Security in the public cloud explained: A guide for IT and security admins
In this guide, IT security and industry experts share their top recommendations for protecting public cloud deployments
Who is responsible for security in the public cloud? This is a question businesses need to consider as they increasingly deploy more workloads and use cloud-based IT infrastructure, platform services and applications.
In Gartner’s How to make integrated IaaS and PaaS more secure than your own data center report, analysts discuss the benefits of adopting a cloud-native approach to IT security.
Gartner defines a cloud-native mindset as a way to consider IT infrastructure and applications in the cloud as modular and microservices-based. The report authors state that such an architecture is typically container-based, orchestrated and incorporates heavy use of application programming interfaces (APIs). In addition, Gartner says such IT infrastructure is updated using an immutable infrastructure approach.
However, the analysts warn that such an approach does not work well for on-premise IT. “The on-premise architectural patterns and their associated tools are poorly suited for the public cloud and will likely frustrate the needs of developers and business units adopting public cloud for its dynamic and ephemeral nature,” they note in the report.
Gartner urges IT security leaders responsible for cloud security to be open to embracing new approaches, patterns, products and best practices, and consider alternative IT security technology providers when adopting public cloud.
Why focus on cloud security?
While largely beneficial, the public cloud also exposes organisations to new security risks, particularly when users are allowed to reach on-demand services from many locations and on many devices. Beji Jacob, who is on the ISACA emerging trends working group, describes cloud security as the technology and techniques engineered to prevent and mitigate threats to an organisation’s cyber security.
“Companies must implement cloud computing security to support both digital transformations and the use of cloud-based tools to protect assets,” he says, adding that cloud security works by combining several technologies, all designed to tighten cyber defences for off-premise data and applications.
The role of threat intelligence in public cloud security
Rob Dartnall, CEO of SecAlliance, regularly conducts threat-led penetration tests (TLPT) that form part of regulatory frameworks, such as the Bank of England’s CBEST targeted assessment and GBEST, the UK government’s intelligence-led simulated attack framework.
“A key component of the threat intelligence element of these tests is called ‘targeting intelligence’,” he says. “Essentially, it is hostile reconnaissance of an entity that includes many things, but importantly, the reconnaissance of the perimeter and cloud services of an entity to look for weaknesses that could be used to gain a foothold.”
In Dartnall’s experience, although technical exploitation of a perimeter service by the red teamer is rare against mature entities such as banks, the discovery of shadow services, IP address ranges and domains that the entity was not aware of is certainly not rare.
He says there is a direct correlation between whether an entity suffers a breach and whether it has deployed external attack surface management (EASM). This is an approach to perimeter security in which an internal team or an external security service provider continuously examines the perimeter and beyond: not only what is running, along with versions, services and ports, security controls and misconfigurations, but also new shadow services, typically set up without authorisation by developers, engineers or architects. These shadow IT services, he says, consistently lead to security incidents and data breaches.
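The reconciliation step at the heart of an EASM programme, as an added example that is not part of the article and is not SecAlliance’s tooling: each externally observed service is checked against the asset register and address plan, so that a host nobody registered, a listener nobody approved or a version the organisation has agreed to retire surfaces as a finding. The hostnames, addresses, banners and the retired-version list are constructed for the example.

```python
"""Added example (not from the article): reconcile an external attack surface
scan against the organisation's asset register, the check an EASM programme
runs continuously. All hosts, addresses and banners below are constructed."""
from dataclasses import dataclass
import ipaddress

# Constructed asset register: what the organisation believes it exposes.
APPROVED_HOSTS = {"www.example.com", "api.example.com", "mail.example.com"}
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_SERVICES = {
    ("www.example.com", 443),
    ("api.example.com", 443),
    ("mail.example.com", 25),
}
# Software versions the organisation has decided to retire (hypothetical list).
RETIRED_BANNERS = {"OpenSSH_7.4"}


@dataclass(frozen=True)
class Observation:
    """One service seen from the outside: hostname, address, port, banner."""
    host: str
    ip: str
    port: int
    banner: str


# Constructed scanner output. The last two entries are the kind of thing
# Dartnall describes: a service nobody registered, and an unexpected port.
SCAN_RESULTS = [
    Observation("www.example.com", "203.0.113.10", 443, "nginx/1.24"),
    Observation("api.example.com", "203.0.113.11", 443, "envoy"),
    Observation("mail.example.com", "203.0.113.12", 25, "Postfix"),
    Observation("staging-db.example.com", "198.51.100.7", 5432, "PostgreSQL 14"),
    Observation("www.example.com", "203.0.113.10", 22, "OpenSSH_7.4"),
]


def reconcile(observations, approved_hosts=APPROVED_HOSTS,
              approved_networks=APPROVED_NETWORKS,
              approved_services=APPROVED_SERVICES,
              retired_banners=RETIRED_BANNERS):
    """Classify each observation; returns a list of (finding, host, port, detail)."""
    findings = []
    for obs in observations:
        addr = ipaddress.ip_address(obs.ip)
        in_known_range = any(addr in net for net in approved_networks)
        if obs.host not in approved_hosts or not in_known_range:
            # Neither the register nor the address plan knows this: a shadow service.
            findings.append(("shadow-service", obs.host, obs.port,
                             f"{obs.ip} not in register"))
        elif (obs.host, obs.port) not in approved_services:
            # Known host, but a listener nobody approved.
            findings.append(("unexpected-port", obs.host, obs.port, obs.banner))
        if obs.banner in retired_banners:
            findings.append(("retired-software", obs.host, obs.port, obs.banner))
    return findings


def summarise(findings):
    """Count findings by type, the number an EASM dashboard would trend over time."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in reconcile(SCAN_RESULTS):
        print(*finding)
    print(summarise(reconcile(SCAN_RESULTS)))
```

The point of the example is the data flow rather than the scanner: whatever discovers the services (certificate transparency logs, passive DNS, port scans), the finding only becomes actionable when it is compared with what the organisation thinks it owns, and the shadow-service case is exactly the one that never appears in internal vulnerability scans because nobody knew to scan it.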
How AI can help support public cloud security
There is a role for artificial intelligence (AI) and machine learning (ML), which can operate at large scale, learn from an organisation’s data and adapt to its data protection needs. By increasing automation, decision-making can be sped up, and data bound for, or already deployed in, the cloud “can be assessed and appropriately protected more rapidly”, according to Scott Swalling, a data and cloud security expert at PA Consulting.
Swalling says cloud tools such as Google BigQuery and Amazon Macie use AI and ML to provide capabilities that help organisations better manage their data in public clouds and mitigate the exposure of sensitive data.
AWS Config, Azure Policy and Google Cloud’s Security Command Center also help automate the monitoring and enforcement of security policies. Continuous monitoring of this kind detects and alerts on misconfigurations, suspicious access requests and other security events in real time.
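What “automating the enforcement of security policies” looks like in code, as an added example that is not from the article and not AWS’s own code: the evaluation logic of an AWS Config custom rule, run here against constructed configuration items rather than a live account. The item layout is a simplified version of what Config passes to a rule, so the field names (`supplementaryConfiguration`, `PublicAccessBlockConfiguration`, `ipPermissions` and so on) should be treated as assumptions and checked against real items before use; the resource names are made up.

```python
"""Added example (not from the article, not AWS code): the evaluation logic of
an AWS Config custom rule, run against constructed configuration items.
Field names inside the items are assumptions based on a simplified item layout."""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

PUBLIC_ACCESS_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
                       "blockPublicPolicy", "restrictPublicBuckets")
ADMIN_PORTS = {22, 3389}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def evaluate_bucket(item):
    """S3 rule: all four public-access-block flags on, and default encryption set."""
    supp = item.get("supplementaryConfiguration", {})
    pab = supp.get("PublicAccessBlockConfiguration", {})
    missing = [flag for flag in PUBLIC_ACCESS_FLAGS if not pab.get(flag)]
    if missing:
        return NON_COMPLIANT, "public access block not fully enabled: " + ", ".join(missing)
    if not supp.get("ServerSideEncryptionConfiguration"):
        return NON_COMPLIANT, "no default server-side encryption"
    return COMPLIANT, "ok"


def evaluate_security_group(item):
    """EC2 rule: no ingress from the whole internet to SSH or RDP."""
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None:          # no port range means all traffic (assumed encoding)
            lo, hi = 0, 65535
        cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        if any(c in (ANY_IPV4, ANY_IPV6) for c in cidrs):
            exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            if exposed:
                return NON_COMPLIANT, f"admin ports {exposed} open to the internet"
    return COMPLIANT, "ok"


EVALUATORS = {
    "AWS::S3::Bucket": evaluate_bucket,
    "AWS::EC2::SecurityGroup": evaluate_security_group,
}


def evaluate(item):
    """Return one Evaluation dict in the shape Config's PutEvaluations accepts."""
    rule = EVALUATORS.get(item["resourceType"])
    compliance, note = rule(item) if rule else (NOT_APPLICABLE, "no rule for this type")
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],   # Config caps annotations at 256 characters
    }


def config_event(item):
    """Wrap an item the way Config delivers it: JSON-encoded inside invokingEvent."""
    return {"invokingEvent": json.dumps({"configurationItem": item})}


def handler(event):
    """Entry point shape of a rule Lambda, minus the PutEvaluations call."""
    return evaluate(json.loads(event["invokingEvent"])["configurationItem"])


# Constructed configuration items: a weak bucket, the same bucket fixed, an open group.
OPEN_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "logs-bucket",
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": {"blockPublicAcls": True, "ignorePublicAcls": True,
                                           "blockPublicPolicy": False, "restrictPublicBuckets": False},
    },
}
FIXED_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "logs-bucket",
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": dict.fromkeys(PUBLIC_ACCESS_FLAGS, True),
        "ServerSideEncryptionConfiguration": {"rules": [
            {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]},
    },
}
OPEN_SG = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0abc",
    "configuration": {"ipPermissions": [
        {"fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]},
}

if __name__ == "__main__":
    for item in (OPEN_BUCKET, FIXED_BUCKET, OPEN_SG):
        print(evaluate(item))
```

The annotation is what turns a compliance dashboard into something an engineer can act on: “public access block not fully enabled: blockPublicPolicy, restrictPublicBuckets” names the flags to flip, whereas a bare NON_COMPLIANT sends them back to the console to rediscover the problem. Azure Policy and Security Command Center express the same check-and-annotate loop in their own formats.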
In addition to automated monitoring and enforcement, Swalling points out that the implementation of well-managed and regularly reviewed threat management allows organisations to be more proactive and agile in their response to threats.
Why traditional identity and access management falls short
Identity and access management is a core component of proactive IT security management. However, Carlos De Sola Caraballo, senior principal analyst at Gartner, warns that traditional asset-centric approaches to identity management will fail to provide the necessary visibility in cloud environments.
He recommends that IT security leaders focus on user identities and their associated permissions, establishing baselines for normal behaviour and configuring alerts to detect anomalies.
“This approach enhances the ability to track and manage incidents across the cloud infrastructure, ensuring a more comprehensive and timely response,” he says.
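The identity-centric baseline Caraballo describes, as an added example that is not part of the article and is not Gartner’s material: a baseline of where each principal normally connects from, which services it calls, in which regions and at what hours is built from historical activity, and new events are scored against it. The events are constructed using CloudTrail’s field names (`userIdentity.arn`, `eventSource`, `eventName`, `sourceIPAddress`, `awsRegion`, `eventTime`); the principals, addresses and the two-deviation alert threshold are choices made for the example.

```python
"""Added example (not from the article): build a per-identity behaviour
baseline from historical API activity, then flag deviations in new events.
Events are constructed in CloudTrail's field names; no real account data."""
from collections import defaultdict
from datetime import datetime
import ipaddress

ALICE = "arn:aws:iam::111122223333:user/alice"              # constructed principal
DEPLOY = "arn:aws:sts::111122223333:assumed-role/deploy/ci"  # constructed principal
SENSITIVE_SERVICES = {"iam.amazonaws.com", "sts.amazonaws.com", "kms.amazonaws.com"}


def ev(arn, source, name, ip, region, time):
    """Build a minimal CloudTrail-shaped event (constructed data)."""
    return {"userIdentity": {"arn": arn}, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "awsRegion": region, "eventTime": time}


# Constructed history: normal activity for an engineer and a CI deploy role.
HISTORY = [
    ev(ALICE, "s3.amazonaws.com", "GetObject", "203.0.113.5", "eu-west-2", "2024-05-01T09:12:00Z"),
    ev(ALICE, "s3.amazonaws.com", "PutObject", "203.0.113.7", "eu-west-2", "2024-05-02T10:40:00Z"),
    ev(ALICE, "ec2.amazonaws.com", "DescribeInstances", "203.0.113.5", "eu-west-2", "2024-05-03T16:05:00Z"),
    ev(DEPLOY, "ecs.amazonaws.com", "UpdateService", "198.51.100.20", "eu-west-2", "2024-05-01T02:00:00Z"),
    ev(DEPLOY, "ecs.amazonaws.com", "UpdateService", "198.51.100.20", "eu-west-2", "2024-05-02T02:00:00Z"),
]


def network_of(ip):
    """Generalise a source address to its /24 so a DHCP change is not an anomaly."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def hour_of(timestamp):
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").hour


def build_baseline(events):
    """Per principal: networks, services, regions and UTC hours seen in history."""
    base = defaultdict(lambda: {"networks": set(), "services": set(),
                                "regions": set(), "hours": set()})
    for e in events:
        b = base[e["userIdentity"]["arn"]]
        b["networks"].add(network_of(e["sourceIPAddress"]))
        b["services"].add(e["eventSource"])
        b["regions"].add(e["awsRegion"])
        b["hours"].add(hour_of(e["eventTime"]))
    return dict(base)


def assess(event, baseline):
    """Return (principal, reasons) where reasons lists every deviation found."""
    arn = event["userIdentity"]["arn"]
    b = baseline.get(arn)
    if b is None:
        return arn, ["new-identity"]          # never seen before: always worth a look
    reasons = []
    if network_of(event["sourceIPAddress"]) not in b["networks"]:
        reasons.append("new-network")
    if event["eventSource"] not in b["services"]:
        reasons.append("new-service")
    if event["awsRegion"] not in b["regions"]:
        reasons.append("new-region")
    if hour_of(event["eventTime"]) not in b["hours"]:
        reasons.append("off-hours")
    if event["eventSource"] in SENSITIVE_SERVICES:
        reasons.append("sensitive-service")   # not a deviation, but raises the stakes
    return arn, reasons


def alerts(events, baseline, min_reasons=2):
    """Alert on unknown identities, or on events with at least min_reasons deviations.
    A single new hour is noise; a new network plus a first IAM call is not."""
    out = []
    for e in events:
        arn, reasons = assess(e, baseline)
        if "new-identity" in reasons or len(reasons) >= min_reasons:
            out.append((arn, e["eventName"], reasons))
    return out


# Constructed new events: one benign, one that looks like a stolen credential, one routine.
NEW_EVENTS = [
    ev(ALICE, "s3.amazonaws.com", "GetObject", "203.0.113.9", "eu-west-2", "2024-05-15T11:00:00Z"),
    ev(ALICE, "iam.amazonaws.com", "CreateAccessKey", "192.0.2.44", "us-east-1", "2024-05-15T03:30:00Z"),
    ev(DEPLOY, "ecs.amazonaws.com", "UpdateService", "198.51.100.20", "eu-west-2", "2024-05-15T02:00:00Z"),
]

if __name__ == "__main__":
    for alert in alerts(NEW_EVENTS, build_baseline(HISTORY)):
        print(*alert)
```

Note what the asset-centric view would miss here: the instance, bucket and role configurations are unchanged, and nothing was exploited. The only signal is that a known user identity suddenly calls IAM from an unfamiliar network, in an unfamiliar region, at an unusual hour, which is why the baseline has to be keyed on the identity rather than on the resource.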
The role of shared responsibility
Whether an organisation is beginning its journey of migrating key services to the cloud or launching a cloud-native evergreen project, involving security specialists with a deep understanding of the cloud security model is an important factor.
Elliott Wilkes, chief technology officer (CTO) at Advanced Cyber Defence Systems, touches on the cloud shared responsibility model, whereby cloud providers are responsible for certain elements of each of the services. He says they need to monitor, defend and protect these elements, which include physical infrastructure and access controls at datacentres, resilient power backups and the like. “All of the things you’d typically expect a datacentre to provide, the CSPs [cloud service providers] will provide,” he says.
Knowing what parts of the public cloud infrastructure are managed by the cloud service provider enables IT teams to develop a plan for how to tackle the security gaps they need to address.
Gartner’s Caraballo recommends that IT security leaders engage governance, risk and compliance (GRC) and legal teams early in the process of selecting a CSP.
Wilkes agrees, saying: “Explicit contract stipulations are necessary to ensure robust incident response support from the CSP.”
Caraballo recommends that IT security leaders consider overall business resilience when developing a strategy to respond to security incidents that occur in cloud environments. He notes that this requires a broader approach, which involves not only technical responses, but also strategic planning, such as digital supply chain redundancies and robust legal contracts. He urges IT security leaders to ensure their incident response plans are comprehensive, incorporating cloud-specific considerations and aligning with overall business continuity and disaster recovery strategies.
Why cloud security requires a different approach
According to Caraballo, the transition to cloud environments necessitates a fundamental shift in incident response strategies. He urges IT security leaders to reassess and upgrade their incident response procedures, leveraging automation, proactive collaboration and identity-centric security to meet the unique challenges of the cloud.
“The dynamic nature of cloud security demands equally dynamic and flexible incident response strategies, ensuring that organisations can respond swiftly and effectively to emerging threats,” he adds.
The good news, at least from Swalling’s perspective, is that cloud providers can assess vast amounts of data and threat activity. This, he points out, means public cloud services are currently better placed to leverage AI than simpler on-premise security tooling.
Practical public cloud security
Luca Domenella is head of cloud operations and DevOps at Soldo, a European spend management platform provider. He says the company “was born in a public cloud” and is cloud-native.
Domenella says the cloud introduces new challenges for the company to manage, covering not only IT infrastructure, but also the software it develops in-house.
“We changed the approach from perimeter-side security, since security appliances and a lot of the technology deployed to lock down the perimeter of the corporate network are not required on the public cloud. Instead, cloud-native technologies like web application firewalls and denial of service protection can be deployed on public cloud infrastructure,” he says.
Given its business deals with financial transactions, Domenella says Soldo needs to comply with the PCI DSS standard. It needs to provide secure application programming interfaces (APIs) and connect securely to external APIs. “Security within the application is very important because we expose APIs for our customers to automate tasks,” he says. “We also use APIs ourselves, and we expose endpoints like our web console.”
Initially, the company used open source monitoring and observability tools such as Nagios, Grafana and Prometheus to observe and monitor its cloud infrastructure. But Domenella says using such tools and observability platforms to monitor security is tough. “It’s difficult to look into what the application is doing,” he says.
Soldo has now deployed Dynatrace Application Security to identify and prioritise software vulnerabilities continuously and automatically across its entire software delivery lifecycle, including at runtime.
Domenella says Dynatrace offers the company a level of control over the security of its software, by continuously monitoring for application vulnerabilities in production environments. “We instantly know how a new vulnerability affects our digital services, so we can respond quickly to keep our customers’ data safe,” he says.