The four tools I think are essential in anyone's Cloud Security stack are:
- Gateway: Don't trust your Attack surface to the Cloud, and do verify at the Gateway. Its a Defensive structure to limit attack surface and enforce policy.
- Security token service: Don't trust messages, implement verifiable security tokens. The STS handles Issue, validate, and exchange security tokens
- Monitor: Do implement monitors that record and publish auditable events
- Policy enforcement point/policy decision point: Use PEP/PDP to enable fine grained access control (XACML, ABAC). Create, manage, and enforce policy across domains
Whereas I hoped that we'd see these OOTB services from the major cloud providers, I was too optimistic. For a long time (too long), delivering on the above list fell squarely on the shoulders of the enterprise. Luckily its starting to change - see for yourself: you can now spin up an instance of Intel's API gateway on Amazon EC2.
Its a win from two perspectives - 1) improved security capabilities for cloud apps that deliver on core concerns in Don't Trust. And Verify. approach and 2) just as important (maybe more important) better integration. We don't need abstract security, we need integrated security, if you are on EC2, that's EC2 Security.
The more time I spend on security architecture, the more I realize - we don't have a security problem with integration requirements, instead we have an integration problem with security requirements. Successful security architecture deployment rests not just on capabilities, but just as much on the ability to integrate so that the enterprise can realize the benefits of the capabilities.