Organizations are relying more and more on cloud platforms such as Amazon AWS and Microsoft Azure to run their business-critical applications and manage their data and files.
While the cloud service providers take over some security tasks, their customers (you) retain responsibility for protecting end user data, applications, operating systems, endpoints, and network traffic. And just as with on-premises applications, you must monitor user and system activity to detect attacks. In addition, cloud platforms introduce new complications for security, such as:
Below are some best practices to help address these concerns, as well as the risk of data breaches and compliance violations within cloud environments. To learn about securing specific cloud environments, check out our AWS and Azure resources.
It is difficult enough to uncover vulnerabilities and misconfigurations in on-premises data centers. It is even harder on dynamic cloud platforms, where assets such as virtual machines appear and disappear at a rate that’s difficult for traditional vulnerability management tools (not to mention security and IT teams) to keep track of.
To protect your data in the cloud, you need a vulnerability management solution that continuously monitors and detects vulnerabilities and misconfigurations in cloud networks. It must be able to discover and assess assets as soon as they are spun up in virtual machines and containers, verify compliance with policies and regulations, and calculate risk scores to help you prioritize vulnerabilities. The power to organize cloud-based assets into dynamic groups and assess them selectively, and to then create custom reports on vulnerabilities and assets that will satisfy your operations teams and auditors, is also critical.
To speed up the delivery of new application features, application development teams are leveraging continuous deployment tools and processes. But automation and fast development cycles can quickly outpace security testing tools designed for less dynamic environments. Today’s dynamic application security testing (DAST) solutions uncover the OWASP Top 10 and many other common vulnerabilities in web applications.
For cloud-based applications, DAST solutions can be integrated with automation and DevOps tools like Jenkins and Azure DevOps Pipelines to trigger security testing at specific milestones in the development process or at every code commit. This allows development and security teams to “shift left” by finding and fixing vulnerabilities early in the software development lifecycle (SDLC) when they are less costly to fix, and to prevent code with vulnerabilities from being put into production. DAST tools can also generate reports that help document the compliance of cloud-based applications with PCI DSS, HIPAA, and many other regulations and industry standards.
More and more organizations are moving to hybrid and multi-cloud architectures. To detect threats in these complex environments, it’s essential to break down security information silos and employ advanced analytics. The key is deploying a SIEM that can collect, normalize, enrich, and analyze data from on-premises networks, remote endpoints, and cloud platforms such as AWS and Azure.
A SIEM designed for cloud environments can integrate with native AWS services such as AWS CloudWatch, AWS CloudTrail, and AWS GuardDuty, and with native Azure services such as Azure Active Directory, Azure Monitor, and Azure Security Center. This allows it to collect critical log and activity data from cloud infrastructure and applications.
An optimal SIEM should then be able to enrich this data with information gathered from the corporate network and utilize User Behavior Analytics (UBA) to detect anomalous activities indicating compromised credentials, and Attacker Behavior Analytics (ABA) to identify activity patterns typical of data breaches.
Organizations utilizing IaaS and PaaS platforms need to be especially vigilant for attackers capturing administrative credentials, taking control of cloud platform consoles, and appropriating resources for cryptojacking, hosting botnets, and other illicit purposes. Detecting these activities requires a SIEM that can gather a wide range of data from cloud platforms and quickly flag the use of new cloud regions, services, or compute instance types.
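The "flag new regions, services, or compute instance types" check described above, as an added example that is not part of the original article or any vendor's product: a first-seen detector that learns a baseline from one window of CloudTrail-style events and reports each unfamiliar value once. The events are constructed samples (the account ID and principal are placeholders); the field names follow the CloudTrail record layout (awsRegion, eventSource, requestParameters.instanceType).

```python
ADMIN = "arn:aws:iam::123456789012:user/deploy"  # constructed placeholder principal

def event(time, region, source, name, actor=ADMIN, instance_type=None):
    """Build a minimal CloudTrail-style record (constructed sample, not real data)."""
    params = {"instanceType": instance_type} if instance_type else {}
    return {"eventTime": time, "awsRegion": region, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": actor}, "requestParameters": params}

# Learning window: what the account normally does.
LEARNING_EVENTS = [
    event("2024-01-10T09:00:00Z", "us-east-1", "ec2.amazonaws.com", "RunInstances", instance_type="t3.medium"),
    event("2024-01-10T09:05:00Z", "us-east-1", "s3.amazonaws.com", "GetObject"),
    event("2024-01-11T14:00:00Z", "eu-west-1", "iam.amazonaws.com", "ListUsers"),
]
# Detection window: GPU instances in a never-used region, then a service the account never touched.
DETECTION_EVENTS = [
    event("2024-01-12T03:12:00Z", "ap-southeast-2", "ec2.amazonaws.com", "RunInstances", instance_type="p3.16xlarge"),
    event("2024-01-12T03:13:00Z", "ap-southeast-2", "ec2.amazonaws.com", "RunInstances", instance_type="p3.16xlarge"),
    event("2024-01-12T03:20:00Z", "us-east-1", "lambda.amazonaws.com", "CreateFunction"),
    event("2024-01-12T08:00:00Z", "us-east-1", "ec2.amazonaws.com", "RunInstances", instance_type="t3.medium"),
]

def observed_attributes(ev):
    """Yield the (attribute, value) pairs the detector tracks for one event."""
    yield "region", ev["awsRegion"]
    yield "service", ev["eventSource"]
    itype = ev.get("requestParameters", {}).get("instanceType")
    if itype:
        yield "instance_type", itype

def baseline_from_events(events):
    """Learn the regions, services and instance types seen during the learning window."""
    seen = {"region": set(), "service": set(), "instance_type": set()}
    for ev in events:
        for attr, value in observed_attributes(ev):
            seen[attr].add(value)
    return seen

def flag_new_usage(events, baseline):
    """Report each value outside the baseline once, with the acting principal and time."""
    known = {attr: set(values) for attr, values in baseline.items()}
    findings = []
    for ev in events:
        for attr, value in observed_attributes(ev):
            if value not in known[attr]:
                known[attr].add(value)  # suppress repeats of the same first sighting
                findings.append({"attribute": attr, "value": value, "eventName": ev["eventName"],
                                 "actor": ev["userIdentity"]["arn"], "time": ev["eventTime"]})
    return findings

if __name__ == "__main__":
    for f in flag_new_usage(DETECTION_EVENTS, baseline_from_events(LEARNING_EVENTS)):
        print(f"{f['time']} new {f['attribute']} {f['value']!r} via {f['eventName']} by {f['actor']}")
```

In a real deployment the baseline would be persisted per account and refreshed as legitimate changes are approved, so that a finding is raised only for the first sighting rather than on every event.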
Everything changes quickly in the cloud. To keep pace, security teams need to speed up data collection and analysis, alerting, and workflows to block attackers and remediate vulnerabilities.
For example, a security orchestration and automation solution can integrate with cloud services to accelerate tasks such as: