Dress Up Your Cloud Security Notification Messages If You Want to Scale 

2021 has been a tremendous year for the ONUG Community of Global 2000 IT business leaders and sponsor members.  In the ONUG Collaborative, Oracle Cloud has joined to help develop the open source Cloud Security Notification Framework’s Decorator along with Microsoft Azure, IBM Cloud and Google Cloud Platform under the guidance of FedEx, Cigna, Raytheon, Intuit, Adobe, Fidelity Investments, Goldman Sachs, Kaiser Permanente, etc.  Cisco, Sysdig, Wiz, Concourse Labs and many others are now making the Decorator, a common data model and metadata scheme to wrap attributes of cloud security logs, alerts, events, etc., so that the industry has a standard way to express and ingest cloud security notifications.   

The Decorator is user driven; that is, so many ONUG Community members have provided requirements and input into its development. Steve Jobs was right in that the best products and projects stem from the user experience. The Decorator will massively reduce SOC (Security Operations Center) engineers’ toil of mapping cloud security messages across multiple cloud service providers (CSP) to NIST/MITRE and their ingest into SIEMs, SOARs and Security Data Lakes. SOC teams will gain visibility across multi CSPs for the first time and be able to allocate resources to posture assessment and not toil.  

Why is the Decorator so important, and why are all the major CSPs engaged? The volume of security notifications streaming from cloud security services and on-prem equipment to consumers is growing at a rate that can only be described as hyper-exponential. For perspective, a typical Global 2000 company will receive some 20 peta-messages a year from a single CSP. That's millions of cloud security notifications per second. If you multiply that out across the Global 2000, you get a number that is only 100,000 shy of all the stars in the universe! That's about 200 billion trillion. That is where we are today, and it represents only the 10 to 15% of Global 2000 companies' workloads that are in the public cloud.

This is why every Global 2000 company, and many below that level, is building its own rocket ship of security infrastructure, that is, the SIEMs, SOARs and Security Data Lakes. The hope is that this security infrastructure can ingest all this data, and that automation can be applied to detect anomalous behavior before there is a compromise. But wait, it gets worse.

Most Global 2000 firms have been forced to double and triple their security infrastructure spending just to keep up with the streams of cloud security notification data coming at them. It goes without saying that humans cannot process this level and rate of information flow.  

Even if they could, you wouldn't be able to find them; there's a shortage of cloud security engineers. Nine months is about the average time it takes to fill a requisition. In addition, we've found in the Collaborative that a security engineer can only support some 50 CSP accounts! Another observation is that CSP consumption in the Global 2000 grows linearly, while the number of cloud security notifications grows exponentially.

What the Collaborative members discovered and realized is that there needs to be a standard way in which cloud security notifications are sent to them from CSPs. It is unrealistic to ask the CSPs to rewrite how they send these notifications, so it was decided that the messages themselves would stay the same, so there is no disruption to existing security tools. But notifications can be wrapped, or decorated, with standard attributes based upon a canonical data model. Thus the Collaborative will publish on GitHub a canonical data model (a standard way to express event name, description, time, severity, etc.) and a metadata scheme describing how to decorate a notification. The beauty of this model is that everyone can extend the canonical data model with their own unique requirements for what they would like to see. This is the power of a community. CSPs and many other vendors will offer an option to receive their cloud security notification streams verified and certified to adhere to the canonical data model and metadata scheme.
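To make the wrapping idea concrete, here is an added illustration of a decorator in Python. It is not the CSNF project's code, and the canonical field names (event_name, description, time, severity, source_provider), the severity scale, the two raw notification shapes from "provider_a" and "provider_b", and the version string are all constructed assumptions rather than the Collaborative's published model. The point it shows is the one the paragraph makes: the native message is preserved byte-for-byte under the envelope, while a SOC can filter and validate across providers using the canonical attributes alone.

```python
"""Illustrative cloud security notification decorator (added example,
not the CSNF Decorator's own code or schema).

All field names, the severity scale and the sample messages below are
constructed assumptions for demonstration only.
"""
from datetime import datetime, timezone

# Assumed canonical severity scale, ordered from least to most severe.
SEVERITY_LEVELS = ("informational", "low", "medium", "high", "critical")

# Assumed per-provider mapping of native severity labels onto the canonical
# scale. Real providers each publish their own scale; these are made up.
SEVERITY_MAPS = {
    "provider_a": {"LOW": "low", "MEDIUM": "medium", "HIGH": "high", "CRITICAL": "critical"},
    "provider_b": {1: "informational", 2: "low", 3: "medium", 4: "high", 5: "critical"},
}

# Fields every decorated envelope must carry (assumed canonical model).
REQUIRED = ("event_name", "description", "time", "severity", "source_provider")


def _epoch_to_iso(ts):
    """Normalise a Unix epoch timestamp to ISO 8601 in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def decorate(provider, raw):
    """Wrap a raw CSP notification in a canonical envelope.

    The original message is embedded untouched under 'original', so tooling
    that already parses the native format keeps working unchanged.
    """
    if provider == "provider_a":
        canon = {
            "event_name": raw["findingType"],
            "description": raw["title"],
            "time": raw["createdAt"],  # this shape already uses ISO 8601
            "severity": SEVERITY_MAPS[provider].get(raw["severity"], "unknown"),
        }
    elif provider == "provider_b":
        canon = {
            "event_name": raw["alert"]["name"],
            "description": raw["alert"]["summary"],
            "time": _epoch_to_iso(raw["eventTime"]),
            "severity": SEVERITY_MAPS[provider].get(raw["alert"]["level"], "unknown"),
        }
    else:
        raise ValueError(f"no decorator defined for provider {provider!r}")
    canon["source_provider"] = provider
    return {"decorator_version": "0.1-example", "canonical": canon, "original": raw}


def validate(envelope):
    """Return a list of conformance problems; an empty list means it conforms."""
    problems = []
    canon = envelope.get("canonical", {})
    for field in REQUIRED:
        if not canon.get(field):
            problems.append(f"missing {field}")
    if canon.get("severity") not in SEVERITY_LEVELS:
        problems.append(f"severity {canon.get('severity')!r} not on canonical scale")
    try:
        datetime.fromisoformat(canon.get("time") or "")
    except ValueError:
        problems.append("time is not ISO 8601")
    if "original" not in envelope:
        problems.append("original message not preserved")
    return problems


def at_or_above(envelopes, level):
    """Cross-provider filter using only canonical attributes."""
    threshold = SEVERITY_LEVELS.index(level)
    return [
        e for e in envelopes
        if e["canonical"]["severity"] in SEVERITY_LEVELS
        and SEVERITY_LEVELS.index(e["canonical"]["severity"]) >= threshold
    ]


# Constructed sample notifications in two made-up native formats.
RAW_A = {"findingType": "PublicBucket", "title": "Storage bucket is world-readable",
         "severity": "HIGH", "createdAt": "2021-10-20T14:31:07+00:00"}
RAW_B = {"eventTime": 1634740200,
         "alert": {"name": "RootLogin", "summary": "Console login by root user", "level": 3}}

if __name__ == "__main__":
    stream = [decorate("provider_a", RAW_A), decorate("provider_b", RAW_B)]
    for env in stream:
        print(env["canonical"], "problems:", validate(env))
    print("high or above:", [e["canonical"]["event_name"] for e in at_or_above(stream, "high")])
```

Because the native message travels inside the envelope, a provider can be added by writing one mapping branch without touching downstream parsers, and `validate` is the kind of check a "verified and certified" stream would be expected to pass before a SIEM or data lake accepts it.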

If you have a certain event, alert or log that you want to see included in the Decorator, you can add it via GitHub. The Collaborative has a review group that will receive all submissions and accept, modify or deny contributions. The more logs, events and alerts that are decorated, the more useful the Decorator will be to your corporation and to the industry at large.

The rate of cloud security notifications will only increase over time, and this can be a limiting factor in scaling cloud consumption. With a standard way to express notifications, encode them and enrich them, this information can provide far more useful insight and protection to cloud consumers. In short, when your CEO asks if your corporation is safe, you'll be confident in your answer, knowing that your workloads are within the minimal viable security posture.

At ONUG Fall on October 20th and 21st, Collaborative members will demonstrate the Decorator for the first time in a multi-cloud environment. Its GitHub repo will be published, and the community can start contributing to its development. We look forward to seeing you at ONUG Fall! You may register here.

Author's Bio

Nick Lippis

Co-Founder and Co-Chair, ONUG