A New Security Mindset for the Public Cloud

Guest post from Lacework, sponsors of AWS Security Week at the San Francisco Loft from April 8 – April 12. 

Many enterprises are adopting cloud-based strategies as they initiate new projects or migrate from older, legacy systems. To meet demanding and rapidly changing business needs, they employ frequent code releases, increasingly use containers, and process and store data for compliance. It’s an environment with a great deal of change and activity, but solutions like SIEMs and firewalls just can’t provide the level of insight required—they aren’t built for automation or scale.

Traditional security vendors can’t build solutions fast enough to address cloud migrants and upstarts who use a cloud-first strategy, so they’re cobbling together component parts through acquisitions in order to make something that vaguely resembles a comprehensive solution. They may be able to check a lot of boxes, but are unable to deliver a comprehensive, unified solution strategy. Ultimately, security teams who are tasked with oversight of workloads and accounts in the cloud recognize that they require an approach that can meet the velocity and scalability needs of fast-moving organizations.

Modern enterprises that want to move fast yet maintain effective security and compliance practices that are optimized for cloud and containerized environments will need to adopt solutions that provide comprehensive threat defense, intrusion detection, and compliance management over their cloud accounts and workloads, all at scale. In order to match business needs with security technology, here are three things to consider factoring into your security strategy:

Change is Continuous – Your Monitoring Should be Too

When you move into the Amazon Web Services (AWS) Cloud, you’re operating in a Shared Responsibility Model, so while there is an inherent layer of security provided, you can’t afford to not fully recognize how that responsibility is delineated. You need a migration plan that includes in-depth understanding of the different kinds of security features offered by the cloud provider and where you are responsible for securing your environment.

Configuration of resources is a great example. Firewall protection is critical to your environment, and AWS builds firewall functionality into its Amazon Elastic Compute Cloud (Amazon EC2) instances. However, configuration of those firewall settings is your responsibility, so your security team has to recognize what those settings are and be staffed to manage those access-control lists.

All the change happening in your cloud requires continuous monitoring. That security monitoring needs to be comprehensive across all cloud and orchestration activities, and to achieve that requires a tool that audits settings. You can apply a tool to do continuous scans and provide reports depending upon your organizational and response needs. In dynamic cloud environments where applications are being built on the fly and business requirements demand new use of data, frequent scanning and analysis of cloud and container activity is essential to achieve the necessary security posture.

Addressing Security at Scale with Automation

In this type of highly dynamic environment, there are too many ways that human error can introduce vulnerabilities and holes into the system. Everyone in the organization is responsible for security. A sense of ownership and responsibility should become embedded into how the entire organization operates. It is only through a collective effort and recognition about security that you will be able to effectively control the variables required to maintain security within your environment.

In order to do that, you need to validate that your controls are actually working as you need them to. A surprising number of enterprises rely on manual checks for this, but even for small organizations this is not scalable. The only way to do this effectively is through automation, and organizations will need tools that can monitor and analyze cloud events to ensure they are performing as expected.

Doing this will enable you to identify and make sense of situations where there is abnormal behavior within your cloud. For example, you may see traffic coming from unrecognizable IP addresses, or activity from accounts that have been unused for significant periods of time. Behaviors can be analyzed and then mapped against normalized activity to identify abnormalities. Done continuously, you get an accurate understanding of where threats are in your cloud.

The Importance of Self-Auditing

The cloud operates much differently than in other types of environments. You recycle IP addresses, spin up new Amazon EC2 instances, change configurations, and create and destroy data on the fly to perform on-demand resource capabilities. Services change all the time to meet users’ changing needs, so you need to vary how you deliver services to the resources that need them.

Much of what is happening is not user-facing. Servers talk to other servers through APIs, but there’s no user interaction. You’re often updating configurations of on-premises resources as well as your cloud environment. To grant secure access when it’s needed, you have to use the tools, ID sources, and federation provided by your cloud provider. A lot of autonomous connections are made, which is why access control lists and ID management control is necessary. The most effective way of doing this is through monitoring and auditing all your changes and controls through the help of an automated tool.

A lot of what is happening is not user-facing. For example, if I have a server in my environment that needs to talk to AWS, there’s no user interaction. You are not only configuring your local on-premises equipment to talk to the cloud, you are configuring the cloud, too. To be able to grant secure access when necessary, you need to leverage their tools, their identity sources, and their federation. A lot of autonomous connections are being made, which is why you have to stay on top of your access control lists (ACLs).

Throughout the life cycle of a cloud process, you must always audit changes and controls. Keeping track of changes gives you the awareness of where vulnerabilities exist, which gives you a better sense of control over all your cloud operations.

Effectively managing the responsibilities of your AWS accounts is easier when you use tools that give you deep visibility and analysis of workload and account activity. Automation is required in order to maintain that level of awareness in a continuous way. With the right discipline, coupled with the right tools, enterprises will be better equipped to thwart attacks and strengthen the overall security of their cloud environment.