Increasing Utility and Appeal of Native Cloud Security Controls

One of the major benefits of cloud computing is agility—the ability to quickly deploy and scale infrastructure, services, and applications. That benefit can be hampered by the time and effort it takes to integrate and test third-party security applications and services. Fortunately for those deploying into the cloud, today’s well-integrated native cloud security controls make it easier to deploy secure applications. The capabilities of these controls are often as good as or better than those of third-party security solutions, and they are faster to integrate. My recent experiences with cloud projects have confirmed that, as has Intel IT, which describes its own experience in this excellent white paper on using native cloud security controls.

Native cloud security controls have many advantages. When you are building out infrastructure for an application or service, rather than installing a firewall on a VM or container, along with the network segments in front of and behind it, and managing the routing, it is much simpler and faster to use the port-limiting features available natively on cloud infrastructure. Doing this also reduces the attack surface by comparison. In addition to port restrictions, the built-in web application firewalls (WAFs) provided by a cloud service provider (CSP) can guard against attacks higher in the network stack, further reduce the attack surface, and provide DDoS protection. Having the infrastructure handle HTTPS encryption can greatly simplify certificate management—it’s done in one place rather than being distributed among multiple VMs or containers. Moreover, native cloud security controls can be turned on and scaled quickly through cloud resource templates, enabling DevOps and security at the same time. As part of a team that designed and built out the infrastructure for the XPRIZE Data Collaborative, we made many design choices that leveraged native cloud security controls.

Vendor lock-in may be a concern with using built-in services, but standardizing on a few CSPs and products makes it relatively easy to move between them. Using native cloud security controls does not mean that you cannot use third-party security products or run security processes on-premises. Intel IT’s architecture for using native cloud security controls, shown in this figure, includes third-party products running on-premises. An additional benefit of standardizing on cloud-native security services is that a minimum level of security is installed by default. Intel IT has incorporated standardized “guard rails” for applications and services deployed to CSPs so that a baseline of security is automatically built in when Intel’s users deploy to the cloud (blocking potentially hazardous ports is one example). Evaluating and validating both native controls and third-party products is an ongoing process, enabling Intel IT to move in either direction as warranted.
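The two ideas above, port limiting declared in a cloud resource template and a guard rail that blocks hazardous ports before deployment, can be combined into a pre-deployment check. The following is an added example, not code from Intel IT or the XPRIZE project; since the post names no provider, it assumes the AWS CloudFormation security-group shape, a constructed sample template, and an illustrative list of ports the baseline never allows from any source.

```python
import ipaddress
# Assumption: management/database ports that the baseline never allows from any source.
HAZARDOUS_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample template in CloudFormation-like shape (not a real deployment).
TEMPLATE = {
    "Resources": {
        "WebSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            ]},
        },
        "DbSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "10.0.0.0/16"},
                {"IpProtocol": "-1", "CidrIpv6": "::/0"},  # every protocol and port, IPv6-wide
            ]},
        },
    }
}

def rule_exposes(rule):
    """Return (port, service) pairs that this ingress rule opens to the whole Internet."""
    src = rule.get("CidrIp") or rule.get("CidrIpv6")
    # No CIDR source (e.g. another security group) or a non-zero prefix is not Internet-wide.
    if src is None or ipaddress.ip_network(src).prefixlen != 0:
        return []
    if rule.get("IpProtocol") == "-1":  # "-1" means all protocols and therefore all ports
        return sorted(HAZARDOUS_PORTS.items())
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return [(p, s) for p, s in sorted(HAZARDOUS_PORTS.items()) if lo <= p <= hi]

def check_template(template):
    """Walk every security group in the template and collect guard-rail violations."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            src = rule.get("CidrIp") or rule.get("CidrIpv6")
            for port, svc in rule_exposes(rule):
                findings.append(f"{name}: {svc} (port {port}) open to {src}")
    return findings

if __name__ == "__main__":
    for finding in check_template(TEMPLATE): print("GUARD RAIL violation:", finding)
```

Run as a pipeline gate, a non-empty findings list fails the deployment; the HTTPS rule and the VPC-scoped PostgreSQL rule pass, while the Internet-wide SSH rule and the all-protocol IPv6 rule are reported.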

In the long run, I see cloud services continuing to offer not just more security services but increasingly functional and robust ones. When we were building out the XPRIZE implementation, we had to put certain security controls into a VM running a third-party software package because the native controls were not sufficient. Less than a year later, the CSP’s native security controls had evolved to the point where we can consider retiring those VMs in favor of capabilities that are part of the cloud provider’s infrastructure.

For more information, check out: