In a recent article which focused on cloud security I presented a comparison between security-as-a-service and traditional style security tooling in the cloud. This installment is a deeper dive into the security as a service (SECaaS) paradigm.

It would seem to me that a natural outgrowth of the cloud computing and ‘everything as a service’ paradigm that the technology world is undergoing, would be that the tools and services we use to manage and secure our cloud environments also move into an ‘as a service’ mode.

In much the way one would expect, SECaaS works under the principle of a small agent controlled from an external service provider. It is not so different conceptually from controlling a number of firewalls (virtual or physical) from an external management console.

Here’s how it works. A security administrator sets the policy for the service in the SECaaS provider cloud, using online management tools, and sets what policy or policies applies to a group of VMs classified by any number of criteria.

Then, the SECaaS services governs the security activity within and around the VM via a lightweight, generic, agent installed within the VM. When a new VM is created out of a template the agent is included in the image.

Finally, the agent executes various security functions according to the direction/policy communicated from within the provider’s cloud environment.

For example, the security administrator creates a segmentation policy that all webserver VMs will only accept traffic on ports 80 and 443. The administrator creates a policy in the SECaaS cloud which is transmitted to the agents on all webserver VMs in the environment. The agent then acts to block and/or allow traffic as per this and other policies that apply to this type of VM.

Advantages

The advantages of using a SECaaS solution include:

• Increased agility. As the number of VMs expands contracts or moves (between physical facilities, and possibly cloud providers) the security level is maintained. This is because SECaaS agents are generally configured to reach back to the ‘mothership’ on activation.
• Reduced complexity. No need to deploy lots of different security tools into the environment and thereby add complexity.
• Security staff. In 2016, according to ESG Research, 46% of organizations reported a shortage of cyber security skills in their staff. SECaaS solutions can help to increase the skill sets of junior security administrators by providing a single pane of glass view of the security functions within the environment. SECaaS providers are working towards making policy setting tools more intuitive, thus making it easier for a limited size and/or skilled staff to be more effective.
• Consolidated control. Offloading of security policy creation and security management to a consolidated management point, that itself is managed and secured by a trusted external partner. This requires that trust and partnership be present in the relationship with the SECaaS provider. 

Issues

• Most SECaaS providers offer services that control a limited set of security functions such as identity and access management (IAM), segmentation, threat detection, anti-virus, vulnerability analysis, and compliance checking. Issues can arise when multiple providers are selected for parts of an overall solution. This leaves the VM stuffed with various distinct agents, reintroducing complexity, lowering agility as well as lowering manageability. The solution to this issue is to seek out those few providers that are reaching for a comprehensive approach. For example CloudPassage Halo  and TrendMicro AWS Defender provide much more comprehensive solutions than many others.   
• Currently no SECaaS services that I have found provide support for serverless or micro-services environments. With the rapid rise in these types of cloud application hosting environments this will become a critical distinguishing factor in an organisation’s decision to use SECaaS technologies. As more providers enter the SECaaS market it is assumed that the needs of these types of environments will be addressed.

Conclusion

As more organisations continue to adopt and move to the public cloud it becomes even more critical to secure those environments, applications and services. SECaaS providers continue to enhance their offerings and continue to add specific security services to their portfolios. As SECaaS matures it becomes an even more viable option for securing enterprise public and hybrid cloud deployments.

Read more: Cloud security best practice: Security as a service or cloud security tooling?

In order to meet the rapidly changing demands of today’s customers, companies are continually forced to redefine their business strategies in order to meet these needs, stay relevant and continue to see profitable growth. IoT deployment and development is integral in this transformation, and today businesses are increasingly seeing the value of investing their resources into IoT deployments. These technologies are able increase ROI through projects such as connecting supply chains or enabling smart office capabilities for employees.

read more

More than 90% of organisations polled by Enterprise Management Associates (EMA) say they are using DevOps practices in some capacity, yet they only support production applications only a third of the time.

The study, titled ‘DevOps/Continuous Delivery Tooling: Launchpad for the Digital Enterprise’, looks at the current state of software delivery and related tooling and summarises the results. The company argues that integrating and sharing metrics and data between diverse toolsets, via APIs, integration hubs, or both – need to be central to making product selections.

The primary focus areas for digital business initiatives include customer satisfaction, ‘using technology to match competitors’ digital presence’, and ‘faster time to innovation’, according to the report, although there were ‘significant’ differences in responses among small, medium and enterprise businesses.

