerns regarding cloud computing primarily because cloud environments are dynamic and enable new levels of workload portability that are very different from what they're familiar with. In cloud environments, application workloads can be moved to totally different physical infrastructure or service providers from one deployment to the next. The underlying application data can move even more frequently, depending on the type of instance and persistent storage options you've selected.

This means your security boundaries have to be dynamic too. They have to move with the workload and the data, and self-configure themselves in new environments in a consistent and automated manner.

Taking Cloud Security for a Spin
A simple analogy can be made between securing cloud workloads and securing a car. When you park your car in your home garage, typically you just close the garage door and that's it. You assume your car is safe inside your garage along with your other belongings, so you typically don't worry about locking your car doors or taking other precautions.

However, when you park your car somewhere else, you typically lock the doors to secure it. There are several ways you can do this. The door locks could be activated by a remote, a keypad on the door, or the proximity of an RFID tag in the key fob. You may decide to upgrade your security by adding a factory alarm system, steering wheel lock, LOJACK tracking system, or other security system depending on the car's value. Finally, you can also decide where to park your car depending upon your risk tolerance. For example, you may accept your favorite restaurant's offer of valet parking in a monitored lot instead parking down a secluded street.

The point is that you can create a portable security boundary around your car that can be equal to or even more secure than your garage. Cloud security is similar in concept where portable cloud workloads offer a wide range of options to establish a very effective portable security boundary. In fact, cloud workload security has an additional important benefit over the car analogy, which is that security configurations can be completely automated and policy-driven. Using the car analogy, this means you no longer have to worry about forgetting to lock your door or arming your alarm system in the parking lot, because the car will automatically do it for you.

Under the Hood: Cloud Security Options
This new approach to securing a moving workload is a big departure for many IT groups that are used to working in more static and controlled environments (similar to the home garage). These IT groups are used to working with physical data center infrastructure, traditional firewalls, mostly static networks, and familiar resources that they own and control. The idea of moving workloads in and out of new environments they don't control is a big concern, especially knowing they've expended tremendous time and attention manually configuring their own environment.

However, today a broad range of proven technologies can deliver consistent, automated security for portable cloud workloads. They include virtual private networks, encrypted data storage, host intrusion detection systems, hypervisor-based firewalls, and federated identity management systems. These systems can complement each other to provide an end-to-end security solution that encompasses instances, data, network, and role-based access as desired.

Importantly, these systems can be automatically enforced through security policies that essentially eliminate the risk of human configuration errors (e.g., forgetting to lock the car doors). In other words, you can design a customized level of security into each of your cloud workloads from the beginning, so that they consistently and automatically establish the desired security boundary conditions each and every time they are deployed. These security policies are designed to be abstracted above the cloud implementation layer, and can be enforced across multiple heterogeneous cloud deployment environments.

Benefits That Extend Beyond Security
This leads to important business benefits that extend beyond the typical risk mitigation aspects of providing security. By automating end-to-end security configuration, you can make significant gains in reducing workload provisioning and deployment time. Depending on your current security processes, this can make a very significant impact on improving business agility. Typically, the upfront investment to initially create automated security policies gets paid back in dividends many times over by automating enforcement and enabling more rapid deployment. You can also significantly reduce the complexity of managing and changing your security rules over time since policies can be enforced broadly or fine-grain across your organization, and modifications take effect right away.

Although securing cloud workloads is important, it doesn't stop there. You'll also need to revisit the people, processes, and management systems used to govern workload deployments. Insufficient control over who can provision a workload, where it can be deployed, for how long, and at what cost or capacity can be a recipe for disaster, even if the workload itself is secure. Beyond obvious cost and capacity management concerns are additional risks associated with regulatory violations and inadvertently deploying assets to the wrong environment.

Governance Rides Shotgun
For these reasons, cloud security and cloud governance need to work hand-in-hand. Enterprise cloud governance often gets complicated very quickly due to the many-to-many relationships that exist among workloads, user groups, deployment environments, departmental usage policies, industry regulations, geographic restrictions, and other attributes that exist in a large enterprise. As a result, policy-driven governance platforms are critical to managing and controlling all these permutations in a transparent and automated manner.

Effective governance requires several key capabilities, including a policy framework that is extensible, so that organizations can customize their own industry- or company-specific policies when needed. It also requires a governance platform integrated with your cloud provisioning and implementation layer, so that governance is consistent and enforceable across all of your workloads and all of your internal and external cloud environments.

Tackling the Security Challenge
Addressing cloud security is an important milestone you'll face as you embark on your cloud strategy. At times, security challenges may seem too complex or insurmountable, so here are a few tips to help make those initial projects more manageable.

First, realize that cloud security represents a spectrum of capabilities that you can tailor to your needs. You probably don't want to implement all of it right away, so screen initial projects and workloads based on security sensitivity and their target cloud deployment environments to lower the initial security risks and requirements.

