Welcome!

Related Topics: @CloudExpo, Java IoT, Linux Containers, Containers Expo Blog, Cloud Security, @BigDataExpo

@CloudExpo: Article

Mastering the Balancing Act of #Cloud Security and Business Agility

There are three clear control capability areas needed for IT to effectively manage financial, reputation and legal risk

In 2012, an IDG survey of enterprise cloud computing adoption showed that 70 percent of respondents said security was among their top three concerns, and two years later, not much has changed. The Everest Group Enterprise Cloud Adoption Survey released in March of 2014 shows that 70 percent of enterprises prefer private cloud because it offers higher security - a clear indication that security concerns still weigh heavily on the minds of enterprise leaders. Centralizing cloud resource access could prove to be the path through, addressing security concerns while providing the agility cloud computing promises.

It is understandable how cloud security presents itself as a chief IT concern when you consider that cloud computing transfers control from IT to business users and developers. And that adopting cloud entails replacing numerous IT processes with self-service portals.

While there are innumerous benefits to adopting cloud computing, transferring control away from IT does open the business to risk as it diminishes IT's ability to protect the organization's resources and data against unauthorized access and misuse. It also ties IT's hands when it comes to identifying and resolving security issues, and enforcing compliance with industry regulations. These are critical functions that have direct impact on business risk.

Addressing Business Risk via Security Controls
Cloud computing transforms the way infrastructure is provisioned in an organization. It replaces the centralized IT-controlled infrastructure provisioning model where developers make an infrastructure request that IT reviews and then fulfills, with a new, distributed developer-centric infrastructure provisioning process where developers effectively bypass IT. As a result, enterprises adopting cloud find themselves in a paradoxical situation where IT is responsible for the infrastructure security that developers now control.

There are three clear control capability areas needed for IT to effectively manage financial, reputation and legal risk.

  • Preventive capabilities: IT must be able to prevent insecure provisioning requests from being fulfilled, on both a per-user-role and per-environment basis. For example, IT must be able to enforce specific firewall policies for production infrastructure.

    In order to satisfy developer requirements, it is obvious that IT cannot change the way cloud infrastructure is accessed: provisioning must remain self-service. As a result, IT needs transparent and automated policy enforcement. Provisioning requests made to the organization's cloud need to be inspected in real-time and checked against governance policies that are in place. When approved, requests must be forwarded to the relevant cloud API; when denied, the developer that made the request must be immediately informed. Ideally, the developer should be provided with an explanation and an alternate course of action should be suggested.
  • Detective capabilities: IT must have a centralized view of infrastructure to identify vulnerabilities and intrusions; IT must be able to understand the purpose of every resource provisioned by the business. For example, IT must be able to identify the configuration of every deployed resource and the environment to which it belongs. That knowledge can then be used to decide whether an unusual firewall configuration or activity pattern should trigger an alert.


To satisfy these requirements, IT needs a federated view and understanding of all of the business's cloud resources, ensuring visibility over the organization's cloud resources. To do so, IT must ensure that every provisioning request is associated with a legitimate owner and use case (ideally in an automated fashion); that all provisioned resources remain visible throughout their lifecycle; and that metadata regarding their purpose remains accessible.

  • Corrective capabilities: IT must control access to the business's cloud infrastructure.  For example, IT must be able to revoke access for employees that leave the company, and be able to centrally identify and patch affected resources when a vulnerability is identified.

    To do so, IT needs centralized credential management to govern access to cloud resources. IT must ensure that access to cloud resources is controlled by the organization's existing identity management infrastructure, and not by ad-hoc SSH keys or RDP passwords created by developers. Naturally, in order to not hinder developer productivity, IT must ensure that developers can still access the resources for which they have a legitimate use.

Where the Rubber Meets the Road
Cloud security has been an issue since 2006 when cloud emerged with the release of AWS EC2. Back then, all cloud instances were exposed to the Internet, and access was only available with root keys. To address these respective problems, Amazon announced AWS Virtual Private Cloud and AWS Identity and Access Management. Some AWS competitors have also issued access control management, though they remain somewhat limited. Yet, these controls only address IT's preventive needs, are only available on AWS as of this writing, and are often complex to use.

As a result, IT is frequently opting to deploy a cloud management platform (CMP), an often on-premise, web-based application, that sits between end-users and the multiple cloud platforms that they may use. CMPs are extensible platforms that let IT departments customize the CMP's behavior to fit their organization's workflows and policies.  In turn, CMPs enforce those IT policies in a fully transparent and automated fashion, so that developers aren't slowed down by red tape when getting work done. As a result, CMPs ensure that IT is provided the security capabilities it requires, while ensuring developers retain the agility they need.

Most importantly, CMPs play a critical role in addressing all three control capability areas:

  • Preventive: CMPs can provide IT with governance and role-based access control capabilities, and empower IT to secure and control access to cloud resources on a per-user or per-user-group basis. Using a CMP, these policies can be enforced in real-time, so that developers are not slowed by their enforcement. IT can, for example, ensure that specific firewall rules are automatically added for every single instance that is launched, and that instances are automatically launched in secure networks (e.g. a specific AWS Virtual Private Cloud, or VPC).
  • Detective: Because CMPs are used for the provisioning of all the organization's resources, they may automatically keep a precise account of the resources that were provisioned, by whom, and for what purpose. As a result, resource tracking can be performed automatically, and developers won't have to perform extra effort to comply with IT policies.
  • Corrective: CMPs may centralize the creation and use of CMP-controlled credentials and make those available to dev and IT, or automatically configure cloud resources to leverage the company's existing identity management framework instead. For example, with a CMP, IT can enforce developer use of Active Directory credentials to login to their instances.

