Five Essential Capabilities for Airtight Cloud Security
SECURITY IN THE CLOUD REQUIRES NEW CAPABILITIES

It is no secret: security and compliance are at the top of the list of concerns tied to cloud adoption. According to a recent 2017 Cloud Security survey of over 350,000 members of the LinkedIn Information Security Community, IT pros have general concerns about security in the cloud (33 percent), in addition to data loss and leakage risks (26 percent) and legal and regulatory compliance (24 percent).1 The number of reported breaches in enterprise datacenter environments still far exceeds the reported exposure from cloud platforms, but as businesses start using public clouds to run their mission-critical workloads, the need for enterprise-grade security in the cloud will increase.

General cloud security is not lacking by any means: IaaS providers such as AWS offer a multitude of tools to help you secure your cloud environment. Implementing these tools, however, can prove daunting. According to a recent 2017 Gartner report titled "Assessing Cloud Security Monitoring and Compliance Capabilities in AWS," third-party solutions are often necessary for full security life cycle assessment, compliance and GRC (Governance, Risk and Compliance).2

1 Crowd Research Partners, Cloud Security 2017 Spotlight Report, Holger Schulze, March 29, 2017.
2 Gartner, Technical Professional Advice: Assessing Cloud Security Monitoring and Compliance Capabilities in AWS, Mike Morrato, February 13, 2017.

IaaS security is built on a model of shared responsibility between the cloud service provider, such as Amazon Web Services (AWS), and the customer. End-to-end security relies on enterprise customers establishing and enforcing strict policies and processes. Many organizations fail to secure their vital infrastructure end-to-end because they do not realize that security in the public cloud is fundamentally different from enterprise datacenter security.

Today's enterprise datacenter has several layers of security measures. Connection policies and access controls are handled with care by firewalls, routers and switches that designate zones, control which protocols are allowed, and revoke access from unauthorized users and machine processes. Supplementary security, such as intrusion prevention systems and malware protection, is often in place as well.

The cloud is very different from the datacenter. It is highly dynamic, flexible and instantaneously configurable; simple changes to security policies can expose private resources to the world. There are many moving parts, which means there can be oversights and errors. Configuration management, patch management, connection policies and access control all require attention to detail. Public cloud environments require a centralized, consolidated security platform that is built from the ground up for the cloud and allows administrators to monitor and actively enforce security policies. The tools and techniques that worked to secure datacenter environments fail miserably in the cloud. Server-based controls such as firewall policies, file integrity monitoring (FIM), logging and strong access controls may have to be applied to each workload, but they should be controlled from a single dashboard.

Following is a checklist of the five capabilities enterprise customers need to look for when selecting a platform to manage infrastructure security in the public cloud.

1 POWERFUL VISUALIZATION - YOU CANNOT FIX WHAT YOU CANNOT SEE

Figure 1: Powerful Visualization for Complete Security Control
Public cloud providers such as AWS have built rich security features and granular controls, allowing administrators to manage which workloads can talk to each other and which are exposed to the whole world. As cloud environments grow across multiple virtual private clouds (VPCs), accounts and regions, it becomes increasingly challenging to understand and correctly configure security policies. Mapping relationships with a visualization tool can help administrators understand the network security posture and identify configuration errors. Taking the time to complete this process is even more critical in dynamic environments, where cloud elasticity means new workloads are being spun up on demand.

2 NETWORK SEGMENTATION USING AGENTLESS, CLOUD-NATIVE SECURITY CONTROLS

Figure 2: Network Segmentation with Agentless Security Controls

Once a workload is created and its OS, apps and connections are determined, network security policies such as AWS security groups (SGs) need to be put in place to segment traffic and control access to servers. Developers and operations teams usually just accept the default security policies, which are overly permissive, allowing any connection from anywhere to any port on the new virtual server. It's easy to restrict access to one IP or several, but many administrators cannot predict beforehand which IP addresses they will be logging in from, which means they fail to restrict critical access. Unfettered access to workloads in a cloud environment can be prevented by microsegmenting the network using the built-in SG policies of the cloud environment, so that a breach in one part of the application cannot spill over into other instances or services.
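As an added example (not Dome9's code or any AWS tooling), the following Python audits security groups given in the IpPermissions shape that the EC2 DescribeSecurityGroups API returns and flags every ingress rule whose source is the whole Internet, ranking all-traffic and admin-port exposure above an ordinary public service port. The group IDs, addresses and severity labels are constructed for the example; rules scoped to a specific CIDR or to another security group are treated as the segmented case the text calls for.

```python
"""Audit AWS security groups for ingress rules open to the whole Internet.
Input mirrors the IpPermissions shape of EC2 DescribeSecurityGroups; the
sample data below is constructed for this example."""
WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # SSH and RDP

def _ports(perm):
    """Port range a permission covers; IpProtocol '-1' means all traffic."""
    if perm["IpProtocol"] == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))

def audit_security_group(sg):
    """Return (group_id, severity, protocol, (from, to), cidr) for each
    ingress rule whose source is 0.0.0.0/0 or ::/0; rules scoped to specific
    CIDRs or to another security group are treated as properly segmented."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        lo, hi = _ports(perm)
        if perm["IpProtocol"] == "-1":
            severity = "critical"  # every port and protocol, from anywhere
        elif any(lo <= p <= hi for p in ADMIN_PORTS):
            severity = "high"      # remote administration from anywhere
        else:
            severity = "medium"    # a public service port; confirm intent
        for cidr in cidrs:
            if cidr in WORLD:
                findings.append((sg["GroupId"], severity, perm["IpProtocol"], (lo, hi), cidr))
    return findings

def audit_all(groups):
    return [f for sg in groups for f in audit_security_group(sg)]

# Constructed sample: a default-style group left wide open, and a segmented one.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},            # one admin host
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-0example3"}]}]},    # SG-to-SG reference
]
if __name__ == "__main__":
    for gid, sev, proto, (lo, hi), cidr in audit_all(SAMPLE_GROUPS):
        print(f"{gid}: {sev:8} {proto} {lo}-{hi} open to {cidr}")
```

Feeding the real output of `aws ec2 describe-security-groups` into `audit_all` is a one-line change, since the key names are the API's own.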
3 IN-PLACE REMEDIATION AND ACTIVE PROTECTION - GO BEYOND MONITORING

Figure 3: In-place Remediation and Active Protection

Customers cite elasticity and flexibility as the primary reasons for moving infrastructure to the cloud. However, tracking and maintaining control of security policies is where elasticity and flexibility can lead to issues. Virtual machines (VMs) are on the move, changing from one domain to another, and policies may not follow. This can lead to inadvertent exposure of backend servers to everyone. Security operations is responsible for monitoring such changes to ensure that elasticity does not create misconfigurations or open back doors to sensitive data. As mentioned before, a visualization tool that makes these mistakes immediately apparent, combined with the ability to fix discovered issues in real time and prevent them from recurring, is the weapon of choice to combat moving assets.

4 TIME-LIMITED ACCESS TO SERVICES WITH ON-DEMAND NETWORKING

Figure 4: Dynamic Access Leases for Time-limited Access

If you remember, years back the City of San Francisco gave all the keys to its router kingdom to one network administrator, who ended up going rogue and would not give them up, even after being put in jail. Maintaining control over the keys to your network and infrastructure is the single most critical requirement for protecting cloud deployments. A security platform that allows a resource owner to assign access rights on an as-needed basis, on the fly, for a limited amount of time, can help prevent such incidents. A contractor or employee can be granted access for a particular window of time. After the allotted time expires there is no need to manually revoke access; it is automatic. This allows organizations to maintain a closed-by-default security posture by keeping the good guys in for just the right amount of time.

Finally, implementing security training for your staff is a must in the opinion of many experts. In fact, according to the recent 2017 Cloud Security Spotlight Report, 53 percent of organizations plan to train and certify existing IT staff on cloud security, 30 percent plan to partner with a managed security services provider (MSP), and 27 percent will deploy additional security software to protect data and applications in the cloud.3

3 Crowd Research Partners, Cloud Security 2017 Spotlight Report, Holger Schulze, March 29, 2017.

5 LOGGING AND INDEPENDENT AUDIT TRAIL - WATCH EVERYTHING

Figure 5: Logging and Independent Audit Trails

In the worst-case scenario, every workload control (dynamic administrator rights management, firewall policies and file integrity management) is in place, but things might still go wrong. A malicious visitor to the website may cause a denial of service by repeatedly refreshing a page that requires compute-intensive backend processes. How do you find the problem? Monitoring and logging every packet that passes across the cloud environment makes it possible to detect anomalous behavior and demonstrate that the security controls are in place as designed. Ensuring your security controls are in place as intended could be indispensable during an audit, when it is necessary to prove that controls are actually working.
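The "repeated refresh" scenario above, as an added detection example that is not part of the original whitepaper: the script slides a time window over a stream of web access-log lines and flags any client that hits one path a threshold number of times within that window. The log format, the sample lines and the window and threshold values are constructed assumptions; a real deployment would feed it load-balancer access logs or flow logs in their own format.

```python
"""Flag clients that hammer a single URL path, the 'repeated refresh'
denial of service described in the logging section. Log format and
thresholds are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumed: sliding window length
THRESHOLD = 5                    # assumed: hits on one path within WINDOW

def parse_line(line):
    """Parse 'ISO8601 client_ip METHOD /path status' (constructed format)."""
    ts, ip, _method, path, _status = line.split()
    return datetime.fromisoformat(ts), ip, path

def find_refresh_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {(ip, path): peak_hits} for every client/path pair whose hit
    count inside some sliding window reached the threshold. Lines must be
    in time order, as a log stream normally is."""
    recent = defaultdict(deque)  # (ip, path) -> timestamps still in window
    flagged = {}
    for line in lines:
        ts, ip, path = parse_line(line)
        q = recent[(ip, path)]
        q.append(ts)
        while ts - q[0] > window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[(ip, path)] = max(flagged.get((ip, path), 0), len(q))
    return flagged

# Constructed sample: 198.51.100.7 refreshes an expensive report page six
# times in eight seconds; 203.0.113.5 browses normally.
SAMPLE_LOG = [
    "2017-06-01T10:00:00 198.51.100.7 GET /reports/annual 200",
    "2017-06-01T10:00:01 203.0.113.5 GET /index 200",
    "2017-06-01T10:00:02 198.51.100.7 GET /reports/annual 200",
    "2017-06-01T10:00:03 198.51.100.7 GET /reports/annual 200",
    "2017-06-01T10:00:04 203.0.113.5 GET /reports/annual 200",
    "2017-06-01T10:00:05 198.51.100.7 GET /reports/annual 200",
    "2017-06-01T10:00:06 198.51.100.7 GET /reports/annual 200",
    "2017-06-01T10:00:08 198.51.100.7 GET /reports/annual 200",
    "2017-06-01T10:00:30 198.51.100.7 GET /reports/annual 200",
]

if __name__ == "__main__":
    for (ip, path), hits in find_refresh_floods(SAMPLE_LOG).items():
        print(f"{ip} hit {path} {hits} times within {WINDOW.seconds}s")
```

The per-client, per-path window is what separates one visitor hammering an expensive page from many legitimate visitors loading it once each, which a plain request count per path would conflate.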
IN CONCLUSION

It's essential for IT security pros to have visibility into network architectures and on-system controls to provide better defense against the growing number of malicious attacks and inadvertent credential leaks. Deploying cloud controls everywhere and employing a central management dashboard make for an iron-clad system. These five capabilities will help deploy secure compute environments that will drive cloud adoption.

ABOUT DOME9 SECURITY

Dome9 delivers verifiable cloud infrastructure security and compliance to organizations across every public cloud. The Dome9 Arc SaaS platform leverages cloud-native security controls and cloud-agnostic policy automation to enable comprehensive network security, advanced IAM protection, and continuous compliance in Amazon Web Services (AWS), Microsoft Azure and Google Cloud environments. Dome9 offers technologies to assess security posture, detect misconfigurations, model gold standard policies, protect against attacks and identity theft, and conform to security best practices in the cloud. Organizations use Dome9 Arc for faster and more effective cloud security operations, pain-free compliance and governance, and rugged DevOps practices. Learn more at https://dome9.com.

CONTACT US

Dome9 Security, Inc.
701 Villa Street
Mountain View, CA 94041 USA
+1 877-959-6889
https://dome9.com
contact@dome9.com

For a free security assessment or trial, please contact:
US Sales: +1-877-959-6889
International Sales: +44-20-8144-0620

Copyright 2017 Dome9 Security, Inc. All rights reserved. Other brand names are for identification purposes only and may be the trademarks of their holder(s).