Cloud computing represents a completely unique opportunity to re-think enterprise security and risk management.
Cloud security has become a divisive topic within many companies. Some see cloud computing as a business necessity, required to keep pace with competitors, or a vehicle to seriously change “old world” IT. Others see daunting and threatening security risks. To me, cloud computing represents a chance to re-think, re-design, and operationalize information security and risk management to drive business agility.
Cloud computing offers a unique change in managing information systems: automation. While most see automation as the cornerstone of cloud computing’s cost savings and efficiency, automation is equally valuable, if not more so, for information security and risk management. Today’s security landscape is plagued by methods that are largely manual and disconnected.
- Business systems are launched and retired faster than security teams can identify, analyze, and track.
- Risks are implicitly accepted by business sponsors during design, development, and operation, but mitigated only when pressed by security and risk management.
- Security policies are enforced primarily by manually executed audits and processes.
- Scaling today’s information security and risk management problems to cloud velocity is untenable, but doing so without refactoring poses a far greater risk to the enterprise.
A successful approach combines the refactoring of existing information security and risk management practices with automation that operates at cloud speed and scale. That automation includes four key components:
- An execution engine that reliably deploys virtual systems according to a data-driven design
- Lifecycle-centric systems management and operational tools
- Automated sensory and scanning systems that identify key issues and risks
- A policy evaluation engine that may drive planned automated responses and notifications
The combination of this powerful automation and refactored information security concepts creates an environment in which security requirements for cloud systems are codified and enforced in a prescriptive and proactive manner.
One example can be seen in enterprises that run routine security scans of systems and business applications. The challenges with these scans begin with identifying the systems to be scanned. This is one of the most time-consuming steps, yet it can be the critical factor for success. Once identified, systems are scheduled for a scan, then scanned, and the results are analyzed. Then the security team communicates the findings to the project/development/business team, and the two sides usually negotiate remediation timelines, risk acceptance, and deferrals.
The IT security team typically manages the entire process, spending more time on bureaucracy than on security. As a result of this overhead, these scans are often performed on production or near-production systems. The processes are considered successful when each application or server within the enterprise is scanned annually.
In cloud-centric operations, a system may run for only hours or days, meaning the existing processes will likely miss the system completely. While this gap could be mitigated by slowing down cloud deployments to suit existing processes, a better strategy is to revise the security scanning process for the cloud.
In agile cloud operations, for example, a cloud management platform would be aware of every system started by business and development teams. Through automation and policy, each system is scanned upon startup and restart. Results can be sent automatically to both system owners and information security. More importantly, scans can be performed during the earlier stages of system development, when it’s easier, cheaper, and faster to make system changes. Further improvements are gained by automatically separating results into those that can be acted upon immediately by system owners and those that require further analysis by security experts.
By adapting security scan processes to the cloud, businesses can act more nimbly in a cloud-centric environment while moving to more frequent scans and earlier, cheaper remediation. Such gains would not be available without the foundation provided by a cloud management platform.
By deploying a cloud management platform with a rich automated policy infrastructure, enterprises can be confident that they’ve established governance, compliance, and security that are configurable, automated, and enforced. In doing so, they’re enabling the business to function with cloud speed and agility, knowing that information security was part of the journey.
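The sketch below is an added illustration, not code from the article or from any cloud management platform. It compares which systems a calendar-scheduled scan reaches with which a scan-on-startup policy reaches, then splits the results between system owners and security analysts. All names, the inventory, the findings, and the `has_known_fix` flag are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample inventory: (system, owner, start_hour, stop_hour).
SYSTEMS = [
    ("build-agent-17", "dev-team-a", 2, 9),
    ("load-test-03", "dev-team-b", 30, 78),
    ("billing-api", "finance-it", 0, 10_000),
]

@dataclass(frozen=True)
class Finding:
    system: str
    title: str
    has_known_fix: bool  # assumption: the scanner flags standard remediations

# Constructed scan output, not real scanner results.
FINDINGS = [
    Finding("build-agent-17", "outdated TLS library package", True),
    Finding("load-test-03", "default admin password enabled", True),
    Finding("load-test-03", "unexpected outbound listener", False),
]

def calendar_scan_coverage(systems, scan_hours):
    """Systems that are running at one or more scheduled scan times."""
    return {name for name, _, start, stop in systems
            if any(start <= t < stop for t in scan_hours)}

def startup_scan_coverage(systems):
    """Scan on startup: the platform launches every system, so it scans each one."""
    return {name for name, _, _, _ in systems}

def triage(findings, systems):
    """Split results into per-owner fix lists and a queue for security analysts."""
    owner_of = {name: owner for name, owner, _, _ in systems}
    owner_queues, security_queue = {}, []
    for f in findings:
        if f.has_known_fix:
            owner_queues.setdefault(owner_of[f.system], []).append(f.title)
        else:
            security_queue.append((f.system, f.title))
    return owner_queues, security_queue

if __name__ == "__main__":
    print("calendar scan at hour 4000:", calendar_scan_coverage(SYSTEMS, [4000]))
    print("scan on startup:", startup_scan_coverage(SYSTEMS))
    print("triage:", triage(FINDINGS, SYSTEMS))
```
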
Bankim Tejani is a senior security architect with ServiceMesh, an active member of the Austin Open Web Application Security Project (OWASP), and co-founder of the Agile Austin Security SIG.