Cloud Network Security
Why is network security in the cloud critical?
Organizations of all sizes are migrating from on-premises networks to cloud networks, which results in increased cloud storage of sensitive data. While this information must be protected, the cloud introduces new challenges that can complicate security.
What are the security risks associated with cloud networks?
The very characteristics that make the cloud so powerful also make it difficult to secure. To begin, adding new assets to a cloud network is a simple process. IT and security teams have oversight of all new infrastructure in an on-premises network. This means that network expansion will take time and effort, but it also means that all new infrastructure will be configured by security experts. In a cloud network, new infrastructure can be added instantly by any person or system with the appropriate credentials, without the need for IT or security teams to intervene. This makes network expansion much easier, but also increases the likelihood that new infrastructure will not be configured securely, leaving it vulnerable to attack.
Another unique aspect of cloud network security is the rapid pace of change in cloud environments. Autoscaling and serverless computing enable the constant appearance and disappearance of assets in a cloud network. Traditional security measures such as vulnerability scanning are no longer sufficient because a vulnerable asset may exist for only a few minutes—more than enough time for a malicious actor to discover and exploit it, but far too little time for a weekly or even daily scan to detect.
Due to the ease of deployment and rapid rate of change, security teams have a difficult time maintaining a complete picture of their cloud environment. This is exacerbated in hybrid environments (information technology environments that combine on-premises and cloud-based networks), where disparate data is stored in disparate systems and protected by disparate security tools. In these environments, the security team must shuttle between multiple systems in order to manage their security efforts. Without unified data, it’s difficult (if not impossible) to get a true picture of an organization’s overall security posture or to track a malicious actor moving between cloud and on-premises networks.
Finally, when dealing with a network hosted by a public cloud service provider such as AWS or Azure, the network’s owner shares responsibility for network security with the provider. Although the specifics of this shared responsibility model vary by provider, in general the provider is responsible for security of the cloud (physical security of data centers, hardware maintenance and updates, the hypervisor, and so on), while the customer is responsible for security in the cloud: the data they store, the identities and permissions they create, the network configuration they choose, and the workloads they deploy. Many people are concerned about relinquishing control over hardware and data center security, but established public cloud service providers such as Amazon, Microsoft, and Google can devote far more resources to physical security than a typical customer. The true danger associated with the shared responsibility model is the confusion that it can generate within an organization. Numerous security incidents have occurred because people incorrectly assumed they didn’t need to worry about cloud security, reasoning that everything was in the cloud and the cloud provider would handle everything.
Risk mitigation strategies for cloud network security
Apart from embracing DevSecOps and educating employees on how to use a cloud network securely, the most effective way for an organization to minimize risk in its cloud network is to define a cloud environment’s security baseline. While this baseline should ideally be established prior to an organization beginning to use a cloud network, it is never too late to establish one.
The baseline establishes the security requirements for the cloud network. The goal is to ensure that everyone—security, IT, engineering, and DevOps, for example—is on the same page regarding what needs to be done to maintain network security on an ongoing basis. A well-defined baseline can assist in addressing a number of cloud network security challenges, including ease of deployment, rapid change, and shared responsibility.
Organizations can establish this baseline by following some cloud network security best practices. To begin, the baseline should define the cloud environment’s architecture, how each asset type should be configured, and who should have read or write access to each component of the environment. Additionally, guides such as the CIS Benchmarks and AWS Well-Architected Framework should be used to assist in defining the baseline.
Ensure that the baseline applies to all environments, including pre-production and test. These environments have frequently been used as an entry point for attacks, because they tend to receive weaker controls while holding copies of production data. The baseline should therefore also specify testing policies and controls, such as which production databases may be used or duplicated for testing (if any) and how that data must be masked.
The baseline should also outline incident response plans and clearly define who is responsible for which aspects of cloud security in the organization on an ongoing basis, and it should be reviewed and updated regularly to reflect emerging threats and best practices.
After creating or updating the baseline, it must be communicated to everyone who will interact with the cloud network. The security team must also collaborate with DevOps to develop mechanisms for enforcing it. This entails creating cloud infrastructure templates (either through the cloud provider’s infrastructure-as-code service, such as AWS CloudFormation, or through a third-party tool such as HashiCorp Terraform) with everything properly configured, so that the secure configuration is the default rather than something each engineer has to remember. It also requires continuous monitoring to detect when something has become obsolete or has been modified after deployment and no longer adheres to the baseline. To enable that monitoring from the moment an asset is deployed, virtual machine templates should include an embedded agent for continuous monitoring and vulnerability detection.
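The baseline only helps if it can be checked mechanically against what is actually running. The following is an added example, not code from the original article or from any vendor: a small policy-as-code check that evaluates resource descriptions in the shape the AWS SDK (boto3) returns for security groups and S3 buckets against a handful of assumed baseline rules (no administrative ports open to the world, buckets encrypted and not publicly accessible, and every resource tagged as coming from the IaC templates). The rule set, the `ManagedBy` tag, and the inventory data are all constructed assumptions so that the check runs offline; in practice the same functions would be fed by `describe_security_groups`, `get_bucket_encryption` and `get_public_access_block` calls, or triggered from resource-change events so that short-lived assets are evaluated as they appear rather than on a scan schedule.

```python
"""Baseline-as-code checks over cloud resource descriptions (added example).

Input dicts imitate boto3 output for security groups and S3 buckets, but all
data below is constructed inline so the check runs offline.
"""
from dataclasses import dataclass

BASELINE_TAG = "ManagedBy"        # assumption: IaC templates stamp this tag
BASELINE_TAG_VALUE = "terraform"  # assumption: value the templates use
ADMIN_PORTS = {22, 3389}          # SSH and RDP must never be world-reachable
ANYWHERE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    detail: str


def tags(resource):
    """Flatten the AWS [{'Key': ..., 'Value': ...}] tag list into a dict."""
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def check_security_group(sg):
    findings = []
    for perm in sg.get("IpPermissions", []):
        # FromPort/ToPort are absent when IpProtocol is "-1" (all traffic),
        # which means every port, including the admin ports, is in range.
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        exposed = {p for p in ADMIN_PORTS if lo <= p <= hi}
        if not exposed:
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if cidr in ANYWHERE:
                findings.append(Finding(sg["GroupId"], "admin-port-open-to-world",
                                        f"ports {sorted(exposed)} from {cidr}"))
    return findings


def check_bucket(bucket):
    findings = []
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        findings.append(Finding(bucket["Name"], "bucket-unencrypted", "no SSE rule"))
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    if not all(pab.get(k) for k in required):
        findings.append(Finding(bucket["Name"], "bucket-public-access-possible",
                                "public access block incomplete"))
    return findings


def check_managed(resource, name_key):
    """Anything not carrying the template tag was created or edited out of band."""
    if tags(resource).get(BASELINE_TAG) != BASELINE_TAG_VALUE:
        return [Finding(resource[name_key], "not-from-template",
                        "created or modified outside the IaC baseline")]
    return []


def evaluate(security_groups, buckets):
    findings = []
    for sg in security_groups:
        findings += check_security_group(sg) + check_managed(sg, "GroupId")
    for b in buckets:
        findings += check_bucket(b) + check_managed(b, "Name")
    return findings


# Constructed sample inventory (not real account data).
SAMPLE_SGS = [
    {"GroupId": "sg-web", "Tags": [{"Key": "ManagedBy", "Value": "terraform"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # Created by hand "for a quick test": allows all traffic from anywhere.
    {"GroupId": "sg-adhoc", "Tags": [],
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_BUCKETS = [
    {"Name": "prod-data", "Tags": [{"Key": "ManagedBy", "Value": "terraform"}],
     "ServerSideEncryptionConfiguration": {"Rules": [
         {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    # Template-managed, but its encryption and public-access settings drifted.
    {"Name": "test-dump", "Tags": [{"Key": "ManagedBy", "Value": "terraform"}],
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_SGS, SAMPLE_BUCKETS):
        print(f"{f.resource}: {f.rule} ({f.detail})")
```

Run against the sample inventory, the check reports four findings: `sg-adhoc` exposes the admin ports to the world and carries no template tag, and `test-dump` has no default encryption and an incomplete public access block. Note that the all-traffic rule (`IpProtocol` of `-1`) has no port fields at all, which a naive check keyed on `FromPort == 22` would silently pass.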
When it comes to overcoming visibility challenges in cloud networks, security teams should begin by ensuring they have read-only access to all of the organization’s cloud accounts. Organizations attempting to secure and maintain visibility into a hybrid or multi-cloud environment should ensure that all aspects of the IT footprint are secured by a single team. Having one team responsible for on-premises security and another for cloud security frequently results in silos, blind spots, and the inability to track a malicious actor who moves between networks.
Teams responsible for the security of hybrid or multi-cloud environments should also reconsider their tool selection. Many legacy security solutions are not designed for cloud computing, so teams end up running one set of tools for on-premises systems and another for cloud assets. Instead, the team should look for tools that let them manage security across the organization’s entire IT infrastructure in a centralized manner.
The majority of teams will benefit from the following tools:
- A vulnerability management solution that monitors and detects security flaws in cloud networks, on-premises networks, containers, and remote endpoints on a continuous basis. Additionally, the solution should be capable of detecting misconfigured cloud assets in real time.
- A modern SIEM or threat detection and response solution capable of aggregating data from all of an organization’s cloud and on-premises networks and systems. Additionally, the solution should detect threats automatically and assist the security team in responding quickly to an incident through features such as a visual incident timeline and automatic quarantining of potentially compromised accounts/assets.
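The point of aggregating cloud and on-premises data in one place is that some detections are only possible when both sides are visible. The following is an added example, not code from the original article or from any SIEM product: two constructed log formats (a CloudTrail-like JSON record and an on-prem VPN/AD-style authentication line; neither is a real vendor format) are normalized into one schema, merged into a single timeline, and then a rule flags a principal who makes cloud API calls shortly after repeated on-prem authentication failures from the same source IP. The mapping of on-prem account name to cloud user name, the 30-minute window and the failure threshold are assumptions.

```python
"""Unified cloud/on-prem timeline and a cross-boundary detection (added example)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed on-prem format: "<iso-ts> <host> auth: user=<u> src=<ip> result=<ok|fail>"
ONPREM_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\w+)$")


def normalize_onprem(line):
    """One on-prem auth line -> common schema, or None if it does not parse."""
    m = ONPREM_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "env": "onprem",
            "principal": m["user"].lower(), "src_ip": m["ip"],
            "action": "auth:" + m["result"], "where": m["host"]}


def normalize_cloud(record):
    """One CloudTrail-like record -> common schema. Assumes the IAM user name, or the
    last path element of an assumed-role ARN, equals the on-prem account name."""
    ident = record.get("userIdentity", {})
    principal = ident.get("userName") or ident.get("arn", "").rsplit("/", 1)[-1]
    return {"ts": datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00")),
            "env": "cloud", "principal": principal.lower(),
            "src_ip": record.get("sourceIPAddress"),
            "action": record["eventSource"] + ":" + record["eventName"],
            "where": record.get("awsRegion")}


def unified_timeline(onprem_lines, cloud_json_records):
    events = [e for e in map(normalize_onprem, onprem_lines) if e]
    events += [normalize_cloud(json.loads(r)) for r in cloud_json_records]
    return sorted(events, key=lambda e: e["ts"])


def cloud_after_onprem_bruteforce(events, window=timedelta(minutes=30), min_failures=2):
    """Alert when a principal performs cloud API calls within `window` after at least
    `min_failures` on-prem auth failures from the same source IP. `events` must be
    time-ordered (as unified_timeline returns them)."""
    history = defaultdict(list)
    alerts = []
    for e in events:
        past = history[e["principal"]]
        if e["env"] == "cloud":
            failures = [h for h in past
                        if h["env"] == "onprem" and h["action"] == "auth:fail"
                        and h["src_ip"] == e["src_ip"] and e["ts"] - h["ts"] <= window]
            if len(failures) >= min_failures:
                alerts.append({"principal": e["principal"], "src_ip": e["src_ip"],
                               "onprem_failures": len(failures),
                               "cloud_action": e["action"],
                               "first_failure": failures[0]["ts"].isoformat()})
        past.append(e)
    return alerts


# Constructed sample logs (not real data).
SAMPLE_ONPREM = [
    "2024-03-01T09:00:00+00:00 vpn-gw auth: user=JSMITH src=198.51.100.7 result=fail",
    "2024-03-01T09:00:05+00:00 vpn-gw auth: user=JSMITH src=198.51.100.7 result=fail",
    "2024-03-01T09:00:12+00:00 vpn-gw auth: user=JSMITH src=198.51.100.7 result=ok",
    "2024-03-01T09:30:00+00:00 vpn-gw auth: user=amy src=203.0.113.4 result=ok",
    "garbage line that the parser must skip",
]
SAMPLE_CLOUD = [
    json.dumps({"eventTime": "2024-03-01T09:04:30Z", "eventSource": "iam.amazonaws.com",
                "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
                "awsRegion": "us-east-1",
                "userIdentity": {"type": "IAMUser", "userName": "jsmith"}}),
    json.dumps({"eventTime": "2024-03-01T09:35:00Z", "eventSource": "s3.amazonaws.com",
                "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.4",
                "awsRegion": "us-east-1",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::123456789012:assumed-role/Analysts/amy"}}),
]

if __name__ == "__main__":
    timeline = unified_timeline(SAMPLE_ONPREM, SAMPLE_CLOUD)
    for e in timeline:
        print(e["ts"].isoformat(), e["env"], e["principal"], e["src_ip"], e["action"])
    for a in cloud_after_onprem_bruteforce(timeline):
        print("ALERT", a)
```

Seen only in the VPN logs, `jsmith` is two failed logins followed by a success, which most on-prem tooling would not escalate on its own; seen only in CloudTrail, a user creating an access key is routine. Only the merged timeline shows the two failures and the key creation coming from the same address within minutes. `amy` produces no alert because her on-prem history contains no failures.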
Additionally, security teams should consider utilizing a security automation tool to assist in securing cloud networks. Automation can assist the team in keeping up with the rapid pace of change in cloud networks, enhancing visibility through data sharing between systems, increasing efficiency through the elimination of busywork, and mitigating incident damage through instant response to detected threats.
One way to leverage automation is to use a tool like Chef or Puppet for configuration management, alongside an infrastructure-as-code tool such as Terraform or CloudFormation, to automate the deployment of cloud infrastructure templates derived from your security baseline. This simplifies the creation of complex architectures and reduces the likelihood of human error. Utilizing a security orchestration, automation, and response (SOAR) solution is another way to leverage automation. This type of tool lets the team exchange data between systems without spending time hand-integrating them via APIs. Even better, a SOAR solution can automate many of the manual processes that eat up a security analyst’s day or cause an investigation to stall. For instance, the security team can use the SOAR tool to create workflows that automatically investigate suspected phishing emails, contain malware upon detection, provision and deprovision users, and streamline patching, among other things. Any automated containment action should be scoped and tested carefully, since a playbook that disables the wrong account or quarantines the wrong host at machine speed is itself an outage.
Apart from what has been discussed thus far, there are a few additional best practices for organizations that develop and deploy web applications on their cloud network. These organizations should strive to “shift left” and incorporate security into their software development lifecycle (SDLC) as early as possible. In other words, security issues should be evaluated alongside other bugs during pre-deployment testing of code. Not only does this ensure that deployed code is secure, but it also gives developers the opportunity to learn about the vulnerabilities in their code and how to avoid them in the future. Because modern web apps deployed on cloud networks are generally quite complex, organizations should ensure that any SAST, DAST, or IAST solution they consider can actually handle their apps’ languages, frameworks, and codebase size; the most reliable way to determine this is to trial the tool against one of your own applications rather than a sample project.
While this is not unique to cloud networks, any organization deploying web applications should seriously consider additional runtime protections: a Web Application Firewall (WAF) to block malicious requests before they reach the app, and a Runtime Application Self-Protection (RASP) solution to detect and respond to a live attack that gets past the WAF.