Most enterprises today use multiple public cloud services, according to Gartner. In many cases, that’s because organizations are investing in container-based and cloud-native applications hosted by a variety of different cloud service providers (CSPs). In fact, most businesses are finding that a single cloud provider simply can’t meet all of their needs.
Moving to the cloud has some significant benefits for businesses, but it can also introduce new risks outside the scope of traditional cybersecurity practices. Securing virtual machines, cloud-based containers, Kubernetes, and serverless workloads – whether in public clouds, private clouds, or some combination of the two (i.e. hybrid clouds) – means developing a deeper understanding of the security issues that come with cloud workloads.
This post explains what cloud security is and the challenges that come with it, as well as some effective tools for implementing cloud security solutions.
What is Cloud Security?
Cloud security is a component of cybersecurity specifically aimed at maintaining the confidentiality, integrity, and availability (CIA) of data, applications, and services controlled partially or entirely by one or more cloud providers. It’s an organization’s measures to protect the data and applications stored in or accessed from a cloud computing environment.
Whether organizations opt for public, private, or hybrid clouds, many aspects of cloud security are similar to traditional security – but some key differences are worth noting.
Traditional IT frameworks typically involve purchasing, installing, and maintaining IT devices on-site. Although traditional infrastructures give organizations more control over their data environment and a stronger cybersecurity stance, the cost of traditional IT systems is usually much higher and can limit the ability to scale.
Why is Cloud Security Important?
For most businesses, migrating to the cloud maximizes scalability and cost-saving opportunities and makes data management easier. Companies can access infrastructure on demand, enabling them to maintain cloud security frameworks that keep pace with emerging threats.
Organizations are often motivated to move to the cloud because cloud computing environments offer unmatched speed, agility, and efficiency. Organizations can instantly access new resources and services without waiting for hardware delivery or installing on-premises infrastructure.
But the shared nature of cloud infrastructure also introduces new risks. Because data lives on the cloud, organizations’ devices and servers must use application programming interfaces (APIs) to communicate with cloud servers. APIs act like doors, connecting one system to another, and cloud providers control the locking mechanisms that let information in or out.
That means cloud security isn’t just about securing the cloud – it’s about securing all the applications that connect your software, networks, services, and devices to the cloud.
What Makes Cloud Security Different?
Before committing to a cloud service provider, organizations must understand their obligations under the shared responsibility model.
For example, under the AWS Shared Responsibility Model, AWS is responsible for “security of the cloud,” while customers are responsible for “security in the cloud.” Here, the CSP protects the infrastructure running AWS cloud services including hardware, software, networking, and facilities; securing everything else is up to the customer.
With most shared responsibility models, customers are responsible for maintaining the confidentiality, integrity, and availability of their data stored on the cloud. In many cases, that means giving careful consideration to identity and access management (IAM), cloud workload protection (CWP), configuration (CSPM), and application coding and architecture.
Public cloud platforms like AWS enable scalability, but they also limit physical control of, and physical access to, the underlying hardware of the cloud's architecture. Because public cloud environments tend to store massive amounts of information, malicious actors often target them, and the environments themselves can be exposed to malware.
Additionally, data owners typically communicate with public cloud providers across the public internet rather than within the protected perimeter of a local intranet and firewall. With social engineering attacks on the rise, sharing sensitive information without additional security measures in place can put organizations at higher risk.
Some organizations opt for open-source cloud containers to combat public cloud security concerns. Because cloud containers create an isolated boundary at the application level, any problems will only affect that container rather than the entire server.
However, cloud containers also present unique security issues. For instance, securing Kubernetes clusters means keeping track of many moving parts and ensuring each cluster is up-to-date with the latest security patches.
Organizations may have less direct control over cloud security, but the benefits in cost, control over their own resources, and safety typically outweigh any drawbacks.
How Does Cloud Security Work?
Here are the core components of a cloud security strategy.
1. Identity & Access Management (IAM)
When it comes to IAM, most organizations and solutions adopt what is known as the principle of least privilege. That means the right users are only given access to the right resources at the right time to complete their job.
IAM solutions deliver the policies and technologies that make this objective reality by managing user identity information, defining and enforcing security policies, auditing access, and providing single sign-on capabilities. Although IAM tools help reduce identity-related access risks, they aren’t always designed with security in mind.
2. Cloud Workload Protection (CWP or CWPP)
Like user workstations (i.e., faster and more capable computers intended for individual professional users), cloud workloads are vulnerable to malware, ransomware, and zero-day attacks. CWPP solutions protect workloads from exploits as they move across different cloud environments.
Because workloads pass between multiple vendors and hosts, cloud workload security can get complex. Ultimately, responsibility for protecting cloud workloads must be shared to be effective.
Without the proper precautions, cloud workloads running on Linux or Windows may be vulnerable to malware and ransomware.
3. Configuration Security Posture Management (CSPM)
CSPM solutions are designed to automate identifying and mitigating risks across cloud infrastructures, making them easier to secure. By continuously monitoring risk in the cloud, CSPM helps organizations prevent, detect, respond to, and predict risks in accordance with their centralized governance, security, and compliance policies.
CSPM is particularly important for internet-facing resources, since threat actors increasingly automate the probing of cloud infrastructure for exploitable weaknesses. Because misconfigured cloud resources let cyber criminals quietly exfiltrate customer lists and intellectual property, configuration security failures often make headlines.
When cloud storage services containing sensitive corporate data are misconfigured, it can inadvertently expose that data to unauthorized eyes. Fortunately, the Center for Internet Security (CIS) publishes benchmarks for the secure configuration of cloud resources so organizations can compare their security posture to proven best practices at any given time.
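As an added example (not from the original post), the kind of check a CSPM tool runs against a single S3 bucket: it inspects the bucket policy for Allow statements open to anonymous principals and verifies that the bucket's Public Access Block settings are all enabled. The sample policies, account id and VPC endpoint id are constructed for the example.

```python
# The four S3 Public Access Block settings; a hardened bucket has all of them on.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)

def _as_list(value):
    """Policy fields such as Action, Resource or Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when a statement's Principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def evaluate_bucket(policy, public_access_block):
    """Return findings for one bucket, given its policy document (as a dict)
    and its Public Access Block settings (dict of the four flags).
    Any Allow statement for an anonymous principal is reported; one with a
    Condition is still reported, because only a reviewer can decide whether that
    Condition (e.g. aws:SourceVpce) truly limits exposure."""
    findings = []
    for key in PUBLIC_ACCESS_BLOCK_KEYS:
        if not public_access_block.get(key, False):
            findings.append(f"public access block: {key} is off")
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = ", ".join(_as_list(stmt.get("Action")))
        if "Condition" in stmt:
            keys = sorted(k for block in stmt["Condition"].values() for k in block)
            findings.append(f"{sid}: anonymous {actions} limited only by Condition on {keys}")
        else:
            findings.append(f"{sid}: anonymous {actions} with no Condition (public)")
    return findings

# Constructed sample data for the example (not real buckets, accounts or endpoints).
ALL_BLOCKED = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}

PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]}

VPC_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

ROLE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReaderRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportReader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]}

if __name__ == "__main__":
    for name, policy, pab in [("public-read", PUBLIC_READ_POLICY, {}),
                              ("vpc-only", VPC_ONLY_POLICY, ALL_BLOCKED),
                              ("role-only", ROLE_ONLY_POLICY, ALL_BLOCKED)]:
        print(name, evaluate_bucket(policy, pab) or ["no findings"])
```

In a real deployment the policy and Public Access Block settings would come from the bucket's API responses; the check itself is the same.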
4. Cloud Access Security Broker (CASB)
A CASB is a security solution providing additional visibility and control over cloud services.
CASBs act as security enforcement points, sitting between cloud users and providers and enforcing security policies, including data loss prevention (DLP), that support regulatory compliance.
CASBs can also provide real-time activity monitoring, so security teams can see which users are accessing which cloud services and when. They’re an important part of a cloud security strategy because they help to ensure that only authorized users have access to sensitive data, which helps prevent data leaks.
Organizations should consider a CASB if they are using cloud services to store or process sensitive data, or if they must comply with data privacy regulations such as the EU’s General Data Protection Regulation (GDPR).
5. Cloud Application Architecture
Cloud-native applications, or programs designed for cloud computing architecture, should be built to provide in-depth security. Building security into the application architecture and development process means following secure coding practices, using encryption for data in transit and at rest, and ensuring that authentication and authorization mechanisms are fully in place.
Organizations must consider the security implications of various cloud services before using them. For example, organizations with a managed database service should be familiar with the security controls to protect their data.
But building secure cloud applications may require a shift in thinking for many developers. Although security is often an afterthought in traditional application development, it must be front and center in the cloud: because data protection typically falls on the customer, it's up to organizations to ensure the cloud-native applications they use are secure.
Cloud Security Benefits
With so many security concerns, organizations may question whether cloud migration is right. The good news is that most major cloud providers invest heavily in security, including built-in features and controls that keep data safe.
Nonetheless, organizations need to understand that cloud security is a shared responsibility. Fully understanding a cloud provider’s security features and controls can help organizations fill in any gaps as they develop a cloud security strategy of their own.
Some of the major benefits of cloud services are described below.
Better Visibility Against Threats
Cloud services give organizations a clear view of activity in their network, enabling them to identify potential threats quickly. With thousands of accounts spread across multiple clouds, having the right security for cloud infrastructure is important.
Cloud providers typically provide various tools to assist users with these tasks. For example, activity monitoring helps organizations detect malicious behavior and block it before damage occurs. Many providers also offer threat intelligence services that can give users insights into the latest threats and provide guidance on protecting against them.
Improved Collaboration Across Teams
In a cloud environment, it's easier for security teams to collaborate with other departments, such as the development team. Cross-team collaboration ensures that security concerns are addressed at every stage of application development and that systems are integrated rather than operating in isolation, with data synchronized through a reliable exchange.
Cloud security technology can also help organizations meet the regulatory framework requirements that they abide by, ensuring that organizations use, store, manage, transmit, and protect sensitive data in the cloud according to applicable controls.
This includes but is not limited to data encryption and a robust endpoint protection (EPP) solution. The best endpoint protection platforms use a multi-layered defense against sophisticated threats, combining signatures, static AI, and behavioral AI. They protect, detect, and respond to threats in real-time, at machine speed.
Cloud security tools built with artificial intelligence (AI) and machine learning (ML) are effective against modern threat actors attacking the cloud. AI cloud technology augments security teams by automating the interpretation of attack signals, prioritizing alerts and incidents, and adapting responses to the scale and speed of the attack.
Private vs. Public Clouds
When adequately managed by the user, public clouds are generally more secure than self-managed data centers. The top cloud service providers like AWS, Google Cloud, and Azure are motivated to address cloud security because their profits depend on it.
Moreover, these CSPs have the resources to hire the best talent specializing in cloud security. The overwhelming majority of highly publicized cloud security failures are the responsibility of the user, not the provider, a point that Gartner continues to make in their research.
A hybrid cloud combines one or more public clouds with one or more private clouds, where the private cloud component is typically an on-prem data center. A hybrid cloud strategy combines the best of both worlds. For businesses with on-premises infrastructure, it provides opportunities to leverage existing investments for continued financial return while simultaneously developing or expanding public cloud environments to augment their IT strategy.
However, hybrid cloud models have some disadvantages, including increased management overhead, staffing, and tooling.
Cloud Security Concerns
To better understand the security challenges cloud environments introduce, it can help to look at recent examples of what happens when things go wrong.
Less Visibility and Control
Suppose a user's data is hosted on multiple servers outside their control. Typically, public cloud providers host multiple tenants on the same server. Although reputable providers tend to maintain good data isolation between tenants, a flaw in that isolation could let an attacker with access to the public cloud compromise the private clouds hosted alongside it.
If such a bug were exploited on a remote server belonging to the cloud provider, customers would want to know: What visibility do I currently have into what is happening on my workloads? What cloud security controls do I have in place that would alert me to unauthorized access or allow me to threat-hunt across my containers after such a vulnerability came to light?
The sustained hacking campaign dubbed Cloud Hopper brings additional considerations for cloud security to mind. Multiple top-tier organizations, including Philips and Rio Tinto, lost intellectual property to the Chinese-backed APT actor APT10, which penetrated at least a dozen cloud service providers, including Hewlett-Packard and IBM. The hackers dropped "bespoke malware," leveraged dynamic DNS, and exfiltrated large amounts of data.
In this case, deploying EPP solutions designed primarily for protecting end-user devices like laptops and desktop computers won’t help. Using solutions designed for endpoints on cloud instances may put enterprise data and applications at even greater risk.
Identity Security Mismanagement
Cloud security issues don’t end at endpoints, either. According to Gartner, the biggest threat to cloud security in the next few years is likely to come from “mismanagement of identities, access and privilege,” with at least half of all cloud security incidents coming from such problems by 2023.
External actors or insiders can exploit weak access controls due to misconfiguration, which can lead to unintentional but damaging data leaks.
Ideally, protection should extend beyond the initial authentication and access control to other identity aspects such as credentials, privileges, entitlements, and the systems that manage them, from visibility to exposure to attack detection. This can be done through ITDR or identity threat detection and response.
ITDR and cyber deception-based detections can enhance XDR platforms, which correlate additional attack data and activate incident response actions.
ITDR solutions add layers of defense by efficiently detecting and responding to identity-based attacks. This security method offers visibility to credential and identity misuse, privilege escalation activities, and entitlement exposures and extends from the endpoint to the Active Directory (AD) and multi-cloud environments.
Vulnerabilities or misconfiguration in the container stack, such as container escapes, represent a challenging technical problem for security teams whose members may have limited experience in Docker and Kubernetes technology.
Modern attack methods in containerized environments are gaining traction and becoming increasingly sophisticated. Given the rewards, threat actors will expend more effort to stay under the radar and defeat “best practices.”
Cloud Security Best Practices
The kinds of problems noted in the previous section, such as bugs, misconfigured Docker images and attacks on MSPs—i.e., provider-side security issues—can be managed through proper visibility and control over containerized workloads.
Pre-runtime protections that scan both the host and the container image to ensure they are free of infection are essential, but they are not enough on their own. They can't protect the container against attacks once it is running, and they don't give SOC teams the ability to threat hunt or perform incident response.
Choosing a Workload Protection Solution
For a better cloud security solution, consider an Application Control Engine, which removes the need for “Allow-Lists” (aka “Whitelists”) and protects cloud-native workloads with advanced “lockdown” capabilities. This guarantees the immutable state of containerized workloads, protecting them against unauthorized installation and subsequent abuse of legitimate tools like Weave Scope.
Bugs that allow Linux container escapes are best addressed by deploying behavioral detection capabilities on the workloads themselves. To that end, Workload Protection that can provide EDR and runtime protection for cloud servers is essential.
Such a solution needs to be lightweight so that it does not impact performance, and ideally, it should offer functionality such as a secure remote shell, node firewall control, network isolation, and file fetching. With a capable Workload Protection solution, users can gain visibility and control over containerized workloads.
Managing and Securing User Access Properly
On the client (data owner) side of the equation, beyond having trusted endpoint security on communicating devices, user access must be appropriately managed and locked down to achieve a secure cloud. Allowing admins or other users excess access to critical data on cloud platforms can lead to data breaches. Identity and access management (IAM) helps define and manage the correct roles and access privileges for individual users.
Role-based access control (RBAC) should be implemented with Kubernetes clusters. Having Workload Protection with EDR will help SOC teams hunt for abuses of user privileges, whether insider threats or external attacks conducted through credential theft.
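As an added example (not from the original post) of the Kubernetes RBAC review this paragraph calls for: a Python audit that flags Role/ClusterRole rules with wildcard or sensitive grants, and bindings that hand out cluster-admin or bind the groups covering every (or every anonymous) caller. The watch-list of sensitive resources and the sample manifests are constructed assumptions for the example, not a Kubernetes standard.

```python
# Resource/verb pairs an ordinary workload rarely needs; an assumed watch-list
# for this example, not an official Kubernetes classification.
SENSITIVE = {
    ("", "secrets"): {"get", "list", "watch"},
    ("", "pods/exec"): {"create"},
    ("rbac.authorization.k8s.io", "clusterrolebindings"): {"create", "update", "patch"},
}
ANYONE_GROUPS = {"system:authenticated", "system:unauthenticated"}

def _field(obj, key):
    """RBAC manifest fields may be omitted or null; treat a missing field as empty."""
    return obj.get(key) or []

def audit_role(role):
    """Return findings for one Role or ClusterRole manifest (parsed into a dict)."""
    label = f"{role['kind']}/{role['metadata']['name']}"
    findings = []
    for rule in _field(role, "rules"):
        resources = _field(rule, "resources")
        verbs = set(_field(rule, "verbs"))
        if "*" in resources or "*" in verbs:
            findings.append(f"{label}: wildcard grant {sorted(verbs)} on {resources}")
            continue
        for group in _field(rule, "apiGroups"):
            for res in resources:
                risky = verbs & SENSITIVE.get((group, res), set())
                if risky:
                    findings.append(f"{label}: {sorted(risky)} on {res}")
    return findings

def audit_binding(binding):
    """Return findings for a RoleBinding/ClusterRoleBinding: cluster-admin handed
    out, or any role granted to the groups that match every caller."""
    label = f"{binding['kind']}/{binding['metadata']['name']}"
    role = binding["roleRef"]["name"]
    findings = []
    for subj in _field(binding, "subjects"):
        ns = subj.get("namespace")
        who = f"{subj['kind']} {ns + '/' if ns else ''}{subj['name']}"
        if subj["kind"] == "Group" and subj["name"] in ANYONE_GROUPS:
            findings.append(f"{label}: role {role} bound to {who}")
        elif role == "cluster-admin":
            findings.append(f"{label}: cluster-admin bound to {who}")
    return findings

# Constructed sample manifests (not from any real cluster).
CI_RUNNER_ROLE = {"kind": "Role", "metadata": {"name": "ci-runner", "namespace": "build"},
                  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
SECRET_READER = {"kind": "ClusterRole", "metadata": {"name": "config-reader"},
                 "rules": [{"apiGroups": [""], "resources": ["configmaps", "secrets"],
                            "verbs": ["get", "list"]}]}
LEAST_PRIV_ROLE = {"kind": "Role", "metadata": {"name": "report-reader", "namespace": "reports"},
                   "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]}
DEFAULT_SA_ADMIN = {"kind": "ClusterRoleBinding", "metadata": {"name": "default-admin"},
                    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}

if __name__ == "__main__":
    for obj in [CI_RUNNER_ROLE, SECRET_READER, LEAST_PRIV_ROLE]:
        print(audit_role(obj) or [f"{obj['metadata']['name']}: ok"])
    print(audit_binding(DEFAULT_SA_ADMIN))
```

The same functions can be run over the JSON output of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` by feeding each item in turn.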
Protecting Communication Between the Cloud and the Client
When protecting communication between the cloud and the client, there are at least two considerations to bear in mind. First, ensure that all data is encrypted at rest and in transit. Even if a data leak occurs, the information should be unusable to attackers.
Second, in the event of a denial of service attack, a business continuity plan must be in place. This might include the redundant capacity to cope with extra network traffic (easier in public or hybrid cloud situations) or engaging a DDoS mitigation service, both of which cloud providers may offer.
Types of Cloud Security Tools
Cloud users can utilize a myriad of cloud security tools. They all have the potential to impede cyberattackers and strengthen cloud security, but these are the fundamental types of cloud security tools:
Cloud Infrastructure Security Tools
Comprehensive cloud security begins with infrastructure and architecture. This includes physical hardware, like workstations, servers, and storage devices, along with the various switches, wires, and routers required to maintain an active network connection, and the software for connecting to access points.
The tools needed to secure this type of hardware include:
- Cloud web security scanners
- Cloud vulnerability detection
- Cloud penetration testing
- Cloud antivirus and firewalls
Cloud Regulatory Compliance Tools
Regulatory compliance is an integral part of any cloud security strategy. Depending on the type of data being stored or processed in the cloud, there may be several compliance regulations that organizations must meet.
Some common regulatory compliance requirements for cloud storage include:
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Payment Card Industry Data Security Standard (PCI DSS)
- The Sarbanes-Oxley Act (SOX)
- The General Data Protection Regulation (GDPR)
The Best Cloud Security Tools
SentinelOne’s Singularity Cloud helps organizations secure endpoints across all public, private, and hybrid cloud environments. Undoubtedly, organizations need to have the proper security for their cloud architecture because there are thousands of accounts dispersed across numerous cloud systems.
Singularity Cloud extends distributed, autonomous endpoint protection, detection, and response to computing workloads running in public and private clouds and on-prem data centers.
SentinelOne’s Singularity Cloud:
- Blocks and quarantines malware across cloud instances, containers, and Kubernetes clusters.
- Stops threats such as crypto miners and ransomware.
- Preserves immutability of containerized workloads.
- Innovates quickly without sacrificing security.
- And more.
Choose the Right Cloud Security Provider
Cloud security requires a different approach from endpoint security, especially given the shared burden of protecting both the devices organizations control – and those they don't. Servers outside of a user's control can be running a software stack with vulnerabilities that they cannot see or patch, and these servers may be managed by an unknown number of people who are equally outside of their control.
Organizations can expect reputable cloud service providers to take their security responsibilities seriously, but the core issue is that the threat surface inevitably increases when dealing with third-party devices and staff. Moreover, the containers themselves can introduce risks of their own.
These details should help organizations keep cloud security plans comprehensive and up-to-date. Ready to see how SentinelOne can improve your cloud security strategy? Book a demo here. Whether it's container security, threat hunting, EDR capability, or more, SentinelOne is here to help with enterprise security.