Cloud network security is an area of cybersecurity focused on minimizing the chances that malicious actors can access, change, or destroy information on a public or private cloud network. Although the principles for securing cloud networks are similar to those for securing on-premises networks, unique aspects of cloud environments mean different tactics are required.
Organizations of all sizes are migrating from on-premises networks to cloud networks, which means more sensitive information is being stored in the cloud. This information needs to be protected, but the cloud also introduces new challenges that can make security tricky.
The things that make the cloud so powerful also make it challenging to secure. For starters, deploying new assets in a cloud network is very easy. In an on-premises network, the IT and security teams have oversight over all new infrastructure. This means expanding the network is slow and laborious, but it also means that all new infrastructure is configured by security experts. In a cloud network, new infrastructure can be instantly added by any person or system with the right credentials, with no direct involvement by the IT or security teams. This makes it far easier to expand the network, but also increases the chance that new infrastructure isn’t configured securely and thus is vulnerable to attack.
Another unique challenge of securing cloud networks is the speed of change in cloud environments. Technologies like autoscaling and serverless computing mean that assets in a cloud network are constantly appearing and disappearing. Traditional security measures like vulnerability scanning are no longer enough because a vulnerable asset might only exist for a few minutes—which is more than enough time for a malicious actor to find and exploit it, but not nearly enough time for a weekly or even daily scan to detect it.
The ease of deployment and high rate of change make it very difficult for security teams to maintain a complete picture of their cloud environment. This is made worse in hybrid environments (IT environments that include both on-premises and cloud networks), where different information is stored in different systems and protected by different security tools. In these environments, the security team needs to bounce back and forth between various systems to manage their security efforts. The lack of unified data makes it difficult (if not impossible) to get an accurate sense of the organization’s overall security posture or track a malicious actor who is moving between cloud and on-premises networks.
Last but not least, when dealing with a network on a public cloud service provider like AWS or Azure, the network’s owner shares responsibility with the provider for securing it. Although the details of this shared responsibility model vary depending on the provider, in general they are responsible for securing the cloud itself, such as the physical security of the data centers, maintenance and updates to hardware, etc. The network owner, on the other hand, is responsible for securing anything they put on that cloud environment. Many people worry about giving up control of securing the hardware and data centers, but established public cloud service providers like Amazon, Microsoft, and Google can devote more resources to things like physical security. The real risk in the shared responsibility model is the confusion it can create within an organization. More than a few security incidents have occurred because people incorrectly assumed they didn’t need to worry about cloud security because it was in the cloud and their cloud provider would take care of everything.
Beyond embracing DevSecOps and educating employees on how to use a cloud network in a secure manner, the most effective thing an organization can do to minimize risk in its cloud network is to define a security baseline for the cloud environment. Ideally, this baseline should be established before an organization starts using a cloud network, but it’s never too late to create one.
The baseline lays out what the cloud network should look like from a security perspective. The objective is to make sure everyone—security, IT, engineering, DevOps, etc.—is aligned on what needs to be done to keep the network secure on an ongoing basis. A properly defined baseline can help address a number of challenges in cloud network security, including ease of deployment, speed of change, and shared responsibility.
There are some cloud network security best practices organizations can follow to establish this baseline. First, the baseline should specify the architecture of the cloud environment, how each type of asset should be configured, and who should have read or write access to each part of the environment. Guides like the CIS Benchmarks and the AWS Well-Architected Framework should also be used to help define the baseline.
Make sure the baseline applies to pre-production and test environments. In many cases, these environments have been used as an entry point for an attack. Have the baseline specify policies and controls for testing, such as which (if any) production databases can be used or duplicated for testing.
The baseline should also map out incident response plans, as well as clearly define who in the organization is responsible for which aspects of cloud security on an ongoing basis. It should also be revisited and updated regularly to reflect emerging threats and new best practices.
Once the baseline has been created or updated, it needs to be communicated to everyone who will touch the cloud network. In addition, the security team needs to work with DevOps and implement ways to enforce the baseline. This means creating cloud infrastructure templates (using an infrastructure as code solution from the cloud provider or a vendor like Terraform) where everything is properly configured. It also means implementing continuous monitoring to detect when something has become outdated or been changed post-deployment and no longer follows the baseline. Virtual machine templates should include an embedded agent to allow for continuous monitoring and vulnerability detection from the moment something is deployed.
When it comes to the challenges around visibility into cloud networks, security teams should start by making sure they have (at minimum) read-only access to all the organization’s cloud accounts. Organizations trying to secure and maintain visibility into a hybrid or multi-cloud environment should make sure that a single team is responsible for securing all parts of the IT footprint. Having one team responsible for for on-premises security and another responsible for cloud security and another responsible for cloud security often leads to silos, blind spots, and difficulty tracking a malicious actor who moves between the networks.
Teams dealing with the security of hybrid or multi-cloud environments should also consider reassessing the tools they use. Many legacy security solutions are not optimized to support cloud networks. This results in teams using different tools to secure its on-premises and cloud environments. Instead, the team should look for tools that let them manage security for the organization’s entire IT footprint in one place.
Most teams will benefit from tools like the following:
Security teams should also consider leveraging a security automation tool to help secure cloud networks. Automation can help the team keep up with the rapid pace of change in cloud networks, enhance visibility by sharing data between systems, work more efficiently by eliminating busywork, and minimize the damage from an incident by instantly responding to detected threats.
One way to leverage automation is by automating the deployment of cloud infrastructure templates (from your security baseline) using a tool like Chef or Puppet. This can simplify the creation of complex architecture as well as minimize the chances of human error. Another way to leverage automation is by using a security orchestration, automation, and response (SOAR) solution. Such a tool can allow the team to easily exchange data between systems without having to take the time to integrate them using APIs. Even better, a SOAR solution can automate many of the manual processes that can fill up a security analyst’s day or slow down an investigation. For example, the security team can build workflows in the SOAR tool that automatically investigates suspected phishing emails, contain malware when it’s detected, provision/deprovision users, streamline patching, and much more.
In addition to everything that has been mentioned so far, there are a few additional best practices for organizations that are looking to build and deploy web applications on their cloud network. These organizations should look to “shift left” and incorporate security as early as possible in their software development lifecycle (SDLC). In other words, security issues should be evaluated as part of pre-deployment testing of code and treated like any other bug. Not only does this ensure deployed code is free from security vulnerabilities, but by flagging security issues during testing, developers get the opportunity to learn what vulnerabilities exist in their code and how they can avoid them in the future. The types of modern web apps that are currently being deployed on cloud networks are generally pretty complex, so organizations looking for a way to test these sorts of apps should make sure that whatever SAST, DAST, or IAST solution they’re considering can handle the codebase of their apps.