The cloud IaaS revolution
Cloud computing spending has been growing at 4.5 times the rate of IT spending since 2009 and is expected to grow at better than 6 times the rate of IT spending from 2015 through 2020, according to IDC's report Rapid Growth of Cloud Computing 2015–2020.
The fastest-growing segment of the market is cloud system infrastructure services (Infrastructure as a Service, or IaaS), which a Gartner study dated 2018 forecasts to grow 35.9 percent in 2018 to reach $40.8 billion.
On top of that, Gartner expects the top 10 providers to account for nearly 70 percent of the IaaS market by 2021, up from 50 percent in 2016.
More impressive still are the results to date, especially those of the market leader, Amazon Web Services (AWS).
Amazon’s latest quarterly results released in April 2018 show AWS attained 43% year-over-year growth, contributing 10% of consolidated revenue and 89% of consolidated operating income.
Another striking indicator from AWS: customers had migrated more than 23,000 databases using the AWS Database Migration Service since it became available in 2016.
Challenges in hybrid clouds
There has been a great evolution since I first teamed up with the other founding members of the Cloud Security Alliance (CSA) on the first security guidelines for cloud computing in 2009.
What did not change was that security is still the biggest roadblock for cloud adoption.
66% of IT professionals say security is their most significant concern in adopting an enterprise cloud computing strategy, according to a LogicMonitor survey (based on interviews with approximately 300 industry influencers in November 2017).
According to Gartner's Best Practices for Securing Workloads in AWS, we need to focus on guest instance workload-based security, but most legacy host security solutions weren't designed to support the protection of cloud-based workloads.
Why do traditional solutions not cope with cloud and containers?
First, it all starts with the shared responsibility model with the cloud provider. Customers give up some control and visibility to the cloud provider, and the cloud provider gives back some tools, such as virtual firewalls or security groups, and some visibility, such as firewall logs.
This is enough for "lift and shift" use cases: customers may deploy their virtual machines (EC2 instances) and assess the security of their workloads using traditional vulnerability management tools, for example.
One step further, more business efficiency comes from using APIs, elasticity and automation, which I'll call Infrastructure as Code. Infrastructure as Code (IaC), sometimes referred to as programmable infrastructure, is a type of IT infrastructure that operations teams can automatically manage and provision through code rather than through a manual process.
Therefore, enterprises can start using processes and agile tools from developers, which gave birth to the DevOps paradigm and container adoption.
Once DevOps teams program the infrastructure and use continuous integration and deployment (CI/CD) tools, it is crucial for security to know whether there are misconfigurations or mistakes. Imagine several developers making continuous changes to the infrastructure through code when you have hundreds of security groups and users declared in Identity and Access Management (IAM).
Ensure a secure migration to AWS, Azure and Docker
With so many security processes and tools that enterprises need to migrate to the cloud and containers, we must start with a plan and priorities. Referring to the Gartner CWPP (Cloud Workload Protection Platforms) study, at the base of the pyramid are the 2 most important functionalities: vulnerability management and configuration management. Having started a company to help enterprises perform this in IaaS, I cannot agree more :-) So, in this article I'll focus on these 2, but I'll take into account the customer use cases and maturity of adoption.
A 4-step plan for protecting workloads in AWS, Azure and Docker
1. Lift and Shift: Enterprises move virtual machines and data to IaaS (mainly AWS EC2 and S3) and try to replicate the same security processes. In this case, security teams require auto-discovery of assets so that security adapts to the elastic perimeter, and enterprises need to deploy virtual appliances of the scanners in order to assess the private (not public-facing) assets.
2. Shift and Assess: Once enterprises have moved their workloads to IaaS and start using more cloud services (AWS VPC and CloudWatch, for example), security teams add security configuration checks. Here we are talking about the CIS benchmarks for AWS, Azure, Docker (ECS on AWS) and Kubernetes (EKS on AWS).
3. Assess and Automate: When enterprises adopt Infrastructure as Code and DevOps agile processes, security teams need integration with CI/CD and to apply the CIS AWS and CIS Azure benchmarks continuously using the APIs. Depending on the workloads, it might make sense to deploy more specific checks, for example for AWS EMR if the enterprise is focusing on big data analysis.
4. Automate and Extend: After this journey, cloud providers keep industrializing new cloud services, such as serverless (Lambda on AWS, Functions on Azure). Enterprises start testing and adopting them, and then comes security. As a security team, it is challenging to keep up with the pace of new services and best practices for hundreds of cloud and container services.
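To make the "Shift and Assess" and "Assess and Automate" stages concrete, and the worry raised earlier about hundreds of security groups and IAM users changing through code, here is an added example (written for this article, not Outpost24's product code) of a few CIS AWS Foundations Benchmark checks run as a CI/CD gate. The input documents are constructed inline so the script runs offline; they mirror the shape of two real AWS API responses, EC2 DescribeSecurityGroups and the IAM credential report CSV, which in a pipeline would come from boto3's ec2.describe_security_groups() and iam.get_credential_report(). Control numbers follow the CIS AWS Foundations Benchmark v1.2; the group IDs, user names and account number are made up.

```python
"""CIS-style configuration checks over AWS API output, usable as a CI/CD gate.

Added example, not code from the original article. Sample data below is
constructed to mirror EC2 DescribeSecurityGroups and the IAM credential
report; in a live pipeline it would come from boto3.
"""
import csv
import io
from typing import Dict, List

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample: one tight web group, one bastion group open to the world.
SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0example01", "GroupName": "web-tier",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0example02", "GroupName": "bastion-dev",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
              "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
             # "-1" is the all-traffic protocol; FromPort/ToPort are absent.
             {"IpProtocol": "-1",
              "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []}]},
    ]
}

# Constructed sample credential report (subset of the real report's columns).
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false
"""


def _open_to_world(perm: Dict) -> bool:
    """True if the ingress rule accepts traffic from any IPv4 or IPv6 source."""
    return (any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", [])))


def _covers_tcp_port(perm: Dict, port: int) -> bool:
    """True if the rule permits the given TCP port (all-traffic rules count)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def check_open_admin_ports(sgs: Dict) -> List[str]:
    """CIS 4.1 / 4.2: no ingress from the world to TCP 22 (SSH) or 3389 (RDP)."""
    findings, seen = [], set()
    for sg in sgs["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            for control, port in (("4.1", 22), ("4.2", 3389)):
                key = (control, sg["GroupId"])
                if _covers_tcp_port(perm, port) and key not in seen:
                    seen.add(key)  # one finding per control per group
                    findings.append(f"CIS {control}: {sg['GroupId']} ({sg['GroupName']}) "
                                    f"allows TCP {port} from the world")
    return findings


def check_console_users_without_mfa(report_csv: str) -> List[str]:
    """CIS 1.2: every IAM user with a console password must have MFA active."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # The root row reports "not_supported" for password_enabled and is skipped.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"CIS 1.2: user {row['user']} has a console password but no MFA")
    return findings


def run_checks(sgs: Dict, report_csv: str) -> List[str]:
    return check_open_admin_ports(sgs) + check_console_users_without_mfa(report_csv)


def pipeline_exit_code(findings: List[str]) -> int:
    """CI/CD gate: a non-zero exit fails the deployment stage."""
    return 1 if findings else 0


if __name__ == "__main__":
    import sys
    results = run_checks(SECURITY_GROUPS, CREDENTIAL_REPORT)
    for line in results:
        print(line)
    print(f"{len(results)} finding(s)")
    sys.exit(pipeline_exit_code(results))
```

Run in a pipeline step after the infrastructure code has been applied, the script fails the stage on the bastion group (open SSH via both the port-22 rule and the all-traffic rule, open RDP via the all-traffic rule) and on the user without MFA, while the web tier's HTTPS exposure and its SSH restricted to 10.0.0.0/8 pass. Deduplicating per control and group keeps the output readable when a single group carries several overlapping rules, which is exactly the situation that arises when many developers edit the same infrastructure code.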
Here at Outpost24, we are working hard to help customers on their journey to cloud and containers: we are ready for stages 1, 2 and 3 and are doing a lot of research on stage 4, so stay tuned!