At our recent AlgoSummit EMEA event in Lisbon, I was talking with a customer who mentioned that in his organization, his IT security team was having difficulty getting in-depth visibility into, and control over, what was happening in the company’s public cloud deployments. He said that the organization’s cloud environments were being spun up and managed by the company’s application and DevOps teams and, from a security viewpoint, his team wasn’t fully aware of what was happening in them. Despite this, management expectation was for the IT team to report on and take ownership of its cloud security.
This is a common problem within organizations using the public cloud. Our recent survey, conducted with the Cloud Security Alliance, found that the responsibility for managing security in the cloud is often fragmented. Just 36% of respondents stated it was the responsibility of the security team; 28% stated it was IT operations; 15% stated the cloud team; 6% said that application owners or DevOps were responsible.
In many cases, these various teams operate in relative isolation from one another. As a result, new applications are deployed and existing ones updated without the involvement of the IT security team: different business units open new public cloud accounts and spin up new instances to suit their needs, and the security team is then tasked with securing deployments it was not part of, and in some cases was not even aware of, until after the fact.
Yet changes to existing business applications, or the deployment of new ones, can all have a major impact on the organization’s overall security and compliance posture. They require changes to network access rules, storage and permission configurations, and more. They also usually require new connectivity paths between the organization’s on-premises networks and the cloud deployment (incidentally, this is often the first time the security team becomes aware of an application change or deployment in the cloud, because a new connectivity path requires a change to the organization’s perimeter firewalls). Unless all of these changes are planned and executed with security in mind, the cloud configuration may contain gaps that an attacker could exploit, such as a storage bucket or security group left open to the Internet.
If security teams can’t get a holistic view of their organization’s overall status across both cloud and on-prem networks, they can’t easily identify emerging potential – or actual – security risks.
So how can companies ensure that all of their respective teams, including DevOps, application owners and security, collaborate easily and effectively, so that cloud changes do not introduce security or compliance problems, while security does not restrict the organization’s agility?
This is where network security management solutions play a key role in bringing the different teams together, supporting their respective processes while ensuring security is maintained. As we’ve described previously, a network security automation solution that supports the DevOps methodology lets teams adjust and migrate the relevant security policies automatically as they move applications from development to test and on to production. The solution also gives every team the visibility into, and control over, security that is needed across the organization’s entire network environment.
In practice, AlgoSec’s solution can notify security teams when security policies are being changed and alert on newly introduced risks across the rest of the enterprise, on-premises and in the cloud. At the same time, developers can use the solution to identify connectivity issues and automate changes faster, especially when a change also requires changes to network security controls such as firewalls deployed on-premises, at the boundary between the on-premises environment and the cloud, or as virtual appliances in the cloud. Changes that involve on-premises to public cloud connectivity tend to be the trickiest to manage, and may delay applications going into production.
Also, as security teams are responsible for compliance across the entire organization, the automation solution gives them the visibility and controls they need to assess and report on the organization’s overall risk and compliance status. Visibility into cloud assets, and a central view of security controls such as security groups across all accounts and VPCs, makes the whole estate easier and more efficient to manage: a rule that exposes a database port to the entire Internet in one account should surface in the same report as a permissive firewall rule on-premises.
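As an added illustration of the kind of cross-account security-group check described above (this is example code written for this article, not AlgoSec’s product or code), the script below audits ingress rules gathered from several accounts and VPCs and flags rules that expose administrative or database ports, or all traffic, to the whole Internet. The inventory is constructed sample data in the shape boto3 returns from `ec2.describe_security_groups()["SecurityGroups"]`; in real use you would collect that list per account and region (for example via assumed roles) and feed the combined result in. The `SENSITIVE_PORTS` policy list and the account/VPC/group identifiers are assumptions for the example.

```python
"""Audit security-group ingress across multiple AWS accounts and VPCs.

Added example (not AlgoSec's code). SAMPLE_INVENTORY is constructed data in
the shape boto3 returns from ec2.describe_security_groups()["SecurityGroups"];
in practice you would collect that per account and region and feed the
combined list into audit_security_groups().
"""
from dataclasses import dataclass

# Assumed organisational policy: services that should never be reachable
# from the whole Internet. Adjust to local standards.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
    5432: "postgres", 6379: "redis", 27017: "mongodb",
}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    account: str
    region: str
    vpc_id: str
    group_id: str
    cidr: str
    reason: str


def _exposed_services(perm):
    """Sensitive services one IpPermissions entry would expose, or
    'all traffic' when IpProtocol is -1 (that entry carries no port keys)."""
    if perm.get("IpProtocol") == "-1":
        return ["all traffic (all protocols/ports)"]
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return []  # e.g. icmp: FromPort/ToPort are type/code, not ports
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return []
    return [f"{name}/{port}" for port, name in sorted(SENSITIVE_PORTS.items())
            if lo <= port <= hi]


def _world_cidrs(perm):
    """Yield every world-open CIDR (IPv4 or IPv6) in one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        if r.get("CidrIp") in WORLD_CIDRS:
            yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        if r.get("CidrIpv6") in WORLD_CIDRS:
            yield r["CidrIpv6"]


def audit_security_groups(inventory):
    """inventory: list of {"Account", "Region", "SecurityGroups": [...]}.
    Returns one Finding per (group, rule, world-open CIDR) that exposes a
    sensitive service or all traffic to the Internet."""
    findings = []
    for scope in inventory:
        for sg in scope["SecurityGroups"]:
            for perm in sg.get("IpPermissions", []):
                services = _exposed_services(perm)
                if not services:
                    continue
                for cidr in _world_cidrs(perm):
                    findings.append(Finding(
                        account=scope["Account"], region=scope["Region"],
                        vpc_id=sg.get("VpcId", ""), group_id=sg["GroupId"],
                        cidr=cidr, reason="open to " + cidr + ": " + ", ".join(services),
                    ))
    return findings


def summary_by_account(findings):
    """Count findings per account, the view a compliance report needs."""
    counts = {}
    for f in findings:
        counts[f.account] = counts.get(f.account, 0) + 1
    return counts


# Constructed sample inventory: two accounts, two regions, two VPCs.
SAMPLE_INVENTORY = [
    {"Account": "111111111111", "Region": "eu-west-1", "SecurityGroups": [
        {"GroupId": "sg-0001", "GroupName": "web", "VpcId": "vpc-0a1", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},       # fine: public HTTPS
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},      # fine: internal only
        ]},
        {"GroupId": "sg-0002", "GroupName": "db", "VpcId": "vpc-0a1", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,          # finding x2 (v4 + v6)
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
    ]},
    {"Account": "222222222222", "Region": "us-east-1", "SecurityGroups": [
        {"GroupId": "sg-0003", "GroupName": "devops-sandbox", "VpcId": "vpc-0b2", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],      # finding: all traffic
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ]},
        {"GroupId": "sg-0004", "GroupName": "legacy", "VpcId": "vpc-0b2", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,            # finding: covers admin/db ports
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
    ]},
]

if __name__ == "__main__":
    results = audit_security_groups(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.account} {f.region} {f.vpc_id} {f.group_id}: {f.reason}")
    print(summary_by_account(results))
```

Note that the check keys on world-open CIDRs only; a rule that references another security group (`UserIdGroupPairs`) is ignored here, since whether it is risky depends on what that other group is attached to, which is exactly the kind of cross-object context a central inventory is needed for.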
With full visibility and control over both cloud and on-prem networks, an organization’s various development, application and security teams can all collaborate and work more efficiently. This resolves arguments over who is responsible for security, while strengthening the business’ overall security and compliance posture.