Securing The New New Economy Infrastructure

Unlike many new economy players of the late 1990s, notable dotcom brands of today have staying power, not only due to more viable SaaS business models, but also due to their effective use of an increasingly mature set of cloud computing services. The likes of Uber, Airbnb, Dropbox, Netflix, and others have fundamentally changed how we get ourselves, and files, for that matter, from point A to point B and how we view content when we get there. These market leaders have disrupted established markets by not only recognizing that we, the consumer, want to do pretty much everything on our smartphones (including requesting a ride) but also, more importantly, by leveraging the agility of the cloud for continuous innovation and, thus, competitive advantage. It’s the speed of DevOps and the old guard better look out, unless the disrupters themselves get disrupted.

So, what’s the risk? How could these locomotives with massive valuations get derailed? As more assets move to the cloud, it’s arguably one-stop shopping for attackers seeking a treasure trove of data. These new new economy vendors share a stark reality with their more traditional competitors; they too are one breach away from a tarnished brand and a massively expensive incident response engagement. What, then, is so different about securing these environments?

At the end of the day, these cloud-native companies' infrastructures are still all servers and the data they create and access, right? Sure, but the make-up of these environments and the DevOps methodologies employed to manage them are different enough from on-premises data centers that a few things bear noting. Specifically, today’s new new economy data centers are:

  • Linux-centric
DevOps pros may differ on which Linux distribution they prefer--Debian, SUSE, or RHEL--but you won’t see any Windows in a truly cloud-native SaaS application stack. Windows in the cloud is the stuff of cloud-washed apps, which is perfectly appropriate for enterprises transitioning to the cloud, but the vendors we’re talking about have nothing to move; it was all built natively in the cloud and that means on Linux.
  • API-driven
Utilizing APIs to automate and integrate is, of course, core to a software-defined environment. In his recent blog post titled The Highs and Lows of Cybersecurity Integration, my colleague Jon Oltsik notes the inefficiencies and seams between disparate security solutions that can be exploited by an attacker, a result of many enterprises buying nearly one of everything. In a cloud environment, even a 1.0 security offering must have a programmatic interface for integration into automation and continuous tools, not to mention SIEMs and data aggregators where analytics happen.

  • Based on transient resources
Blue-Green deployments, pioneered by Netflix, ease how new configurations, code, and apps are deployed, by bringing up a new fleet of servers to run concurrently with the old until it’s convenient to cut over. Others utilize auto scaling to provision compute resources as needed. In both cases servers are transient - so much for persistence – the come and go blues of the cloud. While a SaaS company can address a compromise via a rollback or refresh, it also means there's a risk of introducing a vulnerability to an entire new fleet of servers in minutes, creating an attractive attack surface area, especially for externally facing servers always subject to port scanning.

 

Despite these differences, what is absolutely the same between public cloud and on-prem infrastructures and deployment models is that good security hygiene starts with configuration management that treats security as just as important as speed. In the on-premises world we talk about gold images and ghosting machines. The cloud corollary includes configuration automation tools such as Chef and Puppet, which serve the same purpose for the software-defined approach. In both cases, immutable security controls including firewall configurations, monitoring tools, and data encryption need to be baked in as part of the gold image.

While established vendors race to close the agility gap by moving some workloads to the cloud and consider private cloud platforms for others, the new new economy vendors who have changed how we travel, purchase goods, and communicate, are already moving at the speed of DevOps and need to be sure speed doesn’t kill.

 
