Amazon's, Google's and Microsoft’s experiences with building massive infrastructures for the world allows for some fascinating insights into the future of IT security at scale. As a result, when Google published The CISO’s Guide to Cloud Security Transformation earlier this year, I was curious about what priorities they saw in cloud security. It’s a short read, and it's well worth the time invested in downloading a copy.
I want to share my observations on some of the most interesting points that align with my own experiences and thinking.
Cultures of Security
The six core “cultures” are categorized to succinctly capture several important perspectives on security: Security by Default, Responsibility, Awareness, Inevitability, Review and Sustainability. In the mode of traditional security thinking, concepts such as responsibility, awareness and review are very well-known and understood, but the idea of Security by Default and Inevitability offer an almost nihilistic view that too few in the sector have embraced.
The idea that you have to act with security in mind all the time yet still expect it to fail sometimes is something that requires acknowledgment in the same way we approach health and safety in the “real world.” For instance, we build mechanisms to provide safety at all times whilst still including additional methods of reducing the negative effects when something does go wrong. As a more concrete example, we have long accepted the idea that we should have fire-resistant and fire-retardant materials in our homes and offices, but that doesn’t mean we forgo having fire extinguishers and escape plans as additional precautions to reduce the damage in the event that the protections fail to prevent every fire.
On the subject of scale, the concept of reduced surface area versus the massive scale of online operations also shows how it’s important to reevaluate some traditional processes. For too long, we have taken an approach to IT security that depends on maintaining small, manageable infrastructures that simply don’t reflect the level of demand on today’s IT systems. As we have outgrown these “single server” solutions, in many cases our methods for managing and securing the new infrastructure sprawl has not proportionally scaled-up, with poorly matched manual methods taking up lots of human resources and thus proving inadequate to protect these larger infrastructures regardless of whether they are on-premises or cloud-based. The shift to an always-secure cloud that's constantly updated by the vendor with security features enabled by default thus makes a great deal of sense, especially when trying to reflect a world with not just massive variations between the scale of deployed server infrastructure but also a diverse variety of threats operating against small-, medium-, and enterprise-sized businesses.
As a result of the challenges posed by scale, the idea of deploying and managing infrastructure as code makes a lot more sense, too. Adopting decades of refinements of smart approaches to testing, compartmentalizing components and other methodologies that have made software development more robust than ever before becomes a logical way of managing infrastructure. When this approach for deploying infrastructure becomes the norm, so too can the idea of baking security into every deployment activity. With a solid model in place, getting security in early ensures not just a “security by default” stance but also improved recognition and acceptance of security from the start.
Roles and Responsibilities
Finally, the idea of further refining the roles of security in the cloud is one that should be seriously explored. From Policy and Risk Management to Security Assurance, it’s important to recognize that cloud infrastructure can bring about a number of significant changes to the roles of those involved with security, which in turn requires additional time investments within organizations.
Going beyond the security specific roles, security within application and infrastructure engineering interfaces also need to be adjusted when adopting or expanding in the cloud. As such, it’s heartening to see the Google whitepaper stressing the importance of education to ensure everyone can play a part, thus further strengthening the commitment to enable people to work with security by default.
There’s more security insights in the whitepaper than I’ve covered here, including some useful remarks around designing your security operating model. Together, these insights make it a valuable piece of reading. For me, I will be keeping an eye out for the six “cultures” in the coming weeks, months and years ahead.