New security requirements for Cloud Workload, what changes and why is it different?
The Cloud Security Alliance (CSA) has done the most comprehensive studies on the new requirements brought by cloud computing and the CSA has established the 11 top threats:
1. Data Breaches
2. Misconfiguration and inadequate change control
3. Lack of cloud security architecture and strategy
4. Insufficient identity, credential, access and key management
5. Account hijacking
6. Insider threat
7. Insecure interfaces and APIs
8. Weak control plane
9. Metastructure and applistructure failures
10. Limited cloud usage visibility
11. Abuse and nefarious use of cloud services
Enterprises need to protect workloads: it is a must-have
For a start, you can’t protect what you can’t see. So, increasing visibility in order to be able to control is a foundational step. To address these new requirements, you need new solutions and approaches.
On the other hand, the scale and concentration of workloads makes them a more attractive target for attackers. Developers reuse code and templates and are often unaware of the security best practices for new cloud services, as shown by our study on AWS in 2011.
Why do traditional solutions not work?
Infrastructure as Code brings elastic perimeters and accelerated change; APIs bring a new attack surface and new possibilities for misconfiguration. Imagine deleting a data center with a few lines of code (or a bug).
Furthermore, the configuration of the cloud services themselves is a new attack surface that must be monitored. While it is possible to deploy agents in the virtual instances, those agents do not evaluate the configuration of the cloud services, and they are an additional burden to manage and support.
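As an added illustration of an agentless configuration check (this is not code from the page or from Elastic Detector), the script below walks a constructed CloudFormation-style template and flags security-group ingress rules that expose administrative ports, or every port, to the whole Internet. The template contents and the ADMIN_PORTS list are assumptions made for the example.

```python
import ipaddress
import json

# Constructed CloudFormation-style template (not from a real account): two
# security groups, one of which exposes SSH and all ports to the world.
TEMPLATE = json.loads("""
{
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "-1", "CidrIpv6": "::/0"}]}},
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}  # assumed list: ports that should never face the Internet

def is_world_open(rule):
    """True when the rule's source is the whole IPv4 or IPv6 address space."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if not cidr:
        return False  # source is another security group or a prefix list
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0

def find_open_ingress(template):
    """Flag world-open ingress rules that expose admin ports or all ports."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if not is_world_open(rule):
                continue
            proto = str(rule.get("IpProtocol"))
            lo = int(rule.get("FromPort", 0))
            hi = int(rule.get("ToPort", 65535))
            if proto == "-1":  # "-1" means every protocol and every port
                findings.append((name, "all-protocols", "all ports open to the world"))
                continue
            for port, svc in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append((name, svc, f"{proto}/{port} open to the world"))
    return findings
```

Run against a real exported template, the same check gives a reviewer the list of resources to fix before the stack is deployed, which is where the patching-the-template approach described later in this article applies.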
Enterprises need security solutions specific to Cloud Workloads
Gartner definition: “CWPP is defined by host-centric solutions that target the unique requirements of server workload protection in modern hybrid data center architectures”
Security Engineers are dealing with the following use cases:
– compliance with international or company-specific standards
– vulnerability management
– IaaS usage control
– incident detection and management
– risk management
However, the new requirements brought by IaaS make these use cases harder to address. Or, as Gartner puts it: “Simply running agents designed for on-premises servers and hoping these will work in IaaS is not sufficient” (CWPP).
Compliance checks and manual security audits are good snapshots of a company's security posture, but they cannot keep up with the pace of today's business. Although automated vulnerability management cannot replace a comprehensive audit by experts, it can greatly reduce the exposure to large-scale, automated attacks.
Furthermore, the DevOps way of “deploying often and fully automated” brings a new opportunity to apply patches, and thus raise security, in a timely manner. DevOps teams do not patch live systems. Instead, they patch the templates from which the workloads are generated and then promote the rebuilt workloads to production.
How to implement a plan for Cloud Workload Security?
You have had enough of problem statements and requirements. Now that your company is already putting workloads on IaaS, how do you start?
Establishing priorities and a roadmap is a good way to start. Gartner has defined a hierarchy of protection strategies that will help you.
A good plan might be a bottom-up approach. There are plenty of good tools that can help you along the way!
Elastic Detector provides the bottom three layers of protection for every IaaS cloud, such as AWS, Microsoft Azure, OpenStack, vCloud and many others.
Discover Elastic Detector new features like:
- configuration and vulnerability management
- network segmentation analysis
- integrity monitoring