1 Introduction
The easy availability of cloud services has made it possible to develop and deliver new applications and services in a way that is more flexible, more responsive to changing demand, and more cost-effective than traditional approaches. This is made possible by the dynamic just-in-time nature of the virtual infrastructure provided by these services together with the rapid DevOps approach based on containers and microservices. However, this dynamic virtual infrastructure creates security challenges. The legacy approach to IT security assumes a comparatively static environment and this is not optimal for the needs of today's dynamic infrastructure and development methodologies. Dynamic just-in-time infrastructure and development need a dynamic just-in-time approach to IT security.
When IT services were delivered directly from owned physical equipment, the procurement costs, processes, and delays meant that change was slow, and innovation was hard. IT security tools and approaches evolved to manage the security risks associated with this static environment. Controls could be applied after equipment was installed, and the IT estate could be accurately catalogued in a Configuration Management Database (CMDB). Since change was highly managed, risks were relatively static, and manual or partially automated security management processes were enough. For example, weekly scanning could find and fix any newly discovered vulnerabilities and identities, and manual processes were adequate to manage access permissions.
This is no longer the case when using services where infrastructure is virtual and new resources are created and destroyed dynamically as they are needed. The inventory of these virtual resources is not fixed but is constantly changing as demand fluctuates and applications are deployed. In this dynamic environment all the well-known risks, such as unpatched vulnerabilities, still exist but, in addition, there are new risks. These new risks arise from the new kinds of services that the cloud offers, such as serverless computing, as well as from users misconfiguring the cloud service components that they are using.
One particular area of concern is around DevOps. The traditional approach to the deployment of new applications involved risk assessment followed by security controls being implemented prior to deployment. However, the flexibility provided by DevOps now makes it easy to rapidly deploy new code without strictly enforced checks. In the race to provide functionality, it is often the case that security takes second place. This can lead to common vulnerabilities remaining in the code and system configuration, which can then be exploited by cyber adversaries. Furthermore, in this dynamic environment the virtual infrastructure components have privileges and, where these are excessive, there are additional vulnerabilities that can be exploited. It is important that cyber security tools integrate with modern development environments to ensure that security and compliance policies are implemented during application development and deployment, without slowing DevOps down.
One area that is often forgotten is disaster recovery for cloud services. While the CSP (Cloud Service Provider) is responsible for the continuity of their services, the cloud tenant is responsible for backing up their data and applications. This is needed not only to guard against malicious attacks but also against errors. Whether critical application data is deleted by ransomware or by mistake, the CSP is not responsible. Backup policies for cloud assets should be set and enforced.
Dynamic just-in-time IT needs dynamic just-in-time cyber security management. It must be able to implement security controls when new resources are added, without placing a burden on IT resources. To do this the platform must automatically monitor and catalogue new resources. It should support prescriptive controls through policies that ensure that the security attributes of resources are applied as the resources are created. It should also support detective controls, without requiring manual intervention such as the installation or configuration of agents.