Securing services in an ephemeral world


29 May 2016

How do you secure something that could be here today and gone tomorrow? This was one of the posers highlighted in the Cloud Security Alliance’s Annual State of Cloud Security Report, where large cloud customers are polled for their views on the cloud and the problems that they were facing.

The cloud is changing the very nature of information security, said Daniele Catteddu, chief technology officer of Cloud Security Alliance (CSA), as he shared some of the findings during a recent CloudAsia event in Singapore.

“We used to think of servers in a pretty static way, in terms of boxes, and we were able to make reasonable assumptions that if we took certain measures, they would be secure. But now we are starting to think in terms of modular services,” he said. “Some of these micro services are spun up and after one cycle, they are no longer there. But no matter how long or short the lifetime of the service is, we need to be in control of what the service is doing and what kind of data that service is taking care of.”

This is not easy to do, and it is why there is a need for a new approach for security, one that is similar to DevOps for development services, said Mr Catteddu. The DevOps movement emphasises communication, collaboration and integration between software developers and IT operations to improve agility in IT service delivery. DevSecOps adds security into the process.

Automating security

Unlike other conventional software lifecycles that typically run from six months to a year, DevSecOps borrows from Scrum, Agile, and other rapid development lifecycle methodologies that allow development teams to respond faster to changes, said Ryan Flores, senior manager, Forward-Looking Threat Research, Trend Micro, Asia Pacific.

In a white paper on DevSecOps published by the SANS Institute, author Dave Shackleford, founder and principal consultant with Voodoo Security, noted that DevSecOps originally focused primarily on automating code security and testing, but now also encompasses more operations-centric controls. “Security can benefit from automation by incorporating logging and event monitoring, configuration and patch management, user and privilege management, and vulnerability assessment into DevOps processes,” he wrote.

Through a programmable infrastructure, DevSecOps enables security to be weaved directly into the fabric of cloud workloads, which paves the way for a more dynamic approach to security using automation and behaviour modification, said Flores. This is prompting cybersecurity organisations such as Trend Micro to look into building automated response scenarios to increase resiliency against attacks, said Flores.

“Automation in the cloud environment is extremely important as cloud grows rapidly and changes quickly,” he added. With AWS Cloud for example, security professionals can leverage features such as Amazon SNS (Simple Notification Service), AWS Lambda (which runs code in response to events and automatically manages the underlying compute resources), and Auto Scaling to build automated response scenarios, which can be the beginning of creating self-healing workloads.

This helps address the issue of availability, which was one of three areas of information security highlighted by Flores. As he put it, “Security works to ensure that only the people you want (confidentiality) get the correct data (integrity) when they need it (availability).”

Taking steps towards agile security

Outlining some of the key steps towards DevSecOps, Shackleford said one of the first things to do is to assess current security controls for cloud. When planning for DevSecOps, security teams need to perform threat modelling and risk assessment for the deployment types that they envision.

The second step would be to “Insert “Sec” into DevOps” by focusing on key areas which could be adapted to support a DevSecOps practice. An example would be to incorporate security parameters and metrics into development and test qualifications.

Next would be to integrate DevSecOps into the overall security operations. For example, when suspicious behaviour is detected in a particular instance within the cloud environment, the DevSecOps automation engine quarantines the instance by changing the network allocation to cut off Internet connectivity. The instance is copied to a protected forensic storage node in the cloud where the security and operations team can perform a rollback to a known good state.

Removing the security roadblock

Shackleton noted that moving to the cloud is all about speed of service delivery, flexibility and scalability, and that DevOps is making it possible for development and operations teams to build customised software and business functions far more quickly than before.  However, security teams are still often seen as roadblocks to rapid development or operations implementations.

“If organisations are not going to let information security slow down the business, then information security needs to find a way to embed security controls and monitoring into the deployment cycle,” he said.

This would mean companies should take an entirely different approach to cloud security, said Flores. “DevSecOps, with its malleable nature and advanced thinking in terms of building security in the code, will enable them to respond to any security events in a cloud environment quickly and responsibly.”