Top 4 challenges to securing your cloud
By now, most IT professionals see the benefit of private, hybrid and public cloud within the enterprise. The cloud facilitates rapid innovation and improved control of platforms and workflows, enhancing a company’s ability to support increasing business demands. But cloud solutions also come with challenges, especially when automating cloud security at scale.
Let’s look at four of these challenges.
Changes in security strategy for the public cloud
The public cloud is essentially an extension of your network hosted on a third-party server. To that end, bridging the connection between on-premise locations and customer sites to the cloud should be a viewed as a security concern. In order to 'cloud burst' safely, you must understand the overall architecture, including what safeguards are in place from the cloud service provider (CSP).
Things happen differently in the cloud. When you offer a public cloud instance, you recycle things such as IP addresses and storage pools. You also constantly destroy and recreate data on-the-fly to perform any number of on-demand resource capabilities. Services can evolve depending on user need, constantly changing how you deliver those services to the appropriate endpoints. In addition, you need to manage data access appropriately while maintaining flexibility to automate and scale.
Many tasks in the public cloud are not user facing. However, you do need to grant secure access at times. For this, you need to leverage the CSP’s security tools, identity sources and federation. Numerous autonomous connections are being made, which requires you to stay on top of network access controls, certificates and commissioning/decommissioning procedures.
During the lifecycle of a cloud platform, you must continuously audit changes and controls. Tracking how the platform is configured requires constant monitoring. Keep all of these frequently shifting priorities in mind as you reset your thinking about security for the public cloud.
Rethinking traditional security approaches
Another challenge with public cloud is stitching together multiple security solutions into a single cloud infrastructure, even when vendors don’t work together.
For example, the tool you use to parse logs does not work with the data storage of a particular security tool. This may force you to either parse the data manually (limiting your ability to operate securely at scale) or to invest in and configure new security tools. Operating at scale in the cloud can generate large volumes of security data, such as syslog or other critical events. The only way to process all that data quickly is through automation. For that to work, you must select your tools carefully and ensure they work together.
Addressing risks associated with containers
As it becomes easier to deploy servers and applications, the potential for propagating vulnerabilities also increases. You must manage these processes carefully as you deploy and scale your environment. Containers themselves are quite secure. However, many IT professionals do not realize the potential for introducing vulnerabilities such as container breakout, image forgery and credential exposure. You may have controls in place to detect malicious behavior, but an internal threat actor may be able to approach cautiously and avoid detection. To avoid this, secure your environment and subsequent containers using a layered approach that deploys security controls at each step, such as with packet analyzers, reverse proxies and endpoint protection agents. Most importantly, lock down access control to decrease the risk of a malicious actor.
Aligning cloud security with DevOps
When it comes to deploying servers and applications in the cloud, you may lose security in place of convenience and velocity. Opening up your system to a potential breach is not worth the benefit of speed. It becomes a constant balancing act. The good news is, there are tools and processes to enforce more secure practices. For example, a continuous integration/continuous delivery (CI/CD) model leverages known good components as you update your applications. Security in the cloud means using these types of processes to become more disciplined about change management.
Any number of code assessment tools are available that scan code for vulnerabilities during development. They also provide notifications so that issues can be addressed before code goes to production. Penetration testers should also periodically review code and application servers from an outside perspective. Use the vulnerabilities they discover as an opportunity to raise awareness among your developers. If all else fails, rely upon internal processes, communication channels and an established incident-response team to address potential threats in your cloud environment.
As we move into the future with our workflows, servers and applications running in the cloud, IT professionals must prioritize the security conversation. With the right tools, policies and conversations, your enterprise can walk the line between speed, innovation and cloud security.
Paul Dackiewicz, CISM, CISSP, Manager of Network & Systems – Managed Services
Paul oversees the function of our Network, Data Center, and Security Operations within the Managed Services practice area. He has over 10 years of engineering experience and enjoys contributing to the success of ANM’s clients. Paul is an avid comic book reader and guitar / bass player.