The cloud revolution and virtualization introduced a fundamental paradigm shift in IT, and with the protection targets changing, security now needs to evolve, says Steve Riley, research director at analyst firm Gartner.
With SaaS [software as a service] and PaaS [platform as a service], for instance, organizations are trying to protect data that is hosted on systems they no longer own with technology that has traditionally been constructed around the notion of protecting physical systems they do own, he points out.
"The server infrastructure itself has changed and necessitates a fresh approach to the problems of securing cloud-based infrastructure," he says in an interview with Information Security Media Group.
"Servers are no longer something that you tend with great care and put your arms around. A server in the IaaS [infrastructure as a service] cloud today is just a line of script - in the case of AWS [Amazon Web Services] it's 'EC2 run-instance.'"
The security mindset must change from thinking about servers as boxes to thinking about infrastructure as code and how an organization today needs to build skills around that, Riley says (Also see: Cloud Security's Next Evolution?).
"Servers in the cloud are just disposable horsepower, and resources in the cloud come from 'build scripts' now," he explains. In this new paradigm, getting a new server is as simple as running the build script for it. "You pull the up-to-date image from the cloud provider, run it, install and update apps, integrate into the delivery environment and put it into production," Riley says.
A New Focus
Therefore, infrastructure and operations staff need to move away from a focus on patches, updates and babysitting boxes, and toward learning to script in languages such as PowerShell or Python that fit this new environment, he advises.
"Whether it's IaaS, PaaS or SaaS, get your access management strategy right," he says. "Look at RBAC [role-based access-control methods]. Ensure that the principle of least privilege is used, and that the root account isn't used for everything." (See: 'Security is a Demanding Journey')
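The two checks Riley asks for, least-privilege RBAC and keeping the root account out of routine work, are easy to make concrete against AWS. The script below is an added example, not code from the interview or from Gartner. It lints IAM policy statements for wildcard actions and resources and scans CloudTrail records for API calls made as the root account. The policy and the CloudTrail events are constructed sample data; the field names it relies on (`Statement`, `Effect`, `Action`, `Resource` in IAM policy JSON, `Records`, `eventName`, `eventTime` and `userIdentity.type` in CloudTrail) are the real ones, but the account number, bucket name and timestamps are made up.

```python
"""Least-privilege checks for AWS IAM and CloudTrail (added example).

1. find_overbroad_statements(): flag Allow statements whose Action or
   Resource is a wildcard, the usual way RBAC drifts away from least privilege.
2. find_root_usage(): flag CloudTrail events made as the account root user,
   which should be reserved for the handful of tasks that require it.
All sample data below is constructed for illustration.
"""
import json

# Constructed example policy: one statement that is far too broad,
# one correctly scoped, one with a service-wide wildcard.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "Scoped", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "ServiceWildcard", "Effect": "Allow",
         "Action": ["ec2:*"], "Resource": "*"},
    ],
}

# Constructed CloudTrail log file: a 'Records' list, as CloudTrail delivers it.
SAMPLE_CLOUDTRAIL_FILE = json.dumps({"Records": [
    {"eventTime": "2016-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventTime": "2016-05-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2016-05-01T10:07:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"}},
    {"eventTime": "2016-05-01T11:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
]})


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (Sid, reason) for each Allow statement broader than least privilege."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only restrict; not the concern here
        sid = stmt.get("Sid", "statement[%d]" % i)
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        reasons = []
        if "*" in actions:
            reasons.append("Action '*' grants every API call")
        else:
            service_wide = [a for a in actions if a.endswith(":*")]
            if service_wide:
                reasons.append("service-wide wildcard " + ", ".join(service_wide))
        if "*" in resources:
            reasons.append("Resource '*' applies to every resource")
        if reasons:
            findings.append((sid, "; ".join(reasons)))
    return findings


def load_cloudtrail_records(text):
    """CloudTrail log files are JSON objects with a top-level 'Records' list."""
    return json.loads(text).get("Records", [])


def find_root_usage(records):
    """Return (eventTime, eventName) for every call made as the root account."""
    return [(ev.get("eventTime"), ev.get("eventName"))
            for ev in records
            if ev.get("userIdentity", {}).get("type") == "Root"]


if __name__ == "__main__":
    for sid, reason in find_overbroad_statements(SAMPLE_POLICY):
        print("over-broad statement %s: %s" % (sid, reason))
    for when, name in find_root_usage(load_cloudtrail_records(SAMPLE_CLOUDTRAIL_FILE)):
        print("root account used at %s for %s" % (when, name))
```

Run against a real account you would feed it the output of `aws iam get-policy-version` and the gzipped CloudTrail objects from the log bucket instead of the embedded samples; any hit from `find_root_usage` outside a documented break-glass window is worth an alert, and every `Resource: "*"` finding should be narrowed to an ARN or a tag condition.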
Riley says that many cloud providers are now providing key management capabilities that are maturing fast and might be worth looking into.
In this interview, Riley also discusses:
- The shared security responsibility model in the cloud;
- The rise and relevance of DevSecOps;
- The impact of cloud providers offering add-on security services.
At Gartner, Riley is a research director covering various aspects of cloud security. He tracks the security and compliance capabilities of public cloud providers, researches how to design and deploy secure workloads in public clouds, and monitors the threat and vulnerability landscape present in public cloud services. His areas of research include software-defined security and the integration of security into DevOps aka DevSecOps.