RSA 2016: There Is No Cloud Security Stack Yet
Here at The New Stack, we’ve been reporting on how containers enable a “baked-in” approach to security. they give developers greater opportunity than before to fuse security practices into their code. But during a summit session of the Cloud Security Alliance Monday morning at the RSA 2016 security conference in San Francisco, we heard the first legitimate argument about the downside of such an approach.
Mark Nunnikhoven is vice president of cloud research at security provider Trend Micro, which is a provider of firewalls and access control systems for cloud-based systems, including when enterprises are hosting multiple SaaS applications on public cloud providers. In Nunnikhoven’s line of work, customer organizations have a habit of subscribing to SaaS apps on an ad hoc basis. But more and more, some of these customers are adopting containerization, and building more of their applications in-house.
And that’s the problem: Container-based apps are being spun up very quickly. Even when they so enable best security practices, such as traffic monitoring and data access control, Nunnikhoven said they tend to do so in different ways.
Too Many Checkpoints, Too Little Checking
“Let’s say this is your organization,” he told a packed audience of about 1,500, many of them information security professionals. He had made a chart of the familiar various cloud classes.
“Your security team is at the bottom. And across the middle, you’ve got Infrastructure-as-a-Service. You’ve got virtual machine instances running in the cloud somewhere. You also have Platform-as-a-Service, maybe an ERP system out there, something along those lines where you’ve done a lot of custom business logic development on top of that platform. Then you have a couple of SaaS platforms that you’re using as well, so maybe something for collaboration and a couple for file services.
“Ideally, you would have security controls for each of these,” the Trend Micro vice president continued. “Unfortunately, they tend to be unique security controls, so it’s not like you have one security platform or product that you’re using to protect all of these. And unfortunately, it is very rare that you have one type of [service] delivery.
“So you end up with almost a one-to-one ratio for cloud services, and a security tool to defend that cloud service,” Nunnikhoven said.
That seems simple enough until you realize that SaaS accounts are numbering in the hundreds. Plus, apparently rather than orchestrating multiple container-based applications in a single scheduler like Mesosphere, organizations are evidently continuing to float container environments inside of conventional VMs. That makes them co-exist more easily with classic, or “legacy,” server applications, but it makes life harder for the security engineer who has to manage separate controls for each one.
In the security world, a control is a specific technical security measure or safeguard that can be automated, but might not necessarily be. Think of it like a pipeline in a Jenkins CI/CD system. It may make sense to customize the development process of a specific application. But once it’s in production, its relative state of security often depends on how well it interoperates with other applications. So keeping these one-to-one ratios doesn’t do anyone any good.
“This is the reality that we have built,” said Nunnikhoven. “When you talk to a particular vendor — and I’ve worked for vendors who were guilty of this as well — they will frame the problem very narrowly around what they have designed the solution to solve. It makes sense: I have a problem with Office 365; I need a solution there. I have a problem with Google Docs; I need a solution there. Salesforce, solution there,” Nunnikhoven said.
“The challenge I have as an organization that is using cloud services, is I have that problem multiplied by lots,” he added. “We have lots of services in use; I am spinning up individual controls for almost every single one of these services. That is not a good thing; it’s not sustainable.”
Too Many Controls, Not Enough Control
Last July, The Cloud Security Alliance (CSA) set about to resolve this issue through the creation of an open source security API that could apply to most any application: the Cloud Security Open API. The goal of the architecture is to replace, and eventually eliminate, gatekeeper-style controls that security teams end up bolting onto applications — gatekeepers that rely upon synchronous processes that make these apps non-scalable.
“The Cloud Security Open APIs provide a layer of abstraction via which cloud users and third party technology providers can access and integrate with the core functions of cloud services,” stated the CSA’s announcement for the API, issued last July. “This common layer of abstraction across clouds allows end-user organizations the ability to exercise standard integrations with ease, eliminating the need for costly one-off custom development efforts. Ultimately, this will accelerate the pace of cloud adoption and innovation.”
Nunnikhoven described the effort as “a working group within the CSA that is trying to establish a standard for services to adopt, to allow security tools to connect to these services. So if you have a collaboration service that you’re using and it supports the open standard… and you have a security tool that supports the same API, then they can talk to each other. It’s trying to short-circuit this challenge we have today, of a security control or product that is customized to a specific service, and has to keep up with the paces on that service.”
Organizations desperately need to centralize their monitoring, performance management, and risk management services, Nunnikhoven noted. He describes centralization of everything as the toughest technical challenge facing his customer organizations today. “You need to know what’s going on,” he said. “And that’s where a lot of companies drop the ball.”
Once that ball is dropped, these companies tend to use the sheer number of non-interoperable applications among their various cloud environments as an excuse not to evolve their security postures.
“Whether you know it or not – that’s a really scary phrase — this is what’s happening in almost every organization I visit today,” the Trend Micro VP said. “If you’re on top of it, your best-case scenario is, you have multiple controls that address each of these services. From a security team perspective, that’s a nightmare.
“You’ve got a huge operational burden, [and] you’ve got a massive challenge in time and resources to try to address this. And I have yet to meet a security team that was happy with the level of resources and the number of team members on that team. They’re struggling to keep up, because of the rapid pace of change, not only in the applications they’re trying to defend, but the threat landscape.”
Feature image from Scott M. Fulton III.