Swim in the Cloud or Die

Cloud computing, on its own, is a benign concept, identified as having these five attributes:

To some extent, the concept of cloud computing is as old as Generation X, rooted in the simple delivery of computing resources over a global network. There were major milestones we can all recall: the start of Salesforce.com (a major SaaS), the onset of Web 2.0 ("two-oh!"), and the whole exercise of declaring the "two-oh" of everything. Perhaps nothing impacted us more than the launch of Elastic Compute Cloud (EC2). We gathered by the hundreds of thousands to hear and learn about the emergence of Amazon's S3 storage, the first major infrastructure as a service (IaaS). Very quickly, cloud storage became mainstream in enterprise data centers worldwide, and with it came some of the largest disasters ever known in computing history. Despite this, the benefits outweighed the risks.

By the end of our first decade in the new millennium, Google took us from Gmail to Google Sites, leveraging XML, CSS and JavaScript and putting the potential to build killer apps into the hands of many a man and woman, and literally every child. Google Apps and Apple apps barely had time to be dismissed by Generation Xers before their millennial children were making profits, creating businesses from what seemed to be thin air. It was not thin air. It was the cloud.

Benefits

Unlike any previous evolution in computing, the emergence of cheap, functional applications, the SaaS revolution, overran methodical IT shops. The obvious business benefits ruled the day. Shadow IT met the needs of literally every department. The agility of doing things without the support of IT, however, would more often than not resoundingly backfire. The clear need for cloud governance was soon overtaken by the threat of cyber attack, and cybersecurity became the leading reason for controls and oversight to align the worlds of virtualization, cloud, and the principles of IT governance, especially security configuration controls.

It is no longer a matter of "if" companies will leverage the cloud, but a matter of how. Data center operations has worked to identify the major types of risk in the development of private and hybrid cloud infrastructure. The evolution of configuration, equipment, network and site-based risk management has, in fact, been keeping pace.

Things got real when mainstream developers jumped on board. With the capacity to provision development environments on demand, the Software Development Lifecycle (SDLC) was turned inside out. The agile revolution meant that in-house shops would begin to build and deploy the way millennials (children) consumed: quickly, without need for oversight, meeting immediate needs with little regard for big-picture implications. And that was a good thing, really.

Application Development and DevOps Benefits

Cloud computing is still easily the highest-rated topic in current technology design, implementation and control. No successful enterprise will circumvent the use of virtualization. In fact, it is unlikely that any business today can accurately claim to be virtualization-free, which makes understanding the risk model all the more critical.

Is the state of cloud computing today closer to the promise of liberation, or are we increasingly experiencing less control and freedom as our business model moves closer and closer to the life of a shark? Swim or die.

Benefits in cloud computing are directly associated with the type of cloud service, or virtual service, and with these opportunities come new factors to be added to a company's risk.

The Center for Internet Security states that up to 80% of cyber attacks could be prevented by five simple actions:

  1. Maintaining an inventory of authorized and unauthorized devices

  2. Maintaining an inventory of authorized and unauthorized software

  3. Developing and managing secure configurations for all devices

  4. Conducting continuous (automated) vulnerability assessment and remediation

  5. Actively managing and controlling the use of administrative privileges
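As an added illustration (not Cavirin's code or CIS tooling), the following Python checks a constructed single-host inventory against the four controls above that lend themselves to automated assessment (1, 2, 3 and 5); the device list, software allow-list, baseline keys and admin list are all assumed sample data.

```python
# Added example (not Cavirin code): a minimal automated check for CIS controls
# 1, 2, 3 and 5, run over constructed inventory data for one host. All data
# below is constructed for illustration; in practice it would come from asset
# discovery, package managers and configuration readers.
from dataclasses import dataclass

AUTHORIZED_DEVICES = {"web-01", "db-01"}                         # control 1
AUTHORIZED_SOFTWARE = {"nginx", "openssh-server", "postgresql"}  # control 2
SECURE_BASELINE = {                                              # control 3
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "kernel.randomize_va_space": "2",
}
APPROVED_ADMINS = {"ops-alice"}                                  # control 5


@dataclass
class Host:
    name: str
    software: set
    config: dict
    admins: set


def assess(host: Host) -> list:
    """Return one (control, finding) tuple per deviation from the baseline."""
    findings = []
    if host.name not in AUTHORIZED_DEVICES:
        findings.append(("CSC1", f"unauthorized device: {host.name}"))
    for pkg in sorted(host.software - AUTHORIZED_SOFTWARE):
        findings.append(("CSC2", f"unauthorized software: {pkg}"))
    for key, expected in SECURE_BASELINE.items():
        actual = host.config.get(key)          # None when the setting is absent
        if actual != expected:
            findings.append(("CSC3", f"{key} is {actual!r}, expected {expected!r}"))
    for user in sorted(host.admins - APPROVED_ADMINS):
        findings.append(("CSC5", f"unapproved administrator: {user}"))
    return findings


# Constructed sample host with deliberate deviations from every control
sample = Host(
    name="web-02",
    software={"nginx", "openssh-server", "netcat"},
    config={"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no"},
    admins={"ops-alice", "contractor-bob"},
)

if __name__ == "__main__":
    for control, message in assess(sample):
        print(control, message)
```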

As identified by ISACA (Information Systems Audit and Control Association) the following attributes of cloud computing should be categorized under Business Impact and Risk:

Applications processed in the cloud have similar implications for the business as traditional outsourcing. These include:

  • Loss of business focus
  • Solution failing to meet business and/or user requirements; not performing as expected; or not integrating with strategic IT plan, information architecture and technology direction
  • Incorrect solution selected or significant missing requirements
  • Contractual discrepancies and gaps between business expectations and service provider capabilities
  • Control gaps between processes performed by the service provider and the organization
  • Compromised system security and confidentiality
  • Invalid transactions or transactions processed incorrectly
  • Costly compensating controls
  • Reduced system availability and questionable integrity of information
  • Poor software quality, inadequate testing and high number of failures
  • Failure to respond to relationship issues with optimal and approved decisions
  • Insufficient allocation of resources
  • Unclear responsibilities and accountabilities
  • Inaccurate billings
  • Litigation, mediation or termination of the agreement, resulting in added costs and/or business disruption and/or total loss of the organization
  • Inability to satisfy audit/assurance charter and requirements of regulators or external auditors
  • Reputation
  • Fraud

Common infrastructure benefits focus on availability, efficiency and recovery. Still, with benefits and opportunities come technology, compliance, licensing and security risks.

The introduction of virtualization brings many changes that need to be reflected in the tools administrators use to manage systems. Some examples of the types of changes that need to be addressed include:

  • Servers and workstations are no longer tied to a particular, known location.
  • Releasing software patches is different in a virtual environment.
  • Backup and restore run from a central location as opposed to executing on the machine.
  • Monitoring tools used to correlate hardware and software events may no longer understand where dependencies lie.
  • In addition, each virtual platform has its own management tools, which need to be integrated into operations.

What could go wrong?

Gartner’s Strategic Planning Assumption, “Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.”

The mismanagement of recommended configuration is both within and beyond our locus of control; however, cloud breaches impact everyone’s brand. Laws place increasing responsibility on all consumers of the cloud to exercise accountable oversight of their cloud service providers, i.e., dependency responsibilities:

  • Reputation is a new target for cyber attacks
  • Criminals value our information  – financial, health, critical infrastructure
  • Cyber risk is challenging to understand and address, increased regulation imposed
  • The changing pace of technology increases unknown dependency on third parties and shadow IT
  • We cannot trace or control our data – data exfiltration occurs
  • The role of government and information custody is often misunderstood

How Cavirin Cloud Rescue Can Help

Compliance in any environment

  • Cloud Native platform supporting 12-factor patterns (things like port binding, logs, concurrency…)
  • A “hyper plane” of integrated “risk assessment” amongst segmented vulnerability domains
  • Works with Private, Hybrid, and Public Clouds
  • Supports AWS, Azure, GCP (Google Cloud Platform)
  • Manages thousands of out-of-box policies, well curated and certified (SCAP, XCCDF, OVAL)
  • Supports current compliance authorities (PCI DSS, HIPAA, NIST, SOC 2, FedRAMP, CIS Benchmarks, DISA, CIS CSC, CSF)
  • CIS Certified security content (multiple OS, Docker, AWS Cloud)
  • Complies with DISA standards in all aspects of delivery and reported results

Cyber Ready

  • Know the critical assets and who’s responsible for them
  • Get everyone involved in cyber-resilience
  • Assure they have the knowledge and autonomy to make good decisions
  • Be prepared for both unsuccessful AND successful attacks
  • Prevent a cloud enabled cyber-attack from throwing your organization into complete chaos.

All things being equal, cloud service environments put tremendous control in the hands of the consumer. This can make for a very bad cloud.

Cavirin offers industry-leading Automated Assessment & Reporting (AAR), the Automated Risk Analysis Platform (ARAP) and Compliance as a Service. ARAP together with AAR offers continuous risk visibility by scanning the corporate network, signaling issues and automatically discovering new IT assets. Effective auto-discovery across on-premise, cloud and containerized infrastructures is the cornerstone of asset risk assessment. Automated asset discovery ensures round-the-clock analysis, risk identification and reporting, greatly reducing the need for additional manned resources. Cavirin’s ARAP and AAR augment the standard GRC tool by replacing the manual and tedious process of building information security baselines with automated, industry-expert-qualified interpretation and remediation guidance. Cavirin’s solution closes the gap between written corporate policy and the configuration necessary to prove system policy alignment.

Figure: Service Level factors controlled via Cavirin ARAP and AAR (a better cloud)

Figure: Information factors controlled via Cavirin ARAP and AAR (an even better cloud)

Figure: Software as a Service factors controlled via Cavirin ARAP and AAR (a not-so-bad cloud)

Figure: Platform and Infrastructure as a Service factors controlled via Cavirin ARAP and AAR (actually, a pretty good cloud)

Cavirin Security and Compliance actively contributes to all major standards bodies and organizations responsible for mapping regulatory requirements and the most highly leveraged national and international standards. In addition to CIS Benchmark, DISA STIG and NIST-based configuration hardening and change management, Cavirin has implemented all assessments against the NIST Cybersecurity Framework (CSF) and NIST SP 800-53 r4, including Appendix J for privacy. Clients who elect to use multiple policy packs, including ISO/IEC 27002:2013, will benefit from the extended use of multiple frameworks to align information security programs and policy.

About Cavirin

Cavirin is transforming the way IT security manages risk. Founded in 2012, Cavirin’s platform is a purpose-built agent-less solution that deploys quickly to on-premises, cloud, and containerized infrastructures, helping organizations reduce complexity, become more agile, and drive dramatic increases in efficiency with their risk and compliance programs. Leveraging continuous visibility and automated assessments, companies are empowered to make the right decisions faster. Cavirin’s Automated Risk Analysis Platform (ARAP) is a security and compliance fabric that provides continuous configuration evaluation with recommendations for alignment to industry standards and best practices, prioritizing systems and risk remediation efforts across complex hybrid IT infrastructures. Offering up-to-the-minute compliance assessments, Cavirin supplies audit ready evidence as measured by every major regulatory, and security best practice framework.

About Center for Internet Security

The Center for Internet Security, Inc. (CIS) is a 501(c)(3) nonprofit organization focused on enhancing the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. CIS provides resources that help partners achieve security goals through expert guidance and cost-effective solutions.

About DISA

DISA, a Combat Support Agency, provides, operates, and assures command and control, information sharing capabilities, and a globally accessible enterprise information infrastructure in direct support to joint warfighters, national level leaders, and other mission and coalition partners across the full spectrum of operations.

Additional Critical Resources and Reading from NIST (links will open in new window and download the latest publication from NIST)

© 2018 Cavirin Systems, Inc. All rights reserved.