When making the big shift to the cloud, companies often become hyper-focused on the cost savings, greater scalability, and increased agility they hope to see as a result of their cloud adoption.
But in their eagerness to initiate fast changes and squeeze value from their cloud migration initiatives, they're also falling prey to a common misperception: that existing, or default, cybersecurity measures will suffice to secure their distributed multi-cloud environments.
The truth is, cloud security is a whole new ballgame, with an entirely new set of risks. To keep data safe, secure, and compliant in this new environment, your IT teams must take two actions. They must ensure that their cloud solutions have the right security capabilities in place, and they must ensure that those solutions are compatible with security deployed elsewhere across the distributed network.
They also need to understand the shared-responsibility model. This stipulates that, while cloud providers secure their infrastructure, data security assurances are the responsibility of an organization's security team. Simply applying perimeter defenses and traditional on-premises security measures will not suffice.
The reality is, misconfiguring your cloud security controls could very well leave the kind of gaps that cyber criminals are hoping for. In fact, Gartner predicts that by next year, 99% of all cloud security incidents will be the customer's fault due to device misconfigurations.
And if an attack is successful, the organization risks losing important data and/or experiencing an interruption in operations. This is on top of the reputation damage and compliance penalties they will receive as a result of having inadequate security controls and policies in place.
Don't overlook these five controls
For IT teams overseeing the move to the cloud, here are five essential features to address when deploying cloud security controls. by implementing these controls you'll capitalize on the DevOps agility and customer-centricity that the cloud provides, without compromising on the security or compliance they require.
1. Centralized visibility of the cloud infrastructure
Cloud security control essentials include centralized visibility into security policies, configuration settings, and user activity—as well as into risks that may be hiding in online data stores. This reduces the chances of your security team overlooking a vulnerability in cloud security due to misconfiguration, or missing anomalous activity that might indicate an attack.
The challenge is that different clouds offer different configuration settings—and those settings are often selected by developers without security expertise. Getting visibility across instances and clouds is no easy task.
To minimize these kinds of risks, security teams need centralized visibility into their cloud infrastructure. Cloud workload protection (CWP) tools can help with this task; they integrate tightly into cloud management and security systems.
These tools give security teams the ability to monitor and assess the configuration status of current services, along with the overall security posture of the cloud environment. Automated configuration monitoring allows IT teams to identify and quickly respond to security misconfigurations, thus bolstering security while shortening the time it takes to implement fixes.
Key capabilities of effective workload protection and platform security tools include:
Traffic analysis
Inspection of data stored in the cloud for sensitive or malicious content
Regular configuration monitoring and assessments
Recommendations for how to improve vulnerable areas of the cloud environment
Alerts for configuration issues
Identification of compliance issues due to misconfiguration
2. Native integration into cloud management and security systems
Unlike traditional data centers, cloud computing is based on a shared-responsibility model, where some security settings are controlled by the customer and others by the public cloud vendor.
Visibility into your security posture across clouds requires close coordination between your CWP solution and the underlying cloud environment. This implies API-level integration into tools such as Amazon Inspector and VPC Flow logs and GuardDuty for AWS; Stack Event and Flow Drivers for Google Cloud Platform; and Security Center for Azure.
SaaS customers may also require a cloud access security broker (CASB) solution that integrates deeply with the SaaS service to identify risks and configuration issues specific to the SaaS in use.
3. Web application layer protections combined with machine learning and AI
When it’s not clear who is responsible for protecting cloud infrastructure, additional security gaps open up. Your company is responsible for the security of applications deployed in the cloud, as well as the data stored there. Cloud providers take responsibility for the infrastructure only.
To best fulfill their role in the shared-responsibility model, your organizations needs to shore up security for web applications with web application firewalls. Threat detection for apps is different when apps run in the cloud rather than on premises, as controlling access to specific IP addresses won't work with cloud-deployed apps.
Here threat detection needs to take place within the application content, not the traffic. This requires constant granular adjustments that you can't handle manually.
Only an approach that leverages the computing power and speed of artificial intelligence can protect today's cloud-based applications. Machine learning can help detect the type of user and/or app behavior that signals a problem, and can implement protection measures in ways that no human-powered approach could match in terms of speed or accuracy.
4. Security automation
Given the cybersecurity skills gap, the current state of the cybersecurity field isn't sufficient to cover all enterprise needs in the 21st century. Cybersecurity professionals are in high demand, and existing security and DevOps teams have skills gaps that leave enterprises vulnerable to a wide range of threats.
Until the industry can keep pace with enterprise needs and demands for a larger and more capable pool of talent, security architects are encouraged to help organizations automate their security functions wherever they can.
One approach being used right now includes plugins that provide administrators more visibility into multi-vendor ecosystems, enabling automation and simplified management. When application changes arise, IT and DevOps teams can stay current without having to update their security policies every time app attributes evolve.
Security configuration scripts that can be downloaded from security providers can also help automate security operations.
5. Threat intelligence feeds
The more complex your cloud environment becomes—the result of vendor sprawl that occurs when you use multiple providers with different security platforms—the more vulnerable it becomes to threats. Maximum cloud security comes from a comprehensive solution that places under one umbrella every cloud service your company employs.
A good solution should incorporate dynamic threat intelligence feeds consisting of deep intelligence of global and local security events. When selecting cloud security controls, seek providers with solutions informed by the data collected across all of their deployed sensors.
Get clear on your cloud control strategy
Combined, all of these threat intelligence sources will help security teams and automated controls to better defend the infrastructures they're charged with protecting.
As cloud adoption grows, think more carefully about the cloud security controls you're implementing to reduce complexity, while ensuring comprehensive security. Cutting-edge features such as those outlined above will ensure that your organization is prepared as you face new and more complex security challenges as the business embraces digital innovation.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
