Before delving into the world of cloud security we'd like to remind you of a little basic physics. Today's lesson is on velocity vs. acceleration. Velocity is how fast you are going, and acceleration is how fast velocity increases. They affect our perceptions differently. No one thinks much of driving at 60mph. Ride a motorcycle at 60mph, or plunge down a ski slope at 50mph (not that uncommon), and you get a thrill.
But accelerate from 0mph to 60mph in 2.7 seconds in a sports car (yep, they do that), and you might need new underwear. That's pretty much the cloud security situation right now.
Cloud computing is, still, the most disruptive force hitting all corners of IT, including security. It has pretty well become a force of nature at this point, and we still haven't hit the peak. Don't believe us? That's cool—not believing in that truck barreling towards you is always a good way to ensure you make it into work tomorrow morning.
(Please don't try that—we don't want your family to sue us).
The most surprising cloud security phenomena are how widespread cloud computing has spread, and the increasing involvement of security teams... sort of. Last year we mentioned seeing ever more large organizations dipping their toes into cloud computing, and this year it's hard to find any large organization without some active cloud projects. Including some with regulated data.
Companies that told us they wouldn't use public cloud computing a year or two ago are now running multiple active projects. Not unapproved shadow IT, but honest-to-goodness sanctioned projects. Every one of these cloud consumers also tells us they are planning to move more and more to the cloud over time.
Typically these start as well-defined projects rather than move-everything initiatives. A bunch we are seeing involve either data analysis (where the cloud is perfect for bursty workloads) or new consumer-facing web projects. We call these "cloud native" projects because once the customer digs in, they design the architectures with the cloud in mind.
We also see some demand to move existing systems to the cloud, but frequently those are projects where the architecture isn't going to change, so the customer won't gain the full agility, resiliency, and economic benefits of cloud computing. We call these "cloud tourists" and consider these projects ripe for failure because all they typically end up doing is virtualizing already paid-for hardware, adding the complexity of remote management, and increasing operational costs to manage the cloud environment on top of still managing just as many servers and apps.
Not that we don't like tourists. They spend a lot of money.
One big surprise is that we are seeing security teams engaging more deeply, quickly, and positively than in past years, when they sat still and watched the cloud rush past. There is definitely a skills gap, but we meet many more security pros who are quickly coming up to speed on cloud computing. The profession is moving past denial and anger, through bargaining (for budget, of course), deep into acceptance and...DevOps.
Perhaps we pushed that analogy. But the upshot is that this year we feel comfortable saying cloud security is becoming part of mainstream security. It's the early edge, but the age of denial and willful ignorance is coming to a close.
Wherever You Go, There You Aren't
Okay, you get it, the cloud is happening, security is engaging, and now it's time for some good standards and checklists for us to keep the auditors happy and get those controls in place.
Wait, containers, what? Where did everybody go?
Not only is cloud adoption accelerating, but so is cloud technology. Encryption in the cloud too complex? That's okay—Amazon just launched a simple and cheap key management service, fully integrated through their services. Nailed down your virtual server controls for VMWare? How well do those work with Docker? Okay, with which networking stack you picked for your Docker on AWS deployment, that uses a different management structure than your Docker on VMWare deployment.
Your security vendor finally offers their product as a virtual appliance? Great! How does it work in Microsoft Azure, now that you have moved to a PaaS model where you don't control network flow? You finally got CloudTrail data into your SIEM? Nice job, but your primary competitor now offers live alerts on streaming API data via Lambda. Got those Chef and Puppet security templates set? Darn, the dev team switched everything to custom images and rollouts via autoscaling groups.
None of that make sense? Too bad—those are all real issues from real organizations.
Everything is changing so quickly that even vendors trying to keep up are constantly dancing to fit new deployment and operations models. We are past the worst cloudwashing days, but we will still see companies on the floor struggling to talk about new technologies (especially containers); how they offer value over capabilities Amazon, Microsoft, and other major providers have added to their services, and why their products are still necessary with new architectural models.
The good news is that not everything lives on the bleeding edge. The bad news is that this rate of change won't let up any time soon, and the bleeding edge seems to become early mainstream more quickly than it used to.
