Information Security and Network Awareness

Hurricane Labs


DevOpsJournal: Article

The DNA of Cloud Security

Just because you access an application from the Internet does NOT make it a cloud solution.

Just like the Boston Red Sox and lo-cal desserts and hybrid cars, everybody loves a bandwagon. We get caught up in the hype. Business concepts are not immune. Cloud and cloud-centric computing have been getting a great deal of play in business media and the blogosphere, and most companies are quickly moving to adopt various cloud platforms. So much so that many solutions that claim to be cloud are really nothing but server-based enterprise applications wrapped in a browser experience.

Just because you access an application from the Internet does NOT make it a cloud solution. It might look like a duck and quack like a duck, but when you look at its DNA, it’s more like an old goose. So what? If it doesn’t have the proper “cloud DNA,” it means the end user organization is not realizing the oft-hyped benefits and true ROI the cloud promises. AND, if an organization’s goal is to embrace the cloud as a go-forward enterprise IT strategy, it will discover that applications and solutions without the right DNA will need to be replaced.

So is cloud simply the Frankenstein monster created by marketing geniuses looking to repackage software and take advantage of companies unwilling to look past the label? Emphatically no. Cloud is a true deployment strategy with significant advantages and benefits, and there are true cloud security offerings, but you simply have to know which questions to ask.

The following can be generally extrapolated to most cloud-based solutions; however, I am focusing on security applications and services (aka security-as-a-service). This includes such solutions as SIEM, Log Management, Single Sign On, Identity Management, Access Management, Password Management and other similar applications/services.

So, what kind of DNA does cloud-based security require to have the right pedigree?

Multi-tenancy. Right away this excludes private and hybrid cloud. Why? The cost. Having a private cloud requires the purchase of a dedicated server. It might not be on your premises, but it is an expense that is typically passed along to those wishing a private cloud. Many people think a private cloud provides additional protection—that data won’t commingle with other companies’ data. We know commingling is a fallacy. Security on a multi-tenanted server creates isolated databases. Data simply does not leak from one database to the other. What it does do is provide a significant cost savings due to economies of scale and centralization.

But this is more than just a public versus private debate. The overall benefit of multi-tenancy is more complex. Let’s say an enterprise deploys a private cloud and has multiple servers attending to a half dozen applications. That simply means a dedicated security analyst has to monitor and maintain multiple sessions, create more CPU cycles, and invest in more storage. Then consider the effort of having to take the data from each of these independent silos and compare and contrast network patterns, anomalies and traffic. Time-consuming does not even begin to describe it!

OpEx versus CapEx: A true cloud deployment does not require any hardware on premises or ask you to buy rack space on some server farm. If a solution provider says you do, then that’s the first indicator that the solution is not truly cloud compliant. Anything more than a sensor (which requires no rack space) designed to pass through information never needs to be on premises. But the bigger picture here is ensuring that cloud deployment creates positive cash flow! If we are talking enterprise applications, traditionally you are buying hardware and software. That cash is spent right up front and deployment takes considerable time (we’ve ALL heard the horror stories). That capital expense languishes and provides no business value. Moreover, it spreads any potential ROI years down the road (typically 3). And there are NO guarantees that the setup will work.

Conversely, with subscription-based, zero-day deployment of a true cloud solution, cash flow improves because all you are paying for is an operational service. You receive the ROI immediately. You don’t have to go hat-in-hand to the CFO to carve out CapEx budget. Additionally, the ability to scale up and down based on business need won’t require you to invest in more hardware or shutter existing servers.

DevOps: This is the true language of the cloud. It allows instant scalability and builds/supports architecture without absorbing any more overhead. If the future is truly moving to the cloud, you need the right infrastructure to anticipate and incorporate the methodologies for expansion and leverage of existing and legacy applications. DevOps standardizes the collaboration, communication, and coordination between developers and IT operations. Many companies have already adopted the methodology, and it is quickly becoming the industry standard.

The larger issue is that some solutions out there are built on old technology code… even some based on client/server that have simply been jerry-rigged for web deployment. It is those solutions that will have great difficulty as the cloud environment becomes more mature and more and more a pervasive and integral part of enterprise architecture.

Scalable: Human DNA imprints the general size to which a person will grow. Cloud DNA is infinite and fluid. Whether scaling up when annexing a new division or acquisition or scaling down to reflect right-sizing, cloud security must instantly conform. It should be as seamless as flipping a switch.

Administration: The greatest asset beyond the technical advantages of security-as-a-service is the service. This goes beyond the benefits of migrating through updates and maintenance without ever noticing the footprint or creating havoc with your customized view. It is confidence and comfort to know your entire enterprise is monitored 24/7/365. And not just by an automated algorithm picking up brute force attacks. With all the alerts and alarms, having a dedicated analyst overseeing the operation makes most CTOs sleep better at night.

To be sure, there is hype. But if you select the right cloud-based solutions, you will find that it is the paradigm shift that will change how business is done. Look around you; it’s already changing.

Kevin Nikkhoo
Built from pure cloud DNA!

CloudAccess.com


With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup CloudAccess. CloudAccess is at the forefront of the latest evolution of IT asset protection: the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, a Master of Computer Engineering from California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.