Also realize that there's a broad range of cloud tradeoffs you can make to lower your risk/security exposure in exchange for partial sacrifices in economic and agility benefits in the short term. For example, some organizations set up their first external private clouds at their current hosting providers with dedicated hardware in a locked cage using an existing dedicated network link. This approach may cost a bit more, but you can start with this conservative security approach and still prove out aspects of your cloud operating model while building trust and security experience over time at a comfortable pace.

More Stories By Derick Townsend

Derick Townsend, VP of Product Marketing for ServiceMesh, has nearly 20 years of marketing experience across a wide range of high tech products and services. Prior to ServiceMesh, Derick led marketing for enterprise software startups including iTKO (acquired by CA) and Webify (acquired by IBM). While at IBM, he was responsible for Business Process Management marketing and messaging across IBM’s Software Group. He also held key sales, marketing, and technical roles in other companies including United Technologies, Sterling Information Group, Momentum SI, and HotLink Incorporated which he also co-founded. Derick holds an MBA from the University of Texas at Austin and an engineering degree from the University of Arizona.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
"We're focused on how to get some of the attributes that you would expect from an Amazon, Azure, Google, and doing that on-prem. We believe today that you can actually get those types of things done with certain architectures available in the market today," explained Steve Conner, VP of Sales at Cloudistics, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
It is of utmost importance for the future success of WebRTC to ensure that interoperability is operational between web browsers and any WebRTC-compliant client. To be guaranteed as operational and effective, interoperability must be tested extensively by establishing WebRTC data and media connections between different web browsers running on different devices and operating systems. In his session at WebRTC Summit at @ThingsExpo, Dr. Alex Gouaillard, CEO and Founder of CoSMo Software, presented ...
Enterprises are adopting Kubernetes to accelerate the development and the delivery of cloud-native applications. However, sharing a Kubernetes cluster between members of the same team can be challenging. And, sharing clusters across multiple teams is even harder. Kubernetes offers several constructs to help implement segmentation and isolation. However, these primitives can be complex to understand and apply. As a result, it’s becoming common for enterprises to end up with several clusters. Thi...
"There's plenty of bandwidth out there but it's never in the right place. So what Cedexis does is uses data to work out the best pathways to get data from the origin to the person who wants to get it," explained Simon Jones, Evangelist and Head of Marketing at Cedexis, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, introduced two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a multip...
"We work around really protecting the confidentiality of information, and by doing so we've developed implementations of encryption through a patented process that is known as superencipherment," explained Richard Blech, CEO of Secure Channels Inc., in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
High-velocity engineering teams are applying not only continuous delivery processes, but also lessons in experimentation from established leaders like Amazon, Netflix, and Facebook. These companies have made experimentation a foundation for their release processes, allowing them to try out major feature releases and redesigns within smaller groups before making them broadly available. In his session at 21st Cloud Expo, Brian Lucas, Senior Staff Engineer at Optimizely, discussed how by using ne...
The question before companies today is not whether to become intelligent, it’s a question of how and how fast. The key is to adopt and deploy an intelligent application strategy while simultaneously preparing to scale that intelligence. In her session at 21st Cloud Expo, Sangeeta Chakraborty, Chief Customer Officer at Ayasdi, provided a tactical framework to become a truly intelligent enterprise, including how to identify the right applications for AI, how to build a Center of Excellence to oper...
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
In his session at 21st Cloud Expo, James Henry, Co-CEO/CTO of Calgary Scientific Inc., introduced you to the challenges, solutions and benefits of training AI systems to solve visual problems with an emphasis on improving AIs with continuous training in the field. He explored applications in several industries and discussed technologies that allow the deployment of advanced visualization solutions to the cloud.
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
"We're developing a software that is based on the cloud environment and we are providing those services to corporations and the general public," explained Seungmin Kim, CEO/CTO of SM Systems Inc., in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Enterprises are moving to the cloud faster than most of us in security expected. CIOs are going from 0 to 100 in cloud adoption and leaving security teams in the dust. Once cloud is part of an enterprise stack, it’s unclear who has responsibility for the protection of applications, services, and data. When cloud breaches occur, whether active compromise or a publicly accessible database, the blame must fall on both service providers and users. In his session at 21st Cloud Expo, Ben Johnson, C...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
"Infoblox does DNS, DHCP and IP address management for not only enterprise networks but cloud networks as well. Customers are looking for a single platform that can extend not only in their private enterprise environment but private cloud, public cloud, tracking all the IP space and everything that is going on in that environment," explained Steve Salo, Principal Systems Engineer at Infoblox, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventio...
Agile has finally jumped the technology shark, expanding outside the software world. Enterprises are now increasingly adopting Agile practices across their organizations in order to successfully navigate the disruptive waters that threaten to drown them. In our quest for establishing change as a core competency in our organizations, this business-centric notion of Agile is an essential component of Agile Digital Transformation. In the years since the publication of the Agile Manifesto, the conn...
"Codigm is based on the cloud and we are here to explore marketing opportunities in America. Our mission is to make an ecosystem of the SW environment that anyone can understand, learn, teach, and develop the SW on the cloud," explained Sung Tae Ryu, CEO of Codigm, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.