It is no secret: security and compliance top the list of concerns tied to cloud adoption. According to a recent 2016 survey completed by more than 300,000 members of the LinkedIn Information Security Community, IT pros have general concerns about security (53 percent, up from 45 percent in last year’s survey), legal and regulatory compliance (42 percent, up from 29 percent), and data loss and leakage risks (40 percent) in the cloud. The number of reported breaches in enterprise datacenter environments still far exceeds the reported exposure from cloud platforms, but as businesses start using public clouds to run their mission-critical workloads, the need for enterprise-grade security in the cloud will increase.
Infrastructure-as-a-service (IaaS) security is built on a model of shared responsibility between the cloud service provider, such as Amazon Web Services (AWS), and the customer. End-to-end security relies on enterprise customers establishing and enforcing strict policies and processes. Many organizations fail to secure their vital infrastructure end-to-end because they do not realize that security in the public cloud is fundamentally different from enterprise datacenter security.
Today’s enterprise datacenter has several layers of security measures. Connection policies and access controls are handled with care by firewalls, routers, and switches that designate zones to control which protocols are allowed, and revoke access to unauthorized users and machine processes. Supplementary security, such as intrusion prevention systems and malware protection, is often in place as well. The cloud is very different from the datacenter. The cloud is highly dynamic, flexible, and instantaneously configurable; simple changes to security policies can expose private resources to the world. There are a lot of moving parts – which means there can be oversights and errors. Configuration management, patch management, connection policies, and access control require attention to detail.
Public cloud environments require a centralized, consolidated platform for security that is built from the ground up for the cloud and allows administrators to monitor and actively enforce security policies. The tools and techniques that worked to secure datacenter environments fail miserably in the cloud. Server-based controls such as firewall policies, file integrity monitoring, logging, and strong access controls may have to be applied to each workload, but they should be controlled from a single dashboard.
Following is a checklist of the top five capabilities enterprise customers need to look for when selecting a platform to manage infrastructure security in the public cloud.
1. Powerful Visualization—You Cannot Fix What You Cannot See
Public cloud providers such as AWS have built rich security features and granular controls, allowing administrators to manage which workloads can talk to each other and which are exposed to the whole world. As cloud environments grow across multiple virtual private clouds (VPCs), accounts, and regions, it becomes increasingly challenging to understand and correctly configure security policies. Mapping relationships with a visualization tool can help administrators understand the network security posture and identify configuration errors. Taking the time to complete this process is even more critical in dynamic environments, where cloud elasticity means new workloads are being spun up on demand.
2. Network Segmentation Using Cloud-Native Security Controls
Once a workload is created – OS, apps, and connections are determined – network security policies such as AWS security groups need to be put in place to segment traffic and control access to servers. Developers and operations teams usually just accept the default security policies, which are overly permissive, allowing any connection from anywhere, to any port on the new virtual server. It’s easy to restrict access to one IP or several, but many admins cannot predict beforehand which IP addresses they will be logging in from – which means they fail to restrict critical access. Unfettered access to workloads in a cloud environment can be prevented by microsegmenting the network using built-in security group policies in cloud environments so that breaches in one part of the application cannot spill over into other instances or services.
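The audit described above can be scripted. The following is an added example, not code from the original article or from any vendor it alludes to: it walks security group ingress rules in the shape that boto3's ec2.describe_security_groups() returns, flags every rule that admits the whole world (0.0.0.0/0 or ::/0), marks the ones covering administrative or database ports as the first to fix, and builds the narrowed replacement rule. The sample groups, their ids and the list of sensitive ports are constructed assumptions so the script runs offline.

```python
"""Audit security group ingress rules for world-open access.

Added example; not from the original article or any vendor's product. It works
on data in the shape boto3's ec2.describe_security_groups() returns, but the
sample below is constructed inline (placeholder group ids) so it runs offline.
"""
import ipaddress

# Ports where ingress from anywhere is almost never intended (assumed policy).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-default",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         # The "SSH from anywhere" default the article warns about.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0d4e5f6a", "GroupName": "db-default",
     "IpPermissions": [
         # IpProtocol "-1" means every protocol on every port.
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0b7c8d9e", "GroupName": "bastion",
     "IpPermissions": [
         # Properly scoped: SSH only from one office range.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]


def _cidrs(perm):
    """Yield every IPv4 and IPv6 CIDR a permission entry allows traffic from."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _port_range(perm):
    """Return (from, to); protocol -1 or missing ports mean the whole range."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix of length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_world_open_rules(groups, sensitive_ports=SENSITIVE_PORTS):
    """Return one finding per world-open CIDR in any ingress rule.

    Each finding is (group_id, protocol, from_port, to_port, cidr, sensitive);
    'sensitive' is True when the open range covers at least one port in
    sensitive_ports, which is the case to fix first.
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            lo, hi = _port_range(perm)
            covers_sensitive = any(lo <= p <= hi for p in sensitive_ports)
            for cidr in _cidrs(perm):
                if is_world_open(cidr):
                    findings.append((group["GroupId"], perm.get("IpProtocol"),
                                     lo, hi, cidr, covers_sensitive))
    return findings


def scoped_replacement(finding, allowed_cidrs):
    """Build the IpPermissions entry that keeps the ports of a world-open rule but
    admits only allowed_cidrs (the shape authorize_security_group_ingress takes).
    Refuses a replacement that is itself world-open."""
    _group_id, protocol, lo, hi, _cidr, _sensitive = finding
    if any(is_world_open(c) for c in allowed_cidrs):
        raise ValueError("replacement must not be world-open")
    rule = {"IpProtocol": protocol,
            "IpRanges": [{"CidrIp": c} for c in allowed_cidrs if ":" not in c],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in allowed_cidrs if ":" in c]}
    if protocol != "-1":          # ports are meaningless for "all traffic"
        rule.update(FromPort=lo, ToPort=hi)
    return rule


if __name__ == "__main__":
    # Sensitive findings first, then the rest for review.
    for f in sorted(find_world_open_rules(SAMPLE_GROUPS), key=lambda x: not x[5]):
        print(("FIX FIRST " if f[5] else "review    ") + str(f))
```

Against the constructed sample the script reports four world-open CIDRs, three of which cover sensitive ports (SSH on the web group and the all-traffic rule on the database group over IPv4 and IPv6), while the bastion group that restricts SSH to one office range produces no finding. Replacing the live data source with a real describe_security_groups() call is the only change needed to run it against an account, and an HTTPS rule left open to the world still shows up for review rather than being silently accepted.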
3. In-Place Remediation and Active Enforcement—Go Beyond Monitoring
Customers cite elasticity and flexibility as the primary reasons for moving infrastructure to the cloud. However, tracking and maintaining control of security policies is where elasticity and flexibility can lead to issues. Virtual machines are on the move – changing from one domain to another – and policies may not follow. This can lead to inadvertent exposure of backend servers to everyone. Security operations is responsible for monitoring such changes to ensure that elasticity does not create misconfigurations or open back doors to sensitive data. As mentioned before, a visualization tool that makes such mistakes immediately apparent, combined with the ability to fix discovered issues immediately and prevent them from recurring, is the weapon of choice against moving assets.
4. Time-Limited Access to Services with On-Demand Networking
If you remember years back, the city of San Francisco gave all the keys to their router kingdom to one network administrator, who ended up going rogue and would not give them up even after being put in jail. Maintaining control over the keys to your network and infrastructure is the single most critical requirement for protecting cloud deployments.
A security platform that allows a resource owner to assign access rights on an as-needed basis, on-the-fly, for a limited amount of time can help prevent such incidents. A contractor or employee can be granted access for a particular window of time. After the time allotted expires there is no need to manually revoke access – it’s automatic. This allows organizations to maintain a closed-by-default security posture by keeping the good guys in for just the right amount of time.
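The grant-for-a-window, revoke-automatically behaviour described above can be modelled directly. The following is an added example, not code from the original article or from any product it alludes to: an in-memory store of time-boxed grants that is closed by default, answers access checks only while an unexpired grant exists, drops expired grants on reconciliation without anyone revoking them by hand, records every grant and automatic revocation for the audit trail, and renders the set of source CIDRs a resource's ingress rule should contain right now. The resource naming scheme, the placeholder group id, the 8-hour cap and the clock values are all assumptions, and the clock is passed in explicitly so the walk-through is deterministic.

```python
"""Time-boxed access grants that expire on their own.

Added example, not from the original article or any product it alludes to. The
resource names, the placeholder group id and the 8-hour cap are assumptions; the
clock is passed in explicitly so every result is deterministic and testable.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=8)   # assumed policy ceiling on any single grant


@dataclass(frozen=True)
class Grant:
    principal: str        # who was granted access
    resource: str         # what, e.g. "sg-0a1b2c3d/tcp/22" (placeholder id)
    source_cidr: str      # where they may connect from
    granted_at: datetime
    expires_at: datetime


class TimeBoxedAccess:
    """Closed by default: a request is allowed only while an unexpired grant exists."""

    def __init__(self):
        self._grants = []
        self.audit = []   # every grant and automatic revocation, for the trail

    def grant(self, principal, resource, source_cidr, ttl, now):
        if not timedelta(0) < ttl <= MAX_TTL:
            raise ValueError(f"ttl must be positive and at most {MAX_TTL}")
        g = Grant(principal, resource, source_cidr, now, now + ttl)
        self._grants.append(g)
        self.audit.append(("grant", now, g))
        return g

    def is_allowed(self, principal, resource, now):
        return any(g.principal == principal and g.resource == resource
                   and now < g.expires_at for g in self._grants)

    def reconcile(self, now):
        """Remove expired grants and return them. Run on a schedule (or on every
        evaluation); nothing has to be revoked by hand."""
        expired = [g for g in self._grants if now >= g.expires_at]
        self._grants = [g for g in self._grants if now < g.expires_at]
        for g in expired:
            self.audit.append(("auto-revoke", now, g))
        return expired

    def desired_ingress(self, resource, now):
        """The source CIDRs a resource's ingress rule should contain right now:
        one per live grant, so the security group can be reconciled to exactly
        this list (and to an empty list once every grant has expired)."""
        self.reconcile(now)
        return sorted({g.source_cidr for g in self._grants if g.resource == resource})


def demo():
    """Walk one contractor grant through its lifetime; returns the observations."""
    t0 = datetime(2016, 6, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
    res = "sg-0a1b2c3d/tcp/22"                             # placeholder resource
    acl = TimeBoxedAccess()
    before = acl.is_allowed("contractor", res, t0)
    acl.grant("contractor", res, "203.0.113.7/32", timedelta(hours=2), t0)
    during = acl.is_allowed("contractor", res, t0 + timedelta(hours=1))
    rules_during = acl.desired_ingress(res, t0 + timedelta(hours=1))
    after = acl.is_allowed("contractor", res, t0 + timedelta(hours=2))
    rules_after = acl.desired_ingress(res, t0 + timedelta(hours=2))
    try:   # a grant longer than policy allows is refused outright
        acl.grant("contractor", res, "203.0.113.7/32", MAX_TTL * 2, t0)
        overlong_rejected = False
    except ValueError:
        overlong_rejected = True
    return {"before": before, "during": during, "rules_during": rules_during,
            "after": after, "rules_after": rules_after,
            "overlong_rejected": overlong_rejected,
            "audit_events": [e[0] for e in acl.audit]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is that desired_ingress() is the only thing an enforcement loop needs: apply its output to the security group on every tick and the rule set shrinks back to empty on its own when the window closes, which is what keeps the posture closed by default.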
Finally, implementing security training for your staff is a must in the opinion of many experts. In fact, according to a recent survey, 61 percent of organizations plan to train and certify existing IT staff on cloud security, 45 percent partner with a managed security services provider, and 42 percent deploy additional security software to protect data and applications in the cloud.
5. Logging and Independent Audit Trail—Watch Everything
In the worst-case scenario, every workload has dynamic administrator rights management, firewall policies, and file integrity management in place, but things might still go wrong. A malicious visitor to the website may cause a denial of service by repeatedly refreshing a page that requires compute-intensive backend processes. How do you find the problem?
Monitoring and logging every packet that passes across the cloud environment makes it possible to detect anomalous behavior and demonstrate that the security controls are in place as designed. That evidence can be indispensable during an audit, when it is necessary to prove that controls are actually working.
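The two paragraphs above describe the need to log traffic and then find the one source behind a repeated-refresh denial of service. The following is an added example, not code from the original article: it parses records in the default (version 2) AWS VPC Flow Log format, then runs two simple detections over one logging window, a source whose accepted packets to a single destination port exceed a threshold (the repeated-refresh pattern) and a source whose connections were rejected on several different ports of one host (something testing what is open, which the segmentation rules are already blocking). The log lines, addresses, interface ids and thresholds are constructed assumptions so the script runs offline.

```python
"""Detect noisy sources and probing in VPC Flow Log records.

Added example, not from the original article. Parses the default (version 2)
AWS VPC Flow Log field order; the sample lines, addresses, interface ids and
thresholds are constructed.
"""
from collections import defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed one-minute window: one source hammering the web tier, one source
# knocking on closed ports of a backend host, and a NODATA record to skip.
SAMPLE_LOG = """\
2 123456789012 eni-0aabbcc 203.0.113.5 10.0.1.20 51000 443 6 14 9800 1464768000 1464768060 ACCEPT OK
2 123456789012 eni-0aabbcc 198.51.100.9 10.0.1.20 40001 443 6 900 640000 1464768000 1464768060 ACCEPT OK
2 123456789012 eni-0aabbcc 198.51.100.9 10.0.1.20 40002 443 6 880 610000 1464768000 1464768060 ACCEPT OK
2 123456789012 eni-0aabbcc 198.51.100.9 10.0.1.20 40003 443 6 910 650000 1464768000 1464768060 ACCEPT OK
2 123456789012 eni-0aabbcc 203.0.113.8 10.0.1.20 51234 443 6 20 14000 1464768000 1464768060 ACCEPT OK
2 123456789012 eni-0ddeeff 198.51.100.77 10.0.1.30 55001 22 6 1 60 1464768000 1464768060 REJECT OK
2 123456789012 eni-0ddeeff 198.51.100.77 10.0.1.30 55002 3389 6 1 60 1464768000 1464768060 REJECT OK
2 123456789012 eni-0ddeeff 198.51.100.77 10.0.1.30 55003 3306 6 1 60 1464768000 1464768060 REJECT OK
2 123456789012 eni-0ddeeff 203.0.113.9 10.0.1.30 55004 22 6 1 60 1464768000 1464768060 REJECT OK
2 123456789012 eni-0ddeeff - - - - - - - 1464768000 1464768060 - NODATA
"""


def parse_flow_line(line):
    """Parse one record; returns None for NODATA/SKIPDATA records, whose
    traffic fields are all '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def parse_flow_log(text):
    """Parse a whole window of records, dropping blank lines and NODATA rows."""
    records = (parse_flow_line(l) for l in text.splitlines() if l.strip())
    return [r for r in records if r is not None]


def detect(records, packet_threshold=1000, reject_threshold=3):
    """Two detections over one window (thresholds are assumptions to tune).

    noisy_sources:   (src, dst, dstport) whose ACCEPTed packets exceed
                     packet_threshold, the repeated-refresh pattern.
    probing_sources: (src, dst, [ports]) with REJECTed flows to at least
                     reject_threshold distinct ports on one host.
    """
    accepted = defaultdict(int)
    rejected_ports = defaultdict(set)
    for r in records:
        if r["action"] == "ACCEPT":
            accepted[(r["srcaddr"], r["dstaddr"], r["dstport"])] += r["packets"]
        elif r["action"] == "REJECT":
            rejected_ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    noisy = sorted(k for k, n in accepted.items() if n > packet_threshold)
    probing = sorted((src, dst, sorted(ports))
                     for (src, dst), ports in rejected_ports.items()
                     if len(ports) >= reject_threshold)
    return {"noisy_sources": noisy, "probing_sources": probing}


if __name__ == "__main__":
    for kind, hits in detect(parse_flow_log(SAMPLE_LOG)).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

On the constructed window the noisy detection singles out 198.51.100.9 against 10.0.1.20:443 (2,690 accepted packets in one minute), and the probing detection singles out 198.51.100.77 against 10.0.1.30 on ports 22, 3306 and 3389; the legitimate visitors and the single rejected SSH attempt from 203.0.113.9 stay below both thresholds. The same REJECT records are also the audit evidence the paragraph above asks for: they show the segmentation rules doing their job.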
It’s essential for IT security pros to have visibility into network architectures and on-system controls to provide better defense against the growing number of malicious attacks and inadvertent credential leaks. Deploying cloud controls everywhere and employing a central management dashboard make for an iron-clad system. These five capabilities will help deploy secure compute environments that will drive cloud adoption.