Cloud Governance: Don’t bring a knife to a gun fight
This cloud governance article is written for executives, directors, managers, auditors and others who are being forced to understand cloud services because their company has engaged cloud services but expects everyone “just gets it” because it’s more of the same, just different. It isn’t. It isn’t even remotely close to what you are used to working with today. I’m writing this article based on feedback I received from a student whose boss was quite upset that his CCSK teacher (that would be me) said they weren’t going to get access to a datacenter in order to “pull a power plug to test failover”. If this boss of a NYSE traded firm that’s been operating in AWS for years didn’t quite understand this critical concept of cloud, I figured others could benefit by covering some critical concepts of cloud computing.
5 General Cloud Concepts
1: You are 1 of over a million clients. Everything the Cloud Service Provider (CSP) does is based on scalability. Because of this?
2: Your company is not special. You are not getting physical access to CSP datacenters and you’re reliant on non-negotiated contracts in a split responsibility model. Because of this?
3: Governance, Risk Management and Compliance will change. This is because?
4: The Infrastructure as a Service (e.g. AWS, Microsoft Azure, Google Cloud) environment your company built up is 100% virtual as far as you are concerned. You simply cannot take what you did in the past and use it in cloud. (p.s. even if you could, you wouldn’t want to). Your architectural options are unlike anything you’ve ever had access to before. Because of this?
5: Development, Operations, Security, Incident Response, Forensics, etc. will change.
Now here you are trying to figure this all out. I have some great news to start off with. All of this has to do with the virtual infrastructure and has nothing to do with the applications and the data they store. If you are moving an application out to the cloud and are worried about SOX compliance surrounding the application, nothing changes regarding application security for a migrated application, so there’s a quick win. Also, the Operating Systems aren’t new and your capability in this area remains, so there’s another quick win.
Now, let’s get to that whole bringing a knife to a gunfight discussion. To do this, I’m going to discuss some ways cloud changes the information technology we are accustomed to.
A Disaster Recovery Example – Virtual is not Physical
As mentioned, everything your company does in a cloud environment is virtual. It is a virtual infrastructure built in someone else’s physical infrastructure (again, an infrastructure you are not getting access to). As a result, your tools and processes need to be virtual, not physical.
Since this concept of this article started with a misunderstanding of Disaster Recovery testing, I’m going to start with the alternative to pulling the plug to test failover. It’s called Chaos Engineering and it’s practised in a cloud environment by companies such as Netflix. In a nutshell, you pull a virtual plug to test resiliency. Be warned though, chances are very high that your company culture has to change in order to properly embrace 24/7 Chaos Engineering like Netflix.
The site www.principlesofchaos.org details some main principles of chaos engineering. The Netflix Simian Army blog discusses how Netflix uses chaos engineering to “pull the virtual plug” on server instances, even availability zones to test resiliency (located at: https://medium.com/netflix-techblog/the-netflix-simian-army-16e57fbab116).
Server Maintenance – Everything You Knew Has Changed
From a server perspective, servers are virtual instances that are built from images. Images can be created by your company and be used to rebuild instances as needed. When is a rebuild needed? How about when a patch is released? Patch the image and then replace the running instance with the newly patched image. This is what the Cloud Security Alliance calls an “Immutable Infrastructure” and it is common in a mature cloud environment. It can also be used to dramatically increase the security of your server instances. I refer to this as the “Vegas model” where casinos constantly rotate their staff to ensure there is no inside collusion. Think about what we already know of how attackers operate. They breach a server, install backdoors and then perform their reconnaissance and future breaches. When using an immutable approach, the initial attack vector is likely shut down by a patch and any backdoor is eliminated. From an audit perspective, In this model, no changes are ever done on the running instance, so remote administration can (and should) be removed. We can now assess images themselves and not the running instances in production anymore.
Infrastructure – That Too Has Changed
Talking about immutable infrastructure, we should also cover infrastructure as code. Same principle here applies in that nobody actually modifies the virtual infrastructure itself, rather they update code and execute that code to change the environment. This can lead to very tight control over any changes. In fact, we can make it so any deviations from what is expected can be automatically rolled back. Did someone change a firewall ruleset? You have virtual tools at your disposal to change it back automatically.
Finally, how about removing network paths by leveraging vendor services? By leveraging CSP services you can literally remove the ability for an attacker to jump from one server to another because there’s a CSP service in between two instances or the cloud environment and your data center.
You are now dealing with a cyber supply chain that depends on contracts and SLAs and a pay-as-you-go billing model that has the potential of significant spend on wasted resources. You may also be dealing with 4th parties that also need to undergo risk assessments to maintain compliance. I have seen too many cloud deployments that have been pet projects of the IT department and have little governance in place. Simply put, this is a disaster in the making. There are plenty of examples of companies being surprised by having millions of records leaked on the internet due to the most basic security principles being missed (more on this in the next section).
A brand new underlying virtual environment that is likely to be underestimated by IT staff (it’s just a server and I’ve been using VMWare for years is the common misconception) and will likely lead to suboptimal security measures in place. I mean who wants to be bored with basics, right? Want to challenge this? How many S3 buckets have been ‘compromised’ by IT staff setting permissions as public having read permissions? How many millions of records again? I stopped counting at a quarter billion myself. It’s not rocket science, but it is indicative of a lack of governance and lack of time to do things properly. Don’t think this is something that wouldn’t happen to you. There are some leading technology firms that have been caught cheating like this.
Cloud is completely foreign to all other groups outside of the direct cloud team (e.g. Audit, Risk Management, Incident Response, etc). They simply have no understanding of the changes associated with cloud and what they need to work in this virtual infrastructure. There are three types of training that will be required for your staff.
General Cloud Security Training
Offerings such as the CCSK by the Cloud Security Alliance and the CCSP by the ISC2. This should be attended by everyone who is involved in IT, ranging from leadership through legal, procurement, risk management, audit, information security, incident response, development and operations teams.
Platform Specific Training
All technical staff should have access to platform specific technical training such as the AWS Architect certification training.
Any tools that will be leveraged by your organization should have training arranged with the particular vendor for operational staff.
Access control and authentication being split across two environments (one of which is not in your control). Simply stated, if your company uses any cloud service (especially Software as a Service) and you’re not using federation to maintain authentication you have lost control of the most basic principle of security despite what anyone says otherwise. There are numerous options available to you on this front ranging from Active Directory Federation Services (ADFS) that can be installed on a domain controller to outsourcing this potential headache to a Security as a Service provider such as OKTA, Ping or a number of other providers.
In conclusion, there are so many new possibilities in a cloud environment that we never had access to in a traditional environment. You’re looking at a brand-new world that will require new governance to steer your company correctly, a retooling (training) of your staff across all areas of IT to drive the new processes that will take advantage of the new technology at your disposal. Two industry leading training offerings surrounding cloud security are the Cloud Security Alliance’s CCSK training and the ISC2 CCSP offerings. Yes, we offer them both and are damn good at doing it.