While cloud momentum continues to grow, so does concern - rightfully so - for cloud security. While IaaS providers have taken steps to address these concerns within their systems, they do not currently address the spectrum of capabilities needed to fully address business risk. CMPs are an effective option that can be deployed in a way that addresses IT, business, and developer needs.

More Stories By Sebastian Stadil

Sebastian Stadil is founder and CEO of Scalr. He has been a Cloud developer since 2004, starting with web services for e-commerce and then for computational resources. He founded the Silicon Valley Cloud Computing Group, a user group of over 8000 members that meets monthly to present the latest developments in the industry. As if that weren't enough, Sebastian founded Scalr as an open source project in 2007. Sebastian is a frequent lecturer on cloud computing at Carnegie Mellon University, and sits on the Google Cloud Advisory Board. When he is not working on Scalr, Sebastian likes to make sushi and play rugby.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Latest Stories
Multiple data types are pouring into IoT deployments. Data is coming in small packages as well as enormous files and data streams of many sizes. Widespread use of mobile devices adds to the total. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the tools and environments that are being put to use in IoT deployments, as well as the team skills a modern enterprise IT shop needs to keep things running, get a handle on all this data, and deli...
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
Quickly find the root cause of complex database problems slowing down your applications. Up to 88% of all application performance issues are related to the database. DPA’s unique response time analysis shows you exactly what needs fixing - in four clicks or less. Optimize performance anywhere. Database Performance Analyzer monitors on-premises, on VMware®, and in the Cloud, including Amazon® AWS and Azure™ virtual machines.
SYS-CON Events announced today that Grape Up will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company specializing in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the U.S. and Europe, Grape Up works with a variety of customers from emergi...
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.
Translating agile methodology into real-world best practices within the modern software factory has driven widespread DevOps adoption, yet much work remains to expand workflows and tooling across the enterprise. As models evolve from pockets of experimentation into wholescale organizational reinvention, practitioners find themselves challenged to incorporate the culture and architecture necessary to support DevOps at scale. In his session at @DevOpsSummit at 20th Cloud Expo, Anand Akela, Senior...
SYS-CON Events announced today that Super Micro Computer, Inc., a global leader in compute, storage and networking technologies, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Supermicro (NASDAQ: SMCI), the leading innovator in high-performance, high-efficiency server technology, is a premier provider of advanced server Building Block Solutions® for Data Center, Cloud Computing, Enterprise IT, Hadoop/...
Amazon has gradually rolled out parts of its IoT offerings in the last year, but these are just the tip of the iceberg. In addition to optimizing their back-end AWS offerings, Amazon is laying the ground work to be a major force in IoT – especially in the connected home and office. Amazon is extending its reach by building on its dominant Cloud IoT platform, its Dash Button strategy, recently announced Replenishment Services, the Echo/Alexa voice recognition control platform, the 6-7 strategic...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
Bert Loomis was a visionary. This general session will highlight how Bert Loomis and people like him inspire us to build great things with small inventions. In their general session at 19th Cloud Expo, Harold Hannon, Architect at IBM Bluemix, and Michael O'Neill, Strategic Business Development at Nvidia, discussed the accelerating pace of AI development and how IBM Cloud and NVIDIA are partnering to bring AI capabilities to "every day," on-demand. They also reviewed two "free infrastructure" pr...
Judith Hurwitz is president and CEO of Hurwitz & Associates, a Needham, Mass., research and consulting firm focused on emerging technology, including big data, cognitive computing and governance. She is co-author of the book Cognitive Computing and Big Data Analytics, published in 2015. Her Cloud Expo session, "What Is the Business Imperative for Cognitive Computing?" is scheduled for Wednesday, June 8, at 8:40 a.m. In it, she puts cognitive computing into perspective with its value to the busin...
SYS-CON Events announced today that Hitachi, the leading provider the Internet of Things and Digital Transformation, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Hitachi Data Systems, a wholly owned subsidiary of Hitachi, Ltd., offers an integrated portfolio of services and solutions that enable digital transformation through enhanced data management, governance, mobility and analytics. We help globa...
Blockchain is a shared, secure record of exchange that establishes trust, accountability and transparency across supply chain networks. Supported by the Linux Foundation's open source, open-standards based Hyperledger Project, Blockchain has the potential to improve regulatory compliance, reduce cost and time for product recall as well as advance trade. Are you curious about Blockchain and how it can provide you with new opportunities for innovation and growth? In her session at 20th Cloud Exp...
Cognitive Computing is becoming the foundation for a new generation of solutions that have the potential to transform business. Unlike traditional approaches to building solutions, a cognitive computing approach allows the data to help determine the way applications are designed. This contrasts with conventional software development that begins with defining logic based on the current way a business operates. In her session at 18th Cloud Expo, Judith S. Hurwitz, President and CEO of Hurwitz & ...
Everyone wants to use containers, but monitoring containers is hard. New ephemeral architecture introduces new challenges in how monitoring tools need to monitor and visualize containers, so your team can make sense of everything. In his session at @DevOpsSummit, David Gildeh, co-founder and CEO of Outlyer, will go through the challenges and show there is light at the end of the tunnel if you use the right tools and understand what you need to be monitoring to successfully use containers in your...