According to Gartner, most enterprises these days are using more than one public cloud service, and in many cases organizations are increasingly invested in using container-based and cloud-native applications. The move to cloud computing brings significant benefits to the enterprise, but it also adds new risk factors that may be outside the scope of your usual cybersecurity practices. Securing virtual machines, containers, Kubernetes and serverless workloads, whether in public, private or hybrid clouds, means developing an effective understanding of the security issues affecting cloud workloads. In this post, we explain the challenges of effective cloud security and the solutions to them.
What Is Cloud Security?
Cloud security can be thought of as an element of cybersecurity that pertains specifically to maintaining the confidentiality, integrity and availability of data, applications and services located on servers controlled partially or entirely by one or more third parties.
In order to secure your data, services and business continuity when using cloud providers and/or cloud services, it is vital to understand that the nature of the risk is quite unlike managing data that is held on a traditional, on-premises server, which is typically maintained, controlled and secured by the business owner.
How is Cloud Security Different?
First, an organization must understand its obligations under the shared responsibility model of its cloud service provider (for example, the AWS Shared Responsibility Model). Broadly, the cloud service provider, or “CSP,” is responsible for security of the cloud, while the customer is responsible for security in the cloud. Your CSP provides for physical security, power, air conditioning, and the like. You are responsible for securing the confidentiality, integrity, and availability of your data. This means giving careful consideration to identity and access management (IAM), cloud workload protection (CWP), configuration (CSPM), and application coding and architecture.
With cloud computing services, the crucial difference is that whenever an architecture contains some element of a public cloud service, the data owner has neither physical control of, nor physical access to, the underlying hardware. In addition, the data owner typically needs to communicate with the cloud provider or service across the public internet, rather than having traffic protected within the perimeter of a local intranet and firewall. Finally, the container stack itself (Docker images, Kubernetes clusters and the like) also presents unique security challenges.
What Are the Components of a Cloud Security Strategy?
Whether AWS, Azure, or Google Cloud, there are several aspects to securing your organization’s public cloud footprint:
1. Identity & Access Management (IAM)
A user should only be given access to the right resources, at the right time, to complete their job. IAM solutions deliver a set of policies to make this objective reality.
2. Cloud Workload Protection (CWP, or CWPP)
Like user workstations, cloud workloads are vulnerable to malware, ransomware, and zero-day attacks. CWPP solutions protect workloads from such exploits by providing runtime security for applications running on cloud infrastructure like VMs and containers. Cloud workloads run on Linux and Windows hosts, whose operating systems are vulnerable to exploitation by malware.
Examples of such malware include ransomware that encrypts and exfiltrates vital data, or cryptomining malware that hijacks cloud infrastructure for the purpose of mining cryptocurrency on your bill. CWPP includes protection, detection, and response capabilities against such threats.
3. Configuration Security Posture Management (CSPM)
If cloud services are to be secure they must be securely configured. CSPM solutions deliver a framework of policies to monitor configuration security and track it over time. CSPM provides for the consistent and secure configuration of cloud services in conformance to centralized governance, security, and compliance policies.
Internet-facing resources are especially critical, as bad actors automate the process of probing cloud infrastructure for vulnerable configs. Customer lists and intellectual property can be quietly exfiltrated. Configuration security failures often make headlines, such as when a cloud storage service containing sensitive corporate data is misconfigured, inadvertently exposing the data to unauthorized eyes.
Fortunately, the Center for Internet Security (CIS) publishes benchmarks for the secure configuration of cloud resources, so an organization can compare their security posture to these best practices at any given moment.
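A minimal sketch of the monitor-and-track idea behind CSPM, added here as an illustration and not taken from any vendor product or from the CIS benchmark text: the same rules are evaluated against two inventory snapshots and the findings are compared to show drift. The inventory schema, rule names and sample resources are all hypothetical.

```python
# Added example: the provider-neutral inventory schema and the rules are hypothetical.
from typing import Callable

# Each rule: (rule id, resource type it applies to, predicate that is True when compliant)
RULES: list[tuple[str, str, Callable[[dict], bool]]] = [
    ("storage-not-public", "bucket", lambda r: not r.get("public_read", False)),
    ("storage-encrypted-at-rest", "bucket", lambda r: r.get("encryption") in {"aes256", "kms"}),
    ("no-world-open-admin-ports", "firewall",
     lambda r: not any(i["cidr"] == "0.0.0.0/0" and i["port"] in (22, 3389)
                       for i in r.get("ingress", []))),
]

def evaluate(snapshot: list[dict]) -> set[tuple[str, str]]:
    """Return {(resource name, rule id)} for every failed check in one snapshot."""
    return {(res["name"], rule_id)
            for res in snapshot
            for rule_id, rtype, ok in RULES
            if res["type"] == rtype and not ok(res)}

def drift(previous: list[dict], current: list[dict]) -> dict[str, list]:
    """Compare two snapshots: which findings are new, fixed, or still open."""
    before, after = evaluate(previous), evaluate(current)
    return {"new": sorted(after - before),
            "fixed": sorted(before - after),
            "open": sorted(after & before)}

# Constructed sample inventories taken a few days apart
MONDAY = [
    {"type": "bucket", "name": "customer-exports", "public_read": False, "encryption": "kms"},
    {"type": "bucket", "name": "build-artifacts", "public_read": False, "encryption": None},
    {"type": "firewall", "name": "bastion-sg", "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
]
FRIDAY = [
    {"type": "bucket", "name": "customer-exports", "public_read": True, "encryption": "kms"},
    {"type": "bucket", "name": "build-artifacts", "public_read": False, "encryption": "aes256"},
    {"type": "firewall", "name": "bastion-sg", "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
]

if __name__ == "__main__":
    for status, findings in drift(MONDAY, FRIDAY).items():
        for name, rule in findings:
            print(f"{status:5} {name}: {rule}")
```

The "new" bucket is the one to alert on first: a storage bucket that became publicly readable between two scans is exactly the kind of exposure the paragraph above describes.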
4. Cloud Access Security Broker (CASB)
A CASB is a hardware or software enforcement point sitting between cloud users and cloud service providers. The CASB enforces enterprise security policies and provides visibility, usage governance, compliance, and data loss prevention.
5. Cloud Application Architecture
Cloud-native applications can and should be architected in a manner that provides for security-in-depth.
How Secure is the Cloud?
When properly managed by the user, the (public) cloud is very secure, arguably more secure than a self-managed data center. The top cloud service providers – Amazon, Google Cloud, Azure – have a strong profit motive driving their need to address cloud security, in keeping with the Shared Responsibility Model. Moreover, these CSPs hire the best talent specialized in cloud security. The overwhelming majority of highly publicized cloud security failures are the responsibility of the user, not the provider, a point which Gartner continues to make in their research. Cloud users should understand their duties under the Shared Responsibility Model, and how they vary by service and CSP.
Is a Private Cloud More Secure Than a Public Cloud?
The answer is, it depends. A private cloud consists of IT infrastructure for the exclusive use of a specific organization. That organization alone is responsible for securing their private cloud, and so, depending on multiple factors like budget, expertise, tooling, and process, the security of private clouds will vary wildly. For that matter, the security of any one private cloud will vary over time, for the same aforementioned reasons.
In contrast, a public cloud is scalable, on-demand infrastructure that is shared by multiple organizations. Knowing that security is a primary concern of their customers, cloud service providers have a very strong incentive to provide the best possible security of the facility, hardware, and networking, while simultaneously making sure that their customers understand where their duties end and the customers’ begin.
What is a Hybrid Cloud?
Hybrid cloud is a combination of public and private cloud, one or more of each, where the private cloud component is typically an on-prem data center. A hybrid cloud strategy combines the best of both worlds. For a business already invested in on-prem infrastructure, the hybrid cloud model provides the opportunity to leverage their sunk on-prem investment for continued financial return while simultaneously developing or expanding their public cloud footprint to augment their IT strategy. While some may disagree on the primary disadvantage of a hybrid cloud model, increased management overhead, staffing, and tooling come to mind.
What Are the Security Risks of Cloud Computing?
We can start to get an idea of the security challenges that the cloud environment presents by looking at some recent examples of what happens when things go wrong.
Let’s suppose your data is hosted on multiple servers outside of your control. Typically, public cloud providers host multiple “tenants” on the same server. Although you can expect any reputable provider to maintain good data isolation between different tenants, suppose a vulnerability is discovered in the computing stack used by your cloud provider that allows an attacker to compromise private clouds managed by that provider, such as CVE-2020-3056.
Suppose such a bug were exploited on a remote server belonging to your cloud provider. The question for your security team in that scenario is this: What visibility do you currently have into what is happening on your workloads? What cloud security controls do you have in place that would alert you to unauthorized access or allow you to threat-hunt across your containers after such a vulnerability came to light?
Other considerations for cloud security are seen in the sustained hacking campaign dubbed Cloud Hopper. Multiple top-tier organizations including such big names as Philips and Rio Tinto lost intellectual property to Chinese-backed APT actor APT10, which penetrated at least a dozen different cloud service providers, including Hewlett-Packard and IBM. The hackers dropped “bespoke malware”, leveraged dynamic-DNS and exfiltrated large amounts of data. Deploying EPP solutions designed primarily for protecting end-user devices like laptops and desktop computers isn’t going to help here: In fact, using solutions designed for endpoints on cloud instances is said to put enterprise data and applications at even greater risk.
Cloud security issues don’t end there, either. Gartner has stated that perhaps the biggest threat to cloud security in the next few years is likely to come from “mismanagement of identities, access and privilege”, with at least half of all cloud security incidents coming from such problems by 2023. Weak access controls due to misconfiguration can be exploited by external actors or by insiders, or can lead to unintentional but nevertheless damaging data leaks.
Finally, vulnerabilities or misconfiguration in the container stack itself, such as container escapes, represent a challenging technical problem for security teams whose members may have limited experience in Docker and Kubernetes technology.
Solving the Cloud Security Problem
The kind of problems we noted in the previous section with bugs, misconfigured Docker images and attacks on MSPs—i.e., provider-side security issues—can only be managed through proper visibility and control over your containerized workloads.
Pre-runtime protections that scan both the host and the container image to ensure they are infection-free are important, but they are not enough: they will not protect the container against attacks once it is in use, nor do they give your SOC team any ability to threat hunt or do incident response.
Choosing a Workload Protection Solution
A better cloud security solution is to use something like an Application Control Engine, which does away with the need for “Allow-Lists” (aka “Whitelists”) and protects cloud-native workloads with advanced “lockdown” capabilities that guarantee the immutable state of containerized workloads, protecting your workloads against the unauthorized installation and subsequent abuse of legitimate tools like Weave Scope.
Bugs that allow Linux container escapes are best addressed by deploying behavioral detection capabilities on the workloads themselves. To that end, Workload Protection that can provide EDR and runtime protection for your cloud servers is essential.
Such a solution needs to be lightweight so that it does not impact performance, and ideally, it should offer functionality such as a secure remote shell, node firewall control, network isolation and file fetching. With a capable Workload Protection solution, you can gain both visibility and control over your containerized workloads.
Managing and Securing User Access Properly
On the client (data owner) side of the equation, apart from having trusted endpoint security on communicating devices, it is essential that user access is properly managed and locked down to achieve a secure cloud. Allowing admins or other users excess access to critical data on cloud platforms is a data breach waiting to happen. Identity and access management (IAM) will help you to define and manage the correct roles and access privileges of individual users. Role-based access control (RBAC) should be implemented with Kubernetes clusters. Having Workload Protection with EDR will help your SOC team hunt for abuses of user privileges, be they insider threats or external attacks conducted through credential theft.
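One way to look for excess access in Kubernetes RBAC, added here as an example that is not part of the original post or any vendor tool: the script walks role and binding objects (using the `rules`, `roleRef` and `subjects` fields of `rbac.authorization.k8s.io/v1`) and reports every subject bound to an over-broad role. The role names, subjects and the `_role`/`_bind` helpers are constructed for the sample.

```python
# Added example. Manifests are constructed; field names follow rbac.authorization.k8s.io/v1.
CATCH_ALL = {"system:authenticated", "system:unauthenticated"}

def risky_rules(role: dict) -> list[str]:
    """List the reasons a Role/ClusterRole grants more than least privilege."""
    reasons = []
    for rule in role.get("rules", []):
        verbs, res = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs and "*" in res:
            reasons.append("all verbs on all resources")
        elif "*" in verbs or "*" in res:
            reasons.append("wildcard verbs or resources")
        if res & {"secrets", "*"} and verbs & {"get", "list", "watch", "*"}:
            reasons.append("can read secrets")
        if verbs & {"escalate", "bind", "impersonate"}:
            reasons.append("can escalate, bind or impersonate")
    return reasons

def audit(roles: list[dict], bindings: list[dict]) -> list[tuple[str, str, str]]:
    """Return (subject, role, reason) for each subject bound to a risky role.
    Assumes role names are unique across the input (true for the sample)."""
    by_name = {r["metadata"]["name"]: risky_rules(r) for r in roles}
    findings = []
    for b in bindings:
        role = b["roleRef"]["name"]
        reasons = list(by_name.get(role, []))
        if role == "cluster-admin":  # built-in superuser role
            reasons.append("bound to cluster-admin")
        for s in b.get("subjects", []):
            extra = ["subject is a catch-all group"] if s["name"] in CATCH_ALL else []
            findings += [(s["name"], role, why) for why in reasons + extra]
    return findings

def _role(name, resources, verbs):  # hypothetical helper to keep the sample short
    return {"metadata": {"name": name},
            "rules": [{"apiGroups": ["*"], "resources": resources, "verbs": verbs}]}

def _bind(role, kind, subject):     # hypothetical helper, same purpose
    return {"roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": kind, "name": subject}]}

ROLES = [_role("ci-deployer", ["deployments"], ["get", "list", "patch"]),
         _role("ops-everything", ["*"], ["*"]),
         _role("config-reader", ["configmaps", "secrets"], ["get", "list"])]
BINDINGS = [_bind("ci-deployer", "ServiceAccount", "ci-bot"),
            _bind("ops-everything", "Group", "system:authenticated"),
            _bind("config-reader", "User", "alice"),
            _bind("cluster-admin", "User", "bob")]

if __name__ == "__main__":
    for subject, role, why in audit(ROLES, BINDINGS):
        print(f"{subject:22} {role:16} {why}")
```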
Protecting Communication Between the Cloud and the Client
With regard to protecting communication between the cloud and the client, there are at least two considerations to bear in mind. First, ensure that all data is encrypted both at rest and in transit. That way, even if a data leak occurs, the information should be unusable to the attackers. Second, in the event of a denial of service attack, it is vital that you have a business continuity plan in place. This might include redundant capacity to cope with extra network traffic (easier in public or hybrid cloud situations) or engaging a DDoS mitigation service, both of which your cloud provider may offer.
Cloud security requires a different approach from endpoint security, as you are faced with the added burden of protecting both the devices you control and those that you don’t. Servers outside of your control can be running a software stack with vulnerabilities that you cannot see or patch, and these servers may be managed by an unknown number of people who are equally outside of your control.
Of course, you can expect reputable cloud service providers to take their own security responsibilities seriously, but the core of the issue is that your threat surface is increased once you are dealing with third-party devices and staff. Moreover, the containers that you deploy can themselves contain issues.
These details should help to keep your cloud security plan comprehensive and up-to-date.