In A Cloud Speed World, Is It Time To Leave It To The Machines?
By Yuval Shchory, Head Of Product Management, Cloud Security
The cloud has completely revolutionized how businesses work. Where once both web presence and internal applications were essentially static, with changes only made after much deliberation and via pre-planned upgrades, the enterprise and its public face are now entirely dynamic and seemingly in a constant state of flux. From an environment that was essentially stable and predictable, we’ve now entered a new era of complexity and rapidity, where everything happens at ‘cloud speed’.
Staying on top of this new normal is a huge challenge for all technology-focused teams, but particularly for DevOps and Security. Yet is it even possible for these teams, no matter how big they are, to fully control the CI/CD pipeline and ensure that the applications they’re continually launching and upgrading aren’t about to open their company up to online threats? Is it time instead to let artificial intelligence (AI) and machine learning (ML) do the heavy lifting for these teams?
The challenge of cloud speed culture
With cloud breaches surpassing on-premises attacks, there’s no doubt now that enterprise security is cloud security, and the attack surface has never been wider. Cloud has enabled the enterprise to become much more flexible and responsive to the world in real time, but it’s done so by figuratively throwing open every window in the house rather than just allowing access via a few well-guarded doors.
Remember, it’s not so long ago that Security was involved from day one in any application’s development. The Dev team might not have liked it, but it was standard procedure that Security would advise on how the app needed to be built in order to comply with the enterprise’s network and security policies.
However, we no longer live in that world, and at many companies, Security’s visibility into app development has diminished to almost zero. That’s because, while security remains important, the functionality of cloud apps is often regarded – certainly by the DevOps team – as being a greater priority. In this scenario, Security is increasingly seen as a choke point in the development process rather than a vital component.
The dominance of cloud speed has brought about a cultural change to the extent that now, Security may only be alerted to a new app the day before it launches. The DevOps team might have ticked the box of giving them a heads-up, but how is Security meant to properly secure an app in a 24-hour timeframe? In the cloud speed world, rapidity of demand often trumps absolute safety.
Network policies can no longer keep up
Of course, there are plenty of enterprises that have realised this situation is untenable. Yes, they need to quickly develop, launch and update their apps on a rolling basis, but this can’t be done at the expense of security – it only takes one public-facing breach to plunge a company into a crisis it might take years to recover from.
At these more forward-thinking enterprises, the cloud speed culture has been tempered by a ‘shift left’ security philosophy where developers are both encouraged and empowered to secure their code as they write it, rather than deliver an app that needs to be secured after the fact. There are a variety of tools now available to automate the shift left process, making it as painless as possible while giving Security more visibility into the development of cloud apps.
But securing the code at the point of origin is only one part of the challenge. What about when it’s released into the cloud environment? The way in which different cloud assets interact with each other ‘in the wild’ is also a major factor impacting an enterprise’s security posture, particularly when those assets are being continually tweaked, often without Security’s knowledge. How do you control which assets have access to each other, and how do you ensure that the connections between them are only used by permitted traffic? DevOps’ habit of leaving ‘back doors’ into apps for rapid alteration is also a problem in itself.
Traditionally, access and permission rights have been defined by network policies. But making these work in the cloud speed world is both a laborious and often futile exercise, because the cloud environment and the assets within it are constantly changing. Teams have tried to maintain policies and crunch the relevant data by importing usage and traffic logs from routers into Excel files, but this method provides only a series of static pictures rather than a real-time update, and it is clearly not scalable. In fact, this challenge goes way beyond what a team of people can realistically do on their own.
Intelligent automation is the solution
The challenge of protecting assets 24/7 is a cloud speed problem that requires a cloud speed solution. Just as automation has made the job of securing code as it is created a lot easier, so the application of AI and ML can assist with the ongoing protection of cloud assets.
By gathering the relevant data from the DevOps system in real time, an AI programme, using ML, can model and rapidly calculate every possible permutation of an asset’s journey – including connections, protocols, traffic type, etc. – and use this information to suggest the appropriate network access policy at that present moment. The AI programme can also directly provide actionable insights to developers to ensure that every configuration they make is compliant with the policy it has defined.
There are clearly a number of advantages to this approach, with speed and accuracy being the obvious ones. But it also means that the relationship between DevOps and Security can be a lot less confrontational, with Security not feeling like it’s being a bottleneck to app roll-out, and DevOps not having to ask permission for every little change (and thus being less tempted to leave backdoors into apps). By receiving trusted insight from the AI programme, a developer can tell if their configuration is too open while also being provided with the relevant fix. And Security doesn’t have to constantly breathe down DevOps’s neck about permissions.
While some teams may be wary of introducing AI into their systems, it’s really just another form of intelligent automation, and many people now accept that both successful app development and cloud security are impossible without automation. Developers shouldn’t regard AI as a threat, but as a way of performing the tedious but essential legwork necessary to keep their code compliant at cloud speed. And just as importantly, it’s an entirely sensible way to bridge the gap between what DevOps knows and what Security knows without one constantly feeling under pressure from the other.