As more companies eye a shift to cloud-based applications and services, the need for stronger cloud workload protection grows correspondingly. According to a recent “State of Cloud Security” report by McAfee, organizations’ use of cloud services increased by 15% from 2017 to 2018, which only substantiates what most network and security professionals already know. The migration to cloud has been steady for more than a decade, and though technology teams have grown accustomed to the complexities of managing data in a network owned by another organization and shared with other tenants, security teams continue to wrestle with visibility into cloud risks and the means by which to mitigate those risks.
Managing security in and of the cloud is no small feat, complicated by the fact that each cloud service provider (CSP) offers slightly different types and levels of security controls to customers. This is no knock on CSPs; they are working hard to offer mechanisms by which customers can layer protection inside the environment. That said, according to the McAfee report, nearly a third of cloud consumers say they lack visibility into what data their organizations have in the cloud, and approximately a quarter of respondents (in each of the following categories) said they are unable to monitor data in transit to and from cloud applications, that cloud applications are being provisioned outside of IT, and that they have “incomplete control” over who can access sensitive data in the cloud.1
This combination of lack of visibility and lack of control is particularly concerning when you consider the amount of sensitive data organizations are putting into the cloud, emerging and recent regulations for security and privacy of data, and the shared responsibility model for protecting cloud data. Companies cannot afford (sometimes literally) to fail at protecting cloud workloads. Yet, per a recent Threat Stack report, 62% of companies have not implemented multi-factor authentication for access to sensitive data in the cloud, and 27% of respondents said their organization has not enabled the security services AWS itself provides. Even more alarmingly, Threat Stack found that 73% of companies have at least one critical misconfiguration in their AWS deployment, which means that attackers can “gain access directly to private services or the AWS console.” Combined, these missteps create a path of least resistance for cyber criminals looking to steal, destroy, or otherwise manipulate organizations’ data for their own gain.
Focusing on security fundamentals
“Misconfigured cloud servers, networked backup incidents, and other improperly configured systems were responsible for the exposure of 2 billion data records” in 2017, according to the IBM X-Force Threat Intelligence Index, a statistic that should be enough to convince even the most risk-tolerant company to pay more attention to fundamental security operations, including cloud workload protection. For years, organizations have been using network security tools that were built for on-premises data centers and trying to adapt them to cloud environments. Unfortunately, those tools key their controls to IP addresses and subnets, constructs that lose their meaning when workloads are ephemeral and addresses are reused; an attacker who compromises one workload inherits whatever its address is allowed to reach, moves laterally, and ultimately reaches cloud consumers’ sensitive data. All the while, network and security teams remain blind to the unauthorized traffic because traditional tools lack visibility in highly dynamic environments.
To stop unauthorized access and exploitation, organizations need cloud workload protection that supplies visibility, data-focused security control, and monitoring capabilities uniformly across environments. Security teams are stretched too thin and have too much ground to cover to spend time managing and monitoring diverse sets of tools for disparate environments, especially when those tools do not (cannot) supply actionable insights that can be correlated across the company’s multi-cloud or hybrid cloud networks. As companies increase their use of cloud for applications and services, having a well-thought-out strategy and effective tools already in place will ease the pain of cloud workload protection; scaling without a strategy will lead to bigger problems, and more data lost, down the road.
Watch our on-demand webinar, "Why Zero Trust Security is Essential for Your Cloud and Data Center."
Accounting for human error — without blaming the humans
Cloud misconfiguration (per the reports above) and stolen credentials are likely to remain the top threats to companies’ cloud data. Organizations therefore need to layer protection so that an attacker who gets a foothold is prevented from moving laterally inside the network and reaching business-critical applications and services. An organization’s approach to cloud workload protection must first give security and network teams better visibility into what is communicating in the cloud and how those communications are happening. Beyond visibility, teams must be able to measure and quantify network overexposure: how many workloads can reach a given service, over which ports, and from which address ranges. If the business can measure the cost and productivity gains of using the cloud over on-premises networks and tools, security and network teams need to be able to show where, when, and how cybersecurity risk offsets those gains.
The next layer of cloud workload protection is to focus on age-old security fundamentals including:
- Institute automated security-related patching
- Keep an inventory of what is deployed and which versions are running
- Apply automated user account provisioning/deprovisioning
- Enforce least-privilege access
- Implement multi-factor authentication (notably for admin accounts)
- Turn on encryption for data at rest and in transit
- Create regular data backups for critical data
- Monitor continuously
- Use zero trust networking to ensure attackers can’t hide in approved network traffic
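The two ideas that run through the list above and the previous section, quantifying network overexposure and expressing access by workload identity rather than by address, can be made concrete with a small script. The following is an added illustration written for this page; it is not a tool from the report authors or from any cloud provider. The rule format mimics security-group ingress rules (group, protocol, port range, source CIDR) but is constructed sample data, the list of sensitive ports and the scoring weights are assumptions, and the label-based policy table is a hypothetical zero trust policy for a three-tier application.

```python
import ipaddress
from dataclasses import dataclass

# Ports an attacker probes first when they are reachable from the internet.
# Assumed list for this example; extend it for your environment.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   27017: "mongodb", 6379: "redis"}


@dataclass(frozen=True)
class Rule:
    """One ingress rule: proto is 'tcp', 'udp' or '-1' (all protocols/ports)."""
    group: str
    proto: str
    from_port: int
    to_port: int
    cidr: str


# Constructed sample rules (hypothetical; not from any real account).
SAMPLE_RULES = [
    Rule("sg-web", "tcp", 443, 443, "0.0.0.0/0"),        # expected for a web tier
    Rule("sg-web", "tcp", 22, 22, "0.0.0.0/0"),          # ssh open to the world
    Rule("sg-db", "tcp", 5432, 5432, "10.0.0.0/8"),      # whole private range, not just app tier
    Rule("sg-db", "tcp", 5432, 5432, "10.1.2.0/24"),     # scoped to one subnet
    Rule("sg-bastion", "-1", 0, 65535, "203.0.113.0/24"),  # all ports from an office range
    Rule("sg-cache", "tcp", 6379, 6379, "::/0"),         # redis open to the world over IPv6
]


def rule_ports(rule):
    """Port range a rule admits; '-1' means every port."""
    if rule.proto == "-1":
        return range(0, 65536)
    return range(rule.from_port, rule.to_port + 1)


def exposed_sensitive_ports(rule):
    """Sensitive ports that fall inside the rule's port range."""
    ports = rule_ports(rule)
    return sorted(p for p in SENSITIVE_PORTS if p in ports)


def classify(rule):
    """Return 'critical', 'broad' or 'ok' for a single rule."""
    net = ipaddress.ip_network(rule.cidr, strict=False)
    world = net.prefixlen == 0            # 0.0.0.0/0 or ::/0
    sensitive = exposed_sensitive_ports(rule)
    if world and (sensitive or rule.proto == "-1"):
        return "critical"
    # Internet-facing on a non-sensitive port, a very large CIDR, or all
    # protocols from a source are still more exposure than the service needs.
    if world or net.prefixlen < 16 or rule.proto == "-1":
        return "broad"
    return "ok"


def exposure_report(rules):
    """Group findings by severity and reduce them to one trackable score.

    Weighting (assumed): 10 per critical rule, 1 per broad rule.
    """
    findings = {}
    for rule in rules:
        severity = classify(rule)
        if severity != "ok":
            findings.setdefault(severity, []).append(rule)
    score = 10 * len(findings.get("critical", [])) + len(findings.get("broad", []))
    return findings, score


# Hypothetical zero trust policy: allow is stated in terms of what the
# workload *is* (its role label), not which address it currently holds.
# Entries are (source role, destination role, proto, port); '*' matches any role.
POLICY = [
    ("internet", "web", "tcp", 443),
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
    ("bastion", "*", "tcp", 22),
]


def flow_allowed(src_role, dst_role, proto, port):
    """Default deny: a flow is permitted only if some policy entry matches it."""
    for src, dst, pol_proto, pol_port in POLICY:
        if (src in ("*", src_role) and dst in ("*", dst_role)
                and pol_proto == proto and pol_port == port):
            return True
    return False


if __name__ == "__main__":
    findings, score = exposure_report(SAMPLE_RULES)
    for severity, rules in findings.items():
        for r in rules:
            print(f"{severity:8} {r.group:10} {r.proto:3} {r.from_port}-{r.to_port} from {r.cidr}")
    print("exposure score:", score)
    # A compromised web workload cannot reach the database under the label policy,
    # even though an address-based rule such as 10.0.0.0/8 would have let it through.
    print("web -> db:5432 allowed?", flow_allowed("web", "db", "tcp", 5432))
    print("app -> db:5432 allowed?", flow_allowed("app", "db", "tcp", 5432))
```

Run against the sample, the report flags the world-open SSH and Redis rules as critical and the 10.0.0.0/8 database rule, the all-protocol bastion rule and the public HTTPS rule as broad, giving a score the team can watch trend downward release over release. The second half shows why the label policy matters for lateral movement: the web tier is allowed to talk to the app tier only, so an attacker who lands on a web workload gains no path to the database, regardless of which address that workload happens to have.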
Organizations have moved (and are moving) applications and services to the cloud because creating modern microservices-based infrastructure and application stacks is easy. Operating and securing them is hard, especially when the right strategies and tools for cloud workload protection are not in place. Security and network teams have to embrace the shared responsibility model of cloud security and take advantage of the available tools to gain visibility into cloud workloads, protect the workloads and the networks on which they communicate, and monitor their environments continuously.
1. IaaS and SaaS usage