Tuesday, February 19, 2019

Cloud Myth: It's all the same... or It's all different...

Another round of questions....

1. What is the biggest myth business and IT departments have about the cloud?
The biggest myth organizations have about IT cloud infrastructure is that you can lift and shift your existing workloads into the cloud using the same architecture, methodology, and tools that you have used in the past. This may be true in some cases, but the reality is that the architecture changes radically from one cloud to another. They all have different capabilities, and some have features that may drive business decisions, whether for cost savings or to meet an architectural requirement. Moving to the cloud presumes application distribution and potentially shifting trust boundaries. Risk must be managed. Visibility is required in hybrid and multi-cloud deployments, along with the ability to uniformly report on and effect change across the different environments.

Planning is critical to safely and effectively migrate workloads to the cloud. The good news is that at this point there is a large body of knowledge from those who have gone before you. There are astounding successes and equally colossal failures. Work with your cloud provider closely.

2. Why is this myth so pervasive?
It's not uncommon to make assumptions based on what you have known before. However, the shift to software-defined architecture creates capabilities, and in some cases limitations, that differ from traditional physical infrastructure.

3. In what way/ways does this myth hamper IT and/or business operations?
Assumptions slow the end game because you start with the wrong ideas and end up with misguided plans. A bad result is that your applications don't work as intended. Worse? The applications work, but risk is mismanaged, resulting in ineffective security or compliance controls.

Work with your cloud provider and correct your assumptions. Then create realistic strategies and a working plan. Ensure you have the proper technologies to support your applications – required to run your business – and the appropriate security and compliance controls in place – required to protect your business. Borrowing from the military, "Prior planning prevents poor performance."

4. What can be done to dispel this myth?
Learn. Attend migration workshops of the cloud providers that interest you. Preferably more than one. Build healthy budgets into the migration plans. Plan. Manage your risk.

And specifically, build budget into the plans to ensure you fully understand geographically distributed deployments and can identify risk across the distributed data center. The tools and methodology may change, but the end objectives of visibility and control do not change. Those are fundamental to assurance. Again. Manage your risk.

5. Is there anything else you would like to add?
Good business leaders understand and respect risk. Great business leaders learn how to manage and respond effectively to risk. The presumption is visibility. You cannot act on what you cannot see.

Thursday, February 7, 2019

Don't be Naive - Good to Great

Most people like money and opportunity. A lot. Ideally, the mission objectives and sense of purpose drive motivation, but given a similar sense of purpose and higher pay.... It happens. People move on. Getting faced with shifting slightly grey lines... Operatives working for government entities get some of the best training and are forced to learn to be resourceful. Great assets. You have to think, where do these people go in their careers? One of my closest friends is a combat mercenary. Why? Because he learned a specific skill set from the government that enables him to be effective in the physical combat theater, and he gets paid a lot of money to use this skill set. The pay? Good to Great.

Awesome reporting. Great work guys.
https://www.reuters.com/investigates/special-report/usa-spying-raven

Wednesday, February 6, 2019

Well-Architected Cloud = Manage Your Risk. Seriously.

Manage your risk. You got a cloud? What is well-architected?

Well-Architected = Risk Managed.

This series of questions came across my desk this morning. Interestingly, it took me back nearly 10 years when I first started in cloud security. I’ve been in information security for nearly 20 years, and I believe much of the strategy and definition – the construct – of the secure environment is still the same.

How would you define a well-architected cloud?

A well-architected cloud provides assurance, or the grounds for confidence that the security goals of integrity, availability, confidentiality, and accountability have been adequately met. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors by users or software, and (3) sufficient resistance to intentional penetration or by-pass. This is a close paraphrase of the definition of assurance from NIST SP 800-27.

What are the elements that go into a well-architected cloud?

There are three elements covering the technical implementation of a well-architected cloud. The technical controls of best practices, regulations, and standards based on CIS, NIST, PCI DSS, and others can be summed up into configuration, solutions, and design. Every application and endpoint must be configured to reduce the probability and impact of intentional and unintentional action. Hardening guides address many of these issues for the network, compute, storage, and virtualization components. System solutions provide additional insight, accountability, or control over the security and compliance of the environment. Examples include firewalls, identity and access management, and systems monitoring. Finally, once each individual component is secured as much as possible and additional solutions provide you the insight, accountability, and control over your environment, your last consideration is the environment design. This can include separating trusted and untrusted zones, implementing a DMZ, providing secure multi-tenancy, etc.

What's the best way to achieve a well-architected cloud?

Identify the business objectives, dataflow, and preferred user interactions before building the system. Decide how subjects will interact with data objects and what controls will be in place across the reference monitor that controls authentication and authorization. The security model of the most trusted systems in the world depends upon strong access controls. This only works if you understand who has access to critical data and how to protect it using secure configurations, solutions, and design. Bottom line. Plan for it. The military has a saying, “Prior Planning Prevents Poor Performance.”
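As an added illustration (not code from the original post), the sketch below models a reference monitor that mediates every subject-to-object request with default deny, a trusted-zone check, and an audit trail for accountability. All subject names, roles, zones, and the policy table are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Subject:
    name: str
    role: str
    zone: str            # zone the request originates from (constructed labels)
    authenticated: bool

@dataclass(frozen=True)
class DataObject:
    name: str
    classification: str  # constructed labels: "public" or "cardholder"

# Constructed policy: (role, classification) -> allowed actions.
# Anything not listed is denied (default deny).
POLICY = {
    ("billing-app", "cardholder"): {"read"},
    ("dba", "cardholder"): {"read", "write"},
    ("web-frontend", "public"): {"read"},
}

@dataclass
class ReferenceMonitor:
    policy: dict
    trusted_zones: frozenset
    audit_log: list = field(default_factory=list)

    def authorize(self, subject, obj, action):
        """Decide one request and record the decision for accountability."""
        if not subject.authenticated:
            decision, reason = False, "unauthenticated"
        elif obj.classification != "public" and subject.zone not in self.trusted_zones:
            decision, reason = False, "untrusted zone"
        elif action not in self.policy.get((subject.role, obj.classification), set()):
            decision, reason = False, "no policy grant"
        else:
            decision, reason = True, "policy grant"
        self.audit_log.append((subject.name, action, obj.name, decision, reason))
        return decision

def demo():
    rm = ReferenceMonitor(policy=POLICY, trusted_zones=frozenset({"internal"}))
    cards = DataObject("cards_db", "cardholder")
    billing = Subject("svc-billing", "billing-app", "internal", True)
    requests = [
        (billing, cards, "read"),                                  # granted by policy
        (billing, cards, "write"),                                 # role lacks write
        (Subject("alice", "dba", "dmz", True), cards, "read"),     # wrong zone
        (Subject("anon", "web-frontend", "dmz", False),
         DataObject("catalog", "public"), "read"),                 # not authenticated
    ]
    return [rm.authorize(*r) for r in requests], rm.audit_log

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```
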

What should IT never do when constructing a cloud architecture?

Assume that you can do a direct lift and shift into the cloud. The intent of the controls has not changed, and neither have your objectives. However, the implementation, visibility, and tools available change significantly. Take the time to understand the platform you are moving your data into and how that platform functions versus how you have handled your data in the past on premises.

What are the cloud architecture pitfalls that IT might fall into?

Again. Never assume you can do a direct lift and shift into the cloud. Never embark on a journey without a known destination and plans for how to get there. Start with a comprehensive set of security requirements inclusive of configurations, solutions, and design principles that must be met. 

Is there anything else you would like to add?

Cloud environments bring tremendous opportunity, as long as you can maintain visibility and manage risk across the entire environment. That's been a consistent message on this blog since its inception in 2011. Manage Your Risk.