Skip to main content

What is Cloud Workload Security?

SecludIT, now part of Outpost24
Cloud and container security
Common beliefs that IaaS providers are responsible for the security of customer workloads, are wrong. The shared responsibility model for Infrastructure as a Service (IaaS) means that enterprises have to adapt traditional security to secure cloud based workloads. A cloud workload is a discrete capability or amount of work you’d like to run on a Cloud instance. It can be a web server, a container or an hadoop node for example.

New security requirements for Cloud Workload, what changes and why is it different?

The Cloud Security Alliance (CSA) has done the most comprehensive studies on the new requirements brought by cloud computing and the CSA has established the 12 top threats:

  1. Data Breaches
  2. Insufficient Identity, Credential and Access Management
  3. Insecure Interfaces and APIs
  4. System Vulnerabilities
  5. Account Hijacking
  6. Malicious Insiders
  7. Advanced Persistent Threats
  8. Data Loss
  9. Insufficient Due Diligence
  10. Abuse and Nefarious Use of Cloud Services
  11. Denial of Service
  12. Shared Technology Vulnerabilities

Enterprises need to protect workloads, it is a must have

For a start, you can’t protect what you can’t see. So, increasing visibility in order to be able to control is a foundational step. To address these new requirements, you need new solutions and approaches.

On the other hand, the scale and concentration of workloads bring greater attraction to hackers. Developers are reusing code and templates and are not aware of security best practices with new cloud services as shown by our study on AWS in 2011.

Why traditional solutions do not work?

Infrastructure as Code brings elastic perimeters and accelerated changes, APIs bring new attack surface and possibilities of misconfigurations. Imagine deleting a data center with a few lines of code (or a bug).

Furthermore, the configuration of the cloud services bring new attack surface that must be monitored. On the other hand, while it is possible to deploy agents in the Virtual Instances, the agents will not evaluate the configuration of cloud services and are an additional hassle to manage and support.

Enterprises need specific security solutions to Cloud Workload

Gartner definition: “CWPP is defined by host-centric solutions that target the unique requirements of server workload protection in modern hybrid data center architectures”

Security Engineers are dealing with the following use cases:
– compliance with international or company specific standards
– vulnerability management
– IaaS usage control
– incident Detection and Management
– risk management

However, the new requirements brought by IaaS bring new challenges to address these use cases. Or as Gartner puts it “Simply running agents designed for on–premises servers and hoping these will work in IaaS is not sufficient”. (CWPP)

Compliance and manual security audits are great snapshots of the company security posture but they cannot keep up with the pace of today’s business. Although automated vulnerability management cannot replace a comprehensive audit by experts, it can highly reduce the risk exposure to large scale and automated attacks.

Furthermore, the DevOps way of “deploying often and fully automated” brings a new opportunity for applying patches and thus increasing security in a timely manner. DevOps do not patch live systems. Instead they patch the templates from which the workloads are generated and then bring them to production.

How to implement a plan for Cloud Workload Security?

You had enough with problem statement and requirements. Now that your company is already putting workloads on IaaS, how do you start?

Establishing priorities and a roadmap is a good way to start. Gartner has done an hierarchy of protection strategies that will help you.

Gartner CWPP

A good plan might be a bottom-up approach. There are plenty of good tools that may help you during the ride!

Elastic Detector provides the bottom 3 layers of protection for every IaaS cloud, such as AWS, Microsoft Azure, Openstack, vCloud and many others.

Discover Elastic Detector new features like:

  • configuration and vulnerability management
  • network segmentation analysis
  • integrity monitoring

Get a demo of outpost24 vulnerability management

Looking for anything in particular?

Type your search word here