Today, like many organizations, you may be considering shifting IT resources to public cloud services, such as those from Amazon, Microsoft, Google, and other vendors. The prospect of greater capital efficiency, business agility, and enterprise scalability makes this move compelling.
Additionally, moving applications and data to the public cloud presents a number of security advantages. For example, long-standing information-security problems that you may struggle with in legacy environments — including visibility, identity/access management, and policy enforcement — are better handled by the service-oriented architecture (SOA) of public-cloud environments and their cloud-native tools. What’s more, a virtual private cloud’s (VPC’s) built-in foundation of visibility, identity, and policy enforcement offers an ideal solution for threat detection and resolution.
Although these benefits are real in a properly deployed public-cloud environment, migrating to the cloud also brings information-security challenges that necessitate a cautious and mindful approach.
Just as in legacy environments, early threat detection is the most effective means of protecting your information assets. That doesn’t change with the public cloud; but the physical and virtual space across which you’re now trying to detect (and mitigate) threats has greatly expanded. This is why many organizations are deploying endpoint modeling solutions to augment their existing security stack, and strengthen the security that the public cloud itself provides to their cloud-resident IT resources.
The Endpoint Modeling Advantage
Endpoint modeling automatically discovers each device that is on your network, including those in your cloud environment. It creates a software-based model of that device’s usual behavior; continuously monitors device behavior over time, looking for any deviations from the model; and when an exception or different behavior occurs, it generates a real-time, actionable alert sent to your security analysts, so your organization can respond.
As a result, endpoint modeling represents a nimble, scalable, and cost-effective means to enhance your security in the cloud. To give you a better idea of the benefits, we’ll use Amazon Web Services (AWS) as an example of how a public-cloud environment can be secured more effectively. We will also take a closer look at how AWS tools provide more visibility into the configuration state of all AWS resources, critical to improving security in the cloud.
The Gap Between “How it‘s Configured” and “How it Behaves”
Knowing the configuration state of all of your AWS resources is important. Why? Because if you know the configured state of all services, devices, users, and policy objects, then you can understand if those states are consistent with best practices and your expectations, or bump up against known network problems and security vulnerabilities.
For example, Amazon provides AWS-native tools, including AWS Config and Amazon Inspector, which make it easy to understand the state of your configuration, and verify that it is consistent with your company’s best practices. However, not all problems are known in advance: there are behaviors that can’t be detected through configuration management, including unknown software vulnerabilities, stolen credentials, user misbehavior, and unintended consequences of policy choices. These unknowns can lead to severe security problems.
It’s just as crucial to know what your cloud-resident resources are doing, because there’s a big difference between “what a resource is permitted to do” and “what behaviors a resource has been exhibiting.” Most security problems can be traced to an asset’s behavior that was permitted through its configuration, but proved to be damaging.
Visibility is a Key Aspect of Endpoint Modeling
Endpoint modeling adds the right level of visibility to the AWS environment, making it possible to gain insight into specific behaviors demonstrated by each AWS resource. It can automatically detect several important classes of security problems, such as:
- Did someone discover a backdoor in a software package we use?
- Does any third-party software or appliance in our footprint dial home?
- Is an authorized user abusing privileges?
- Has a configuration mistake been made, enabling remote access or another unintended resource use?
In short, endpoint modeling is a unique form of security automation — one that can detect when there is a previously unknown problem with your people, processes, or technology.
Public cloud environments enable better security than is possible in legacy computing environments, in part because they address long-standing issues such as visibility, identity management, and policy enforcement from the outset. But they also increase the challenge of maintaining security for IT resources by expanding the roster of “unknowns” that can pose threats. When endpoint modeling solutions are applied to cloud environments, both known and unknown problems can be found quickly, and security outcomes improve.