AWS Startups Blog

Using the Cloud to Secure the Cloud: Moving From a Network-Centric to a Cloud-First Approach

Guest post by Patrick Flanders, Director of Marketing at Lacework

Most security solutions used by enterprises today emphasize a traditional network approach. Today’s modern organizations prize agility and transformation as underlying principles of their IT infrastructures. These enterprises that use the cloud to drive an innovative, agile business and technology agenda must adopt a security strategy that uses cloud principles to address cloud issues.

The kinds of threats that organizations face when running workloads in the cloud require a different level of insight and action. As opposed to protecting data centers and physical components, they focus on the dynamic rate of change among executables and activities: network addresses and ports are recycled (sometimes at random), users can be assigned privileges on-the-fly, data is pulled from a constantly changing assortment of repositories, and traffic flows through APIs and applications on an as-needed basis.

For organizations that are using cloud-first strategies for new projects or as part of their migration from older systems, the transformative effect is felt almost immediately. As a way to meet rigorous business requirements, they are able to deploy frequent code releases, use containers for easier orchestration, and process and store data that informs them of compliance issues and delivers cost-effectiveness measures. This is a continuous mode of activity, and SIEMs and firewalls aren’t equipped to deliver the insight needed, and they aren’t engineered for automation, nor can they function at scale.

The key is to use the cloud to secure the cloud. That may sound gimmicky, but only solutions developed for the cloud can understand how to address issues like speed and scale. Network-centric solutions presume that application calls, ID changes, requests, and other activities are orderly, like a line of people waiting for the morning train. The cloud, however, is more like a mosh pit.

To address security issues, users need deep visibility that leads to better control of how their cloud operates at cloud scale. This primarily means monitoring of all activities across all cloud components—accounts, users, apps, containers, machines—in addition to the network layer. The same speed that gives the cloud its advantages as an operating environment can be used to adapt to changes in the cloud. In other words, security needs to be deployed to monitor, detect, and alert on issues.

In order to understand the unique security needs of the cloud, it’s helpful to contrast it with the network approach so commonly used. These network-centric limitations help frame why a fresh, cloud-specific approach makes sense not just for environments like AWS, but also just for better overall security:

  1. Network logs cannot detect misconfigurations: Hackers search networks for vulnerable assets, but network traffic will alert on anything, even if it’s a false positive. A better solution is to identify front-facing apps and alert once an attack is not front-facing.
  2. Network-based detection delivers false positives: Even as networks grew to support demand among workloads and users, endpoints were physical and could rely on hardware solutions to protect them. In the cloud, ports and IP addresses are continuously recycled; network logs alone will not give the insight needed. Using network activity as a gauge will create irrelevant and false positives.
  3. Storage layer cannot detect malicious activity: Data leaks and misconfigured storage repositories do not appear in network logs without granular data.
  4. Cyber attacks are more sophisticated: Hackers are no longer just attacking the network attack surface. By changing privilege, pushing virus-filled applications, and changing config files are all ways that hackers exploit the cloud. Security teams need to see what’s happening inside the cloud in order to protect it.
  5. Network data won’t attribute actions to users: Hackers are getting more astute about exploiting root and service accounts by impersonating legitimate users. The only way to identify the true users is to correlate and stitch SSH sessions, which isn’t possible with network data.
  6. FIM not covered by network logs: Compliance frameworks like PCI, HIPAA, and others demand File Integrity Monitoring (FIM). However, network logs are unable to provide specific data about file-level changes.
  7. Network traffic doesn’t scale to identify deep packets: With IaaS and PaaS platforms, applications are custom-built. Firewalls typically cannot recognize custom applications, which means they can’t detect attacks.
  8. Network-based security is blind to container activity: Network logs are optimized to capture network activities from one endpoint (physical or virtual server, VM, user, or generically an “instance”) to another along with many attributes of the communication. However, they have no visibility inside an instance. In a typical modern microservices architecture, multiple containers will run inside the same instance and their communication will never be seen on network logs.
  9. Container orchestration traffic is not complete: You need to secure orchestration tools like Kubernetes and Docker between containers, but network logs do not attribute traffic to specific containers because of lack of visibility into the cloud environment.
  10. No file-based malware detection: A key indicator of compromise (IoC) is file hashes. They identify file vulnerabilities and need to be addressed in priority. Network logs cannot help in this regard because they have no information on file hashes or packages.
  11. Network volume makes data capture unfeasible: Traffic inside the cloud is 5x more voluminous than traffic among series and clients. The cloud provides maps of how that traffic happens which offers better insight and detail.

Emphasizing network-based security cannot provide the protection needed for a cloud environment. A new approach, one that relies on automation and end-to-end, continuous insights, is required to ensure the protection of your critical data assets, your IT infrastructure, and most importantly, your business.