As businesses build increasingly complex IT infrastructures consisting of public, private, and hybrid cloud instances, securing these frameworks has become the cornerstone of IT strategy. Many security fundamentals remain unchanged, but how you address them in the public cloud is altogether different.
With modern, cloud-based and hybrid architectures, threats that target public clouds (PaaS or IaaS platforms) require a different type of insight and action. These platforms operate differently than traditional data centers: executables come and go instantaneously, network addresses are recycled seemingly at random, and even the fundamental way traffic flows has changed. Operating successfully in cloud environments requires a shift away from legacy, network-based security to a purpose-built cloud approach.
Understanding the nature of cloud workloads
Deploying workloads into the cloud can quickly involve complex sets of microservices and serverless functions in fluid architectures that change every few minutes or seconds, creating a constantly changing security environment. Here are some of the common security challenges presented by the cloud:
- Ephemeral workloads – To optimize the use of cloud platform resources, it’s common to recycle things like drives, IP addresses, data, firewalls, and other operational components. These functions and assets are constantly destroyed and recreated in a dynamic cloud environment, and the way they are delivered to users is constantly changing. Sometimes these workloads come and go in seconds.
- Microservices – In a cloud environment, applications are often broken down into many discrete functions. These microservices enable greater run time flexibility and more efficient resource utilization, but they also make security more complex. Where before you had to manage authentication and access control for an application, now you have to do that for each and every microservice that makes up a cloud app.
- Containers – Containers make it possible to easily deploy applications, functions, and microservices in tightly controlled containerized environments. They can also introduce a whole new level of complexity and potential vulnerability. All containers on a host share a common operating system kernel, which, if compromised through a poorly configured container, can compromise every other container on that host. Also, it is not always easy to see what is happening between containers. For instance, monitoring traffic to and from an EC2 instance is one way to make sure you are operating securely, but if several containers share data inside one EC2 instance, a lot can be happening that is not visible to the monitoring tool. Additionally, running many container instances increases the chances of simple human errors, such as overprovisioning a container with functions and privileges it does not need.
- The DevOps process – In a cloud environment, new code is continuously being deployed. This can happen daily or even hourly, and in practice, DevOps deployments are often well ahead of security. Every newly deployed function or service expands the attack surface.
Applying a new approach to cloud security
Dynamic, ever-changing cloud environments are not well served by traditional security tools. That’s because those tools were never designed for fluid, high access environments like the cloud.
What is needed is continuous, real-time anomaly detection and behavioral analysis that can monitor all event activity in your cloud environment, correlate activity among containers, applications, and users, and retain a log of that activity for analysis after containers and other ephemeral workloads have been recycled. This monitoring and analysis must be able to trigger automatic alerts. Behavioral analytics makes it possible to perform non-rules-based event detection and analysis in an environment that is continually adapting to changing operational demands. This approach delivers:
- Continuous, real-time configuration and compliance auditing across cloud storage and compute instances.
- Continuous, real-time monitoring of access and configuration activity across APIs as well as developer and user accounts.
- Continuous, real-time workload and deep container activity monitoring that is abstracted from the network. Because a public cloud environment provides limited visibility into network activity, this requires agents on the container hosts that monitor orchestration tools, file integrity, and access control.
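The behavioral, non-rules-based detection described above, as an added example that is not code from the original article or from any vendor's product: a per-principal baseline is learned from past API activity, new events are scored by how unusual they are for that principal (a principal with no history has no baseline and is always surfaced), every event is retained outside the workload so it survives container recycling, and retained activity can be correlated by workload id. All principal, workload and action names are constructed sample data.

```python
# Added example (not from the article): behavioral baseline over cloud audit
# events. Records are constructed (principal, workload_id, api_action) tuples;
# every principal, workload and action name here is hypothetical sample data.
from collections import Counter, defaultdict
import math
# Constructed baseline window: what each principal normally does.
BASELINE = [
    ("svc-web", "ctr-a1", "s3:GetObject"), ("svc-web", "ctr-a1", "s3:GetObject"),
    ("svc-web", "ctr-a2", "s3:GetObject"), ("svc-web", "ctr-a2", "sqs:SendMessage"),
    ("svc-web", "ctr-a3", "s3:GetObject"), ("svc-web", "ctr-a3", "sqs:SendMessage"),
    ("dev-alice", "cli", "ec2:DescribeInstances"),
    ("dev-alice", "cli", "ec2:DescribeInstances"),
    ("dev-alice", "cli", "ecs:UpdateService"),
]

class BehaviorBaseline:
    """Per-principal action-frequency model: learned history, no static rules."""
    def __init__(self, events):
        self.counts = defaultdict(Counter)
        for principal, _, action in events:
            self.counts[principal][action] += 1
        self.retained = []  # kept outside the workloads, survives container recycling

    def score(self, principal, action):
        """Rarity of an action for this principal (-log p, Laplace-smoothed);
        a principal with no history has no baseline and scores as infinite."""
        c = self.counts[principal]
        total = sum(c.values())
        if total == 0:
            return math.inf
        return -math.log((c[action] + 1) / (total + len(c) + 1))

    def observe(self, events, threshold=1.5):
        """Score events in order, log them, adapt the baseline, return alerts."""
        alerts = []
        for principal, workload, action in events:
            s = self.score(principal, action)
            self.retained.append((principal, workload, action))
            if s >= threshold:
                alerts.append({"principal": principal, "workload": workload,
                               "action": action, "score": round(s, 2)})
            self.counts[principal][action] += 1
        return alerts

def by_workload(retained):
    """Group retained activity by workload id to correlate containers and users."""
    groups = defaultdict(list)
    for principal, workload, action in retained:
        groups[workload].append((principal, action))
    return dict(groups)
```

Feed `BehaviorBaseline(BASELINE).observe(live_events)` a stream of new records; the threshold is a tuning knob, and a recycled workload id such as one container name reused by two principals still shows up as one correlated group in `by_workload`.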
New security tools designed to deeply monitor cloud infrastructure and analyze workload and account activity in real time make it possible to deploy and scale without compromising security.
When operating in the cloud, businesses need to know that their infrastructure remains secure as it scales. They need assurance that they can deploy services that are not compromising compliance or introducing new risk. This can only happen with new tools designed specifically for highly dynamic cloud environments, tools that provide continuous, real-time monitoring, analysis, and alerting.