Cloud security refers to the procedures and the technology that an organization implements to protect its cloud workloads, data, and infrastructure from cybersecurity threats. Some risks are external, launched with malicious intent by criminals or hackers looking to steal data or leverage disruption for financial gain. Others may be internal, occurring via human error, through cloud misconfiguration or gaps and vulnerabilities due to the complexity of the cloud.
The Unique Nature of Cloud Computing Risks
Understanding cloud security starts with the Shared Responsibility Model, a mainstay of all the major cloud providers. It is often misunderstood by organizations: the cloud provider takes care of securing only the cloud infrastructure itself. That means your cloud provider handles access control and vulnerability patching only for the physical hosts and hypervisors that run your storage or compute resources.
On your side as the customer, you take full responsibility for cloud security of users, data, and applications. This usually includes all Identity and Access Management, handling external threats to cloud applications, and ensuring that you manage data in compliance with your organizational requirements.
Customer responsibilities for cloud security can also vary depending on the service model, whether that’s Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS). For example, Identity and Access Management and Application-level controls are always the customer’s responsibility on IaaS, but on SaaS and PaaS environments, this may be shared with the cloud provider or vendor.
Despite this shared responsibility model, it is well known that Gartner believes up to 95% of cloud security failures are the customer's fault. It is clear, therefore, that existing cloud security methodologies could do with some work.
Traditional Cloud Security Solutions
Let’s look at the most common cloud security solutions that aim to meet the cloud security risks that today’s customers are faced with.
CSPM – Cloud Security Posture Management
Even in the earliest stages of the cloud, you can find examples of cloud security posture management (CSPM) tools. The idea was always to provide visibility into how your security status was being managed on the cloud. Initially this was often linked to cloud compliance, providing feedback on whether you were compliant according to specific benchmarks.
However, CSPM tools that focused on compliance were built out of an immature attitude to cloud environments and often a naive idea of what a tight security posture meant on the cloud. Most security vendors were simply unaware of the risks of the cloud, and therefore focused on compliance as the lowest common denominator, and as a risk that they could control. In many ways, just as organizations began with ‘lift and shift’ approaches from on-premises to cloud in their migration strategies, legacy CSPM technologies were the lift and shift of on-premises security considerations to the cloud.
Understanding Cloud-based Access Control
When it comes to cloud security, access control is any system that an organization uses to stay on top of permissions and access to sensitive or critical information, applications, assets, or data. By putting tight identity management and access control in place in the cloud, companies can ensure that only the stakeholders who need access to a particular environment have these permissions. This best practice is known as least privilege, and it means just that: every user has the least privileges they need to do their job without impediment, and no more. This limits what an attacker can do if they get their hands on that user's credentials.
Most tools that are used on the cloud to enforce and maintain access are known as CASBs, Cloud Access Security Brokers. These are hosted either on-premises or on the cloud, and sit between cloud consumers and cloud service providers, utilizing security policies to enforce access needs. Policies can cover anything from single sign-on, credential mapping, profiling of specific devices, encryption and tokenization, malware detection and response, and more.
Another term that you might hear when it comes to access control in cloud security is PAM. This stands for Privileged Access Management or Privileged Account Management, and may also be referred to as Privileged Session Management. All of these terms refer to systems that are responsible for managing and securing users who have elevated permissions. On the cloud, this could be the account owner on AWS, or someone with User Access Administrator rights on Azure. Elevated permissions may not even pertain to a user; they can also belong to devices, applications, and data that have access to critical systems or a large amount of freedom of movement within the network.
As these permissions are of extremely high value to cyber-criminals, they come under attack more than any others.
Data Security in the Cloud
There are two main concepts in cloud data protection: data in transit and data at rest. In transit refers to the encryption and other cloud security controls you apply to data that is moving between services, such as to and from the cloud, or between databases. Encryption at rest applies once the data has stopped moving, ensuring that it is secure in storage.
This category of cloud security is known as DLP (Data Loss Prevention), and it is closely related to access control.
A smart DLP strategy or technology will address cloud data security challenges and allow you to prioritize the data that needs protecting, classify and label it on the cloud, and gain visibility into the access paths that attackers may take to reach this critical and sensitive information. For example, files that are stored in the cloud may have broad sharing permissions. Think about a folder stored in Google Drive where the sharing settings allow anyone to access it without credentials.
One example of a DLP tool that looks at cloud data security in particular is Amazon Macie, a smart technology that finds sensitive Personally Identifiable Information (PII) in places where it shouldn't be.
CVEs and Vulnerability Management: Staying on Top of Cloud Security Risks
Another common cloud security approach is the use of CVEs. This stands for Common Vulnerabilities and Exposures, and is a list of known vulnerabilities found in applications. As an open, public list, any member of the public can detect an issue and report it to be added to the database. Each vulnerability or risk gets a unique ID and a score based on metrics such as exploitability, impact, attack vector, and more. You can also access a fix for the vulnerability, if one is available.
There are two main issues with this cloud security approach. Firstly, it only applies to known security threats in public applications. If there is a cloud security risk caused by your own code, you won't find it with standard vulnerability management tools that rely on CVEs. Secondly, technologies that rely on CVEs generate a large number of alerts that are neither contextualized nor prioritized, which can lead to security professionals skipping steps, ignoring alerts, and experiencing alert fatigue.
Cloud Infrastructure Security Posture
As cloud environments get increasingly complex, new forms of deployment push security teams to do more to secure cloud infrastructure earlier in the process. One such example is Infrastructure as Code (IaC). This is a relatively new way to build on the cloud: instead of using the traditional cloud console to deploy new servers, your DevOps teams write code that defines how your infrastructure will be built. Think about the whole configuration of your servers, from networks to identities, databases and more, all installed through code, including all relationships and dependencies. Tools such as Terraform are increasingly popular for making this even quicker and more agile, reducing duplicate and manual effort in IaC deployments.
Securing this environment has been a growing challenge for many organizations. Security teams are often invited to give their input only at the late testing or deployment stage, to ensure that DevOps is not deploying over-permissive roles, risky permissions, or dangerous network configurations. The issue is that this analysis is static and only gives insight into a specific point in time. The cloud is a dynamic environment, and without context or continuous insight, this cloud security approach is insufficient.
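The point-in-time review described above, and the least-privilege idea from the access control section, can be made concrete with a small static check. This is an added example, not LightSpin's code or Terraform's: it scans the IAM policy JSON that an IaC template would embed and flags Allow statements that grant every action, apply to every resource, or trust any principal. The two sample policies are constructed for illustration.

```python
# Added example (not LightSpin's code): a minimal static check for
# over-permissive IAM policy documents, as a security team might run over
# the policy JSON in an IaC repository before deployment. Sample policies
# below are constructed for illustration.
import json

def _as_list(value):
    # IAM accepts either a string or a list in Action/Resource/Principal.
    return [] if value is None else (value if isinstance(value, list) else [value])

def _principals(principal):
    # Principal is "*" or a dict such as {"AWS": "arn:..."}; flatten to a list.
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)

def find_overpermissive(policy_json):
    """Return (Sid, finding) pairs for Allow statements that grant too much."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant excess access
        sid = stmt.get("Sid", f"Statement{idx}")
        actions = _as_list(stmt.get("Action"))
        if "*" in actions:
            findings.append((sid, "allows every action (Action: *)"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "allows every action of a service"))
        if "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition"):
            findings.append((sid, "applies to every resource with no Condition"))
        if "*" in _principals(stmt.get("Principal")):
            findings.append((sid, "trusts any principal (Principal: *)"))
    return findings

# Constructed: an admin-style policy a DevOps template might ship with.
OVERLY_BROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "S3Service", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed: the same intent scoped to least privilege (no findings).
LEAST_PRIVILEGE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

if __name__ == "__main__":
    for name, policy in (("broad", OVERLY_BROAD), ("scoped", LEAST_PRIVILEGE)):
        print(name, find_overpermissive(policy))
```

A check like this only sees the policy as written at review time; it cannot observe roles that are later attached, modified in the console, or chained into an attack path, which is the gap the continuous, contextual approach described below is meant to close.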
LightSpin Contextual Solution for Cloud Security
Today, organizations are looking for more from their cloud security solutions, often moving from traditional legacy CSPM technologies and limited point-solutions to deploy contextual, proactive cloud security that has intelligence at its core.
LightSpin is an example of the next generation of cloud security platforms, one that offers the ability to truly shift left. Our technology works early and continuously with DevOps in future-focused environments such as cloud-native and Kubernetes deployments, and with tools such as IaC.
Technologies that focus on security challenges that are simply transferred from on-premises environments, such as compliance benchmarking or network visibility will always remain two steps behind today’s dynamic cloud environments.
In contrast, at LightSpin, we aren’t looking to move on-premises best practices to the cloud. We aren’t thinking about on-premises at all. Instead, we utilize our years of insight and intelligence into what the attackers are looking for, to add context to cloud-native and Kubernetes, where it’s needed the most. Through graph-based visualization, we shine a light on your environment via your own unique business context, and uncover the attack paths the attackers could take to your most critical assets and sensitive crown jewels.
We then present these findings to you in a clear and shareable way, including all risks to your cloud environment, from misconfigurations and vulnerabilities, to overly permissive access paths, CVEs, or risks to specific datasets. To address alert fatigue, these are prioritized with a risk score, allowing your teams to focus directly on what matters the most at any given time.
Ready to give contextual cloud security a try? Schedule your demo.