Cloud computing is growing in popularity among businesses looking to improve operational efficiencies and cut down on technology resources. According to a recent report from IDC, total spending on cloud IT infrastructure in 2018 is forecast to be $62.2 billion, with year-over-year growth of 31.1 percent. These figures highlight that while cloud computing was once adopted by only a small number of organisations, it is now becoming the norm for businesses across the world.
Among the organisations moving to the cloud, many are turning to major cloud hosting providers like Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), which offer software-, platform- and infrastructure-as-a-service. After disrupting the IT market with their flexible, powerful and competitively priced cloud services, these household-name technology vendors are now making a big push to introduce security features in their offerings. According to recent estimates, AWS now holds a 33 percent share of the entire cloud market, closely followed by Microsoft Azure with a 13 percent share.
There’s already little room left for traditional hosting providers, and the latest push into security is another step towards further market dominance and customer tie-in, but should you get on board?
Putting their money where security is
The move into security comes with good reason. 90 percent of cybersecurity professionals are concerned about cloud security, making it one of the biggest roadblocks to cloud adoption. To help overcome migration hurdles, major cloud vendors like Amazon, Google and Microsoft have launched new features designed to secure cloud environments. The cloud providers already hold an organisation’s data, applications and virtual machines, so it’s a convenient next step to use this trust as an opportunity to sell additional services like security.
These security operation center (SOC) offerings include identity access management to prohibit unauthorised access to cloud data, encryption for data in transit, multi-factor authentication and secure key management, among other things. The services are integrated into each vendor’s cloud platform, which means that uptake has been strong, as there is very little effort on the customer’s part. However, considering today’s advanced cyberattacks targeting cloud environments, are these services enough?
While many organisations will believe that the security offered in AWS, Azure and GCP is state of the art, unfortunately this is not the case. The security offered by these vendors works well within their own environments, but it can be less effective for an organisation with a hybrid infrastructure.
This essentially means that additional security solutions are necessary for these environments.
The challenge of hybrid infrastructure
AWS, Azure and Google Cloud have disrupted the traditional infrastructure market. After realising that security is a major roadblock to cloud adoption, they are putting money and effort into built-in security features. But hybrid setups remain a challenge for organisations. With a 3x annual growth in hybrid cloud adoption, it is important to look beyond the security tools offered by the leading cloud vendors for protection to help overcome these issues.
With 40% of organisations opting for hybrid cloud, organisations must consider how effective their security tools will be across these environments. A security tool that supports environments from multiple vendors will prove more beneficial than a tool that is compatible with only one vendor. Organisations should also have a clear understanding of the visibility and access control the tool will provide and strong insight into the level of protection it will provide against today’s advanced attacks targeting the cloud.
For example, the new Azure Security Center can handle security assessments for non-Azure assets, but customers need to deploy the Azure monitoring agent, and this is only available for a small subset of operating systems. With AWS this is not the case: only AWS-hosted assets can be monitored. Therefore, if you have a lot of heterogeneous operating systems and legacy applications, you are limited by the tools and will need to use and integrate third-party security tools to protect your data and assets.
In addition, some of the fundamentals and best practices, namely vulnerability assessment and CIS and CSA benchmarks for cloud security, are not covered by the cloud service providers under the shared responsibility model. It is therefore your organisation’s responsibility to provide effective monitoring in these areas.
Six key elements to secure hybrid cloud
- Identify cloud assets automatically
In enterprises using IaaS, it is easy for company departments to launch new virtual machines and use test storage without IT’s sanction. To prevent cloud shadow IT, security teams must be able to automatically discover cloud assets when they are launched, so that they can evaluate their risk and put appropriate security controls in place.
- Cloud Security Posture Management
Gartner coined the term Cloud Security Posture Management (CSPM), sometimes called hygiene, hardening or configuration assessment. With Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS), cloud providers transfer a lot of risk to the configuration of the services by the user (for example, on AWS S3 the risk comes from the permissions of the buckets; if developers get it wrong, data is exposed). Therefore, security teams need to run configuration assessment continuously to ensure nothing has drifted.
- Hybrid Cloud Workload Security
With the IaaS shared responsibility model, organisations need to secure their workloads. This includes vulnerability management and hardening, network segmentation or anti-virus. It is especially important to have solutions that support cloud and non-cloud workloads.
- API support for automation
APIs are nothing new and most cloud services come with their own APIs to facilitate integration with other systems. On one hand it is important to implement solutions that use the API for discovery and configuration retrieval. On the other hand, the API by which data is accessed remains a weak link. Security teams should extend their assessment to this new attack surface and ensure robust authentication and encryption are in place.
- Identity and Access Management
Getting back to the simplest example of S3 buckets, user permissions are the most important configuration to get right. Therefore, security teams need to assess user rights and access on a regular basis and be alerted when abnormal activities are detected. In a hybrid scenario, this means connections to Active Directory as well as to the AWS IAM API.
- Data Security
Data is the crown jewels. Security teams need to have automated ways of identifying the data and then protecting sensitive data at rest and in transit through encryption.
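The S3 permission check mentioned under Cloud Security Posture Management and Identity and Access Management can be sketched as follows. This is an added example, not code from the article or from any vendor: the bucket names, configurations and function names are constructed for illustration, and the input is assumed to be ACL and bucket-policy JSON already retrieved through the provider's API.

```python
PUBLIC_GROUPS = {  # predefined S3 ACL groups that mean "everyone"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Permissions the bucket ACL grants to a public group."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)

def public_policy_statements(policy):
    """Sids of Allow statements open to any principal with no Condition."""
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        # Simplification: a Condition may still leave the bucket public;
        # conditional wildcard statements need manual review.
        if st.get("Effect") == "Allow" and anyone and not st.get("Condition"):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def assess(buckets):
    """Map bucket name -> list of findings; compliant buckets are omitted."""
    report = {}
    for name, cfg in buckets.items():
        issues = [f"ACL grants {p} to a public group"
                  for p in public_acl_grants(cfg.get("acl", {}))]
        issues += [f"policy statement {sid} allows any principal"
                   for sid in public_policy_statements(cfg.get("policy", {}))]
        if issues:
            report[name] = issues
    return report

# Constructed sample configurations (hypothetical bucket names and IDs).
SAMPLE_BUCKETS = {
    "example-private": {"acl": {"Grants": [{"Grantee": {"ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}]}},
    "example-public-acl": {"acl": {"Grants": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}},
    "example-public-policy": {"policy": {"Statement": [
        {"Sid": "OpenRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public-policy/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public-policy/*", "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}}]}},
}

if __name__ == "__main__":
    for bucket, findings in assess(SAMPLE_BUCKETS).items():
        print(bucket, findings)
```

Run on a schedule against freshly retrieved configurations, a check like this gives the continuous assessment described above; a real deployment would also account for account-level and bucket-level public access block settings.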
Cloud service providers are constantly evolving their solutions to improve their security offerings and hold up their end of the shared responsibility model, and organisations moving into the cloud must do the same to keep up their part of the bargain.
Sergio Loureiro is a Director of Product Management at Outpost24. Prior to this he was the CEO and Co-Founder of SecludIT (which is now part of Outpost24), a pioneer in cloud security and a founding member of the Cloud Security Alliance since 2009. Sergio has worked in cyber security for more than 20 years. He has occupied senior management positions in 3 security startups where he was responsible for email security products and security gateways, as the lead architect of security products such as SSL VPNs, log management, web security and SSL crypto accelerators. His career started at research labs in France and Portugal. Sergio holds a Ph.D. in computer science from the ENST Paris and MSc and BSc degrees from the University of Porto. He is also the holder of 4 patents.