Recently I led a mini bootcamp with Northrop Grumman Corporation (NGC) to help them transition to the cloud. We went over the business and technical issues involved in scoping, implementing, managing and securing a cloud-based presence. I spent the day with Northrop Grumman Chief Cloud Strategist Robert Wenier and 300 NGC employees who wanted to learn more about working in the cloud.
Foundational IT as a Backbone to the Cloud
As I got to know Robert, I quickly picked up on how he had long ago mastered, back in the traditional client/server and on-premises days, the essential concepts and practices that have since helped him master the cloud.
First of all, Robert knows his endpoints: He knows Linux and Windows cold. He also understands how web-based systems – including databases and web servers – communicate with each other.
Second, he knows his computer networking – and vendor-neutral networking at that. Because he focused on how routing works rather than just one vendor’s operating system or devices, he’s easily able to address bottlenecks and create more efficiencies. If he had stuck with one vendor’s approach to things, he would have been lost.
Third, Robert has a solid cybersecurity foundation. Instead of focusing on what I call the tool parade approach to security, he focused on understanding the hacker lifecycle and how hackers exploit a particular attack surface. He looks at security from a problem-solving perspective, rather than focusing on how to use a specific application or technology.
Fourth and perhaps most importantly, he understands how to focus on often-neglected details:
- The business of the cloud: When you’re ready to move to the cloud, it’s vital to first capture the essential business processes and needs of the company. The technology is secondary.
- Proper planning and how to integrate Agile development methods with security: Though some folks still want to stick with waterfall-based Gantt charts, Agile has been winning the day.
- Migration issues: When companies move too quickly, they end up moving their problems to the cloud rather than transforming their practices as part of moving to the cloud.
- Choosing the appropriate platform: Instead of privileging one platform over the other (e.g., Amazon Web Services (AWS) instead of Azure), we were able to focus on how a particular cloud solution can help different businesses. For example, small businesses love Azure, because it contains so many solid Microsoft-based solutions. Yet, larger entities tend to use AWS or Azure Large Instances because of the scalability and the default-closed security approach.
- Default security stances: Some platforms, including typical Azure deployments and AWS Elastic Beanstalk, tend to take a default-open approach to security (traffic is permitted unless you explicitly deny it), while others take a default-closed approach (nothing is reachable until you explicitly allow it). I’ll let you guess which stance both Robert and I felt was the most appropriate across the board.
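In practice, the default-open versus default-closed distinction comes down to what a platform's network rules admit when you accept the defaults, and the quickest way to find out is to audit the rules themselves. The following is an added example, not code from the original post or from any cloud vendor: it scans security-group style ingress rules for entries open to the entire internet on anything other than the public web ports, and shows a default-open SSH rule beside its default-closed rewrite. The rule shape follows AWS EC2 security-group permissions (IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges); the sample group, the `sg-example` identifier and the trusted 203.0.113.0/24 range (a documentation block) are constructed assumptions, and no live API is called.

```python
"""Audit security-group style ingress rules for a default-open posture.

Added example, not from the original post or any vendor. The rule shape
mirrors AWS EC2 security-group ingress permissions; the sample group below
is constructed for illustration and nothing here talks to a cloud API.
"""
import copy
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# Ports a public web tier legitimately exposes to the whole internet.
# World-open rules covering anything else are treated as default-open.
PUBLIC_WEB_PORTS = {80, 443}


def rule_ports(rule):
    """Inclusive (low, high) port range a rule covers.
    IpProtocol "-1" means 'all traffic' and so covers every port."""
    if rule.get("IpProtocol") == "-1":
        return (0, 65535)
    return (rule["FromPort"], rule["ToPort"])


def world_open_cidrs(rule):
    """CIDRs in the rule that admit the entire IPv4 or IPv6 internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c) in (ANY_V4, ANY_V6)]


def is_web_only(low, high):
    """True when every port in the range is an expected public web port.
    all() short-circuits on the first non-web port, so wide ranges are cheap."""
    return all(p in PUBLIC_WEB_PORTS for p in range(low, high + 1))


def audit_group(group):
    """One finding per ingress rule that is open to the world on anything
    other than the public web ports."""
    findings = []
    for rule in group.get("IpPermissions", []):
        open_cidrs = world_open_cidrs(rule)
        if not open_cidrs:
            continue  # source already restricted: default-closed
        low, high = rule_ports(rule)
        if is_web_only(low, high):
            continue  # public web tier, intentionally exposed
        findings.append({
            "group": group["GroupId"],
            "protocol": rule.get("IpProtocol"),
            "ports": f"{low}-{high}",
            "cidrs": open_cidrs,
        })
    return findings


def restrict_rule(rule, trusted_cidr):
    """Return a copy of a rule with its world-open sources replaced by one
    trusted range (the default-closed rewrite). Narrower CIDRs are kept."""
    fixed = copy.deepcopy(rule)
    trusted = ipaddress.ip_network(trusted_cidr)
    fixed["IpRanges"] = [r for r in fixed.get("IpRanges", [])
                         if ipaddress.ip_network(r["CidrIp"]) != ANY_V4]
    fixed["Ipv6Ranges"] = [r for r in fixed.get("Ipv6Ranges", [])
                           if ipaddress.ip_network(r["CidrIpv6"]) != ANY_V6]
    key, field = (("Ipv6Ranges", "CidrIpv6") if trusted.version == 6
                  else ("IpRanges", "CidrIp"))
    fixed[key].append({field: str(trusted)})
    return fixed


# Constructed sample (assumed data): a legitimate public HTTPS rule, SSH open
# to the world, an 'all traffic' rule open to all of IPv6, and a database
# port correctly limited to an internal range.
SAMPLE_GROUP = {
    "GroupId": "sg-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for f in audit_group(SAMPLE_GROUP):
        print(f"{f['group']}: {f['protocol']} {f['ports']} open to {f['cidrs']}")
    # Default-closed rewrite of the world-open SSH rule (assumed admin range).
    print(restrict_rule(SAMPLE_GROUP["IpPermissions"][1], "203.0.113.0/24"))
```

Run against the sample, the audit flags the SSH rule and the IPv6 all-traffic rule and passes the HTTPS and internal database rules; the rewrite keeps the same port but swaps the world source for the trusted range, after which the audit is clean. The same check runs unchanged over real output from a describe-security-groups style call, since only the rule shape is assumed.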
How to Pen Test the Cloud
I found it fascinating as NGC employees began asking us questions like how to pen test a cloud implementation. On the one hand, pen testing a cloud-hosted Windows or Linux system is much like testing any installed system in your server room, and the major providers generally let you test your own instances and applications without prior approval, as long as you stay within their published penetration-testing policies.
There are critical differences, though. Under the shared-responsibility model much of the stack is simply not yours to test, and some activities, denial-of-service testing in particular, are either prohibited outright or require explicit prior approval from the provider.
Most providers’ policies put the following out of scope:
- The physical data centers or hardware owned by the cloud provider
- Services or applications that are offered and managed by the cloud provider
- Systems, services or applications belonging to other tenants in the cloud
- Applications and hardware that the cloud provider has sourced from third parties
Lessons Learned from a Cloud Transition
It was exciting to witness the free-for-all exchange of information throughout the day. A group of developers and pen testers talked about how they could best include a good pen test in the code creation stage. Security analysts huddled together to discuss how they would best identify a particularly nasty variant of the EternalBlue exploit. Another group talked about the best cloud-based distributed denial of service (DDoS) mitigation services for large versus small businesses.
Too soon, the day was over. I got to meet some absolute monster IT pros and witness a very large, very influential company in transition. It was fascinating. One employee had so much fun that he told me he was going to get CompTIA PenTest+ so that he could better audit the cloud-based system he’s managing.
It’s really exciting to see how organizations such as Northrop Grumman are leading the way by holding mini bootcamps, encouraging IT certifications and adopting the cloud.