These five broadly defined concepts can be a starting point to expand the developer's thinking on cloud security
Since security is, was, and always will be one of the top concerns of developing and deploying your assets in a cloud environment, I'd like to introduce a few conceptual models that can define how you think about cloud security at a high level. Although they might not be classified as "models" in the traditional computer-technology sense, I like to call these approaches "models" because a model is an architecture you use to pass on sets of experience in order to build a custom result; models are not specific instructions nor are they the end result you're seeking. Models don't tell you what to do -- they make you think about what you're doing.
When it comes to cloud security issues, five models stand out from the noise of the volumes of information in the technosphere:
There are probably dozens more, but these five resonate for me. As you move through the numbers, they go from using existing practices in new ways to using new practices and tools; and maybe along the way, capturing what you learn and developing new methods.
Let's take a look at each in depth.
Existing cloud delivery models can be security tools
According to longtime systems architect and engineer Judith Myerson, you can eliminate many of the difficult tasks of building a cloud vulnerability testbed by using the existing PaaS environment structure as a basis for a security testing model.
To do this, Myerson compares the standard PaaS model with a generic security testing model. She explores the interrelationships among the PaaS model's three lifecycle structures, focusing on their security testing attributes:
Using a generic security model, she identifies three types of security issues of concern:
Then she weaves the two models together to create a new seven-part tool from existing parts that consists of the
Bring programming practices to bear on cloud security
DevOps is the method that responds to the interdependence of application and system software development and IT operations by stressing collaboration among the camps of IT professionals -- developers, adminstrations, integrators, and designers. The DevOps concept brings agile-based iterative and incremental application-development techniques to bear on solving security issues mainly by inserting security (that will integrate into the entire system's security profile) in at every step of every development, deployment, and maintenance process. Due to its iterative and incremental nature, DevOps also brings a certain amount of automation to the security process, especially for the simpler tasks.
Bob Aiello and Leslie Sachs show you how to apply DevOps practices to help mitigate the potential pitfalls and risks associated with cloud-based computing. They identify a few key areas where DevOps can help improve security:
Automation is one of the strongest tools you can use in your fight to ensure cloud security. Using the DevOps principles, automation can help you detect unauthorized changes that are the result of human or malicious intent; automated, integrated security knowledge and threshold triggers help you weed out unauthorized access. Automation can also help you deal with incidents by making it easy to rebuild your systems when necessary.
Think of the network as part of your development plan
Some of you may not be old enough to remember when the network was mostly about moving physical parts in switches and routers, then reconfiguring the software for each of your firewalls. But cloud environments require nimble, more dynamic resource allocation; since clouds already have virtualized applications and storage, why not virtualize the network too? Emerging approaches such as software-defined networking (SDN) do just that and provide the platform to allow network virtualization.
Unfortunately, the great advantages of SDN come with a price: A host of software-related security issues to network protection.
Paul Ashley and Chenta Lee have provided a detailed look at how to deploy network security on software-defined networks. They define SDN as:
... a new architectural approach that aims to provide a highly flexible network suitable for today's dynamic environment. Existing networking technology is inherently static and difficult to change because minor network alterations often require substantial reconfiguration across many switches, routers, and firewalls. This process is time-consuming for administrators and inherently error- prone.
Ashley and Lee explain that the traditional way of thinking about network management is that:
With SDN, though, the control and data planes are separate and the control plane is centrally managed across the network equipment within the enterprise (independent of vendor equipment).
This setup makes it simpler and faster to manage the flow of traffic. But what about security?
Ashley and Lee describe an approach (through real-life examples) that explains how to integrate automated, sophisticated user-based and IP reputation–based application control in an SDN; features that
Judith Myerson also has some advice to control the vulnerabilities that SDN can introduce to the cloud. She says to follow these four steps to mitigate SDN risks:
Chenta Lee blogged an entry on using deployment patterns for security services in a software defined environment (SDE) that offers ideas on how to define the composition of your deployment pattern to match the security levels you want in your deployment.
Stop thinking of security, cloud, etc., as separate entities
Security intelligence is the concept that as the IT security landscape grows increasingly complex, threats become more sophisticated, and new technologies emerge, IT security has to get smarter, faster, and more nimble. Smarter means you think ahead of where your attacker is; faster means you match (and exceed) the speed with which you can respond to threats; nimble means you can apply security methods precisely where they are needed in order not to impede the other main objectives of your business -- innovation, sales, and growth.
How does this translate into secure cloud deployment mechanisms? Ravi Muthukrishnan and Sreekanth Iyer show you a working model of how to build security intelligence into cloud and virtualized environments and create proactive threat protection and detection of anomalies. They will explain such security components as:
Explore an environment designed for cloud deployment
IBM Bluemix is an open-standards, cloud-based platform for building, managing, and running apps of all types, such as web, mobile, big data, and smart devices. As such, integrated security is mostly built in. For example, take a look at these services you can engage to help automate your application security needs:
In fact, Carl Osipov shows you how to secure your IBM BlueMix web app with OAuth 2.0 using the IBM ID Single Sign-on Service.
Finally, Chris Brealey will use the Bluemix platform to demonstrate how to build a mobile app that isn't perfect in order to test to see how the Bluemix Mobile Quality Assurance service performs in "fixing" the app's imperfections. (MQA is a cloud-hosted, multi-tenant service designed to collect and present information about the quality of mobile apps.)