How the Cloud Simplifies Security

In case you missed it over the holiday break, Amazon’s CTO Werner Vogels published a great piece on LinkedIn regarding the increased popularity of building simpler systems and applications that can be extended over time to include greater complexities.

This trend lends itself quite well to the direction cloud-native offerings are taking, especially where security products and solutions are concerned.

Traditionally, solutions providers for static networks tend to complicate everything, even down to the way customers can build and scale applications in their environment, which is mostly due to a lack of consideration for the software development lifecycle (SDLC).

In the past, vendors tended to focus 100% on defense and not on the overall usability and functional integrations that have today become part of the lifecycle.

Simply put, complicating the way applications and services are built and deployed is the nature of traditional security technology development.

Microservices

Vogels noted that monolithic systems are being abandoned more readily as contemporary applications are more often being broken down into more fundamental component parts.

“Deconstructing services and software systems into the smallest building blocks possible is a trend that is becoming hot in software development. The small services are often dubbed microservices and are supported by management components,” Vogels wrote.

“This makes applications more flexible and also changes the software development process. Patching the larger systems with software updates is no longer needed but instead delivering a new version of the microservice to replace the previous version is what is required.”

This really sets the stage for immutable infrastructure deployments and updates, and that’s a huge leap forward, as we will no longer be required to update monolithic stacks or have huge, complicated deployments.

This is trend is extremely advantageous for security (and all of us) because it means these smaller components can be updated independently of one another, allowing for an extremely rapid time-to-response for security patching and vulnerability remediation.

It also more tightly scopes the data and customer risk in the event that any particular component should be compromised and need to be quarantined.

Security that can consume these smaller iterative deployments and provide specific context to the dynamism in the cloud represents yet another huge advantage over the the traditional static datacenter.

Serverless Architectures

Vogels also pointed out that “one of the biggest revolutions we have seen in the technology world in the last few years is the rise of serverless computing. This has been largely triggered by the launch of AWS Lambda that no longer requires a server (physical or virtual) to run application code.”

Just like most companies don't need to - and often times can't effectively - operate a traditional datacenter, there is not much of a difference in how organizations govern server operations.

They can only configure operating systems like Redhat or Windows in a finite number of ways - and most of them come to the same resolution in the end anyways. This means non-differentiated infrastructure becomes part of the platform, and companies tend to focus entirely on their value proposition and core competency.

By eliminating the need for customers to manage operating systems as part of the cloudstack, platform providers deliver efficiencies to the customer.

Examples of such are enriched customer platform experience, reduced scope in which customers must maintain mastery/expertise/excellence, and freeing up critical bandwidth for companies to focus more on secure software development and the feature enrichment of their product line.

“This tremendously simplifies application development as architects only need to think about business logic and no longer need to worry about managing fleets of servers to run their software,” Vogels wrote.

“This makes it easier to achieve the security and reliability to protect their business and their customers. After all, no server is easier to manage than no server.”

This gets into kind of a funny space, because what happens when you remove IP addresses from the equation in the world of traditional security products? The answer is: They all break.

There are very few technologies out there that are really ready to consume an API-only infrastructure world where we don't need to run IP scans for open ports/vulns, and we don't care about intercepting traffic on the way to the host.

This is actually very liberating and makes architecting applications and services much more natural to engineers. However, this means a whole new world emerges that requires a focus on securing infrastructure.

APIs for Everything

API-driven, API-centric, API-only infrastructure means we are entering a world in which legacy security offerings cannot parallel to the more traditional data center operating model, which is why there are an extremely limited number of solutions for customers who are making the move to the cloud.

“The days where systems were built out of software pieces that were under total control of the developer are long gone. Modern development is a matter of connecting many different services together some from cloud providers, such as managed databases or analytics services, others from the 3rd party cloud ecosystem,” Vogels noted.

“To be able to connect and consume these services they need to have an Application Programming Interface or API.”

Vogels completely nails it here. Like I always say, the new datacenter is the virtual, highly-distributed, aggregation of disaggregated service layers from various providers. The only consistent reality? All of them have sophisticated APIs, and as such the customer must learn to adapt to them.

“Unique functionality can also be made available to partners or customers to consume these services, creating new collaboration and revenue models,” Vogels continued, and I could not agree more.

Security in the API is a fairly new model that offers distinct advantages over black-box security. If you buy a firewall, you have no idea what the heck it is doing under the covers, and no one can really modify that behavior - you can merely add ACLs.

Now, with modern API-centric security technologies, you can consume provider APIs and paint color to them with your own business logic and policies through extensifying the security solution. This is why Evident.io’s custom signatures exist.

“APIs are giving organizations of all sizes the ability to create entire ecosystems of development that is allowing their core business to grow into unexpected directions,” Vogels wrote.

“This is bringing their data and functionality in front of many more users, and creating partners who are passionate about helping them improve their service.”

Indeed, as APIs are proving to be a unifying constant in the cloud. They can allow a two-person shop to achieve the same capabilities as an organization that has ten-thousand people to leverage, which significantly levels the playing field in the marketplace and should not be understated.

The Cloud Simplifies Security

Vogels concluded by pointing out that “looking to the future, and specifically into 2016, we will see a general acceptance that ‘organizations are more secure in the cloud than in their own data centers… By offloading the management and improvement of the infrastructure security to a cloud provider, it is simplifying security for organizations of all sizes.”

This has been true for some time, as the default set of controls included in the use of such services far exceeds what most startups would be able to implement on their own in a datacenter.

For example, AWS has native DDoS protection measures in place at the network level, but does not expose these to the customer. Since they control the ingress/egress points of their regions, they can really stem attacks before they disrupt the internal operation and shared compute environment.

To buy equivalent equipment from Arbor Networks or Radware, a startup would be investing hundreds of thousands - if not millions - of dollars. This expense all happens before you generate your first dollar in revenue or deploy your first application in the datacenter - yet it comes included in the price of your AWS infrastructure.

Conclusion

Companies are finally moving beyond some of the fear-based anti-cloud marketing that happened years ago and are realizing the benefits of having controlled, automated infrastructure.

Removing the human element from some pieces of the model allows for reliable deployments, duplication of environments (development, staging, production) in a reliable fashion, and numerous other consistencies that didn't exist in the legacy datacenter world.

Customers who are sophisticated, like CapitalOne and Intuit, really make the most of this new approach by investing in cloud-native security technologies to enhance their experience.

Companies new to the cloud can similarly invest much smaller amounts of resources for far greater returns when building our their security architecture and solution set.