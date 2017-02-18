Part 2: What You Need to Know About Hybrid Cloud Security

In the first article of this three-part series on hybrid cloud security, we discussed the Shared Responsibility Model and examined how the most common attack strategies persist, are amplified, or are mitigated as assets move from data centers to the cloud. Today, we'll look at some of the unique security challenges that are introduced by public cloud environments.

While cloud computing delivers many operational, cost-saving and security benefits, it takes place in a public, shared, on-demand environment, which creates a new set of security challenges for organizations. Because cloud infrastructure is also dynamic and elastic, it changes far more frequently than a data center does, which further complicates security monitoring.

Because of these factors, many legacy security monitoring tools that were built for the data center cannot be adapted for cloud monitoring, and their security functions may not align with the unique capabilities and limitations of cloud environments. In short, such tools may not be able to effectively address cloud security risks.

In our hybrid cloud world, we must evaluate our security requirements and goals for on-premises, private cloud and public cloud infrastructures so we can identify and deploy security and threat management solutions that will safeguard all environments without unnecessary costs or complexity. In this article, we'll also share some tips and best practices that can help keep your organization - and its business-critical data - safe in the cloud.

Protecting the Keys to Your Kingdom

As mentioned in part one of this series, access keys and root account credentials are the proverbial "keys to your kingdom" and, as such, are a major security concern in public cloud environments. If these credentials are not properly secured and are compromised, malicious actors gain access to, and control over, your entire cloud environment.

Once they are inside the account, they can steal data and run malicious software on your systems. They can also spin up cloud resources without limit (to mine cryptocurrency, for example), leaving you with an enormous bill. There is no direct on-premises parallel to this kind of attack: the resources in your own data center are owned outright, static and finite, so an intruder cannot run up charges on your behalf.

At this point, you're probably thinking: "Well, isn't this an easy fix? I'll just make sure never to share my root account credentials publicly." However, it's not quite that simple. There have been numerous incidents over the past few years in which web developers, and even security industry analysts, have accidentally published Amazon Web Services (AWS) access keys to GitHub or other public locations, resulting in a spate of fraudulent charges. Although the cloud service providers in such cases often come to the rescue, notifying victims of fraudulent activity and remediating charges, it's important to remember that it is ultimately your responsibility (remember the Shared Responsibility Model!) to keep your credentials and access keys secure.

What can be done? A good first step is to keep keys out of source code, public repositories and shared documents, prefer short-lived credentials (such as IAM roles) over long-lived access keys wherever possible, and rotate any key you suspect has been exposed. This measure alone is not enough, though. You also need to continuously monitor your cloud environment for root account logins, changes to security policies and privileges (new access keys, new administrative policy attachments, audit logging being switched off) and other anomalous events such as bulk resource launches in regions you do not use. A cloud-native security information and event management (SIEM) solution can be a tremendous asset here, as it enables granular security monitoring and analysis of cloud activities by integrating directly with your cloud environment.
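To make the monitoring requirement concrete, the following is an added example (not code from the original article) that triages a handful of constructed records in the shape of AWS CloudTrail events for the signals just listed: root account use, privilege and policy changes, and bulk compute launches. The account ID, IP addresses and ARNs are documentation placeholders, and the office network range, approved regions and launch threshold are hypothetical baseline values that a real deployment would take from its own inventory.

```python
"""Triage constructed CloudTrail-style records for the activity the article
says to watch: root account use, privilege and policy changes, and bulk
compute launches. Added example, not code from the original article."""
from __future__ import annotations

import ipaddress
from typing import Any

# Assumed organisational baseline (hypothetical values, not from the article).
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # office egress range
APPROVED_REGIONS = {"us-east-1", "us-west-2"}
BULK_LAUNCH_THRESHOLD = 10

# IAM and CloudTrail API calls that change who can do what, or blind the audit log.
PRIVILEGE_CHANGE_EVENTS = {
    "AttachUserPolicy", "PutUserPolicy", "AttachGroupPolicy", "PutGroupPolicy",
    "AttachRolePolicy", "PutRolePolicy", "CreateUser", "CreateAccessKey",
    "CreateLoginProfile", "UpdateAssumeRolePolicy", "DeactivateMFADevice",
    "StopLogging", "DeleteTrail", "UpdateTrail",
}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample records in the shape of CloudTrail events. The account ID,
# IPs and ARNs are documentation placeholders, not real identifiers.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"eventID": "e1", "eventTime": "2017-02-18T03:12:44Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventTime": "2017-02-18T03:15:02Z",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"userName": "deploy-bot", "policyArn": ADMIN_POLICY_ARN}},
    {"eventID": "e3", "eventTime": "2017-02-18T03:16:30Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventID": "e4", "eventTime": "2017-02-18T03:20:11Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"instanceType": "p2.xlarge", "instancesSet": {
         "items": [{"imageId": "ami-12345678", "minCount": 40, "maxCount": 40}]}}},
    {"eventID": "e5", "eventTime": "2017-02-18T09:01:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


def _from_known_network(source: str) -> bool:
    """CloudTrail records a service DNS name or 'AWS Internal' in sourceIPAddress
    for calls AWS makes on the customer's behalf; treat those as not external."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in KNOWN_NETWORKS)


def _requested_instance_count(event: dict[str, Any]) -> int:
    """Sum maxCount over the instancesSet items of a RunInstances request."""
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return sum(int(item.get("maxCount", 1)) for item in items)


def triage_event(event: dict[str, Any]) -> list[str]:
    """Return the names of every rule one record trips, in a fixed order."""
    findings: list[str] = []
    identity = event.get("userIdentity", {})
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}

    if identity.get("type") == "Root":  # any root use is worth a ticket
        findings.append("root_activity")
        if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append("root_login_without_mfa")
    if name in PRIVILEGE_CHANGE_EVENTS:
        findings.append("privilege_change")
        if params.get("policyArn") == ADMIN_POLICY_ARN:
            findings.append("admin_policy_attached")
    if name == "RunInstances":
        if _requested_instance_count(event) >= BULK_LAUNCH_THRESHOLD:
            findings.append("bulk_compute_launch")
        if event.get("awsRegion") not in APPROVED_REGIONS:
            findings.append("unapproved_region")
    # An unfamiliar source address is corroboration, not a finding on its own.
    if findings and not _from_known_network(event.get("sourceIPAddress", "")):
        findings.append("unknown_source_ip")
    return findings


def triage_events(events: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map eventID -> findings for every record that tripped at least one rule."""
    result: dict[str, list[str]] = {}
    for event in events:
        findings = triage_event(event)
        if findings:
            result[event["eventID"]] = findings
    return result


if __name__ == "__main__":
    for event_id, hits in triage_events(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(hits))
```

Run against the sample, the first four records each trip one or more rules and the benign DescribeInstances from the office range trips none. In a real deployment the same rules would run over the CloudTrail records delivered to S3 or CloudWatch Logs, and the source-address check would be fed from a maintained list of corporate egress ranges rather than a constant.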

Managing Cloud User Activities

The public nature of the cloud lends itself to a greater number of unsanctioned or "shadow IT" projects and IT decentralization - whether intentional or unintentional. In fact, a recent Cisco report found that "companies are using up to 15 times more cloud services to store critical company data than CIOs were aware of or had authorized."

To ensure the success of cloud security management, therefore, it's essential to know who is using your cloud resources (both users and services) and what they are doing. This will help you identify the account activities that constitute normal or acceptable user behavior so you can quickly investigate any anomalies and irregularities that occur. Here are a few best practices to help you in this endeavor:

Cloud accounts offer multiple methods and tools to strengthen identity and access management (IAM) and to protect users from threats such as phishing - use them. These controls include assigning permissions through role-based groups rather than to individual users, and enforcing multi-factor authentication for console users and, through policy conditions, for API calls as well.

Cloud service providers also offer services that enable you to monitor environmental activities and changes. With a cloud-native SIEM solution that has direct hooks into these services' APIs, you can readily monitor this data and perform security analysis in correlation with other data sources and threat intelligence.

As with on-premises security management, it's important to apply the principle of least privilege in your cloud environment. While this is a seemingly obvious practice - giving users only the minimum level of access they need to do their jobs - it is slowly chipped away as admins and developers ask for small exceptions over time. An important secondary best practice is therefore to review access rights and privileges regularly: confirm that every console user has MFA, that the root account has no access keys at all, and that long-lived access keys are rotated and that unused ones are retired.
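The MFA and least-privilege points above, and the periodic access review in particular, can be checked mechanically. The following is an added example (not code from the original article) that reviews a constructed sample in the shape of the AWS IAM credential report (the cert_* columns are omitted, and the account ID and user names are placeholders) and flags the conditions just described: the root account or a console user without MFA, access keys on the root account, and long-lived keys that are older than the rotation window or have never been used. The 90-day rotation window and 45-day inactivity window are assumed policy values.

```python
"""Review an IAM credential report for the controls the article calls out:
MFA on every console user and on root, no root access keys, and long-lived
keys that are stale or unused. Added example, not code from the original article."""
from __future__ import annotations

import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the AWS IAM credential report CSV
# (cert_* columns omitted). Account ID and user names are placeholders.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2015-03-01T09:00:00+00:00,not_supported,2017-02-10T08:30:00+00:00,not_supported,not_supported,false,true,2015-03-01T09:05:00+00:00,2017-02-09T22:10:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2016-05-02T10:00:00+00:00,true,2017-02-17T14:00:00+00:00,2017-01-15T10:00:00+00:00,2017-04-15T10:00:00+00:00,true,true,2017-01-20T10:00:00+00:00,2017-02-17T13:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2016-09-12T10:00:00+00:00,true,2017-02-16T11:00:00+00:00,2016-12-01T10:00:00+00:00,2017-03-01T10:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2016-06-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-06-01T10:05:00+00:00,2017-02-15T06:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A
old-contractor,arn:aws:iam::111122223333:user/old-contractor,2016-12-15T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-12-15T10:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

# Review date: the article's own publication date, as a tz-aware timestamp.
NOW = datetime(2017, 2, 18, tzinfo=timezone.utc)
ROOT_USER = "<root_account>"


def _parse_date(value: str) -> datetime | None:
    """The report uses N/A, no_information and not_supported where no date applies."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def review_credential_report(report_csv: str, now: datetime,
                             max_key_age_days: int = 90,
                             max_unused_days: int = 45) -> list[tuple[str, str]]:
    """Return (user, finding) pairs for every control violation in the report."""
    findings: list[tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER
        # Root always has console access; the report marks its password column not_supported.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "root_without_mfa" if is_root else "console_user_without_mfa"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:  # root should never hold programmatic credentials
                findings.append((user, f"root_access_key_{n}_active"))
            rotated = _parse_date(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access_key_{n}_older_than_{max_key_age_days}d"))
            last_used = _parse_date(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, f"access_key_{n}_never_used"))
            elif now - last_used > timedelta(days=max_unused_days):
                findings.append((user, f"access_key_{n}_unused_{max_unused_days}d"))
    return findings


if __name__ == "__main__":
    for user, finding in review_credential_report(SAMPLE_REPORT, NOW):
        print(f"{user:16} {finding}")
```

The same function can be pointed at the real report returned by the IAM GetCredentialReport API; the parsing is unchanged because the sample reuses the report's own column names and sentinel values. Treat the "never used" and "unused" findings as the candidates for removal during the review, and the root findings as items to fix the same day.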

Navigating Blind Spots

One of the biggest benefits associated with cloud computing and Infrastructure as a Service (IaaS) is that it can help reduce total cost of ownership (TCO), as companies no longer have to manage the capital and operational expenses of maintaining their infrastructure. However, the flip-side of this is that relinquishing responsibility for the underlying network infrastructure also means that companies often lose deep network traffic visibility.

Earlier I made reference to the Shared Responsibility Model. This is a security model put in place by the IaaS vendors that separates security "of the cloud" from security "in the cloud." Effectively, IaaS providers are responsible for implementing security measures to ensure that the cloud infrastructure itself is secure. This includes the physical infrastructure, along with the underlying compute, storage, database and networking services. Everything above this layer, from client-side and server-side encryption to the operating system, firewall, platform, applications, access and data, is the customer's responsibility. Because the customer neither owns nor can physically reach the provider's network, within dynamic cloud environments it's no longer feasible to drop a passive tap or SPAN port on the wire to monitor traffic and detect threats as you could in an on-premises network. Clearly, a new approach is needed to provide similar visibility into cloud environments.

You need to find ways to navigate the unique security blind spots of the cloud to get a complete picture of your risk posture, and this entails a paradigm shift around cloud security monitoring. With this thought, I will leave you to ponder the concept in question, until we return to this point in the third and final installment in this series.

