How to Secure the Cloud Simply, Effectively, and in Real Time
In my prior blog post on cloud security, I discussed how migrating to the cloud comes with certain security risks for your company.
To summarize, securing an IaaS cloud deployment means securing both the applications and the private network you set up in the cloud. Setting up a VPC (Virtual Private Cloud) in AWS, for example, gives you a flexible, highly scalable, always-on data center: you are renting the network and the machines (Elastic Compute Cloud, “EC2”, instances) from AWS. It is your IT and security teams’ responsibility to set up user accounts and network access through IAM, security groups, and private/public subnets in AWS.
These configurations can get quite complex as you set up different types of workloads (e.g. web servers, database servers, and application servers), and with hundreds or thousands of EC2 instances in your VPC the complexity can grow exponentially. Bad actors can then capitalize on this complexity by gaining access to the cloud environment and exfiltrating your corporate data, as I illustrated in an attack scenario.
Unfortunately, defending against these types of attacks isn’t as easy as moving the workloads to the cloud. Cloud environments have unique security needs that legacy security solutions cannot always address. As a result, you cannot simply take an on-premises security solution and plug it into the cloud.
Choices of Security Solutions for the Cloud
You do have a few options that are applicable to the cloud, however. In its 2018 Hype Cycle for Cloud Security report, Gartner lists 30 technologies that take access control, identity and other principles into the cloud for the purpose of reliably improving the security of cloud-based apps. Of these tools, Gartner anticipates that over the next two to five years, three types of cloud security technologies will deliver the highest levels of benefits for IT and security teams. These are as follows:
- Cloud access security brokers (CASB): These on-premises or cloud-based tools enforce cloud security policies whenever your employees attempt to access services (SaaS applications) hosted in the cloud. According to Gartner, CASBs support security policies pertaining to encryption, single sign-on, and authentication.
- Cloud workload protection platforms (CWPP): CWPPs are security solutions that commonly use an agent to protect cloud-based workloads, which consist of applications and other code groupings. Gartner explains that these tools work across hybrid environments and commonly support container-based architectures.
- Cloud security posture management (CSPM): Originally branded as Cloud Infrastructure Security Posture Assessment (CISPA) solutions, CSPM tools go beyond reporting to address customer configurations and setup errors in their cloud environments.
Another concept popular these days is the Zero-Trust Network. While this concept can work for simpler and smaller data centers and cloud deployments, in other cases a Zero-Trust Network introduces considerable complexity. You might think that “never trust, always verify” is a good maxim around which to structure your network security strategy. The problem is that organizations tend to go too far with their Zero Trust mindset, fully quarantining their network behind many segmentation gateways. This setup increases the complexity of your security architecture, and as noted above, that complexity makes it harder for security professionals to defend against threats. These considerations point to why the Zero Trust model doesn’t always work.
Choosing the Best Cloud Security Solution
Obviously, not every solution will fulfill your business needs. You need to find a solution that works best for you. As you do your research, keep in mind these key considerations:
- A good cloud security solution needs to be able to detect all types of digital threats in the cloud. These dangers include threats attempting to enter the cloud environment as well as those already moving within the cloud.
- A cloud security solution should not be overly complex. If it is, security will get more complicated to implement.
- Look for a solution that can work across hybrid environments. That is, it should be capable of securing assets hosted on-premises and in the cloud. Requiring different solutions for each of these environments increases network complexity and makes it harder for your security professionals to defend your computer systems.
- A good cloud security solution is one that monitors network activity in real time. It can’t simply collect the data and analyze it after the fact; by then the damage will already be done before your security team has a chance to formulate an action plan.
- Lastly, what’s the use of a security tool if it can’t scale to meet your evolving needs? The solution needs to handle all the additional traffic created by migrating resources to the cloud. As such, it must be able to raise a growing number of alerts on anomalous activity while still keeping the number of false positives low.
A Balanced Cloud Security Model
Recognizing these different security objectives and possible solutions, I would like to describe how we at Lastline® are looking to help address some of these security challenges. Lastline Defender™ is one such tool that meets the criteria above. Lastline Defender helps detect advanced threats from both entering and operating within your virtual private cloud (VPC).
What makes Lastline truly stand out, however, is its ability to flag this activity at each stage of an attack, thereby providing your defenders with multiple opportunities to stop bad actors in their tracks. Let’s look back at the attack scenario I discussed in the previous blog and see how Lastline could have helped detect each of its phases:
- Exploitation: Leveraging its full network traffic visibility and signature capabilities, Lastline would have alerted your security team that someone exploited a Drupal vulnerability to gain access to an app residing on the public cloud workloads.
- Access: Lastline would have detected evidence via VPC flow logs that an attacker scanned for other workloads and began to move laterally to another port, in this case a database containing sensitive data.
- Exfiltration: Using anomaly detection on VPC flow logs, Lastline would have spotted the attacker’s attempts to access the service, extract a copy of the database, and exfiltrate the information to the cloud.
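As an added example (not Lastline’s code and not from the original post), here is a small Python detector that runs over constructed VPC flow log records and applies the two heuristics behind the Access and Exfiltration phases above: one source touching many destination ports on one host, and an accepted flow pushing an unusual byte volume from inside the VPC to an address outside it. The VPC range 10.0.0.0/16, the thresholds and the sample records are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.0.0.0/16")  # assumed VPC range; anything outside it is "external"
# Field order of the version-2 default VPC flow log format
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status")
# Constructed sample records (not real traffic): a host probing six ports on a database
# workload, the database replying to a peer, then ~1.3 GB leaving the VPC, plus a NODATA line.
SAMPLE_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51001 80 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51002 443 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51003 3306 6 5 420 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51004 5432 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51005 8080 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 198.51.100.7 44322 443 6 900000 1310000000 1700000100 1700000700 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.30 3306 50123 6 40 12000 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000200 1700000260 - NODATA
"""

def parse_flow_logs(text):
    """Parse default-format v2 records into dicts, skipping NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2" or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def detect_port_scans(records, min_ports=5):
    """Flag a source that touches many distinct destination ports on one host (scanning behaviour)."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return [(s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports]

def detect_exfiltration(records, byte_threshold=100_000_000):
    """Flag accepted flows from inside the VPC to outside it whose summed bytes exceed a baseline."""
    totals = defaultdict(int)
    for r in records:
        if (r["action"] == "ACCEPT" and ip_address(r["srcaddr"]) in VPC_CIDR
                and ip_address(r["dstaddr"]) not in VPC_CIDR):
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return [(s, d, b) for (s, d), b in totals.items() if b >= byte_threshold]
```

In a real deployment the byte threshold would come from a per-workload baseline rather than a fixed constant, and the port count would be evaluated over a sliding time window.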
Lastline Defender for Cloud delivers a unified interface to provide full visibility and threat detection for both cloud workloads and on-premises assets. Learn more about the Lastline difference and how it’s able to detect attacks that other solutions miss.