Cloud Security: Where Should We Start?
Posted March 8, 2022 by Sayers
Major cloud solution providers including Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) have steadily added functionality to make their features more secure. But can they say their clouds are truly secure by default?
If you think of the cloud as fundamentally an operating platform, it’s typically much more sophisticated than a single operating system can be. But sophistication brings complexity. “Although the cloud provider brings security components into their offerings when it comes to your data, applications, processes, and services, those things are very much not secure by default in a cloud environment,” says Ken Wisniewski, Senior Cybersecurity Solutions Architect at Sayers.
That’s why we’ve drawn on a Sayers cloud security Q&A panel discussion to highlight a variety of tools that help secure your organization’s clouds and measure their security posture.
Make The Most of Cloud Native Security Offerings
As a tenant in the public cloud, you don’t have the same level of control you would have in a physical, on-premise data center. “There’s a philosophical question about whether you could ever achieve the same level of security in the public cloud,” says Gerry Wollam, Senior Cybersecurity Solutions Architect at Sayers. “The answer is a great big ‘it depends’ on the cloud provider doing their job.”
Cloud environments offer hundreds of different functionalities across multiple disciplines, which creates more complexity than an on-premise solution. Wisniewski cautions, “Creating a cloud account for users to develop applications and services without any security guardrails in place creates a playground that’s rife for misconfiguration, manipulation, or exploit.”
The first step in securing that playground is to take advantage of native security tools and services offered by cloud providers. You’ll find dozens of out-of-the-box security-related capabilities offered by Azure, AWS, and GCP.
“There’s a tremendous amount you can take advantage of that you wouldn’t necessarily have at your disposal in a typical data center environment,” says Wisniewski. “For example, network security groups, which are host-applied firewall capabilities, allow you to do things such as greater segmentation without having to instrument your operating system or your solutions.”
Other examples of security services offered by cloud providers include application firewalls, secure storage for cryptographic keys and passwords, a managed ledger for data entries, and identity management for your apps.
Explore Three Main Categories Of Third-Party Security Tools
In addition to cloud native security controls, third-party tools are another option for your organization to consider when moving to the cloud. These can be especially useful in a multi-cloud environment.
“If a customer has decided on a specific public cloud provider, then it’s clearer for them to use the native security controls, which may be simpler for them,” says Wollam. “But usually the next step in their architecture is going to be multi-cloud, which brings more questions. Do they use cloud native controls the way this one provider or multiple providers do? Or should they overlay a third-party tool that can be managed centrally, for whatever use cases they have?”
Those third-party cloud security technologies tend to fall into three main categories:
Cloud Security Posture Management (CSPM). This toolset identifies configuration problems and compliance risks in the cloud, gauging them against a regulatory framework or a custom check you’ve created.
Cloud Access Security Broker (CASB). These intermediaries between users and cloud service providers consolidate enforcement for multiple types of security policies such as authentication, encryption, logging, and alerting.
Cloud Workload Protection Platform (CWPP). As the name implies, CWPP focuses on protecting any type of workload in enterprise environments, including physical servers, virtual machines, containers, and serverless workloads.
“With those three core capabilities, we’re talking about controlling and auditing the configuration of our cloud platform (CSPM), auditing and monitoring our SaaS platform configuration and controlling the data sent to and from those SaaS platforms (CASB), and then wrapping our workloads in security (CWPP),” says Wisniewski. “You have a fairly holistic toolset to apply controls across your cloud environments, regardless of what they are.”
How To Measure and Monitor Your Organization’s Security Posture
Even if you’re not ready to assess your environment’s security posture with a third-party tool or technology, you can begin by using the evaluation tools your cloud solution provider offers.
“Whether it’s Azure Security Center (now part of Microsoft Defender for Cloud), AWS Security Hub, or GCP Security Command Center, it’s in the best interest of cloud providers to keep you secure,” says Wisniewski. “They will at least bring you the foundational elements to assess your security capabilities, so rely on those as a good starting point.”
As you move into more complex environments such as multi-cloud, look at CSPM-type toolsets that allow you to apply a standardized set of checks across multiple cloud service providers. Those checks usually track back to standards such as NIST or other well-architected frameworks, providing a more granular view into your cloud presence.
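The network security group point and the standardized cross-provider check described above, as an added example that is not from Sayers or from any provider's tooling: one rule (no SSH or RDP port reachable from the internet) evaluated over AWS, Azure and GCP firewall resources. The resource names, the inventory and the choice of ports are constructed assumptions, and only the singular Azure source and port fields are handled.

```python
# Added example: one CSPM-style rule over three providers' firewall formats.
MGMT_PORTS = {22, 3389}                    # assumption: SSH and RDP are in scope
OPEN = {"0.0.0.0/0", "*", "Internet"}      # "any source" as each provider spells it

def port_span(text):
    """Turn '22', '1000-2000' or '*' into an inclusive (low, high) range."""
    low, _, high = ("0-65535" if text == "*" else text).partition("-")
    return (int(low), int(high or low))

def normalize(provider, res):
    """Yield (source, low, high) per inbound allow rule. Simplification:
    protocol is not compared, so a UDP rule on these ports is reported too."""
    if provider == "aws":                  # EC2 security group
        for perm in res["IpPermissions"]:
            span = ((0, 65535) if perm["IpProtocol"] == "-1"
                    else (perm["FromPort"], perm["ToPort"]))
            for r in perm.get("IpRanges", []):
                yield (r["CidrIp"], *span)
    elif provider == "azure":              # network security group
        for rule in res["securityRules"]:
            p = rule["properties"]
            if p["direction"] == "Inbound" and p["access"] == "Allow":
                yield (p["sourceAddressPrefix"], *port_span(p["destinationPortRange"]))
    elif provider == "gcp" and res["direction"] == "INGRESS":   # VPC firewall rule
        for allow in res.get("allowed", []):
            for ports in allow.get("ports", ["*"]):
                for src in res["sourceRanges"]:
                    yield (src, *port_span(ports))

def audit(inventory):
    findings = []
    for provider, name, res in inventory:
        for src, low, high in normalize(provider, res):
            hit = sorted(p for p in MGMT_PORTS if low <= p <= high)
            if src in OPEN and hit:
                findings.append((provider, name, hit))
    return findings

INVENTORY = [  # constructed sample resources, trimmed to the fields used
    ("aws", "sg-web", {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}),
    ("azure", "nsg-jump", {"securityRules": [{"properties": {
        "direction": "Inbound", "access": "Allow",
        "sourceAddressPrefix": "*", "destinationPortRange": "3389"}}]}),
    ("gcp", "fw-dev", {"direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
                       "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]}),
]

if __name__ == "__main__":
    print(audit(INVENTORY))
```

The AWS group passes because its only internet-facing rule is port 443 and its SSH rule is limited to an internal range; the GCP rule is caught even though port 22 is hidden inside the range 20-25.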
However, assessing software provided as a service in your environment – such as Microsoft 365 or Dropbox – requires a different approach.
“You can’t install an agent or a piece of software into those SaaS environments, but you can determine your security posture by either manually reviewing the configuration you’ve put in place as a user, or interrogating the APIs developed by those solutions,” says Wisniewski.
This is similar to the CASB type of solution set, where you audit what the solution provider’s API can tell you about how secure they are.
However, as you scale to having multiple cloud provider accounts, the increased complexity calls for an overlay capability to audit those multi-cloud environments, so your security solution can meet your use cases and compliance goals.
For more on this topic, watch the 35-minute “Moving to a Secure Cloud” Q&A panel from the Sayers #Curio Virtual Tech Summit, now available free on-demand. Three of our industry-leading experts on architecting and securing the cloud answer your most pressing questions on cloud security as you move to the cloud.