Cloud Security: Automated and Self-Healing

Have you ever considered how much working with the cloud resembles the inner workings of the hereditary material in humans and almost all other organisms – that is, DNA? In living organisms, characteristics and behavior are dictated by the composition and order of certain DNA building blocks. Likewise, the characteristics and behavior of cloud infrastructure (a combination of compute, storage, network, and security services) can be controlled by what I call “Cloud DNA”: software-defined policies and procedures, APIs, and solutions that are combined and automated to create an appropriate cloud configuration.

Cloud DNA provides an opportunity for evolution in how we look at security. Software-defined infrastructure (SDI) replaces the traditional view of infrastructure, which featured purpose-built hardware, a unique command console, switches for DNS, and so on. The cloud, combined with SDI, allows us to treat everything as code and use APIs to accomplish all tasks. We achieve elasticity and agility through code. Much has already been written about software-defined compute, software-defined storage, and software-defined networking. My passion is software-defined security, where we can utilize SDI to achieve better security, and eventually consume security as a service.

Security as a Service

By its very nature, cloud security is a changing environment. Sometimes we’re not sure what the right configuration is exactly, and over time, a configuration may deviate from the desired setup. Software-defined security – security as a service – enables IT to use code to query and compare a cloud infrastructure configuration to an existing baseline, then take action if needed.

For example, if I don't want to open port 80 in the pubic cloud, I can query the infrastructure and perform a command line instruction that closes it if it's open. No tedious work is required. Instead, two simple calls are sufficient – one to the API and one to take corrective action. The following figure shows how a self-healing cloud could work:

Autonomous Cloud Security

By hooking into all the cloud APIs, we can go far beyond this simple example to create complex security tools that can be controlled through code. Eventually, pursuing this automation framework can take us all the way to an autonomous, self-protected cloud. For example, imagine that an IT technician sees that a cloud VM is infected with malware. Without Cloud DNA and software-defined cloud security, we must open the console and try to clean up the VM with tools, and this takes time. With security as a service, the security control automatically identifies the infected VM, launches a new VM, and drops the infected one. The issue is resolved in 30 seconds instead of three days. Machine learning and automation will create this self-healing, well-configured infrastructure.

We’re not there yet. However, we’re making progress, as documented in the recent IT@Intel white paper, “Boosting IaaS and PaaS Security in the Public Cloud.”

Cloud Security – a Constant Learning Process

The vision of a self-healing, well-configured cloud is just that right now – a vision. We’re on a journey. I am invigorated by the cloud’s rapidly changing environment, where new ideas and new solutions emerge all the time. I’ve been doing cloud security for close to a decade, but I'm still learning a lot of new things: new domains of expertise, new capabilities. Increasing my knowledge as the cloud evolves is crucial to helping Intel build a strategy and architecture for cloud security. As Robert Brown, the CIO of the U.S. Army Security Assistance Command, said at the 2016 Gartner Symposium/ITxpo, IT personnel "are going to be continually challenged to increase their knowledge of future IT services [while] maintaining current IT services." An article in CIO Magazine recently stated that “skills gap is an abyss for information security.”

For example, at one point I had to teach myself what “elasticity” really means and how to make software-defined security a reality even on a basic level. How do I set firewall rules using the command line instead of a console? What are the unique risks that we have in the public cloud versus the traditional environment, and how do I manage them with automation? These questions are blending into new domains and skill sets. I am lucky to have peers, team members for collaboration, and other sources for education.

While I am a team leader for cloud security at Intel, it’s not a one-person effort. I encourage my team members to learn too. Having motivated people who are keen to learn new things is key to our ability to progress; they must use technology to resolve new challenges. Employees are empowered to advance their knowledge, and right now, cloud security is a very good place to advance.

Each domain is vast and deep – no one can “know it all” and that includes me. For example, one team member may delve deeply into vulnerability management, while another focuses on compute issues. They go beyond just reading papers or testing in the lab to discover how this stuff works in the real world. Our team is learning from each other, enriching their overall knowledge – it’s a bidirectional discussion. No one person can learn everything – it's too huge.

I am proud to have an engaged and motivated team that is working together to resolve issues when they arise and achieve tangible results in the field of cloud security. The cloud poses new challenges, new models of operation, and solutions all the time. We openly discuss options and drive our dream forward one result at a time. Our team atmosphere is positive, even if things aren't working perfectly – we know we'll solve it eventually.

Boosting IaaS White Paper ThumbnailI encourage you to read the paper, “Boosting IaaS and PaaS Security in the Public Cloud,” and join me and Intel’s IT department in moving the cloud forward toward its true potential.

Published on Categories SecurityTags , , , , , ,
Shachaf Levi

About Shachaf Levi

Shachaf Levi is a Cloud Security Architect at Intel. He has been working in cloud security for the last six years, and has been with Intel since 2004. He is currently building a combined strategy and architecture for cloud security, covering public and private cloud, SaaS (software as a service), PaaS (platform as a service), and IaaS (infrastructure as a service). This includes creating a reference architecture, roadmap, and capability building blocks, then selecting solutions to secure cloud usages across the various threats and compliance requirements. He enjoys new technology, innovative ideas, and working with and empowering engineering and operational teams toward successful solution adoptions while encompassing stakeholders’ needs. In particular, he is interested in automated solutions. Shachaf has published several white papers and a YouTube video documenting his security and automation work.