The rubric sets out the rationale for the report. “Yesterday’s toolsets and support practices – in which tools relied heavily on human expertise and manual processes – are no longer viable,” the company notes. “At the same time, designing, developing, deploying and supporting complex modern application environments requires collaborative decision-making supported by a new level of cross-functional skills, knowledge, and judgment.

“Surmounting these challenges to embrace the requirements of a new era requires changes to mindsets, skill sets, and tooling.”

This aligns with various pieces of research around DevOps. According to a study from Sumo Logic back in March, more than two thirds of enterprises either plan to adopt DevOps or are already doing so, while in the same month Quali found that almost half of applications in traditional environments were considered complex for cloud.

“As the pace of business continues to accelerate, coordination across DevOps processes, practices, and tools becomes increasingly important,” said Julie Craig, research director of application management at EMA. “This research provides valuable insights into the ways in which high performing IT organisations are accelerating delivery of key business services and, in doing so, impacting the business bottom line.”

(c)iStock.com/MarkRubens

A couple of updates in the Australian data space this morning; Telstra has announced it has acquired Company85, a UK-based provider of data centre, cloud and network services, while Amazon Web Services (AWS) is launching a new service in Canberra through NEXTDC.

Telstra, primarily a telecoms firm, is looking at Company85 to expand its position in the UK, seeing it as ‘a key market’ for their growing technology services business, as well as help their push towards Europe. Christopher Smith, executive director of business technology services at Telstra, added Company85’s ‘market-leading approach’ for standardising and automating data centre migrations was key.

“As organisations look to digitise their business, whether it’s to expand into new markets, create new products or improve efficiency, they are increasingly seeking integrated solutions for their network, security, and cloud infrastructure, as well as advice on how to implement and manage these,” said Smith.

“Company85’s broad set of consulting capabilities will help us to differentiate our offerings in Europe,” Smith added. “We will be able to engage in IT transformation conversations with prospective customers early in the proposal stage, which we believe will help to strengthen our position and create demand for our network services in the region.”

Elsewhere, co-location provider NextDC has announced that its C1 data centre in Canberra will be the first in the Australian capital to host AWS Direct Connect, which aims to give organisations an easier access point from their premises to AWS. AWS already has three availability zones for EC2 in Sydney, with a further edge network location in Melbourne.

“The launch of the AWS Direct Connect service out of NextDC’s Canberra data centre will enable our federal and ACT Government customers to connect the hyperscale AWS Cloud and run synchronous replication across independent zones, helping to ensure government data is managed securely – with high resilience,” said Andrew Phillips, AWS Australia and New Zealand public sector country manager.

“This, in turn, will help government agencies deliver improved services to Australian citizens, who increasingly rely on digital services for their interactions with government.”

In his session at 20th Cloud Expo, Brad Winett, Senior Technologist for DDN Storage, will present several current, end-user environments that are using object storage at scale for cloud deployments including private cloud and cloud providers. Details on the top considerations of features and functions for selecting object storage will be included. Brad will also touch on recent developments in tiering technologies that deliver single solution and an end-user view of data across files and objects to support high performance cloud applications like transcoding, content distribution and SaaS.

read more

SYS-CON Events announced today that Systena America will exhibit at SYS-CON’s 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Systena Group has been in business for various software development and verification in Japan, US, ASEAN, and China by utilizing the knowledge we gained from all types of device development for various industries including smartphones (Android/iOS), wireless communication, security technology and IoT services.

read more

SYS-CON Events announced today that Systena America will exhibit at SYS-CON’s 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Systena Group has been in business for various software development and verification in Japan, US, ASEAN, and China by utilizing the knowledge we gained from all types of device development for various industries including smartphones (Android/iOS), wireless communication, security technology and IoT services.

read more

SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON’s 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value Stream Mapping for the development and operations tool chain by offering DevOps Tool Chain Integration and Traceability; DevOps Tool Chain Orchestration; and DevOps Insight and Intelligence. CollabNet also offers traditional application lifecycle management, ALM, for the enterprise through its TeamForge product.

read more

Every successful software product evolves from an idea to an enterprise system. Notably, the same way is passed by the product owner’s company. In his session at 20th Cloud Expo, Oleg Lola, CEO of MobiDev, will provide a generalized overview of the evolution of a software product, the product owner, the needs that arise at various stages of this process, and the value brought by a software development partner to the product owner as a response to these needs.

read more