One of the greatest cloud security challenges comes from the fact that the cloud delivers its infrastructure components, things like gateways, servers, storage, compute, and all the resources and assets that make up the cloud platform environment, as virtual services. There is no traditional network or infrastructure architecture in the cloud.
Deploying workloads into the cloud can quickly involve complex sets of microservices and serverless instances that function in fluid architectures that change every few minutes or seconds, creating a constantly changing security environment. Here are some of the common security challenges presented by the cloud:
- Ephemeral workloads – To optimize the use of cloud platform resources, it’s common to recycle things like drives, IP addresses, data, firewalls, and other operational components. These functions and assets are constantly destroyed and recreated in a dynamic cloud environment, and the way they are delivered to users is constantly changing. Sometimes these workloads come and go in seconds.
- Microservices – In a cloud environment, applications are often broken down into many discrete functions. These microservices enable greater run time flexibility and more efficient resource utilization, but they also make security more complex. Where before you had to manage authentication and access control for an application, now you have to do that for each and every microservice that makes up a cloud app.
- Containers – Containers make it possible to easily deploy applications, functions, and microservices in tightly controlled containerized environments. Although containers are inherently secure, they introduce a whole new level of complexity and potential vulnerability. All containers in an environment share a common operating system kernel which if compromised by a poorly configured container, can compromise all the other containers in that environment. Also, it’s not always easy to see what’s happening between containers. For instance, monitoring traffic to and from an EC2 instance is one way to make sure you are operating securely. But if there are several containers sharing data inside one EC2 instance, a lot can be happening that is not visible to the monitoring tool. Additionally, using lots of container instances increases the chances of simple human errors like overprovisioning the container with functions and privileges it does not need.
- The DevOps process – In a cloud environment, new code is continuously being deployed. This can happen daily or even hourly, and in practice, DevOps deployments are often way ahead of security. Every newly deployed function or service represents a growth in the attack surface.
Traditional Approaches No Longer Work in the Cloud
Dynamic, ever-changing cloud environments are not well served by traditional security tools. That’s because those tools were never designed for fluid, high access environments like the cloud.
Traditional data center defenses were designed to protect a defined perimeter by monitoring and controlling data that moves in and out of the network environment. Defending the perimeter requires a layered defense strategy that typically includes these components:
- Router – Provides connectivity between the datacenter and the outside world, and can provide a first layer of defense through pre-set TCP/IP filtering.
- Firewall – Monitors IP address, port, and application traffic in and out of the network, and filters traffic based on a set of established rules and lists.
- Antivirus/malware protection – Scans for malicious code using known code signatures to identify threats.
- Intrusion detection and prevention – Monitors traffic inside the datacenter network to identify activity that violates defined policies.
- Access and identity management – Sets role and account-based policies to manage application and data access, and manages identity authentication.
When operating in the cloud, businesses need to know that their infrastructure remains secure as it scales. They need assurance that they can deploy services that are not compromising compliance or introducing new risk. This can only happen with new tools designed specifically for highly dynamic cloud environments, tools that provide continuous, real-time monitoring, analysis, and alerting.