Having Your Cybersecurity And Eating It Too

The Catch 22

The very same year Marc Andreessen famously said that software was eating the world, the Chief Information Officer of the United States was announcing a major Cloud First goal. That was 2011. Five years later, as both the private and public sectors continue to adopt cloud-based software services, we’re interested in this question: how in the world do you eat cloud software?

Cybersecurity today seems to have an unfortunate Catch-22. You want to test (and re-test) your live cloud services to see if they are really secure, but testing too aggressively or too frequently will disrupt or degrade those services, or even leave them more vulnerable than before. Keeping your live services up and running is difficult enough on its own: aggressive scanning and testing is essentially eating those services, to find out whether they are good or bad, at the same time you are trying to keep them all in one piece.

Splitting In Half

As the title of this blog hints, running a live system and fully testing that same live system is exactly like trying to have your cybersecurity cake and eat it too — pick one, not both, or more realistically pick half of each. We’ve even heard penetration testing on a live network described as “running fast while shooting at your own feet to see if your boots are really tough enough for the journey.” (Please do not try this at home!)


It’s no secret that classical vulnerability and penetration testing is filled with wise caution, legal landmines and detailed guidance for mitigating the impact on real operations and businesses. One way to maneuver around this Catch-22 is to maintain a separate non-production environment of equivalent hardware and software. Keeping that environment up to date is not easy, and it demands a constant investment of time and money. The unfortunate reality is that such environments quickly diverge from the real operational systems, so findings against them become less and less meaningful. It’s often double the cost for a fraction of the real cybersecurity benefit.

As businesses rapidly accelerate their dependence on cloud services and the federal government puts sensitive data into the cloud, achieving more secure cloud-based services is critically important. We’re all interdependent and have a shared stake in the outcome.

With a lot on the line there is no shortage of expectations, from financial sector penetration testing requirements to a new military effort calling for more proactive testing of critical operational systems. And we can’t help but mention DARPA’s groundbreaking Cyber Grand Challenge, which pitted fully automated systems against each other to find and patch vulnerabilities with no human in the loop.

Government Embracing The Cloud

Likewise, as the federal government steps more firmly into the cloud despite its security concerns (there’s even a cloud.gov these days, after all), the government’s own penetration testing guidance has also anticipated this seeming Catch-22 in cybersecurity. The government expressly allows “testing in a non-production environment” to “limit the impact on business operations.” Then, in the same breath, it wisely requires that the non-production environment be “identical to the production environment.” And to reinforce the point it even uses italics, noting that the “environments must be exactly same” and not just “almost” the same. We couldn’t agree more!

The Clone

Our answer, then, to the original question of how in the world you eat cloud software: leverage the inherent ability of any cloud environment to generate and operate exact (cloned) images of the live systems, then test those exact images. It’s a bit like interacting with a hologram, except that in the cyber world the hologram behaves and reacts exactly like the real thing, because it is as real as the original thanks to the inherent design of the cloud’s service-based architecture. Once you’ve set up the parameters for the cloud service, it makes little sense to ask Amazon, for example, which particular servers in which racks you are running on, because it doesn’t make one bit of difference operationally. One caveat a practitioner will want stated plainly: the image is exact, but the environment around it is not cloned automatically. The clone’s network, identity and access (for example, which roles or credentials it can use) and any managed services its configuration points at must be reproduced or isolated deliberately, and because the image carries whatever production data and secrets were on disk, the clone needs at least the same access controls as the original.

As the cloned versions are set up, the live cloud services keep going while the cloned version takes the heat. Even if during testing the cloned version goes down in flames, so to speak, that’s OK for two reasons. First, the live operational system is still running fine, keeping your customers and users happy. Second, you have proactively uncovered an issue before it could grow into an even larger, real one.

Meanwhile, you can simply start another cloned image and get right back to testing, with no need to clean up or try to rewind time. This approach works across multiple cloud platforms, whether hosted, on premises or a mix, so you can choose your cloud provider, or more likely choose a few of them. Furthermore, your existing investment in scanning, testing and security tools can be applied directly to the exact images.
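The clone, test and discard cycle described above, as an added example on AWS (this is not Cybric’s code or anything from the original post): it snapshots a running instance into an AMI without rebooting it, launches that image into a quarantined subnet and security group, points an existing scanner at the clone’s private address, and then destroys both the clone and the AMI so the next run starts from a fresh snapshot. The subnet and security-group IDs, the scanner command and the instance ID passed on the command line are placeholders; the quarantine network is assumed to have no route to production.

```shell
#!/bin/sh
# Clone a live EC2 instance into a quarantined network, scan the clone, throw it away.
# Added example, not Cybric's code. Assumes a configured AWS CLI and an existing
# isolated subnet / security group (the IDs below are placeholders).
set -eu

QUARANTINE_SUBNET="${QUARANTINE_SUBNET:-subnet-0quarantine000000}"   # assumption: no route to prod
QUARANTINE_SG="${QUARANTINE_SG:-sg-0quarantine0000000}"            # assumption: admits only the scanner
SCANNER="${SCANNER:-nmap -sV -Pn}"                                 # any existing scanner you already own
AWS="${AWS:-aws}"

# Snapshot the live instance into an AMI. --no-reboot keeps the live service
# serving (the snapshot is crash-consistent rather than clean). Prints the AMI id.
snapshot_live() {
    instance="$1"
    ami=$($AWS ec2 create-image --instance-id "$instance" \
        --name "clone-$instance-$(date +%s)" --no-reboot \
        --query ImageId --output text)
    $AWS ec2 wait image-available --image-ids "$ami"
    echo "$ami"
}

# Launch the image in the quarantine network, with no public IP and no IAM
# instance profile, so the clone cannot reach production through a role.
# Prints the clone's instance id once it is running.
launch_clone() {
    ami="$1"
    clone=$($AWS ec2 run-instances --image-id "$ami" \
        --subnet-id "$QUARANTINE_SUBNET" --security-group-ids "$QUARANTINE_SG" \
        --no-associate-public-ip-address \
        --tag-specifications 'ResourceType=instance,Tags=[{Key=role,Value=clone-under-test}]' \
        --query 'Instances[0].InstanceId' --output text)
    $AWS ec2 wait instance-running --instance-ids "$clone"
    echo "$clone"
}

# Private address of the clone inside the quarantine subnet.
clone_private_ip() {
    $AWS ec2 describe-instances --instance-ids "$1" \
        --query 'Reservations[0].Instances[0].PrivateIpAddress' --output text
}

# The clone is disposable: terminate it and drop the AMI so no stale copy of
# production data lingers. The next run takes a fresh snapshot.
destroy_clone() {
    $AWS ec2 terminate-instances --instance-ids "$1" >/dev/null
    $AWS ec2 deregister-image --image-id "$2"
}

# One full cycle against live instance $1. Returns the scanner's exit status;
# the clone and AMI are destroyed whether the scan passed, failed or crashed it.
test_clone_of() {
    live="$1"
    ami=$(snapshot_live "$live")
    clone=$(launch_clone "$ami")
    ip=$(clone_private_ip "$clone")
    rc=0
    $SCANNER "$ip" || rc=$?
    destroy_clone "$clone" "$ami"
    return "$rc"
}

# Usage: ./clone-test.sh i-0123456789abcdef0   (placeholder instance id)
if [ "$#" -gt 0 ]; then
    test_clone_of "$1"
fi
```

Two things the script makes explicit that the prose leaves implicit. First, `create-image` copies only the instance’s EBS volumes; anything the instance reaches over the network (a managed database, a queue, another service) is not cloned, so the clone may still hold configuration that points at production endpoints, and the quarantine subnet is what stops it from reaching them. Second, the clone is launched without an instance profile and without a public address on purpose: the image contains whatever credentials were on disk, so the environment around the clone, not the image itself, is where isolation has to be enforced.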

We agree there’s really no silver bullet in cybersecurity, since it clearly takes a diverse range of tools and techniques to keep a system secure, but a service-based cloud infrastructure does have one particular silver lining: by scanning and testing fully cloned images, you can have your cybersecurity and really eat it too.

By Ernesto DiGiambattista, Co-Founder and CEO, Cybric



Prior to founding Cybric, Ernesto DiGiambattista was the Chief Technology & Security Officer for Sentinel Benefits & Financial Group, where he was responsible for transforming a legacy technology team into a technology innovation service group.

In addition, Ernesto was a senior member of Bank of America’s Information Security & Resiliency Group and Corporate Audit organizations. Further, Ernesto has been a trusted advisor on private and public cybersecurity policy to members of the U.S. Senate and the U.S. House of Representatives.

In June 2015, Ernesto was recognized by the Boston Business Journal as a 2015 Finalist for Boston CIO of the Year.
