Attackers increasingly strive to leverage cloud weaknesses that enable them to deliver malware to end users, gain unauthorized access to production environments or their data, or completely compromise a target environment. This strategy is known as a watering hole attack, and researchers have seen them emerge in cloud environments where they can cause even more damage.
To select a suitable cloud security solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.
Ben Carr, CISO, Qualys
Finding the right approach to cloud security is hard – it involves looking at your business requirements, goals and budgets. Some cloud security solutions are very targeted and do a good job within their niche.
However, this can lead to problems over time with IT teams dependent upon multiple agents with limited functionality and fragmented data feeding into multiple consoles. According to Oracle and KPMG, 78% of organizations currently use more than 50 security products. When teams are busy manually correlating data, threats are missed.
Look for vendors aligned to your strategic goals that offer more than just a single capability, as companies look to do more with less. The tools should offer a holistic solution to cloud security and integrate within your existing ecosystem. This will enable you to focus on monitoring and to respond to incidents more quickly.
The vendor relationship is also critically important, considering areas like data ownership, access, and deletion. The vendor relationship should be a partnership, not a single sales interaction. The recent SolarWinds hack has reminded us all of the importance of assessing third-party security posture and selecting vendors that will work collaboratively in the event of an incident or breach.
Martin Holste, CTO for Cloud, FireEye
Cloud’s allure is undeniable: increasing business agility and accelerating time to market is a primary goal in almost every modern enterprise. Ideally, a strong and secure public, private or hybrid cloud environment would encompass a perfect union of centralized visibility, integration and control that doesn’t compromise your success.
Let’s face it, managing security on-premises is hard enough, but add in multiple cloud vendors and platform options, increased threat vectors and attack surfaces, and the need for cloud security cannot be overstated. Advanced attacks combine infiltration of on-prem, cloud, and SaaS systems, which requires full visibility and control of all environments to defend.
So, when selecting a cloud security solution consider the following questions: Does this solution let the business build quickly in the cloud but also let me sleep well at night? Can I prove to myself, my board, and auditors that we have configured things correctly? If we have to start an investigation, can I trace the path of a given action, starting from login?
Organizations should feel confident that with the right security strategy, they can seize cloud efficiencies and streamline their business. The cloud has many advantages, and it will continue to be targeted by attackers so long as organizations continue to use it. However, the right strategies surrounding cloud use can help mitigate the risks.
Om Moolchandani, CTO, Accurics
Cloud security affects the entire organization, so selecting a cloud security solution requires buy-in from all stakeholders. You need to carefully balance benefits against direct and indirect costs.
Focus on automation since it improves consistency and velocity while reducing effort. Movements such as DevOps and GitOps are already on this path, making automation mandatory if security is to keep up. Policy as Code helps enforce security and compliance policies, adherence to best practices, and it fits well into automated processes such as GitOps, CI/CD pipelines and runtime security controls.
Enforcing security throughout the application lifecycle is critical. You obviously need to manage risk in the cloud runtime, but that’s also the hardest place to remediate problems effectively. Cloud resources are provisioned from Infrastructure as Code; fixes need to be implemented in the IaC. Favor solutions that protect while keeping the IaC up to date, rather than implementing fixes in runtime.
Solutions fluent in IaC can help you identify and manage configuration drift in the runtime. Even “safe” changes need to be reflected in the IaC, so that future deployments don’t cause regressions. Programmatic remediation capabilities help you fix more, faster, and are key to integrating the solution into DevOps processes. The most advanced solutions understand the topology and can help identify breach paths and prioritize kill chain remediation.
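The two ideas above, Policy as Code applied to IaC before deployment and drift detection between the IaC and the running environment, can be shown in a few dozen lines. The following is an added illustration, not code from Accurics or from the article; it uses a hypothetical JSON resource schema loosely modelled on a Terraform plan, and both the IaC document and the "runtime" inventory are constructed sample data. Note how the hand-made console fix to the `uploads` bucket shows up as drift: the runtime is safer than the IaC, so the next deployment would regress it unless the IaC is updated, which is exactly the point made above.

```python
"""Policy-as-code gate and IaC-vs-runtime drift check (illustrative, hypothetical schema)."""
import json
from typing import Optional

# Constructed sample IaC document (hypothetical schema, loosely modelled on a
# Terraform JSON plan). Not from any real project.
IAC_JSON = """
{
  "resources": [
    {"type": "storage_bucket", "name": "assets",
     "config": {"public_read": false, "encryption": "aes256"}},
    {"type": "storage_bucket", "name": "uploads",
     "config": {"public_read": true, "encryption": null}},
    {"type": "security_group", "name": "web",
     "config": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]}},
    {"type": "security_group", "name": "admin",
     "config": {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}}
  ]
}
"""

# Constructed runtime inventory, as a cloud API listing might return it.
# Someone fixed the public bucket in the console, opened port 8080 on "web"
# by hand, and created a "debug" group that exists in no IaC file.
RUNTIME_JSON = """
{
  "resources": [
    {"type": "storage_bucket", "name": "assets",
     "config": {"public_read": false, "encryption": "aes256"}},
    {"type": "storage_bucket", "name": "uploads",
     "config": {"public_read": false, "encryption": null}},
    {"type": "security_group", "name": "web",
     "config": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                            {"port": 8080, "cidr": "0.0.0.0/0"}]}},
    {"type": "security_group", "name": "admin",
     "config": {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}},
    {"type": "security_group", "name": "debug",
     "config": {"ingress": [{"port": 5900, "cidr": "10.0.0.0/8"}]}}
  ]
}
"""

Finding = tuple  # (rule name, resource id, message)
ADMIN_PORTS = {22, 3389}  # SSH and RDP; assumed list for this example


def rid(res: dict) -> str:
    """Stable resource id used to match IaC and runtime entries."""
    return f"{res['type']}.{res['name']}"


# --- Policy as Code: each rule inspects one resource and returns a finding or None.
def no_public_buckets(res: dict) -> Optional[Finding]:
    if res["type"] == "storage_bucket" and res["config"].get("public_read"):
        return ("no_public_buckets", rid(res), "bucket allows public read")
    return None


def buckets_encrypted(res: dict) -> Optional[Finding]:
    if res["type"] == "storage_bucket" and not res["config"].get("encryption"):
        return ("buckets_encrypted", rid(res), "bucket has no at-rest encryption")
    return None


def no_world_open_admin_ports(res: dict) -> Optional[Finding]:
    if res["type"] != "security_group":
        return None
    for rule in res["config"].get("ingress", []):
        if rule["port"] in ADMIN_PORTS and rule["cidr"] == "0.0.0.0/0":
            return ("no_world_open_admin_ports", rid(res),
                    f"port {rule['port']} open to 0.0.0.0/0")
    return None


POLICIES = [no_public_buckets, buckets_encrypted, no_world_open_admin_ports]


def evaluate(doc: dict) -> list:
    """Run every policy over every resource; this is the pre-deploy gate in CI."""
    findings = []
    for res in doc["resources"]:
        for policy in POLICIES:
            finding = policy(res)
            if finding is not None:
                findings.append(finding)
    return findings


def detect_drift(iac: dict, runtime: dict) -> list:
    """Compare runtime state against IaC, keyed by resource id.

    Returns tuples (resource id, attribute or 'missing'/'unmanaged', declared, observed).
    """
    declared = {rid(r): r["config"] for r in iac["resources"]}
    observed = {rid(r): r["config"] for r in runtime["resources"]}
    drift = []
    for key in sorted(declared.keys() | observed.keys()):
        if key not in observed:
            drift.append((key, "missing", None, None))      # in IaC, not deployed
        elif key not in declared:
            drift.append((key, "unmanaged", None, None))    # deployed, not in IaC
        else:
            for attr in sorted(declared[key].keys() | observed[key].keys()):
                want, have = declared[key].get(attr), observed[key].get(attr)
                if want != have:
                    drift.append((key, attr, want, have))
    return drift


def load_samples() -> tuple:
    """Parse the constructed IaC and runtime documents."""
    return json.loads(IAC_JSON), json.loads(RUNTIME_JSON)


if __name__ == "__main__":
    iac_doc, runtime_doc = load_samples()
    for f in evaluate(iac_doc):
        print("POLICY", *f)
    for d in detect_drift(iac_doc, runtime_doc):
        print("DRIFT ", *d)
```

Running the policies against the IaC flags the public, unencrypted `uploads` bucket and the world-open SSH rule on `admin` before anything is provisioned; the drift pass then reports the unmanaged `debug` group, the extra ingress rule on `web`, and the `public_read` mismatch on `uploads`. A real tool would feed the drift entries back as IaC changes (or revert the runtime) rather than leaving the two to diverge.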
Glen Pendley, Deputy CTO, Tenable
With the elastic nature of cloud environments, assets can be accessed, utilized and altered, oftentimes by stakeholders outside of the security team, which can restrict security professionals’ visibility into their organizations’ cloud assets. Even further, scheduled vulnerability scans only provide teams with point-in-time snapshots, leaving considerable exposure for instances that can occur between scans.
Many cloud assets are clones of one another, meaning when one is exploited, it could have a cascading impact on all other copies. Once an asset is exploited, it is impossible to predict how far-reaching the impact is, even for temporary exposures. As a result, security managers should look for solutions that offer effective security, continuous visibility and reliable IT operations.
In addition, organizations should consider the type of user leveraging their cloud infrastructure. The role of each user (e.g. developer or sysadmin) will directly dictate the type of technologies they need to use. Cloud security is not a one-size-fits-all approach. It’s important to deploy a custom solution that meets the business and technology needs of the organization.
Kevin Schwarz, Principal for Transformation Strategy, EMEA, Zscaler
Assess fit: A cloud security solution must support direct offloading of internet traffic from all clients and devices in primary environments (e.g., Windows, iOS, Android). It must secure the new way of work – remote, device-agnostic, and outside the network perimeter.
Policy-based controls: A cloud security architecture must apply policy to ensure compliance for all users, wherever they may be, whatever apps they use, and for whatever devices/platforms they use to conduct their work.
Deliver security inline: The solution must be available globally, at the cloud edge, proximate to all users, even those in remote locations. That may require services delivered in/from multiple regions (especially for users in countries with data-residency regulatory requirements).
Inspect SSL/TLS traffic: The solution must be able to inspect encrypted data with no added latency. Threat adversaries now hide malware in encrypted data packets, making it harder to detect. Cloud security solutions that don’t inspect all encrypted data are not sufficiently secure.
Support for integration: The solution should integrate with other technologies via APIs. Some solutions provide comprehensive security coverage (via CASB, SWG, SD-WAN, and other features). Those that don’t must be able to deliver those features in a cohesive way via API integration.
Itai Tevet, CEO, Intezer
Make sure it’s designed for Linux and cloud. Many security solutions are just a migration of a Windows Endpoint Protection platform. They are not built to run in highly scalable, Linux-based environments—both in resource consumption and protection against Linux threats.
Make sure it has runtime protection. Pre-runtime vulnerability scanning is great for reducing the likelihood of an attack by fixing known vulnerabilities. At the same time, it’s impossible to eliminate all software vulnerabilities. Not every vulnerability is known, not every piece of software has a fix, and patching those that can be fixed takes time. Add to this the existence of vulnerable third-party software and Living off the Land (LotL) attacks, and you can see why you also need strong threat detection. When you get attacked at runtime, where actual attacks occur, you need to detect it.
Cloud infrastructure can be expansive and very diverse. It shouldn’t overwhelm you with logs, false positives and unactionable data. There are solutions available that don’t flood your security teams with every small change in production or “suspicious” network connection that is actually just a legitimate software upgrade or a natural change in memory. Alert fatigue can result in a real compromise slipping past unnoticed. Look for a more robust solution that produces only high-confidence alerts.
Protect all types of compute resources. Cloud environments are diverse and contain many different types of workloads (containers, K8s, VMs, CaaS, FaaS, etc.). Secure your entire infrastructure under one platform rather than with multiple solutions.