Cloud Security Monitoring Challenges
Business needs are pushing all companies to leverage cloud services. Multiple benefits exist: ubiquitous access, speed to market, increased uptime, and a lighter burden on overcommitted IT teams all play into the migration of previously internally managed commodity services to cloud-based SaaS providers. The cloud services in use span the network, storage, and compute layers of IT as well as the corporate back-end systems supporting HR, finance, legal, and operations. All of these systems house sensitive and proprietary data, and data security remains the primary concern of security professionals whose organizations rely on cloud service providers. Under the shared responsibility model the provider secures the underlying infrastructure, but the customer remains responsible for its own data, identities, and configuration. That model looks good on paper; in practice it is imperative for organizations to apply additional controls for data protection and monitoring in cloud environments, and that is a multi-faceted challenge.
Data security is a primary tenet of cloud architecture, cloud monitoring, and cloud incident response capabilities. Focusing on a data security model oriented around networks can restrict access to only those who require it, but we must go beyond basic virtual networking to support cloud environments. This includes placing data security controls into a combination of policies that look at the assets involved, the applications in use, as well as the data being accessed by a particular identity (whether that identity is human or machine).
Deploying a zero trust model includes the positive enforcement of specific checkpoints that are required to be successfully passed before access is granted to a given piece of data or a digital resource.
What to do to update your cloud security capabilities
The best way to think about updating your cloud security capabilities to maximize your benefits is to ensure that you don’t immediately throw away all of your current tools. While many of your existing security tools and solutions in your on-premises security stack will not easily migrate or even function successfully in a cloud-native environment, you need to take an inventory of what tools you have, look at why they were purchased, and review the use cases for which they were implemented. By looking back, you will now be positioned to move forward.
Once you have a solid understanding of your existing on-premises or hybrid security tools, you can then determine what can be augmented to help support a zero trust architecture (i.e., data-centric focus; assumed-hostile network environment; ever-present threats; untrusted internal network: all devices, networks, users must be verified; and all traffic is logged and inspected). By evaluating and comparing current tools you can determine what else you will need to implement: cloud services identity authentication, device access authorization, network segmentation, logging and inspection of data access traffic, and data activity monitoring and auditing of controls.
Existing networks can be further secured through segmentation or monitoring gateways that apply granular policies and controls based on the data being accessed, the applications being used, and the identity of the users and services requesting access. These network-focused gateways can help you extend into the cloud quickly while providing viable security through continued expansion. One potential issue that may arise when extending existing directories or security user groups into the cloud is that you could be replicating an over-permissioned user into the cloud environment. But a zero trust architecture will help you identify these situations by enforcing a verification process at every step instead of allowing unfettered access to any cloud resource.
Keep in mind that you will want to take the time to rationalize your security stack and simplify it wherever possible as you enable cloud security gateways, network segmentation, and monitoring controls. This will drive cost efficiencies while ensuring effective data security is in place.
Zero trust throughout the stack
While a traditional zero trust architecture is network oriented, you must also include endpoints and applications in the security equation. An endpoint-only strategy will not be sufficient, even though endpoints carry the highest risk from an exposure, internet access, and business email compromise standpoint. Begin your zero trust journey at the network or application layer, defining policies there before enforcing them on the endpoint, but you will need all three layers to be successful. Remember: the network is the mechanism by which users, processes, and services communicate, endpoints are the most exploitable component, and applications hold the data attackers are after.
Issuing client (device) certificates and requiring them in a mutually authenticated TLS session helps ensure that only validated endpoints connect and communicate: anything outside an encrypted session with a valid, unexpired, unrevoked device certificate is dropped. This step alone removes several risk vectors involving stolen or reused passwords, since a credential without the matching device is no longer enough, although an insider on a compliant device still passes this check, which is why identity and entitlement checks must remain in the chain. And even with controls on the endpoint, it remains the easiest thing for adversaries to exploit, so you must layer security on the network and around your applications.
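The checkpoints described above (verified identity, a validated device certificate, and an entitlement that names the application and the classification of the data, with every decision logged) can be written down as an ordered, fail-closed policy evaluation. The following is an added example for this article, not code from any cloud provider or gateway product; the device CA name, the revocation list, the entitlement table, and the sample requests are all illustrative assumptions. It also shows how an over-permissioned group synced into the cloud is caught at the entitlement checkpoint rather than being granted unfettered access.

```python
"""Zero trust access decision as an ordered chain of checkpoints.

Added example for this article; not code from any provider or product.
ORG_DEVICE_CA, REVOKED_DEVICE_FINGERPRINTS, ENTITLEMENTS and the sample
requests are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

ORG_DEVICE_CA = "CN=Example Corp Device CA"          # assumed issuer of device client certs
REVOKED_DEVICE_FINGERPRINTS = {"sha256:ab12cd34"}    # assumed revocation list
# (group, application, data classification) triples that are explicitly entitled.
# Anything not listed is denied: being "inside" the network grants nothing.
ENTITLEMENTS = {
    ("finance", "ledger-app", "confidential"),
    ("finance", "ledger-app", "internal"),
    ("engineering", "ci-runner", "internal"),
}


@dataclass
class Request:
    identity: str                     # human user or workload identity
    groups: frozenset
    strong_auth: bool                 # MFA for humans, attested workload identity for machines
    cert_issuer: Optional[str]        # fields taken from the client certificate in the mTLS session
    cert_fingerprint: Optional[str]
    cert_not_after: Optional[datetime]
    application: str
    data_classification: str
    now: datetime


def check_identity(r: Request) -> Optional[str]:
    if not r.identity:
        return "no authenticated identity"
    if not r.strong_auth:
        return "identity not strongly authenticated"
    return None


def check_device(r: Request) -> Optional[str]:
    if r.cert_issuer is None or r.cert_not_after is None:
        return "no client certificate presented"
    if r.cert_issuer != ORG_DEVICE_CA:
        return "client certificate not issued by the device CA"
    if r.cert_not_after <= r.now:
        return "device certificate expired"
    if r.cert_fingerprint in REVOKED_DEVICE_FINGERPRINTS:
        return "device certificate revoked"
    return None


def check_entitlement(r: Request) -> Optional[str]:
    wanted = {(g, r.application, r.data_classification) for g in r.groups}
    if wanted.isdisjoint(ENTITLEMENTS):
        return f"{r.identity} not entitled to {r.data_classification} data via {r.application}"
    return None


CHECKPOINTS = (check_identity, check_device, check_entitlement)


def decide(r: Request) -> Tuple[str, str]:
    """Fail closed at the first checkpoint that does not pass.
    The reason is returned with the verdict so every decision can be logged."""
    for checkpoint in CHECKPOINTS:
        reason = checkpoint(r)
        if reason:
            return "deny", f"{checkpoint.__name__}: {reason}"
    return "allow", "all checkpoints passed"


# Constructed sample requests (assumed values, not real identities or devices).
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
VALID_CERT = dict(cert_issuer=ORG_DEVICE_CA, cert_fingerprint="sha256:77ee99ff",
                  cert_not_after=datetime(2025, 1, 1, tzinfo=timezone.utc))


def sample_requests():
    base = dict(groups=frozenset({"finance"}), strong_auth=True, application="ledger-app",
                data_classification="confidential", now=NOW)
    return {
        "ok": Request(identity="alice", **base, **VALID_CERT),
        "stolen_password_no_mfa": Request(identity="alice", **{**base, "strong_auth": False}, **VALID_CERT),
        "unmanaged_device": Request(identity="alice", **base, cert_issuer=None,
                                    cert_fingerprint=None, cert_not_after=None),
        "over_permissioned_group": Request(identity="bob", **{**base, "groups": frozenset({"engineering"})},
                                           **VALID_CERT),
        "revoked_device": Request(identity="alice", **base,
                                  **{**VALID_CERT, "cert_fingerprint": "sha256:ab12cd34"}),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:28s} -> {decide(req)}")
```

The order of the chain matters: a request with a stolen password is refused before the device is even examined, and an unmanaged device never reaches the entitlement table. In a real deployment the certificate fields come from the terminated mTLS session, the revocation set from your PKI, and the entitlement table from the data classification and application inventory the preceding sections ask you to build.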
Extending cloud-native security controls
Cloud architectures naturally align with zero trust models, since the virtualized services begin by defining virtual network zones where workloads are deployed and where sensitive data is accessed and stored. While native security controls in the cloud were initially weak, these controls and threat monitoring capabilities are improving quickly. AWS GuardDuty, Microsoft Azure Monitor and Azure Sentinel (since renamed Microsoft Sentinel), and Google's Chronicle (Backstory) are all examples of enterprise-grade security features built and offered by the cloud service providers. Extending virtual segmentation gateways into the cloud service provider stack can support several layers of zero trust policy, enforcing controls on traffic based on which identity is performing the action, which applications are in use, and which data is being accessed.
Logging and auditing are not only a critical compliance requirement but a security imperative. Given the cloud architectures in place, you will need to enable logging at the virtual network, workload/system, and access control layers, and all of that telemetry will need to be fed to a threat correlation and behavioral analytics engine so that an appropriate response can be taken whenever unusual or malicious traffic or events are observed.
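To make the correlation step concrete, here is an added example, not code from any provider's product, that runs three access-layer detections over a handful of constructed CloudTrail-shaped events: a console login that succeeded without MFA, a sensitive S3 bucket read by an identity that has never touched it before, and one identity active from more than one source IP inside a short window. The account ID and IP addresses are placeholder values, and `BASELINE` is an assumed table of which identities normally read each sensitive bucket.

```python
"""Correlating access-control-layer logs for zero trust monitoring.

Added example for this article; not code from any provider's product.
SAMPLE_LOG is constructed in CloudTrail's JSON shape (placeholder account ID
and documentation IP ranges); SENSITIVE_BUCKETS and BASELINE are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """
{"eventTime":"2024-03-01T09:00:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-03-01T09:01:10Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"bucketName":"hr-payroll-exports","key":"2024/q1.csv"}}
{"eventTime":"2024-03-01T09:04:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"203.0.113.9","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"bucketName":"hr-payroll-exports","key":"2024/q1.csv"}}
{"eventTime":"2024-03-01T09:05:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"10.0.4.21","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/payroll-batch/i-0abc"},"requestParameters":{"bucketName":"hr-payroll-exports","key":"2024/q1.csv"}}
{"eventTime":"2024-03-01T09:30:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
"""

SENSITIVE_BUCKETS = {"hr-payroll-exports"}
# Assumed baseline learned from prior weeks: identities that normally read each sensitive bucket.
BASELINE = {"hr-payroll-exports": {"arn:aws:sts::123456789012:assumed-role/payroll-batch/i-0abc"}}


def parse_events(log_text):
    """One JSON object per line, as a CloudTrail export flattened to JSON lines."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def event_time(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_console_login_without_mfa(events):
    """ConsoleLogin records MFAUsed under additionalEventData; a success without it is a finding."""
    return [
        {"rule": "console-login-no-mfa", "identity": e["userIdentity"]["arn"], "ip": e["sourceIPAddress"]}
        for e in events
        if e["eventName"] == "ConsoleLogin"
        and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
        and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"
    ]


def detect_sensitive_data_first_access(events):
    """Flag each (identity, bucket) pair once when the identity is not in that bucket's baseline."""
    findings, seen = [], set()
    for e in events:
        if e["eventSource"] != "s3.amazonaws.com":
            continue
        bucket = e.get("requestParameters", {}).get("bucketName")
        arn = e["userIdentity"]["arn"]
        if bucket in SENSITIVE_BUCKETS and arn not in BASELINE.get(bucket, set()) and (arn, bucket) not in seen:
            seen.add((arn, bucket))
            findings.append({"rule": "sensitive-bucket-new-identity", "identity": arn, "bucket": bucket})
    return findings


def detect_identity_from_multiple_ips(events, window=timedelta(minutes=10)):
    """One identity seen from more than one source IP within `window` (a cheap credential-sharing signal)."""
    by_identity = defaultdict(list)
    for e in events:
        by_identity[e["userIdentity"]["arn"]].append((event_time(e), e["sourceIPAddress"]))
    findings = []
    for arn, seen in by_identity.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            ips = {ip for t, ip in seen[i:] if t - t0 <= window}
            if len(ips) > 1:
                findings.append({"rule": "identity-multiple-source-ips", "identity": arn, "ips": sorted(ips)})
                break  # one finding per identity is enough for an analyst queue
    return findings


def run_detections(log_text):
    events = parse_events(log_text)
    return (detect_console_login_without_mfa(events)
            + detect_sensitive_data_first_access(events)
            + detect_identity_from_multiple_ips(events))


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run against the sample, all three rules fire on the same identity, which is the point of correlating across layers: an MFA-less login, a first-time read of payroll data, and a second source IP are each weak alone but together describe a compromised credential. The baseline table stands in for the behavioral model a real analytics engine would maintain from weeks of access logs.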
Cybersecurity strategy impacts
The benefits of a zero trust design and data security control model extend to all organizations regardless of size, scale, and complexity. Ensuring that the strategy is aligned with business priorities and goals is paramount. Even the least technically-oriented leaders of a company can understand the benefits, goals, and purpose of zero trust. Making sure that the architectures are solid, the use cases are documented, and the policies are thoroughly tested will all help in ensuring that the zero trust technology is effective even as the IT landscape is aggressively evolving. Maintaining a clear focus on data security will help all zero trust initiatives maintain the level of assurance and transparency that is being continually challenged by every new, successful security breach.
Building the zero trust model as a multi-layered approach, and implementing new capabilities where traditional security models have faltered, allows organizations to define custom policies and controls for their specific assets and sensitive data. A scalable, proven, and customizable data security capability built on zero trust helps businesses meet their obligation to safeguard their data. Zero trust lets businesses understand what the data is, where it is located, and how it should be protected, with adaptive and scalable data security controls that work across all networks, with any device, and in all user circumstances.