Cloud security is the collective term used to describe the policies, procedures, technologies, and tools that are required to address business security threats, internal or external, as organizations adopt cloud technologies. With a vast number of cloud-based systems available to deploy at the click of a button, it is essential that a solid security posture is maintained. New technologies need new security solutions to ensure digital assets are both available to their consumers, while properly secured.
The Challenges of Cloud Security
In some respects, securing applications, systems, data, and services in the cloud is very similar to doing so in the data center. Some elements of the cloud operating model make it easier, while others can make it more difficult. Delegating as much responsibility for security to your cloud service provider is considered good security practice, but it is important to understand which responsibilities are retained by the customer. The complexity of maintaining a solid security baseline certainly increases with new suppliers involved in the running of your infrastructure as well as everything that runs upon it.
Some of the key challenges of cloud security are:
The Dissolving Perimeter: In the data center, your organization has a physical boundary – the brick walls of the building. You retain absolute control of all access, whether that be physically in regard to security and personnel, limiting site visits and applying your own rules, or in terms of network access via boundary firewalls and layered controls. Some highly secure deployments would see no remote access whatsoever.
In the cloud, the Cloud Service Provider (CSP) owns and operates the data centers that host the services you consume. Building security, staff vetting procedures, granting access for maintenance and operations, and other related elements are all managed by the CSP. You may have specific requirements, but the CSP is under no obligation to honor them – their terms and conditions will be the guide. When it comes to networking the same applies. The business of a CSP is to grant access to their customers, so boundary controls will be far less restrictive than was commonplace in days past. You get network controls at the account or subscription level as well as within, but even then, the boundary is much more porous than it was. The emphasis of cloud computing is on access and collaboration, and old-fashioned perimeter-focused controls are no longer fit for purpose.
The Shared Responsibility Model: As we’ve just discussed, many aspects of security are the responsibility of your Cloud Service Provider (CSP), and while it may be advantageous to delegate responsibility for some aspects of security to a third party, it is important to know which remain with the customer. The shared responsibility model outlines where responsibility for aspects of security lies, and the boundary between supplier and customer moves depending on the nature of services consumed.
The CSP will always be responsible for the maintenance and physical protection of their systems, as well as the premises in which they are hosted. The CSP also commits to offering availability to the customer in line with their service level agreement (SLA), and the resulting uptime of host infrastructure.
Responsibility for the elements running on top varies based on service type:
IaaS: The Infrastructure as a Service model includes virtual machines, and sees the provider responsible only for the underlying infrastructure on which the customer builds. Taking the example of a virtual machine on which a customer runs a Linux image, the customer is responsible for the operating system, patching, security, logging and monitoring, user access management, and everything else above the base infrastructure. The majority of the security responsibility lies with the customer.
PaaS: The Platform as a Service model includes managed database platforms. Typically the CSP is responsible for the infrastructure, operating system, and service application, such as the database engine, while the customer is responsible for controlling access and for the database content. The CSP handles patching and management so that the customer is largely unaware of them.
SaaS: The Software as a Service model includes fully managed services such as Office 365, where the customer has no security responsibility beyond granting users access to their tenant and ensuring the platform is suitable for any data stored within it.
Serverless: Serverless solutions sit between PaaS and SaaS in terms of security responsibility, with serverless compute being a managed PaaS offering, and the software running on it being SaaS.
Containers: Containers sit between IaaS and PaaS. A container service that runs everything and only grants access to an orchestration service could be considered PaaS, where a container service that sees customers build and maintain container images and run the orchestration service is closer to IaaS.
Although the customer retains more security responsibility in the IaaS model, they also retain much greater control. Regardless of the operating model of the services chosen, the customer will always be responsible for ensuring the services they procure deliver the required level of security. The customer is also always responsible for adequately securing the services being consumed (often using tools provided), and deciding what data it is appropriate to store in the cloud services consumed. That also means the customer retains responsibility for configuration checks, penetration tests and red team exercises.
Limited Visibility: Delegating some aspects of your organization's technology operations and security responsibility brings challenges in keeping track of everything in an increasingly complex technical environment. Cloud services are designed for accessibility, and it can be hard to keep track of who can access what. A lack of visibility may introduce security vulnerabilities, opening the door for malicious actors. The ability to identify security vulnerabilities and threats is essential to avoiding security events and keeping your digital assets safe.
It’s easy with on-premises deployments – everything under one roof and totally in your control. In the cloud, with the limitations we’ve already mentioned, it takes more planning, and legacy management tools are not sufficient. Cloud infrastructure is dynamic and elastic, with new services deployed at the touch of a button and new workloads auto-commissioning to deal with peaks in demand – great advantages of the cloud model, but also a concern for security. Using cloud-native tools, and tools designed specifically to provide total visibility of your cloud assets, helps you track resources for performance, cost management, and security.
Compliance Management: Compliance considerations vary with location and industry. Data protection, localization, and regional as well as industry regulations can become more challenging in the cloud. Cloud service providers design their services to be resilient, performant, and easy to consume. That can often mean global reach – fantastic for availability and performance, but complex from a compliance point of view.
Your organization may be required to comply with PCI DSS, GDPR, HIPAA, as well as many other obligations related to data localization, access, and retention. The organization may be consuming cloud services from multiple cloud service providers. It is vital to ensure you know where your data is, what handling requirements exist, and who has access. Automated tools can greatly simplify this process, taking some of the complexity out of tracking and satisfying your compliance obligations.
Misconfiguration: Misconfiguration is a serious problem, whether in the cloud or on-premises. Misconfiguration may take the form of insecure storage, poor logging, privacy violations, insecure deployment and transport, or exposed secrets. Most security vulnerabilities are introduced by common errors and poor software development processes, and this issue is compounded by the scale of cloud deployments and the visibility problems described above. Reactive measures are insufficient to prevent the issues created by misconfiguration, and real-time monitoring is the only way to address misconfiguration before vulnerabilities are introduced.
Essential Capabilities for Cloud Security
Legacy tools designed for the data center to meet the security needs of on-premises solutions are inadequate for the cloud. Fortunately, a new breed of cloud-focused solutions and tooling is available to help organizations create and maintain a robust security posture, addressing the challenges listed above.
Essential security capabilities for the cloud include:
CSPM: Cloud Security Posture Management addresses misconfiguration issues by automatically detecting and remediating errors in cloud configuration. With the complexities of cloud solution configuration, and native tooling that is inconsistent within a CSP as well as between CSPs, it is almost inevitable that mistakes will happen. Prevent risks from becoming vulnerabilities with real-time scanning of cloud content for insecure items, and look to CSPM for continuous protection.
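To make the detect-and-remediate idea concrete, here is an added example (not code from the original article or from any CSPM product) of a minimal posture scan: rules for the misconfiguration classes named above (insecure storage, poor logging, insecure transport, exposed secrets) run over a constructed inventory, plus a baseline step that resets a storage resource to its approved configuration. The inventory layout, rule names and the `vault://` secret-reference convention are assumptions chosen for illustration, not a real CSP API.

```python
# Minimal CSPM-style posture scan over a constructed cloud inventory.
import re
from dataclasses import dataclass

# Constructed sample inventory; the resource shape is an illustrative
# assumption, not a real CSP API or account.
INVENTORY = [
    {"id": "bucket-reports", "type": "storage", "public_read": True,
     "tls_only": False, "access_logging": False},
    {"id": "bucket-backups", "type": "storage", "public_read": False,
     "tls_only": True, "access_logging": True},
    {"id": "fn-ingest", "type": "function",
     "env": {"DB_URL": "postgres://app@db/app", "DB_PASSWORD": "hunter2"}},
    {"id": "fn-report", "type": "function",
     "env": {"DB_SECRET": "vault://prod/db-password"}},
]

@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str

SECRET_KEY = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)$", re.I)
SECRET_REF = re.compile(r"^vault://")  # pointer to a secret store, not a value

# Approved baseline for storage: private, TLS-only, access logging enabled.
STORAGE_BASELINE = {"public_read": False, "tls_only": True, "access_logging": True}

def check_storage(r):
    # (key, value that indicates a misconfiguration, rule name, severity)
    rules = [("public_read", True, "storage-public-read", "high"),
             ("tls_only", False, "storage-plaintext-transport", "medium"),
             ("access_logging", False, "storage-no-access-logging", "low")]
    return [Finding(r["id"], rule, sev)
            for key, bad, rule, sev in rules if r.get(key) == bad]

def check_function(r):
    # Flag secret-looking env vars that hold literal values rather than references.
    return [Finding(r["id"], f"exposed-secret:{k}", "high")
            for k, v in r.get("env", {}).items()
            if SECRET_KEY.search(k) and not SECRET_REF.match(v)]

CHECKS = {"storage": check_storage, "function": check_function}

def scan(inventory):
    return [f for r in inventory for f in CHECKS.get(r["type"], lambda _: [])(r)]

def remediate_storage(r):
    """Return a copy of a storage resource reset to the approved baseline."""
    return {**r, **STORAGE_BASELINE}

if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f.severity:<6} {f.resource:<16} {f.rule}")
```

Running the block reports three findings against `bucket-reports` and one exposed secret in `fn-ingest`; `fn-report` passes because its variable holds a reference into a secret store rather than the secret itself.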
CIEM: Cloud Native Entitlement Management provides administration of identity and access controls to mitigate the risks associated with granting excessive permissions. The dynamic nature of cloud, and the ease with which new resources can be created, requires a dynamic solution – CIEM automatically monitors resources as they are commissioned. Visibility of resource accesses provides clarity, and baselines can be created to ensure overly permissive defaults at container level do not result in excessive permission to resources.
Vulnerability Scanning: Regular scanning for vulnerabilities has always been important, but the cloud makes it even more so. With new resources being created regularly, often with internet presentation and broad access, as well as applications created using third-party tools and code components, attack vectors have become much more numerous. Routine scanning of cloud infrastructure and code for vulnerabilities should be considered a necessity, with new vulnerabilities being discovered daily.
CNAPP: Cloud Native Application Protection Platforms provide integration of cloud security controls and compliance controls, consolidating the information provided by other cloud security services into a single view. CNAPP provides consistency between environments and management teams by treating security and compliance management as a constant. By managing security and compliance throughout the lifecycle, problems can be detected before they become issues.
Container Security: Containers represent a security challenge because they are built in layers, with applications and services added to the base operating system over time. Often only the upper layers of the image get regular attention, while vulnerabilities can go unchecked in the lower layers. Container images can become large over time, making scanning them for vulnerabilities difficult. Choosing a container security solution designed for the purpose enables vulnerabilities to be identified in container images, as well as during deployment in CI/CD pipelines.
Serverless Security: Serverless deployments are a unique security challenge, running on demand on underlying infrastructure of which you have no visibility or control. Securing serverless environments means achieving continuous scanning and configuration management to protect the lifecycle from code development to production, and beyond.
Compliance Management: Compliance is a complicated business area, made much simpler in the cloud by tools designed for the purpose. Automated solutions rely on established frameworks, as well as customizations, to provide high quality real-time information on compliance status. Heatmaps can help prioritize remediation efforts, and those efforts can be automated to return configuration items to their approved baselines.
Cloud Security is a Partnership
Delegating security responsibility to a Cloud Service Provider (CSP) may seem daunting, but it is important to remember they operate in line with recognized standards, such as SOC 1/ISAE 3402, SOC 2, SOC 3, FISMA, DIACAP, and FedRAMP, as well as PCI DSS, ISO 9001, ISO 27001, ISO 27017, and ISO 27018. They have been providing services to organizations globally for many years, including Fortune 500, Government, Banking, and many other highly regulated environments. CSP native tools are often very good, but also often difficult to master at scale.
The CSP is responsible for the security of the premises and underlying infrastructure, but customers need to ensure they configure the services they consume correctly, and provide adequate controls to secure their digital assets. Cloud security and productivity can be improved immeasurably by tools designed to meet the challenges listed above, as well as any other specific to your industry or organization. When you review the market for cloud security solutions, be sure to select feature-rich tools that offer the full suite of capabilities required to achieve a robust cloud security posture.