The New School of Security: Using the Cloud to Secure the Cloud
April 9, 2019
Legacy security was built on the premise of a moat; keep people and data away from the infrastructure, and they can’t attack it. Firewalls, intrusion detection systems, or intrusion prevention systems – these tools delivered “network-centric” solutions and aimed to keep access at a safe distance.
Originally, firewalls performed the task of preventing unwanted, and potentially dangerous, traffic. Then security vendors started pitching “next-generation firewalls,” which was based on a model that targeted applications, users and content. It was a shift that provided visibility and context into the data and assets that organizations were trying to protect.
This has been the model for most security innovation until the advent of the cloud. In modern environments, value is derived from the interaction and connections between and among users, applications, and data.
A new approach for new computing environments
With modern architectures, threats that target public clouds (PaaS or IaaS platforms) demand a new level of insight and action. They operate differently than traditional datacenters: executables come and go instantaneously, network addresses and ports are recycled seemingly at random, and even the fundamental way traffic flows has changed. To operate successfully in modern IT infrastructures, you have to reset how you think about security in the cloud.
Surprisingly, many organizations continue to use network-based security and rely on available network traffic data as their security approach. It’s important for decision-makers to understand the limitations inherent in this kind of approach so they don’t operate with a false sense of security. A purpose-built cloud solution is the only thing that will provide the type of visibility and protection required.
There is no next-generation firewall
Security teams in modern environments must first realize that in the cloud, most traffic is encrypted; that means the network has no ability to inspect it. Even if you could perform a “Man in the Middle” attack to decrypt the data, the scale and elasticity of the cloud would make the current Next-Generation Firewalls useless.
In an IaaS environment, applications are custom-written, which means there are no known signatures that can identify the app. The application becomes identified based on its security profile, and that can change based upon how it’s used. For example, a security profile and behavior of a database app will be different in communication patterns. From a launch perspective, however, they are the same application and a next-generation firewall cannot distinguish between them to understand the application behavior or required policy.
As environments increasingly make use containers and orchestration systems like Kubernetes, as well as serverless computing, they present even more challenges for outdated security tools. These new types of tools are built with microservices, an innovation that befuddles next-generation firewalls because they are blind to how they work.
Using the cloud to secure the cloud
One of the greatest cloud security challenges comes from the fact that the cloud delivers its infrastructure components, things like gateways, servers, storage, compute, and all the resources and assets that make up the cloud platform environment, as virtual services. There is no traditional network or infrastructure architecture in the cloud.
Deploying workloads into the cloud can quickly involve complex sets of microservices and serverless instances that function in fluid architectures that change every few minutes or seconds, creating a constantly changing security environment.
Here are some of the common security challenges presented by the cloud:
- DevOps process
- Ephemeral workloads
The combined effect of all this innovation? Exponential growth in a cloud environment’s attack surface. A busy cloud environment can generate as many as eight to ten billion events per month, which makes threat detection a much more challenging proposition. Of course, attackers are well aware of these vulnerabilities and are working frantically to exploit them.
The only way to secure a continuously changing cloud environment is through continuous, real-time approaches to security. These security functions need to include the following capabilities:
Continuous real-time anomaly detection and behavioral analysis that is capable of monitoring all event activity in your cloud environment, correlate activity among containers, applications, and users, and log that activity for analysis after containers and other ephemeral workloads have been recycled. This monitoring and analysis must be able to trigger automatic alerts. Behavioral analytics make it possible to perform non-rules based event detection and analysis in an environment that is adapting to serve continuously changing operational demands.
- Continuous, real-time configuration and compliance auditing across cloud storage and compute instances.
- Continuous real-time monitoring of access and configuration activity across APIs as well as developer and user accounts.
- Continuous, real-time workload and deep container activity monitoring, is abstracted from the network. A public cloud environment provides limited visibility into network activity, so this requires having agents on containers that monitor orchestration tools, file integrity, and access control.
New security tools designed to deeply monitor cloud infrastructure and analyze workload and account activity in real-time make it possible to deploy and scale without compromising security. When operating in the cloud, businesses need to know that their infrastructure remains secure as it scales. They need assurance that they can deploy services that are not compromising compliance or introducing new risk. This can only happen with new tools designed specifically for highly dynamic cloud environments, tools that provide continuous, real-time monitoring, analysis, and alerting.