We know that "the enemy's gate is down." Many of us know the lessons from Vauban. We draw our computer security metaphors from the physical world, and it mostly works. Traditional security analogies talk about defense-in-depth, locks & surveillance, active defense, mitigation & response, and many other clever comparisons. Then came the cloud. While it's true that security fundamentals still apply, several things dramatically change when defense moves into the cloud.
Scale - A single IT admin can reasonably expect to manage between 100 and 250 physical assets. We expect cloud admins to scale up to 25,000 instances and beyond. The same scale that makes using the cloud attractive for business makes managing the cloud a Gordian Knot. Think about that scale in terms of security alerts, both true and false positives.
Control - We can simply go over and troubleshoot in safe mode when an on-prem asset misbehaves. When the cloud instance misbehaves, the cloud provider might just reboot it for you. Even worse, your asset might get rebooted if somebody else on the same hardware misbehaves. Cloud providers give a different granularity of control.
Transience - This represents the biggest paradigm shift for the cloud. Where previous admins bragged about uptime, long-running servers become a liability in the cloud. Attackers can surround an asset, only to find the asset has disappeared. That idea sounds like a nightmare for most admins too, but the right tooling and mindset turn it into a strength.
We can turn scale, control and transience from liabilities into strengths. Traditional physical defense metaphors do not capture the paradigm shift, so we need to make sure we abandon those when appropriate. Cloud security is different.
Nathan Cooprider is a Senior Software Engineer working on the Threat Stack instance agent. Nathan comes to Threat Stack from the endpoint engineering team of Bit9 + Carbon Black. Prior to Bit9, Nathan led the signal processing software team for the MQ9 Predator drone at BAE. He received his BS in CS from Brigham Young University and his PhD in CS from the University of Utah. Nathan has over a decade of experience working with computer systems. This includes eight refereed publications on the static analysis of microcontroller applications written in C. He also wrote a paper on multivariate data visualization, co-authored a paper on multiple hypothesis tracking, and has supported language modeling research. Nathan's accumulated experience with various software engineering languages and tools includes C, C++, Python, Doxygen, Jenkins, OCaml, CIL, CMake, and many others.