Navigating The Complexity Of Cloud Security

Cloud environments offer a range of benefits including improved automation, business continuity, and enable DevSecOps practices that integrate security into the entire software & infrastructure lifecycle. Yet the overall cloud security landscape can be rife with stumbling blocks for your networking administrators and engineers.

Navigating that landscape requires understanding why cloud security can be so challenging, how it’s different from on-premise, your role in the shared responsibility model, and the promise of a platform approach in third-party cloud security solutions.

Why Is Cloud Security Challenging?

Cloud security covers a wide range of disciplines including data, applications, identity and access management (IAM), workloads, networking and much more. Who is responsible for what in a public cloud can depend on which cloud provider you’re using and the services you’re adopting, among other factors.

Unlike an on-premise network, you no longer own the hardware your business is running on. Each cloud provider offers several hundred native services with varying degrees of complexity. Add to that the constantly changing threat landscape and we have an extremely difficult environment to monitor and manage.

Ken Wisniewski, Senior Security Architect at Sayers, says:

“Complexity is a huge challenge in cloud environments and it’s only getting worse as Azure, AWS, and Google continue to add more services and additional things to manage. Complexity leads to misconfiguration as well as skill gaps among traditional IT administrators, engineers, and architects.”

What Is The Shared Responsibility Model In Cloud Security?

Moving from on-premise to the cloud doesn’t mean you’re giving up all responsibilities for security. You’re still responsible for certain areas within a shared responsibility model, which can vary by use case and other factors such as chosen services, regions, and applicable laws and regulations. 

Each cloud provider publishes its shared responsibility model including those for AWS, Azure, and Google Cloud Platform. 

Expect your cloud provider to be responsible for data center physical security and network uptime, but don’t rely on them to protect your data, applications, and credentials. You’re still responsible for many aspects of security in the cloud, including IAM. 

Wisniewski says:

“Cloud abstracts away some responsibility, but your system admins, cloud administrators, cloud architects, and engineers are still responsible for a lot. While you’ve given up the hardware and maybe some of the networking, you’ve added a tremendous amount of complexity with the capability you’re getting in those cloud environments.” 

For basic security in the cloud, take advantage of the built-in native cloud provider security functionality and identity controls. If you’re not sure you’re using them correctly, a third-party cloud security assessment can help.

Cloud Security Technology Platforms And The Rise Of CNAPP

Third-party solutions with advanced functionalities can solve many cloud security challenges, especially when the skill gap is too steep for your in-house team. Cloud security technology platforms align with one or more of the three main cloud service areas: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). 

SaaS:

• Cloud Access Security Broker (CASB). One of the technologies within the Secure Access Service Edge (SASE) architecture, CASB focuses on areas including compliance risks and access control. CASB serves as an intermediary between users and cloud service providers to consolidate enforcement for multiple types of security policies. 
• Security Service Edge (SSE). As a subset of SASE, SSE has become an overarching category on top of CASB, secure web gateway, and zero trust network access. SSE secures SaaS applications, websites, and private applications.
• SaaS Security Posture Management (SSPM). An offshoot of the CASB space, SSPM includes API-driven integrations and focuses on areas including SaaS risk assessment, configuration drift monitoring, and security control automation. 
• SaaS Management Platform (SMP). As an overall management platform, SMP provides overarching SaaS usage monitoring, data monitoring, policy management, and automation. 

IaaS: 

• Cloud Workload Protection Platform (CWPP). CWPP focuses on vulnerabilities and protecting any type of workload in enterprise environments including physical servers, virtual machines, containers, and serverless workloads.
• Cloud Native Application Protection Platform (CNAPP). This integrated set of CWPP and Cloud Security Posture Management (CSPM) capabilities helps identify and reduce security and compliance risks during development and production of cloud-native applications.

PaaS: 

• CSPM. This toolset identifies cloud platform configuration problems and compliance risks in the cloud, auditing them against a regulatory framework or a custom check you’ve created. 
• CNAPP.

CNAPP supports IaaS and PaaS deployments and integrates a variety of cloud security capabilities for multiple layers of protection including CSPM, CWPP, and Cloud Identity Entitlement Management. CNAPP helps identify and reduce security and compliance risks during development and production of cloud-native applications. 

As independent offerings, CSPM and CWPP lack the context of a consolidated platform and generate a large amount of potentially false positive information. With the combination of data between the control plane configuration, workload-level vulnerability, and runtime state, CNAPP can better prioritize and take action on cloud security events. 

Wisniewski says:

“As with most things in the IT security and infrastructure world, platformization/consolidation is king. While CWPP and CSPM still have their value independently, their consolidation gives us the encompassing term of CNAPP, which is the path forward overall. If you’re in the cloud, consider CNAPP capabilities even if you already have a CSPM or CWPP solution.”

CNAPP platforms can flexibly incorporate different components and modules to solve cloud security challenges, whether container or application development, building the cloud network, or managing virtual servers in the cloud. 

How And Where To Start With Your Cloud Security

Faced with the complexity of securing your organization’s clouds, where do you start? 

A third-party cloud assessment, which Sayers offers, can identify gaps in your current infrastructure and security in the cloud. That first step can lead to building a roadmap to a more secure and agile IT environment for your organization.

Though not as comprehensive as a cloud assessment, our cloud security workshops are a no-cost option to consider. 

Wisniewski says:

“We can help you navigate the complex landscape of cloud security, improve the knowledge transfer among your teams, and help you select the right architectures, tools, and processes to better secure your cloud environments.”

Questions such as the following can help identify your cloud security maturity level and which services or third-party solutions would best fit your organization:

• How are you incorporating cloud-native security offered by cloud providers as part of a broader cloud security strategy?
• How many workloads are you running in your cloud environment?
• Are your IAM roles and policies sufficiently restrictive?
• What are your cloud infrastructure deployment practices, and do they include automation and infrastructure as code?
• If you are running containers/Kubernetes, how are you monitoring for vulnerabilities?

Questions? Contact us at Sayers today for expert services including cloud security architecture and assessments, capability matrix and prioritization, and implementation services for cloud firewalls and multiple clouds.