As enterprise workloads move to the cloud, more cybersecurity professionals are experiencing the complications of protecting their workloads in these faster and more dynamic environments. These are typical public cloud security challenges. Part of the reason is because cloud infrastructure is very easy to set up, so more and more people are now able to do it, even without the help of IT.
With almost anyone having the ability to spin-up cloud services, the rise of net new public cloud security challenges was inevitable. You can quickly end up with a huge number of assets and no effective way to track them or monitor them.
We took a quick poll in our recent Security Visibility webinar with Cyber Security Insiders to learn about the biggest day-to-day operational headaches cybersecurity professionals experience in the context of protecting these cloud environments.
In this blog post we’re highlighting three of the biggest public cloud security challenges security operations said they are facing, along with some of the key requirements for solving those issues through automation.
To learn more about the top five public cloud security challenges from our QuickPoll, listen to our webinar recording linked at the end of this post.
If things are changing too fast, you can quickly lose visibility into your infrastructure security. And if you don’t know what you have, you can’t protect it. Additionally, without tools developed with cloud infrastructure in mind, you can’t keep up with the speed of change.
Simply put, due to the rate of change, security and compliance stakeholders often can’t see what’s in their cloud infrastructure, and not knowing how they’re configured can be an enormous hidden risk, as those assets could have major vulnerabilities in them, making them ticking time bombs. This year alone, we’ve seen multiple, significant compromises, including at Capital One and Facebook, both of which included the compromise of an S3 environment.
This S3 type of issue comes primarily from not knowing the asset is out there and not knowing that it’s misconfigured, which is both a very big problem, and a broad-based problem. It’s usually the first of the public cloud security challenges that’s tackled with a security solution.
When you move to an environment where you have microservices, for example implemented in containers which may be driven by Mesos or Kubernetes, those microservices, can come up, do one small job, then vanish after a very brief period of time. They might be up for literally minutes or even seconds in some cases. In that kind of rapidly moving environment, if you don’t have continuous visibility into it, there’s just no way to manage it. So, the automation there is key.
While continuous visibility is only part of the equation, automated notification and tracking of remediation is also critical to solve public cloud security challenges. Remediation usually starts out with routing information to the right owners, which generally entails informing the system owners of how they need to remediate certain issues and ensuring they have a solid understanding of the level of priority and urgency required. They also need to understand it on their own terms.
In a traditional environment, which was more slow-moving, remediation was a much slower process. You might send out a lengthy report, once a month or once a quarter—with a list of all the issues that needed to be resolved. Today, with these cloud environments being in constant motion that remediation data stream needs to be constant and it needs to be in whatever form your Ops teams want in order to make it truly efficient and effective.
Traditional network security tools made sense when users and applications were hosted in more static, centralized data centers, but they’re not designed for the dynamic distributed virtual environments. In the AWS Cloud Security Survey 2019, 85% of respondents confirmed that legacy security solutions either don’t work at all in their cloud environments or only have limited functionality.
Based on this type of cloud infrastructure security research and what we’ve heard from our customers through the years on the kind of solution that would actually meet their security requirements, below we’d like to share what we’ve learned. And we’re happy to report that it seems to coincide with what we heard in our webinar from the participants. In a nutshell, to address public cloud security challenges and maintain security and compliance visibility, security professionals need and want the ability to:
In addition to looking for issues to clean up on the attackable surface areas, people are also looking for issues related to compliance. These are consistently the two key missions in many cases for the CSO’s organization:
From a compliance perspective, verification tracking and monitoring are equally important. As part of an audit, you would need to show that these types of issues were found, remediated, and that you verified that they were remediated, a process that should also be automated in order to keep up with the rate of change.
A traditional data center environment was relatively simple. It had fewer types of components that were more homogenous, where modern applications—cloud-based app environments—have more components. Typically, they have more of the smaller components, and they’re more varied. Additionally, in most cases, the perimeter orientation goes away in the cloud environment creating additional public cloud security challenges. While there are still perimeter controls, the centrality of the perimeter as the primary security control point changes dramatically.
When you take that traditional data center environment and you introduce private cloud infrastructure, you’re likely adding multiple virtualization environments, such as containerization. You will also begin to introduce automation tools, such as Chef and Puppet, which also increases the rate of change dramatically in these environments. This creates a lot of complexity, even in a data center. While there’s additional complexity here, the basic security model which is perimeter-driven is very much the same.
Adding public cloud infrastructure to the mix, is more of a huge leap for many organizations because you now have the shared responsibility model, which on the one hand is great for security and compliance, because they no longer have to deal with a lot of components in the data center. However, there are net new public cloud security challenges that have to be addressed with a new approach to security, such as monitoring and safeguarding the configuration of these environments and the services that run in them.
Within the shared responsibility model, as opposed to having total ownership, you now have a shared control model in which you share some responsibility with that public cloud provider. In addition, the hardware appliances that were once part of a very straightforward security model turn into these virtual cloud environments. Which means, you have to deal with virtual networking and virtual servers which are very easy for application infrastructure teams to change, making the rate of change go through the roof and driving greater challenges for security and compliance.
While these types of changes used to happen very much on security’s terms, this is no longer the case due to the rise of public cloud infrastructure, which creates somewhat of a cultural shift within enterprises.
The key thing to remember is, while there are things you can absolutely depend on your public cloud provider to do, you are still responsible for maintaining your part of the shared responsibility model. Ensuring you are clear on the details of your cloud infrastructure security responsibilities will help you understand the capabilities you need in a security solution.
So what should you look for in a security solution in order to enable these capabilities?
While automation is critical in securing your public cloud infrastructure, your ideal cloud security visibility solution should have the following characteristics to support it:
In these dynamic public cloud environments, if you don’t have ongoing insight into your infrastructure it is impossible to manage its security posture or tackle the public cloud security challenges. Because continuous discovery, inventory, and assessment is critical, effective automation of these needs in a dynamic IaaS environment is a must.
Automation relieves the burden of manual monitoring inherent in legacy systems. It also drastically streamlines the management of IaaS, which allows your organization to quickly and effectively mitigate risk, remediate issues, and maintain compliance—all while reducing burden to your IT security team. That is why continuous risk assessment and issue visibility which supports daily, hourly, and on demand needs is critical.
Hear cybersecurity experts Carson Sweet, CloudPassage CEO and founder, and Holger Schulze, Cybersecurity Insiders CEO and founder discuss public cloud security challenges and:
CloudPassage is here to help security teams improve threat prevention and vulnerability management for cloud infrastructure. Learn more about Cloud Secure, our Cloud Security Posture Management solution,