Automating Security in the Cloud: Modernizing Governance through Security Design

CloudHealth Tech Staff
Published: May 3, 2019

Automation in many areas of cloud computing has eliminated manual processes and the errors that accompany them; yet many businesses are apprehensive about automating security in the cloud. We look at the reason for this apprehension, and explain how you can modernize governance through security design.

Automation has made a significant contribution to the growth of cloud computing. By eliminating repetitive manual tasks such as provisioning, configuring, clustering, and load balancing, cloud computing has become more efficient. Being able to construct reliable and predictable workflows saves IT teams time and money, and contributes towards more effective corporate governance.

Yet in some areas, corporate governance is still in the Dark Ages. Although willing to “automate everything” when it comes to deploying assets in the cloud, many businesses are apprehensive about automating security in the cloud. Is it because IT security teams are fearful of losing their jobs? Is it because IT security teams don't trust automation as much as developers? Or, is there another reason?

Is There a Lack of Understanding about Automating Security in the Cloud?

Security in the cloud is a delicate subject. Due to some businesses failing to understand the “shared responsibility model”, or only providing security training to key personnel rather than business-wide, there are considerable gaps in many businesses' cloud security. Consequently, when it comes to automating security in the cloud, some businesses may feel it's better to wait until they have their manual processes working efficiently before attempting to automate them.

That's not necessarily the wisest thing to do. It's already been seen how automation can eliminate repetitive manual tasks in asset deployment, and eliminate the human errors that can expose security vulnerabilities and put the business at risk. Automating security in the cloud is hardly any different. You simply automate the repetitive manual tasks and eliminate the errors. Nobody is going to lose their job and, after a while, IT security teams may grow to trust automation as much as developers!

How to Start Automating Security in the Cloud

To start automating security in the cloud, you need to implement a cloud management platform with automation capabilities such as CloudHealth. Then you find a repetitive manual security-related task - such as reminding users to change their passwords every 90 days - and create a policy so users are automatically notified when their passwords need changing. You can also create a policy that passwords follow a specific format (e.g. ten letters, two numbers, and two punctuation characters).

Once you can see how this simple task can be automated and the password policy enforced, you can extend automating security in the cloud to other tasks. The CloudHealth platform will monitor compliance with your security policies around the clock, and take a user-defined action when a policy violation occurs. Typical automated security policies could include:

  • Notifying IT security teams when a larger than normal number of assets is launched outside regular working hours
  • Initiating a function to secure unencrypted storage volumes with specific tags (e.g. business-critical or personal data)
  • Terminating assets that do not conform to a security policy (e.g. launched in a non-U.S. region or launched with unauthorized open ports)
  • Revoking user access if an account is logged into from outside a specified IP range or if the user has disabled multi-factor authentication.
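
The four policies listed above, written out as an added example (this is not CloudHealth's code or API): a small Python evaluator that maps a constructed inventory to the action each violation would trigger. The record fields, region and port allow-lists, trusted IP range, working hours and off-hours threshold are all assumptions made for illustration.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed policy parameters (constructed for this example).
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}
ALLOWED_PORTS = {22, 443}
SENSITIVE_TAGS = {"business-critical", "personal-data"}
TRUSTED_NET = ip_network("203.0.113.0/24")  # RFC 5737 documentation range
WORK_HOURS = range(8, 18)                   # 08:00-17:59 UTC
OFF_HOURS_LAUNCH_LIMIT = 2                  # stand-in for "larger than normal"

def evaluate(assets, volumes, logins):
    """Return a sorted list of (action, target) for every policy violation."""
    actions = set()
    off_hours = [a for a in assets if a["launched"].hour not in WORK_HOURS]
    if len(off_hours) > OFF_HOURS_LAUNCH_LIMIT:
        actions.add(("notify-security", "off-hours-launch-spike"))
    for a in assets:
        bad_ports = set(a["open_ports"]) - ALLOWED_PORTS
        if a["region"] not in ALLOWED_REGIONS or bad_ports:
            actions.add(("terminate", a["id"]))
    for v in volumes:
        if not v["encrypted"] and SENSITIVE_TAGS & set(v["tags"]):
            actions.add(("encrypt", v["id"]))
    for login in logins:
        outside = ip_address(login["source_ip"]) not in TRUSTED_NET
        if outside or not login["mfa_enabled"]:
            actions.add(("revoke-access", login["user"]))
    return sorted(actions)

def _t(hour):
    return datetime(2019, 5, 3, hour, tzinfo=timezone.utc)

# Constructed sample inventory.
ASSETS = [
    {"id": "i-01", "region": "us-east-1", "open_ports": [443], "launched": _t(10)},
    {"id": "i-02", "region": "eu-west-1", "open_ports": [443], "launched": _t(2)},
    {"id": "i-03", "region": "us-west-2", "open_ports": [22, 3389], "launched": _t(3)},
    {"id": "i-04", "region": "us-east-1", "open_ports": [], "launched": _t(23)},
]
VOLUMES = [
    {"id": "vol-01", "encrypted": False, "tags": ["personal-data"]},
    {"id": "vol-02", "encrypted": False, "tags": ["scratch"]},
    {"id": "vol-03", "encrypted": True, "tags": ["business-critical"]},
]
LOGINS = [
    {"user": "alice", "source_ip": "203.0.113.7", "mfa_enabled": True},
    {"user": "bob", "source_ip": "198.51.100.9", "mfa_enabled": True},
    {"user": "carol", "source_ip": "203.0.113.8", "mfa_enabled": False},
]

if __name__ == "__main__":
    for action, target in evaluate(ASSETS, VOLUMES, LOGINS):
        print(action, target)
```

Keeping the evaluation separate from the enforcement step lets the same rules run in report-only mode before any asset is terminated or any access revoked.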

Modernizing Governance through Security Design

Governance in the cloud is a lot different from governance in on-premises environments, where costs are mostly fixed, performance is limited by the capabilities of installed software, and data is protected by a firewall. Yet a significant number of businesses rely on administrative and operational security controls with limited technical enforcement. Automating security in the cloud can enable the technical enforcement of your governance policies by:

  • Preventing users from overriding the rules
  • Establishing the reliable operation of controls
  • Enabling continuous monitoring and real-time auditing

Modernizing governance through security design follows a similar path to how you would start automating security in the cloud. First, conduct a risk assessment or penetration test to identify vulnerabilities. Take advantage of CloudHealth's automation capabilities to eliminate the vulnerabilities and build a secure environment. Validate that your security by design is effective, and extend it to other areas of your cloud operations using CloudHealth's other capabilities.

Find Out More about CloudHealth’s Other Capabilities

CloudHealth is more than a solution for automating security in the cloud. Our platform can be used to reduce costs, optimize performance, and maintain control over your cloud, multi-cloud, or hybrid cloud environment. If you would like to find out more about CloudHealth’s other capabilities, do not hesitate to get in touch.