Cloud security refers to the procedures and the technology that an organization implements to protect its cloud workloads, govern how data is stored and managed, and ensure all infrastructure is kept safe from cybersecurity threats. Some risks are external, launched with malicious intent by criminals or hackers looking to steal data stored in the cloud, or to cause disruption for financial gain. Others may be internal, occurring via human error, through cloud misconfiguration, or through gaps and vulnerabilities that arise from the complexity of the cloud.
This article will look at cloud security in detail, including why security for cloud computing is different from what you may be used to on-premises, and the different ways of approaching cloud security risk for today’s complex and dynamic cloud environments.
The Unique Nature of Cloud Computing Risks
Understanding cloud security means looking at the Shared Responsibility Model, a mainstay for all the major cloud providers on the public cloud. It is often misunderstood by organizations: your public cloud provider takes care only of securing the cloud infrastructure itself. That means your public cloud services provider handles user access control and vulnerability patching only for the physical hosts and hypervisors that are used to run your storage or compute resources.
On your side as the customer, you take full responsibility for public cloud security for users, cloud data encryption, and applications. This usually includes all Identity and Access Management, handling external threats to cloud applications, and ensuring that you are managing cloud data in line with your organizational requirements and for regulatory compliance.
Customer responsibilities for cloud security can also vary depending on the service model, whether that’s Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS). For example, IAM and application-level controls are always the customer’s responsibility on IaaS, but in SaaS and PaaS environments, this may be shared with the public cloud services provider or vendor.
Despite this shared responsibility model, it’s well known that Gartner believes that up to 95% of cloud security failures are the customer’s fault. It is clear, therefore, that existing cloud security methodologies could do with some work.
Traditional Cloud Security Solutions
Let’s look at the most common cloud security solutions that aim to meet the cloud security risks that today’s customers are faced with.
CSPM – Cloud Security Posture Management
Even in the earliest stages of cloud computing, you can find examples of cloud security posture management (CSPM) tools and similar cloud services. The idea was always to provide visibility into how your security status was being managed on the cloud, and was often initially linked to cloud compliance, providing feedback into whether you were compliant according to specific benchmarks.
However, CSPM tools that focused on compliance were built out of an immature attitude to cloud computing environments and often a naive idea of what a tight security posture meant on the cloud. Most security vendors were simply unaware of the risks of the cloud, and therefore focused on compliance as the lowest common denominator, and as a risk that they could control. In many ways, just as organizations began with ‘lift and shift’ approaches from on-premises to cloud computing in their migration strategies, legacy CSPM technologies were the lift and shift of on-premises security considerations to the cloud.
Understanding Cloud-based Access Control
When it comes to cloud security, access control is any system that an organization uses to stay on top of permissions and access to sensitive or critical information, applications, assets, or cloud data encryption. By putting tight identity management and access control in place in the cloud, companies can ensure that only the stakeholders who need access to any particular environment have these permissions. This best practice is known as least privilege, and means just that: every user has the least privilege they need to do their job without impediment, and no more. This limits what an attacker can do if they get their hands on this user’s credentials.
Most tools that are used on the cloud to enforce and maintain access are known as CASBs, Cloud Access Security Brokers. These are hosted either on-premises or on the cloud, and sit between cloud consumers and cloud providers, utilizing security policies to enforce access needs. Policies can cover anything from single sign-on, credential mapping, profiling of specific devices, encryption and tokenization, malware detection and response, and more.
Another term that you might hear when it comes to access control in cloud security is PAM. This stands for Privileged Access Management or Privileged Account Management, and may also be referred to as Privileged Session Management. All of these terms refer to any systems that are responsible for managing and securing users who have elevated permissions. On the cloud, this could be the account owner on AWS, or someone with User Access Administrator rights on Azure. Elevated permissions may not even pertain to a user; they can also refer to devices, applications and cloud data that have access to critical systems or a large degree of freedom of movement within the network.
As these permissions are of extremely high value to cyber-criminals, they will come under attack more than any other.
Data Security Controls in the Cloud
There are two main concepts when it comes to cloud data protection: data in transit, and data at rest.
- Data in transit refers to the encryption and cloud security steps that you apply to cloud data that is moving between cloud services, such as to and from the cloud, or between databases.
- Data at rest is data that has stopped moving; encryption at rest ensures that it stays secure while it is being held in data storage.
This category of cloud security is known as DLP (Data Loss Prevention). It is closely related to access control, aiming to limit data breaches and protect cloud data from any other threats that can affect regulatory compliance and control.
A smart DLP strategy or technology will address cloud data security challenges, and allow you to prioritize the cloud data encryption of that which needs protecting, classify and label it on the cloud, and gain visibility into the user access paths that attackers may take to reach this critical and sensitive information. For example, when you’re thinking about data storage in the cloud, you need to consider whether the files may have broad sharing permissions. Think about a folder stored in Google Drive where the sharing settings allow anyone to access, either from desktop or mobile, the office or at home, and all without credentials.
One example of a DLP tool that looks at cloud data security in particular is AWS Macie, a smart technology that finds sensitive Personally Identifiable Information (PII) in places where it shouldn’t be.
CVEs and Vulnerability Management in Staying on Top of Cloud Security Risks
Another common cloud security approach is the use of CVEs. This stands for Common Vulnerabilities and Exposures, and is a list of known vulnerabilities found in applications. As an open solution, any member of the public can detect an issue and report it to be added to the database. Each vulnerability or risk gets a unique ID, and a severity score based on metrics such as how easily it can be exploited, its impact, the type of attack vector, and more. You can also access a fix for the vulnerability, if one is available.
There are two main issues with this cloud security approach. Firstly, this only applies to known security threats in public applications. If there is a cloud security risk caused by your own code – you won’t find it with standard vulnerability management tools that rely on CVEs. Secondly, technologies that rely on CVEs will generate a large number of alerts, which are not contextualized or prioritized, and can lead to security professionals skipping steps, ignoring alerts, and experiencing alert fatigue.
Cloud Computing Infrastructure Security Posture
As cloud computing environments get increasingly complex, new forms of deployment push security teams to do more to secure cloud infrastructure earlier in the process. One such example is Infrastructure as Code (IaC). This is a relatively new way to build on the cloud, where instead of clicking through the cloud provider’s console to deploy new servers, your DevOps teams write code that defines the way your infrastructure will be built. Think about the whole configuration of your servers, from networks to identities, databases and more, all installed through code, including all relationships and dependencies. Tools and cloud services such as Terraform are increasingly popular for making this even quicker and more agile, reducing duplicate and manual effort in IaC deployments.
Securing this environment has been a growing challenge for many organizations. Security teams are often invited to give their input at the late testing or deployment point, to ensure that DevOps is not deploying over-permissive roles, risky permissions, or dangerous network configurations. The issue is that this analysis is static, and only gives insight into a specific point in time. The cloud is a dynamic environment, and without context or continuous insight, this cloud security approach is insufficient.
LightSpin Contextual Solution for Cloud Security
Today, organizations are looking for more from their cloud security solutions and each individual cloud provider, and are regularly seen to be moving from traditional legacy CSPM technologies and limited point-solutions to deploy contextual, proactive cloud security that has intelligence at its core.
LightSpin is an example of the next generation of cloud security platforms, cloud services that offer the ability to truly shift left and create policies that make a difference at the build stage, that DevOps teams can use to see a real difference in the way they work every day. Our technology works early and continuously with DevOps in future-focused environments such as cloud-native and Kubernetes deployments, and with tools such as IaC.
Technologies that focus on security controls and challenges where the risk has simply been transferred from on-premises environments, such as compliance benchmarking or network visibility, will always remain two steps behind today’s dynamic cloud computing environments.
The LightSpin Difference for Cloud Security
In contrast, at LightSpin, we aren’t looking for more robust cloud security from day one. We aren’t looking to move on-premises best practices to the cloud. We aren’t thinking about on-premises at all. Instead, we utilize our years of insight and intelligence into what the attackers are looking for, to add context to cloud-native and Kubernetes, where it’s needed the most. Through graph-based visualization, we shine a light on your environment via your own unique business context, and uncover the attack paths the attackers could take to your most critical assets and sensitive crown jewels.
We then present these findings to you in a clear and shareable way, including all risks to your cloud computing environment, from misconfigurations and vulnerabilities, to overly permissive user access paths, CVEs, or risks to specific datasets. To address alert fatigue, these are prioritized with a risk score, allowing your teams to focus directly on what matters the most at any given time.
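To make the attack-path and risk-score idea above concrete, here is an added toy illustration (not LightSpin's implementation or data): a constructed graph of cloud entities whose edges mean "an attacker controlling the source can reach the target", a breadth-first search from the internet to each business-critical asset, and a simple ranking that favours critical assets reachable in few hops.

```python
from collections import deque

# Constructed illustrative environment; every node, edge and label is made up.
# Edge = (source, target, the relationship that makes the hop possible).
EDGES = [
    ("internet", "web-instance", "security group allows 0.0.0.0/0 on port 22"),
    ("web-instance", "web-role", "instance profile attached"),
    ("web-role", "customer-pii-bucket", "s3:GetObject on the bucket"),
    ("web-role", "ci-role", "sts:AssumeRole permitted"),
    ("ci-role", "prod-db", "rds:* on all resources"),
    ("internet", "api-lambda", "public function URL"),
    ("api-lambda", "config-secret", "secretsmanager:GetSecretValue"),
    ("batch-instance", "customer-pii-bucket", "s3:GetObject"),  # not reachable from internet
]

# Business context: criticality of each crown-jewel asset (higher = more critical).
CROWN_JEWELS = {"customer-pii-bucket": 10, "prod-db": 9, "config-secret": 4}


def shortest_attack_paths(edges, entry, jewels):
    """Breadth-first search from `entry`; return the shortest node path to each jewel."""
    graph = {}
    for src, dst, _reason in edges:
        graph.setdefault(src, []).append(dst)
    paths, seen = {}, {entry}
    queue = deque([(entry, [entry])])
    while queue:
        node, path = queue.popleft()
        if node in jewels and node not in paths:
            paths[node] = path
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return paths


def prioritise(paths, jewels):
    """Risk score = asset criticality / hops, so short paths to critical assets rank first."""
    scored = [(jewels[j] / max(len(p) - 1, 1), j, p) for j, p in paths.items()]
    return sorted(scored, key=lambda t: t[0], reverse=True)


if __name__ == "__main__":
    for score, jewel, path in prioritise(shortest_attack_paths(EDGES, "internet", CROWN_JEWELS), CROWN_JEWELS):
        print(f"{score:.2f}  {jewel}: {' -> '.join(path)}")
```

Assets that no internet-facing entity can reach (here `batch-instance` and its bucket access) never appear in a path, which is how context removes findings that a flat CVE or misconfiguration list would still report.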
Ready to give contextual cloud security a try? Schedule your demo.