This theme is more about what you won't see than what you will. SIEM vendors won't be talking much about how they compete with a cloud-based ELK stack, encryption vendors will struggle to differentiate from Amazon's Key Management Service, AV vendors sure won't be talking about immutable servers, and network security vendors won't really talk about the security value of their product in a properly designed cloud architecture.
On the upside not everyone lives on the leading edge. But if you attend the cloud security sessions, or talk to people actively engaged in cloud projects, you will likely see some really interesting, practical ways of managing security for cloud computing that don't rely on 'traditional' approaches.
Bump in the Cloud
Last year we included a section on emerging SaaS security tools, and boy has that market taken off. We call them Cloud Security Gateways and Gartner calls them Cloud Access and Security Brokers (hint, you only get to have 3-letter acronyms for product categories, even if you're Gartner, or a kitten dies).
There are at least a dozen vendors on the market now, and on the surface most of them look exactly the same. That's because the market has a reasonably clear set of requirements, and there are only so many ways to message that target. You want products to find out what cloud stuff you are using, monitor the stuff you approve, block the stuff you don't, and add security when your cloud provider doesn't meet your needs.
There actually is a fair amount of differentiation between these products, but it is hard to see from the surface. Most if not all of these folks will be on the show floor, and if you manage security for a mid-size or large organization, they are worth a look. But, as always, have an idea of what you need before you go in. Discovery is table stakes for this market, but there are many possible directions to take after that. From DLP, to security analysis and alerts (such as detecting account takeovers), all the way up to encryption and tokenization (often a messy approach, but also likely your only option if you do not trust your cloud provider).
One key question to ask is whether they integrate with cloud provider APIs (when available), and which. The alternative is to proxy all your traffic to the cloud, which is a really crappy way to solve the problem—but often the only option. Fortunately some cloud providers offer robust APIs that reduce or eliminate the need for a CSG (see what I did there?) to sniff the connection. If they say 'yes' then ask for specific examples.
You might see some other vendors pushing their abilities to kinda-sorta do the same thing as a CSG. Odds are you won't be happy with their kludges, so if this is on your list, stick with folks whose houses are on the line if the product doesn't actually work.
Calling Mr. Tufte
One thing you won't see any shortage of is the same damn charts from every damn SIEM and analytics vendor. Seriously—we have been briefed by pretty much all of them, and they all look the same. Down to the color palette.
The upside is that they now include cloud data. Mostly just Amazon CloudTrail, because no other IaaS platform offers management plane data yet (rumor has it Microsoft is coming soon).
We understand there are only so many ways to visualize this data, but the vendors also seem to be struggling to explain how their cloud data and analytics are superior to competitors'. Pretty charts are great, but you look at these things to find actionable information—probably not because you enjoy staring at traffic graphs. Especially now that Amazon allows you to directly set security alerts and review activity in their own consoles.
Cloud Taylor Swift
You have probably noticed that we tend to focus on Amazon Web Services. That isn't bias—simply a reflection of Amazon's significant market dominance. After AWS we see a lot of Microsoft Azure, and then a steep dropoff after that.
The interesting trend is that we see much less demand for information on other providers. Demand has declined from previous years.
So don't be surprised if vendors and sessions skew the same. Amazon really does have a big lead on everyone else, and only Microsoft (and maybe Google) is in the ballpark. That will show through in sessions and on the show floor.
DevOps, Automation, Blah, Blah, Blah
We hate to dump our favorite topics into a side note at the bottom of this section, but we already went long, and are covering those topics... in pretty much every other section of this Guide. DevOps and automation are as disruptive to process as cloud is to infrastructure and architecture.
If you are interested, check out our speaking schedule. Rich is leading off the Cloud and Virtualization track with Chris Hoff Tuesday, and the entire Securosis team is delivering a Learning Lab on Pragmatic SecDevOps Wednesday at 10:20am (bring a laptop—this one is hands-on). We also recommend the pre-conference events by Cloud Security Alliance and DevOps.com if you are in San Francisco Monday.
It's the future of our profession, folks—there is no shortage of things to talk about. Which you probably figured out 500 words ago, about when you stopped reading this drivel.
Check out other posts in the series: Introduction
Theme posts: Change; Internet of Things; Professionalism; Compliance; Big Data; Bonk; DevOps
Coverage Area Deep Dives: Overview; Endpoint Security; Network Security; IAM; Cloud Security; Data Security; Security Management;
Download your copy of RSAC-G