Who is responsible for security in the public cloud? This is a question that companies must consider as they increase the number of workloads they run and use cloud-based IT infrastructure, services, and applications.
In Gartner's report, “How to Make Integrated IaaS and PaaS More Secure Than Your Data Center,” analysts discuss the benefits of adopting a cloud-native approach to IT security.
Gartner defines a cloud-native mindset as a way of looking at IT infrastructure and applications in the cloud as modular and based on microservices. Such infrastructure is typically container-based, orchestrated, and involves extensive use of application programming interfaces (APIs), the report authors note. Additionally, Gartner says such IT infrastructure is updated using an immutable infrastructure approach.
However, analysts warn that such an approach does not work well for local IT. “On-premises infrastructure patterns and associated tools are not suitable for public clouds and are likely to frustrate the needs of developers and business units that embrace public clouds for their dynamic and transient nature,” they point out in the report.
Gartner urges IT security leaders responsible for cloud security to be open to adopting new approaches, patterns, products, and best practices, and to consider alternative IT security technology providers when adopting public cloud.
Why focus on cloud security?
For all its benefits, the public cloud also exposes organizations to public cloud security risks, especially because it lets users access services on demand from different locations and different devices. Peggy Jacob, a member of ISACA’s Emerging Trends Working Group, describes cloud security as the technology and techniques designed to prevent and mitigate threats to an organization’s cybersecurity.
“Companies must implement cloud computing security to support digital transformations and use cloud-based tools to protect assets,” Jacob says, adding that cloud security works by combining several technologies, all designed to harden cyber defenses for off-site data and applications.
The Role of Threat Intelligence in Public Cloud Security
Rob Dartnall, CEO of SecAlliance, regularly conducts threat-led penetration tests (TLPT) under regulatory frameworks such as the Bank of England’s Targeted Evaluation (CBEST) and GBEST, the UK government’s intelligence-based attack simulation framework.
“A key component of the threat intelligence component of these tests is what’s called ‘targeting intelligence,’” he says. “Basically, it’s a hostile reconnaissance of an entity that involves many things, but most importantly, reconnaissance of the entity’s perimeter and cloud services to look for vulnerabilities that can be used to gain a foothold.”
In Dartnall's experience, technical exploitation of a perimeter service by the red team is rare against mature entities such as banks, but the discovery of shadow services, IP ranges and domains that the entity was not aware of is far from uncommon.
He says there is a direct link between the entities suffering a breach and those that have deployed External Attack Surface Management (EASM). This is an approach to perimeter security in which an internal team or an external security service provider continuously watches the perimeter and beyond, looking not only at what is running (versions, services, ports, security controls and misconfigurations) but also at new shadow services, which are usually created by mistake by rogue developers, engineers or architects. He says these shadow IT services constantly lead to security incidents and data breaches.
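The reconciliation step at the heart of EASM, as an added example that is not SecAlliance's or any vendor's code: an approved inventory of externally exposed assets is compared against what an external scan or passive feed actually observes, and anything outside the inventory (a shadow host, or an approved host exposing a port nobody signed off on) becomes a finding to route to the owning team. All hostnames, ports and owners below are constructed for illustration.

```python
"""Reconcile an approved external-asset inventory against externally observed
records to surface shadow services and unexpected exposure (added example;
every asset, port and owner here is constructed)."""
from dataclasses import dataclass

# Constructed inventory: what the organization believes it exposes, with the
# team accountable for each host and the ports that were approved.
APPROVED_ASSETS = {
    "www.example.test":    {"owner": "web-team", "ports": {443}},
    "api.example.test":    {"owner": "platform", "ports": {443}},
    "vpn.example.test":    {"owner": "netops",   "ports": {443, 1194}},
    "legacy.example.test": {"owner": "finance",  "ports": {443}},
}

# Constructed observations, as an EASM scan or passive DNS / certificate
# transparency feed might report them.
OBSERVED = [
    {"host": "www.example.test",        "port": 443,  "service": "https"},
    {"host": "api.example.test",        "port": 443,  "service": "https"},
    {"host": "api.example.test",        "port": 8080, "service": "http"},
    {"host": "vpn.example.test",        "port": 1194, "service": "openvpn"},
    {"host": "staging-db.example.test", "port": 5432, "service": "postgres"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    kind: str     # "shadow_host" or "unexpected_port"
    detail: str


def reconcile(approved, observed):
    """Return one Finding per observed record that the inventory does not explain."""
    findings = []
    for rec in observed:
        host, port = rec["host"], rec["port"]
        asset = approved.get(host)
        if asset is None:
            # Nobody in the organization claims this host: a shadow service.
            findings.append(Finding(host, port, "shadow_host",
                                    f"not in inventory; service={rec['service']}"))
        elif port not in asset["ports"]:
            # Known host, but a port its owner never approved.
            findings.append(Finding(host, port, "unexpected_port",
                                    f"owner={asset['owner']} approved={sorted(asset['ports'])}"))
    return findings


def stale_assets(approved, observed):
    """Approved hosts that were not seen at all: candidates for decommissioning
    or a sign the inventory is out of date."""
    seen = {rec["host"] for rec in observed}
    return sorted(host for host in approved if host not in seen)


def findings_by_owner(approved, findings):
    """Group findings by accountable team so each one has someone to act on it;
    shadow hosts have no owner and land under 'unassigned'."""
    grouped = {}
    for f in findings:
        owner = approved.get(f.host, {}).get("owner", "unassigned")
        grouped.setdefault(owner, []).append(f)
    return grouped


if __name__ == "__main__":
    for f in reconcile(APPROVED_ASSETS, OBSERVED):
        print(f"{f.kind:16} {f.host}:{f.port}  {f.detail}")
    print("not observed:", stale_assets(APPROVED_ASSETS, OBSERVED))
```

Running the same reconciliation on every scan, rather than once, is what turns this into continuous perimeter monitoring: a new shadow host shows up as a finding the first time it is observed, while the stale-asset list catches inventory drift in the other direction.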
How AI can help support public cloud security
There is a role for artificial intelligence (AI) and machine learning (ML), which can operate at scale, learn from data, and adapt to an organization's data protection needs. Through increased automation, decision-making can be accelerated, and data that is about to be moved to the cloud, or is already deployed there, can be assessed and appropriately protected more quickly, according to Scott Swalling, a data and cloud security expert at PA Consulting.
Cloud tools such as Google BigQuery and Amazon Macie use AI and ML to provide capabilities that help organizations better manage their data in public clouds and mitigate the exposure of sensitive data, Swalling says.
AWS Config, Azure Policy and Google Cloud Security Command Center also help automate the monitoring and enforcement of security policies. Implementing continuous monitoring will detect and alert on misconfigurations, suspicious access requests and other security incidents in real time.
In addition to automated monitoring and enforcement, Swalling points out that a well-managed threat management process that is regularly reviewed allows organizations to be more proactive and agile in their response to threats.
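What the policy-monitoring services named above do, reduced to its core, is evaluate a set of rules against a snapshot of resource configuration and alert on whatever is non-compliant. The example below is added here and is not the code of AWS Config, Azure Policy or Security Command Center; it runs three constructed rules over a constructed resource snapshot and, to show the "continuous" part, reports only the violations that are new relative to the previous snapshot.

```python
"""Policy-as-code evaluation over a constructed cloud resource snapshot
(added example; not vendor code). Each rule yields
(resource_id, rule_name, compliant, detail), the shape a monitoring job
would hand to alerting."""

# Constructed snapshots, as a config service might export them.
PREVIOUS_SNAPSHOT = [
    {"type": "storage_bucket", "id": "bkt-logs",    "public_acl": False, "encrypted": True},
    {"type": "storage_bucket", "id": "bkt-exports", "public_acl": False, "encrypted": False},
    {"type": "security_group", "id": "sg-web",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "id": "sg-bastion",
     "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
]
CURRENT_SNAPSHOT = [
    {"type": "storage_bucket", "id": "bkt-logs",    "public_acl": False, "encrypted": True},
    {"type": "storage_bucket", "id": "bkt-exports", "public_acl": True,  "encrypted": False},
    {"type": "security_group", "id": "sg-web",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "id": "sg-bastion",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 3389, "cidr": "10.0.0.0/8"}]},
]

ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_bucket_not_public(res):
    if res["type"] != "storage_bucket":
        return None
    public = res["public_acl"]
    return (res["id"], "bucket-not-public", not public, "public ACL set" if public else "ok")


def rule_bucket_encrypted(res):
    if res["type"] != "storage_bucket":
        return None
    enc = res["encrypted"]
    return (res["id"], "bucket-encrypted", enc, "ok" if enc else "encryption disabled")


def rule_no_admin_ports_from_anywhere(res):
    if res["type"] != "security_group":
        return None
    # Admin ports (SSH, RDP) reachable from the whole internet are a classic misconfiguration.
    bad = [f"{r['port']} from {r['cidr']}" for r in res["ingress"]
           if r["port"] in ADMIN_PORTS and r["cidr"] in ANYWHERE]
    return (res["id"], "no-admin-ports-from-anywhere", not bad, "; ".join(bad) or "ok")


RULES = [rule_bucket_not_public, rule_bucket_encrypted, rule_no_admin_ports_from_anywhere]


def evaluate(snapshot, rules=RULES):
    """Every (resource, rule) result, compliant or not, for an audit record."""
    return [r for res in snapshot for r in (rule(res) for rule in rules) if r is not None]


def noncompliant(snapshot, rules=RULES):
    return [r for r in evaluate(snapshot, rules) if not r[2]]


def new_violations(previous, current, rules=RULES):
    """Violations present now that were not present in the previous snapshot:
    the ones worth paging on, rather than re-alerting known, tracked findings."""
    before = {(r[0], r[1]) for r in noncompliant(previous, rules)}
    return [r for r in noncompliant(current, rules) if (r[0], r[1]) not in before]


if __name__ == "__main__":
    for rid, rule, ok, detail in noncompliant(CURRENT_SNAPSHOT):
        print(f"NONCOMPLIANT {rid:12} {rule:30} {detail}")
    print("new since last run:", [(r[0], r[1]) for r in new_violations(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)])
```

Keeping the full evaluation (compliant results included) separate from the alerting path matters in practice: the former is the evidence trail an auditor wants, the latter is what should wake someone up, and the drift comparison keeps long-known, accepted findings from drowning out genuinely new exposure.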
Why Traditional Identity and Access Management Fails
Identity and access management is a key component of proactive IT security management. However, traditional asset-centric approaches to identity management will fail to provide the visibility needed in cloud environments, warns Carlos de Solá Caraballo, senior principal analyst at Gartner.
He recommends that IT security leaders focus on user identities and associated permissions, establish baselines for normal behavior and configure alerts to detect anomalies.
“This approach enhances the ability to track and manage incidents across the cloud infrastructure, ensuring a more comprehensive and timely response,” he says.
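The identity-centric approach Caraballo describes, as an added example that is not Gartner's or any vendor's code: a per-identity baseline (countries, hours of day and actions seen historically) is learned from past sign-in and API events, and each new event is scored against it, with a previously unseen privileged action weighted separately from an ordinary new action. The users, timestamps, countries and action names are constructed; the privileged-action list is an assumption chosen for illustration.

```python
"""Identity-centric baselining and anomaly alerting over constructed cloud
audit events (added example, not Gartner's or a vendor's code)."""
from collections import defaultdict
from datetime import datetime

# Constructed historical events (identity, timestamp, source country, action)
# used to learn what "normal" looks like for each identity.
HISTORY = [
    ("alice", "2024-03-01T09:12:00", "GB", "ReadObject"),
    ("alice", "2024-03-02T10:05:00", "GB", "ReadObject"),
    ("alice", "2024-03-03T14:40:00", "GB", "ListBuckets"),
    ("bob",   "2024-03-01T22:10:00", "US", "ReadObject"),
    ("bob",   "2024-03-02T23:30:00", "US", "ReadObject"),
    ("bob",   "2024-03-03T21:15:00", "DE", "ReadObject"),
]

# Constructed new events to score against the learned baselines.
NEW_EVENTS = [
    ("alice", "2024-03-04T09:30:00", "GB", "ReadObject"),        # in baseline on every axis
    ("alice", "2024-03-04T03:15:00", "RU", "AttachRolePolicy"),  # new country, off hours, privileged
    ("bob",   "2024-03-04T22:00:00", "DE", "ReadObject"),        # DE was already seen for bob
    ("carol", "2024-03-04T12:00:00", "GB", "ReadObject"),        # identity with no baseline at all
]

# Assumed set of actions that change permissions; treated as higher severity.
PRIVILEGED = {"AttachRolePolicy", "CreateAccessKey", "PutBucketPolicy"}


def build_baselines(events):
    """Per-identity sets of observed countries, hours of day and actions."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "actions": set()})
    for user, ts, country, action in events:
        b = base[user]
        b["countries"].add(country)
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["actions"].add(action)
    return dict(base)


def _hour_distance(a, b):
    # Circular distance so 23:00 and 01:00 count as two hours apart.
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(baselines, event, hour_slack=2):
    """Return the list of (reason, value) deviations from the identity's baseline;
    an empty list means the event looks normal."""
    user, ts, country, action = event
    b = baselines.get(user)
    if b is None:
        return [("unknown_identity", user)]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if country not in b["countries"]:
        reasons.append(("new_country", country))
    if all(_hour_distance(hour, h) > hour_slack for h in b["hours"]):
        reasons.append(("off_hours", hour))
    if action not in b["actions"]:
        kind = "privileged_new_action" if action in PRIVILEGED else "new_action"
        reasons.append((kind, action))
    return reasons


def alerts(baselines, events):
    """(identity, timestamp, reasons) for every event that deviates from baseline."""
    out = []
    for e in events:
        reasons = score_event(baselines, e)
        if reasons:
            out.append((e[0], e[1], reasons))
    return out


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for user, ts, reasons in alerts(baselines, NEW_EVENTS):
        print(f"ALERT {user:6} {ts}  " + ", ".join(f"{k}={v}" for k, v in reasons))
```

The value of scoring on several axes at once is that a single deviation (one new country for a frequent traveller) is noise, while new country plus off-hours plus a first-ever permission change is exactly the event an incident responder wants escalated; the reason list lets the alerting layer set severity from how many axes moved and which ones.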
The role of shared responsibility
Whether an organization is beginning its journey to migrate core services to the cloud or launching a greenfield cloud-based project, engaging security professionals with a deep understanding of the cloud security model is critical.
Elliot Wilkes, chief technology officer at Advanced Cyber Defense Systems, talks about a shared responsibility model in cloud computing, where cloud providers take responsibility for certain elements of each service. He says they need to monitor, defend, and protect those elements, which include physical infrastructure, access controls in data centers, resilient power backups, and the like. “All the things you would normally expect from a data center, the cloud provider will provide,” he says.
Knowing which parts of the public cloud infrastructure are managed by the cloud service provider lets IT teams plan for the vulnerabilities that remain theirs to address.
Gartner's Caraballo recommends that IT security leaders engage their governance, risk, compliance (GRC) and legal teams early in the cloud provider selection process.
Wilkes agrees, saying, “Explicit contract terms are essential to ensuring robust incident response support from the cloud provider.”
Caraballo recommends that IT security leaders consider overall business resilience when developing a strategy for responding to security incidents that occur in cloud environments. He notes that this requires a broader approach, including not just technical responses but also strategic planning, such as digital supply chain redundancy and strong legal contracts. He urges IT security leaders to ensure that their incident response plans are comprehensive, include cloud-specific considerations, and align with their overall business continuity and disaster recovery strategies.
Why does cloud security require a different approach?
According to Caraballo, the shift to cloud environments requires a radical shift in incident response strategies. He urges IT security leaders to reevaluate and modernize incident response processes, and leverage automation, proactive collaboration, and identity-centric security to address the unique challenges posed by the cloud.
“The dynamic nature of cloud security requires incident response strategies that are equally dynamic and flexible, ensuring that organizations can respond quickly and effectively to emerging threats,” he adds.
The good news, at least from Swalling’s perspective, is that cloud providers have the ability to assess massive amounts of data and threats. He points out that this means that public cloud services are currently better at leveraging AI than simpler in-house security tools.