The flexibility and cost benefits of running applications in the public cloud are of growing interest to enterprises. But the benefits must be balanced with the risks, and the enterprise needs to deliver consistent security compliance across both private and public cloud services.
But how can an organization know what its security stance needs to be?
To develop their security compliance strategy, executives need to determine what cloud workloads to secure and how to secure them. Given that security compliance is 40 percent of the cost of managing cloud applications, determining how to automate cloud security compliance is critical to maintaining positive ROI.
Determining Your Security Strategy for Cloud Applications
There are numerous security standards that outline the necessary measures for security.
If you have a Chief Information Security Officer (CISO), then they will be well versed in the security requirements of your industry and know the different cloud applications and workloads you might need. For example, the CISO will know the security compliance requirements to run an application server and database in an Amazon Web Services VM.
In general, security requirements in regulated environments fall into four major buckets:
Broadly applicable laws, such as Sarbanes-Oxley
Industry-specific laws, such as FISMA for US Federal Government systems or PCI for the credit card industry
State regulations, generally pertaining to privacy
International regulations, such as those in the EU
Clearly if you are in regulated industries like finance (FFIEC), healthcare (HIPAA), and retail (PCI), you should follow the security requirements associated with those industries. Tools such as the Common Controls Hub from Universal Compliance Framework (UCF) allow organizations to explore the space of regulations and select the appropriate regulatory requirements applicable for their business. If you are a cloud developer or cloud business, and you just want to apply the best practices in the industry, the Defense Information Systems Agency (DISA) guidelines are a good place to start.
Securing Cloud Workloads Using Defense Information Systems Agency (DISA) STIGs
Since 1998, DISA has enhanced the Department of Defense's security posture by providing Security Technical Implementation Guides (STIGs). The STIGs (publicly available at http://iase.disa.mil/stigs/Pages/index.aspx) contain technical guidance for locking down information systems and software that might otherwise be vulnerable to malicious attacks. These guidelines are an excellent starting point for ensuring security compliance of your infrastructure and specify the desired security state of your computing assets. Most of the other security guidelines discussed above are generally subsets of the DISA STIGs.
Deploying and Automating Your Security Profile Strategy
Determining the applicable regulations and producing a standard policy document is only the first step of the process. In the past, such policy documents were applied manually to the infrastructure and were used to produce checklists for periodic manual compliance reviews. These approaches do not scale to cloud use cases, with their rapid changes in infrastructure (virtual machines being started and stopped on demand) and the democratization of infrastructure management (i.e. end users in lines of business creating and managing virtual machines instead of IT or security professionals).
After determining the security requirements for your cloud applications, you must standardize the application of the security profile across cloud applications. Doing it manually is time consuming, costly and prone to human error. The only scalable approach is to automate the application of security profiles starting with DevOps, and then automate remediation through the application's complete lifecycle.
Reduce Risk with One-touch Security Compliance through a Service Catalog
If you have an IT service catalog or provisioning tools like HP Cloud Service Automation (HP CSA), the task of security compliance gets easier.
IT organizations have already trained their business units to request IT services through a service catalog. Integrating automated cloud security compliance into the service catalog makes it easy for novice and expert users to develop applications with built-in security compliance.
The HP CSA and Raxak Protect™ integration provides the industry's leading service management capability with security profiles integrated in a service catalog (see image, right). This combination provides a turnkey solution for simple and quick provisioning of security-compliant applications on both public and private clouds.
Raxak Protect, a SaaS-based automated security compliance solution, not only automates the application and management of your security profiles, but also keeps up with the rapidly changing security compliance landscape so users don't have to. Raxak Protect provides out-of-the-box industry standard profiles based on NIST and DISA STIGs, or any custom security profile you choose for your industry or unique application workload. These security profiles are API-based, so they are constantly updated.
Securing Cloud Applications throughout their Lifecycle
Knowing how to initially secure a cloud application is only part of the story. You need to monitor the application throughout its entire lifecycle. If the application changes, you need an automated security compliance system that applies the most up-to-date security profile. To provide complete application lifecycle security compliance, three features are critical:
Automated application of security profiles at the time assets are created.
Automated remediation of findings.
Logging and audit-ready reporting of findings and remediation actions.
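The three features above describe a simple control loop: evaluate an asset against a profile when it is created, fix what can be fixed automatically, and record every finding and action for audit. The following is an added, constructed illustration of that loop; it is not code from the original article, from HP CSA or from Raxak Protect. It assumes an asset's configuration has already been collected into a flat key/value mapping, and the rule identifiers (EX-001 and so on) and settings are illustrative, not real STIG identifiers. Findings whose rule is marked as not auto-remediable are escalated rather than silently changed, and a setting that is absent from the collected configuration is treated as non-compliant (fail closed) rather than passed.

```python
"""Policy-as-code compliance loop: evaluate, remediate, audit.

Constructed example. Rule ids and settings are illustrative placeholders,
not real STIG ids. A real deployment would load the profile from a
maintained baseline (e.g. a STIG-derived profile) instead of hard-coding it.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any


@dataclass
class Rule:
    rule_id: str            # illustrative id, not a real STIG id
    description: str
    setting: str            # key in the asset's collected configuration
    expected: Any           # value the profile requires
    severity: str           # "high" / "medium" / "low"
    auto_remediate: bool = True   # False: needs a human decision (escalate)


@dataclass
class Finding:
    rule_id: str
    asset: str
    setting: str
    actual: Any
    expected: Any
    severity: str


# Constructed baseline in the spirit of a hardening guide.
BASELINE: list[Rule] = [
    Rule("EX-001", "SSH root login must be disabled", "ssh.permit_root_login", "no", "high"),
    Rule("EX-002", "SSH password authentication must be disabled", "ssh.password_authentication", "no", "medium"),
    Rule("EX-003", "Audit daemon must be enabled", "auditd.enabled", True, "high"),
    # Network exposure changes can break a workload; require sign-off instead of auto-fixing.
    Rule("EX-004", "SSH must not be open to the whole internet", "sg.ssh_open_to_world", False, "high",
         auto_remediate=False),
]

# Constructed configuration of a freshly provisioned VM (three rules fail).
SAMPLE_VM: dict[str, Any] = {
    "ssh.permit_root_login": "yes",
    "ssh.password_authentication": "no",
    "auditd.enabled": False,
    "sg.ssh_open_to_world": True,
}


def evaluate(profile: list[Rule], asset_name: str, config: dict[str, Any]) -> list[Finding]:
    """Compare each rule's expected value with the asset's actual value.

    A missing setting yields None, which never equals an expected value, so
    an unreported setting is a finding rather than a silent pass.
    """
    findings = []
    for rule in profile:
        actual = config.get(rule.setting)
        if actual != rule.expected:
            findings.append(Finding(rule.rule_id, asset_name, rule.setting,
                                    actual, rule.expected, rule.severity))
    return findings


def remediate(profile: list[Rule], config: dict[str, Any], findings: list[Finding],
              audit_log: list[dict[str, Any]]) -> list[Finding]:
    """Set auto-remediable findings to their expected value; escalate the rest.

    Every finding produces one audit entry, whether or not it was changed.
    Returns the findings that still need human attention.
    """
    by_id = {r.rule_id: r for r in profile}
    unresolved = []
    for f in findings:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "asset": f.asset, "rule": f.rule_id, "setting": f.setting,
            "before": f.actual, "expected": f.expected, "severity": f.severity,
        }
        if by_id[f.rule_id].auto_remediate:
            config[f.setting] = f.expected
            entry["action"] = "remediated"
        else:
            entry["action"] = "escalated"
            unresolved.append(f)
        audit_log.append(entry)
    return unresolved


def provision_with_compliance(asset_name: str, config: dict[str, Any],
                              profile: list[Rule] = BASELINE) -> dict[str, Any]:
    """Hook to run when an asset is created: evaluate, remediate, re-evaluate.

    Re-evaluating after remediation proves the fixes took effect instead of
    assuming they did; the residual list is what remains for a human.
    """
    audit_log: list[dict[str, Any]] = []
    findings = evaluate(profile, asset_name, config)
    unresolved = remediate(profile, config, findings, audit_log)
    residual = evaluate(profile, asset_name, config)
    return {
        "initial_findings": len(findings),
        "remediated": len(findings) - len(unresolved),
        "residual": residual,
        "audit_log": audit_log,
    }


if __name__ == "__main__":
    result = provision_with_compliance("vm-example", dict(SAMPLE_VM))
    print(f"findings: {result['initial_findings']}, remediated: {result['remediated']}, "
          f"residual: {[f.rule_id for f in result['residual']]}")
    for entry in result["audit_log"]:
        print(entry)
```

On the sample VM the loop finds three deviations, remediates the two SSH/auditd settings, and escalates the open-to-the-world finding so that it appears in the audit log and the residual list rather than being changed without review. The same hook would run again on every subsequent configuration change, which is what turns a one-time hardening step into lifecycle compliance.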
Nimish Shelat is currently focused on Datacenter Automation and IT Process Automation solutions. Shelat strives to help customers, both traditional IT and cloud-based IT, transform to a service-centric model.
The scope of these solutions spans server, network, database and middleware infrastructure. The solutions are optimized for tasks like provisioning, patching, compliance and remediation, and for processes like Self-healing Incident Remediation, Rapid Service Fulfilment, Change Management and Disaster Recovery.
Shelat has 23 years of experience in IT, 20 of them at HP, spanning the networking, printing, storage and enterprise software businesses. Prior to his current role as a Manager of Product Marketing and Technical Marketing, Shelat held positions as Software Sales Specialist, Product Manager, Business Strategist, Project Manager and Programmer Analyst.
Shelat has a B.S. in Computer Science. He earned his MBA from the University of California, Davis with a focus on Marketing and Finance.