nfosec expert Rani Osnat lays out security challenges and offers hope for organizations migrating their IT stack to the private and public cloud environments.
The combination of private and public cloud infrastructure, which most organizations are already using, poses unique security challenges. There are many reasons why organizations adopt the public cloud — from enabling rapid growth without the burden of capacity planning to leveraging flexibility and agility in delivering customer-centric services. However, this use can leave companies open to threats.
Since regulatory requirements or other preferences dictate that certain applications remain on private (on-prem) infrastructure, many organizations choose to maintain a mix of private and public infrastructure. Additionally, organizations typically use multiple cloud providers simultaneously or preserve the option to move between providers. However, this hybrid approach presents unique and diverse security challenges. Different cloud providers and private cloud platforms may offer similar capabilities but different ways of implementing security controls, along with disparate management tools.
The question then becomes: How can an organization maintain consistent governance, policy enforcement and controls across different clouds? And how can it ensure that it maintains its security posture when moving between them? Fortunately, there are steps professionals can take to ensure that applications are continuously secure, starting from the early stages of development and extending throughout the lifecycle.
Old Security Tools No Longer Effective in the Cloud
Security tools not born in the cloud are ill-equipped to protect applications running in the cloud for many reasons. First, they are incapable of coping with the considerably accelerated development cycles of cloud native applications, compared with traditional waterfall methods. Instead of releasing versions every few months, organizations that employ cloud native CI/CD are continuously integrating and deploying applications and updates, sometimes multiple times per day. This mandates an automated approach to ensuring security — one that’s embedded into the early stages of development so that it doesn’t become the bottleneck slowing development and operations.
Additionally, in the dynamic and diversified cloud environment, security solutions can no longer expect or rely on permanent infrastructure and location. If, in the past, we knew that a certain server ran a certain application (e.g., a Microsoft Exchange server or database), we cannot assume that the same scenario applies today. Modern cloud application solutions are tied to the application itself, not to its IP address or a specific server location. Automated orchestration of workloads means that a database might be running on one container now and on a different one, with a different IP address, 10 minutes later. Or, perhaps, tomorrow, the whole cluster will move to a different cloud provider entirely. This is why organizations need to use more modern, cloud-specific solutions rather than older ones not meant for the cloud.
Cloud Providers’ Own Security Tools: A Limited Answer
The major cloud providers all use what’s called “the shared responsibility model,” which, at a very simplistic level, distinguishes between security “of the cloud” (the provider’s responsibility) and security “in the cloud” (the customer’s responsibility). “Shared responsibility” does not translate into shared accountability. When it comes to the physical security of public cloud data centers, organizations need not worry; the cloud providers operate such security at the highest standards, similar to those employed by major banks and government agencies. But for everything else, the responsibility lies squarely with the customer organizations — in fact, Gartner predicts that through 2025, 99% of cloud security failures will occur on the customer’s side.
The tools offered by the cloud security providers (CSP) usually provide partial coverage for customer needs and increase the dependency of the customers on the cloud provider, but are not equally effective in protecting the multi-cloud environment, especially private clouds.
The New Stack is Great for Security
The good news is that the technologies that are used to run the new stack, such as containers and Kubernetes, enable better security than was ever possible before, and with more granular visibility and automation. They also make it easier to transfer security across private and public cloud environments, provided that the security controls are applied correctly.
Since containers are made to be portable and Kubernetes was made to be intraoperative with any cloud environment, if you attach security tooling that was specifically designed to protect your containers, you can run them anywhere uniformly, regardless of where your applications are.
Due to the complexity of cloud environments and the many moving parts involved, planning the tech stack requires a holistic approach to defend applications across their entire lifecycle — from development to production. Such an approach should be able to handle multiple security gaps across both infrastructure components and application code, whether managing vulnerabilities, misconfigurations, malware or behavioral anomalies.
The Born-in-the-Cloud Approach
Companies now are not only born in the cloud but specifically set out to secure the new cloud native stack, from containers to VMs and serverless. Cloud Native Application Protection Platform (CNAPP) — a new category named by Gartner — protects enterprise applications against attacks, which are increasing as the adoption of cloud grows.
While the future of cloud security is bright, the present is uncertain. This is due to the increase in the volume and sophistication of attacks that specifically target cloud infrastructure and supply chains. A vulnerable or badly configured Kubernetes node will be targeted within as little as 20 minutes. These sophisticated attacks might result in a variety of malicious outcomes, from cryptocurrency mining to credentials theft, and from rootkit installation to network traversal.
The lag between the race to move more workloads to the cloud and the ability to secure those workloads stems from knowledge and skills deficits, but there are platforms to bridge those gaps. More importantly, companies can achieve an unprecedented level of security as a result of the high level of policy-driven automation, the reduction in attack surface, and the ability to detect the smallest drift or behavioral anomalies of application components. Security methods that are an integral part of developing, deploying and running cloud applications are the way forward