Architecting a secure and compliant cloud that doesn’t hinder the “ilities” that justify return on investment is one of the key challenges for InfoSec specialists, developers, and cloud architects. The primary cloud “ilities” are securability, reliability, availability, scalability, recoverability, usability, extensibility, and interoperability. The sum of these drive agility for the organization.
Security and usability are typically at tension with each other. A slider bar control visualizes that tension with one end being security and the other end usability.
In a case where security controls are considered post development, architects, developers, and product managers slide the bar to the right. That’s often because security organizations don’t define requirements in advance, and due to a lack of integration patterns and tools/services for authentication, authorization, audit, and encryption.
Some security organization may not provide the right “hooks” for applications to leverage, such as pre-built services application program interfaces that are based on proper security standards. Examples include Security Assertion Markup Language, Open Authorization, and OpenID Connect.
In addition, organizations that are moving to the cloud need to establish application design patterns like they normally do for on-prem, and should establish certain centralized services that their applications will leverage. System and applications developers should not be left on their own to figure it out.
When these things don’t happen, organizations build a system that is easy to use (and arguably easier to develop). Then when they are forced to consider security controls post development, they have considerable re-work to retrofit the system to meet the security control requirements.
In addition, when security is not considered—or bolted on at the 11th hour—companies risk the loss of intellectual property and potentially expose their customers personal identifiable information (PII). In addition to these risks, companies face potential fines and reputation losses imposed for data breaches that can quickly exceed the costs of meeting applicable regulatory compliance regulations.
However, those detriments are easily avoided, costs are saved, data is protected, and solutions are better when security is considered upfront and included in all iterative phases of the implementation: plan, build, test, deploy, and operate. “Rarely are you going to be able to make an 11th hour fix that’s going to put the system at a stronger point than if you had taken that requirement into account in the beginning,” said Tom Fleming, Sila cybersecurity practice lead and former chief information security officer for a nationwide retailer. “It’s a lot less expensive organizationally if you just do it right, and constantly injecting security and compliance as you move through design, build and test.”
It should also be understood that everything you would do for security on-premise should remain the same when transitioning to the cloud. While cloud providers like Amazon Web Services and Azure provide a cornucopia of security services and capabilities that architects and developers can leverage, it is incumbent upon for an organization’s security team to set guidelines and provide direction on what cloud security services to employ and how to use them to the most advantage.
The same goes for regulatory compliance mandates. They are an important first step in determining security requirements and can help drive a robust cloud architecture design by defining some security requirements. But they are only initial steps that should lead the security team to determine security measures based on the organization’s mission.
“Just because you’re compliant doesn’t mean you’re secure,” said Fleming. “Regulatory compliance gives you a roadmap of security guidelines that you need to meet. Effective organizations use it to secure budgeting and kick start architecting of its systems to meet security guidelines right from the start,” said Fleming.
Other Ways to Inject Security & Compliance
Additional measures to keep security and compliance at the forefront include: improving the security awareness of the organization by incorporating information security training; creating and practicing an incident response process; and deploying comprehensive security monitoring tools at multiple levels to ensure that system meets compliance regulations.
Clarity is also key. Cloud architecture is more effective when you clearly define your requirements for what’s needed around security and regulatory compliance, and when you provide people with knowledge about translating that policy into a true implementable requirement. That often means creating enterprise-wide patterns for building and implementing so there is consistency at the foundation of every system.
Together, these measures—define security requirements in advance, don’t depend on cloud providers or regulatory mandates to provide all the answers regarding security, and have stakeholders include security in all phases—enable organizations to build a secure cloud and still reap the benefits of all the “ilities”.