Cloud security controls: Where are we now and best practice for future gains
Data breaches linked to poor Cloud Security Controls
One of the key reasons for poor security hygiene is the complexity cloud brings, together with a lack of understanding of the shared responsibility model and of how to strengthen IaaS security capabilities. Use of multi-cloud is on the rise, and security professionals need to familiarize themselves with the critical cloud security controls, learn to detect flaws, and know enough about best practices to fully secure their cloud workloads.
Gartner predicted that: “Through 2025, 99% of cloud security failures will be the customer’s fault.” Many explanations of cloud breaches are vague, such as ‘misconfiguration’ or ‘mismanagement by third party’, which gives us little insight into where the issues stemmed from, and we start seeing gaps not only in controls but also in our knowledge of the topic.
Where to start with critical Cloud Security Controls
Firstly, it’s important to understand the two key elements of IaaS security models - CWPP and CSPM, and why they’re critical to cloud security controls.
Protect your cloud workload
If an application is vulnerable to SQL injection, moving it to the cloud will not protect it from the threat. Organizations need to extend their workload protection best practices to their cloud workloads. However, it's important to remember that cloud service providers (CSPs) are only responsible for securing the infrastructure they provide, not what you put in it. Many of them now offer security control tools that may help, but these don’t address the complex requirements of hybrid and multi-cloud scenarios.
A good example is Gartner's prioritization model of CWPP controls, which recommends that security teams start at the bottom by tackling Operations Hygiene controls and move up the pyramid of criticality.
The prioritization model puts the focus on core server protection strategies, such as configuration and vulnerability management and network segmentation. This makes sense, as the foundation of your IaaS security plan is to reduce your exposure and your risk. Default policies are not enough, and re-using publicly shared virtual machine images brings a lot of potential risk, as these are often not updated. Known vulnerabilities are the first thing attackers will target, so it is crucial to assess your operating systems continuously.
Assess and monitor misconfigurations
On the other hand, IaaS and PaaS bring APIs and a ton of configuration that less skilled teams can get wrong. The most common mistake is having loose permissions in cloud storage, exposing critical data to everyone. We’ve seen devastating examples of this in the form of the Capital One breach, with huge ramifications. It’s becoming more common for hackers to exploit the low-hanging fruit of a misconfigured server to steal data, and cloud storage is not the only service you must monitor. Security teams must understand how clouds are orchestrated and how they differ from a traditional server. The first thing to implement is the CIS benchmarks. They are a great starting point for AWS, Azure and Google Cloud Platform (GCP) configuration management, each containing a set of critical controls.
However, not all benchmarks are created equal: AWS is the oldest with the least number of controls, Azure is more recent and complete, and GCP is the latest with a strong focus on Kubernetes. Taking the CIS Microsoft Azure Foundation Benchmark (version 1.1.0) as an example, the security controls can be grouped in the categories below, each followed by the number of sub-controls in parentheses:
- Identity and Access Management (23)
- Usage of Security Center (19)
- Storage Accounts (8)
- Database Services (19)
- Logging and Monitoring (16)
- Activity Log Alerts (5)
- Networking (6)
- Virtual Machines (5)
- App Services (10)
This results in a sheer volume of 111 control points! Oddly enough, Azure’s own Security Center currently monitors fewer than 20% of the controls outlined in this benchmark. Implementing an automated cloud security tool (Gartner calls it CSPM) that provides better coverage is therefore imperative to keep misconfigurations at bay without adding a huge resource burden.
Big data and Multi-cloud Considerations
Depending on your organization’s use case and deployment approach, you may need to implement more specific checks. The benchmarks cover foundational services, such as cloud storage and compute, but if your organization is doing Big Data analysis and using Elastic MapReduce in AWS, this is not covered by the AWS benchmark, so security teams need to implement specific controls to protect the organization’s data.
If you’re new to cloud, looking to migrate to IaaS and PaaS, and wondering where to start from a security perspective, there are two steps. Firstly, you can apply the same security controls that you have on-premise; the fundamentals are the same. Secondly, start by getting visibility into your cloud workloads and cloud configurations. Look for security tools that are tailored for hybrid environments, so you don’t need to use different tools and processes for cloud versus on-premise.
The cloud native controls from your providers, Azure, AWS and Google Cloud Platform will differ and the main issue with using cloud provider tools is they don’t support hybrid and multi-cloud environments. You do not want to use different tools with different scopes and approaches for different clouds. It is important to implement homogeneous controls and have visibility in a single pane of glass, removing silos and reducing costs.
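The loose storage permissions and the homogeneous, single-view controls discussed above can be combined in one provider-neutral rule set run over inventory from two clouds. This is an added example, not Outpost24 or CIS code: the inventory records, the `containers` nesting, the `PublicAccessBlock` key and the rule names are constructed for illustration, and the rules are not mapped to specific benchmark control numbers.

```python
"""One provider-neutral rule set evaluated over storage inventory from two clouds."""

# Constructed inventory: setting names follow Azure CLI / S3 API output,
# the record layout and all values are made up for this example.
AZURE = [
    {"name": "stprodlogs", "enableHttpsTrafficOnly": True,
     "networkRuleSet": {"defaultAction": "Deny"},
     "containers": [{"name": "logs", "publicAccess": None}]},
    {"name": "stmarketing", "enableHttpsTrafficOnly": False,
     "networkRuleSet": {"defaultAction": "Allow"},
     "containers": [{"name": "assets", "publicAccess": "container"}]},
]
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
AWS = [
    {"Name": "corp-backups", "PublicAccessBlock": dict.fromkeys(PAB_KEYS, True)},
    {"Name": "corp-uploads"},  # no public access block configured at all
]

def normalize_azure(acct):
    """Map a storage account to the neutral model; missing settings fail closed."""
    public = any(c.get("publicAccess") for c in acct.get("containers", []))
    open_net = acct.get("networkRuleSet", {}).get("defaultAction") != "Deny"
    return {"id": "azure:" + acct["name"], "public_access": public,
            "open_network": open_net,
            "plaintext": acct.get("enableHttpsTrafficOnly") is not True}

def normalize_aws(bucket):
    """Map an S3 bucket; a missing or partial block counts as not prevented."""
    pab = bucket.get("PublicAccessBlock") or {}
    exposed = not all(pab.get(k) is True for k in PAB_KEYS)
    return {"id": "aws:" + bucket["Name"], "public_access": exposed}

# Rule name -> key in the neutral model. A key a provider adapter does not
# set is "not assessed" for that resource and produces no finding.
RULES = {"storage-public-access": "public_access",
         "storage-open-network": "open_network",
         "storage-plaintext-transport": "plaintext"}

def audit(azure=AZURE, aws=AWS):
    """Return sorted (resource, rule) findings across both clouds."""
    resources = [normalize_azure(a) for a in azure] + [normalize_aws(b) for b in aws]
    return sorted((r["id"], rule) for r in resources
                  for rule, key in RULES.items() if r.get(key))

if __name__ == "__main__":
    for resource, rule in audit():
        print(f"FAIL {rule:30} {resource}")
```

Adding a cloud means writing one more `normalize_*` adapter; the rules and the report format stay the same.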
As cloud keeps evolving at a rapid pace into PaaS, and new services such as serverless or machine learning take hold, it is almost impossible for security teams to be experts in all the clouds and services available and to know the best security practices for each (more than 160 new services in AWS alone since last year). Despite cloud providers continuing to improve their support tools, we are heading towards an increasingly complex cloud architecture, where security solutions are also evolving quickly so that they do not become an obstacle to the digital transformation of enterprises.
How Outpost24 Protects your Cloud Assets and Data
A move to cloud shouldn’t spell disaster and doesn’t need to become an additional burden for your security team. In fact, moving to a system that is more compact and driven by automation makes implementing cloud security controls easier. Cloudsec Inspect works as a CWPP + CSPM by providing complete visibility of cloud vulnerabilities, continuously scanning workloads and monitoring for misconfiguration in the public clouds to banish cloud misconfiguration and keep your workloads fully protected. Understanding the purpose of cloud security controls is critical: it allows your organization to adopt those controls and limit business disruption.
Register for our next webinar where our Cloud Security expert Sergio Loureiro will discuss Cloud security controls and how to apply the techniques in a practical way, so you can future proof your cloud security posture.
Forrester Analytics: Cloud Security Solutions Forecast, 2018 To 2023, April 2019
Gartner, Is the Cloud Secure, October 2019
Center for Internet Security, https://www.cisecurity.org/blog/cis-microsoft-azure-foundations-benchmark-v1-0-0-now-available/