How to ensure a secure migration to AWS, Azure and Docker
The cloud IaaS revolution
Adoption of cloud is skyrocketing. The global public cloud service market is projected to reach $206.2 billion in 2019. Forbes expects that 83% of enterprise workloads will be in the cloud by 2020. And more than $1.3 TRILLION in IT spending will be affected by the shift to the cloud by 2022.
On the other hand, according to IDC, the expectation is that by 2022 the top 4 cloud "megaplatforms" will host 80% of infrastructure-as-a-service (IaaS)/platform-as-a-service (PaaS) deployments, and that by 2024, 90% of G1000 organizations will mitigate lock-in through multicloud and hybrid cloud technologies and tools.
Challenges in hybrid clouds
There has been a great evolution since I first teamed up with the other founding member of the Cloud Security Alliance (CSA) on the first security guidance for cloud computing in 2009.
What did not change is that security is still the biggest roadblock to cloud adoption, and due to the lack of skills in cloud and security we have witnessed a major growth in data breaches caused by misconfigurations. McAfee found that about 99% of misconfigurations go unnoticed by companies using IaaS: "The enterprise companies we spoke to told us that they were aware of, on average, 37 misconfiguration incidents per month. Yet our real-world data shows that companies actually experience closer to 3,500 such incidents." However, in the same study only 26% of the enterprise survey respondents said their current security tools could audit configurations in IaaS.
Why do traditional solutions not cope with cloud and containers?
First, it all starts with the shared responsibility model with the cloud provider. Customers give up some control and visibility to the cloud provider, and the cloud provider gives back some tools such as virtual firewalls or security groups, and some visibility such as firewall logs.
This is enough for "lift and shift" use cases, and customers may deploy their virtual machines (instances on EC2) and assess the security of their workloads using, for example, traditional vulnerability management tools.
One step ahead, more business efficiency comes from using APIs, elasticity and automation, which I'll call Infrastructure as Code. Infrastructure as Code (IaC), sometimes referred to as programmable infrastructure, is a type of IT infrastructure that operations teams can manage and provision automatically through code rather than through a manual process.
Therefore, enterprises can start using processes and agile tools from developers, which gave birth to the DevOps paradigm and container adoption.
Once DevOps teams program the infrastructure and use continuous integration and deployment (CI/CD) tools, it is crucial for security to know whether there are misconfigurations or mistakes. Imagine several developers making continuous changes to the infrastructure through code when you have hundreds of security groups and users declared in Identity and Access Management (IAM) databases.
Ensure a secure migration to AWS, Azure and Docker
With so many security processes and tools that enterprises need to migrate to the cloud and containers, we must start with a plan and priorities. Referring to the Gartner CWPP study, at the base of the pyramid there are the 2 most important functionalities: vulnerability management and configuration management. Having started a company to help enterprises perform this in IaaS, I cannot agree more :-) So, in this article I'll focus on these 2, but I'll take into account the customer use cases and maturity of adoption.
4 step plan for protecting workloads in AWS, Azure and Docker
Lift and Shift: Enterprises move virtual machines and data to IaaS (mainly AWS EC2 and S3) and try to replicate the same security processes. In this case, security teams require auto-discovery of assets so that security adapts to the elastic perimeter, and enterprises need to deploy virtual appliances of the scanners in order to assess the private (not public-facing) assets.
Shift and Assess: Once enterprises have moved their workloads to IaaS and start using more cloud services (AWS VPC and CloudWatch for example), security teams add security configuration checks. Here we are talking about the CIS AWS, CIS Azure, CIS Docker (ECS on AWS) and CIS Kubernetes (EKS on AWS) benchmarks.
Assess and Automate: When enterprises adopt Infrastructure as Code and DevOps agile processes, security teams need integration with CI/CD and need to apply the CIS AWS and CIS Azure benchmarks in continuous mode using the APIs. Depending on the workloads, it might make sense to deploy more specific checks, for example for AWS EMR if the enterprise is focusing on big data analysis.
Automate and Extend: After this journey, cloud providers keep industrializing new cloud services, such as Serverless (Lambda on AWS, Functions on Azure). Enterprises start testing and adopting them, and then comes security. As a security team, it's challenging to keep up with the pace of new services and best practices for hundreds of cloud services and container services.
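To make the "Assess and Automate" stage concrete (and the earlier point about hundreds of security groups and IAM users changing through code), here is an added example of what a continuous benchmark check looks like when driven from the cloud API. It is written for this article and is not Outpost24 code or product logic. The two checks are modelled on CIS AWS Foundations Benchmark v1.2 controls: 4.1/4.2 (no security group allows ingress from 0.0.0.0/0 or ::/0 to port 22 or 3389) and 1.2 (MFA enabled for every IAM user with a console password). The input data is constructed inline in the shape of the EC2 DescribeSecurityGroups response and the parsed IAM credential report, so the script runs offline; against a real account you would replace the two sample lists with the output of boto3's ec2.describe_security_groups() and iam.get_credential_report() (that substitution is an assumption of the example, not shown here).

```python
"""Benchmark-style configuration checks over constructed sample data.

Added example modelled on CIS AWS Foundations Benchmark v1.2 controls
4.1/4.2 (world-open admin ports) and 1.2 (console users without MFA).
"""
import ipaddress
import sys

# Constructed sample, shaped like the "SecurityGroups" list that
# EC2 DescribeSecurityGroups returns (boto3: ec2.describe_security_groups()).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0000aaaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0000bbbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0000cccc", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        # "-1" means all protocols and all ports; here open to every IPv6 address.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

# Constructed sample, shaped like parsed rows of the IAM credential report
# (boto3: iam.get_credential_report(), CSV in the "Content" field).
SAMPLE_CREDENTIAL_REPORT = [
    {"user": "<root_account>", "password_enabled": "not_supported", "mfa_active": "true"},
    {"user": "alice", "password_enabled": "true", "mfa_active": "true"},
    {"user": "ci-bot", "password_enabled": "false", "mfa_active": "false"},
    {"user": "bob", "password_enabled": "true", "mfa_active": "false"},
]

ADMIN_PORTS = {22, 3389}  # SSH and RDP, the ports named by CIS 4.1 and 4.2


def _is_world_open(ip_range):
    """True for 0.0.0.0/0 or ::/0 (a prefix length of zero matches everything)."""
    cidr = ip_range.get("CidrIp") or ip_range.get("CidrIpv6")
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _covers_port(perm, port):
    """True if a permission entry includes the given TCP port."""
    if perm.get("IpProtocol") == "-1":
        return True  # all protocols, all ports
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_world_open_admin_ports(security_groups):
    """Return (GroupId, port) for every admin port reachable from the whole internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
            if not any(_is_world_open(r) for r in ranges):
                continue
            for port in sorted(ADMIN_PORTS):
                if _covers_port(perm, port):
                    findings.append((sg["GroupId"], port))
    return findings


def find_console_users_without_mfa(report_rows):
    """Return users that can log in to the console but have no MFA device."""
    return [r["user"] for r in report_rows
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]


def main():
    sg_findings = find_world_open_admin_ports(SAMPLE_SECURITY_GROUPS)
    mfa_findings = find_console_users_without_mfa(SAMPLE_CREDENTIAL_REPORT)
    for group_id, port in sg_findings:
        print(f"FAIL {group_id}: admin port {port} open to the world")
    for user in mfa_findings:
        print(f"FAIL IAM user {user}: console password without MFA")
    # Non-zero exit status makes a CI/CD stage fail as soon as a finding exists.
    return 1 if (sg_findings or mfa_findings) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step, the exit status is what gates the deployment; the printed lines are the evidence for the finding. Note that the "-1" protocol entry on the db group is flagged for both ports even though no port is written in the rule, which is exactly the kind of rule a reviewer reading the code change would miss.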
Here at Outpost24, we are working hard to help customers on their journey to cloud and containers; we are ready for stages 1, 2 and 3, and are doing a lot of research on stage 4, so stay tuned!
1. IDC, Cloud Security Road Map: Identifying Limitations to the Shared Responsibility Model as well as Requirements and Best Practices, August 2019
2. Forbes, Roundup Of Cloud Computing Forecasts And Market Estimates, September 2018
3. Gartner, 28% of Spending in Key IT Segments Will Shift to the Cloud by 2022, September 2018
4. Forbes, 83% Of Enterprise Workloads Will Be In The Cloud By 2020, January 2018
5. McAfee, Cloud-Native: The Infrastructure-as-a-Service (IaaS) Adoption and Risk Report, September 2019
6. SANS, Cloud Survey adoption, 2019
7. LogicMonitor, Cloud Vision 2020: The Future of the Cloud Study