Thought Leadership

Dec 27, 2021

Cloud Security Controls: Are you at Risk?


As the cloud has risen to new heights, it has brought with it new approaches to security and a new set of security controls. These new cloud security controls are necessary to address unique challenges inherent to massively multi-tenant environments, fully distributed application and infrastructure, and new cloud-native constructs. The rapid transition shift to the cloud has created a raft of new security needs.

Traditional agent-based security approaches cannot keep pace with containerized and serverless environments, where ephemeral infrastructure may change every few minutes. In addition, because newer generations of cloud-native applications are so closely linked to infrastructure, in the cloud-native world the infrastructure and application security needs blend together. Many analysts call this new suite of controls collectively cloud workload security (CWS).

Cloud Workload Security Means Keeping Everything And Adding More Controls

While CWS controls are necessary to fight attackers in the cloud, they generally do not replace older security controls. For example, anti-virus, data loss prevention, network security, software integrity, and vulnerability scanning are all still required because the applications, while in the cloud, still are the same applications. That said, the underlying infrastructure is more complicated and ephemeral in virtualized environments and the cloud deployment introduces or makes feasible many new paradigms: container orchestration, the service mesh, microservices, serverless computing, and more. In this post, we will run through the new ranks of CWS controls, discuss their value and general strategies for cloud security.

CWS Focuses High in the Clouds for Observability and Governance

As per Forrester Research, when executed properly, CWS enables enterprises to create a unified solution for management and visibility of all workloads across different cloud service providers (CSPs). A CWS should provide observability and introspection at different infrastructure layers including the control plane, guest and host operating systems, containers, serverless functions, and related services and tools (identify management storage, networking). CWS includes a number of control domains, including some with overlapping capabilities. Here is a basic list.

Cloud Security Posture Management (CSPM): These solutions automate the identification and mitigation of security risk across all levels of cloud infrastructure, including Infrastructure as a Service (IaaS), Software as a Service (Saas), and Platform as a Service (PaaS). CSPM solutions are not only used to mitigate but also to visualize and assess risk and to monitor for compliance with security policies. When used correctly, CSPM solutions integrate with CI/CD pipelines to seamlessly apply policies for any containerized or virtualized environment. More recently, organizations have added Kubernetes management to this product category, although these solutions are sometimes broken out as Kubernetes Security Posture Management ((KSPM) solutions.

Cloud Workload Protection (CWP): CWP ensures that workloads are deployed in the cloud, availability zone, or other virtual location. CWP further scans workload to make sure that they have the right security measures set up. A CWP solution will roll up a number of legacy solutions including OS hardening, vulnerability scanning, network and namespace segregation, system integrity checks, and whitelisting applications.

Cloud Access Security Broker (CASB): A software or service solution that monitors user behaviors and enforces security compliance policies to ensure users are interacting with cloud applications in the proper way. A CASB is generally in communication with network and web application firewalls, DLP systems, and other related security systems such as SIEM. CASB.

Cloud Infrastructure Entitlement Management (CIEM): Similar to a CASB but generally broader in coverage, a CIEM gives security teams a platform to programmatically determine which users and systems (human and machine) can access which resources. CIEMs tend to overlay multiple clouds, services, users, geographies, and computing paradigms. A CIEM usually includes visualization and observability capabilities to allow SecOps and CloudOps to see both the big picture and quickly drill down to individual entitlements. CIEMs generally create and sustain a comprehensive inventory of existing cloud infrastructure entitlements, identify anomalies in cloud transactions and behaviors, and automate incident response to breaches or anomalous entitlements. In the highly complex environment that is today’s cloud, CIEMs help security teams enforce the principle of least privilege and reduce their attack surface.

Cloud-Native Application Protection Platform (CNAPP): The term was coined by Gartner, CNAPP solutions work to address configuration and workload security by scanning these elements during development and protecting them at runtime. CNAPP converges multiple technologies, primarily CSPM and CWPP, as well as Cloud Infrastructure Entitlement Management (CIEM), Kubernetes Security Posture Management (KSPM). Full-featured CNAPP solutions also include cloud-native API discovery and protection and serverless infrastructure security.

Container Registries: These are catalogs of approved container images supported by an organization and vetted by security. Because it is so easy to spin up new containers, security teams have implemented registries to ensure that only approved images can run on enterprise cloud systems. This is similar to package registries and code registries, like npm and GitHub.

New Controls, Same Old Problems

Adding all of these new controls to protect cloud environments has added an entirely new level of complexity to security operations. While many of these controls add new types of automation, humans still set the parameters and configure how these controls do their jobs. This means that even cloud security controls are subject to many of the same problems common in the pre-cloud world: misconfiguration of security controls and security drift. Even more, in the cloud, developers tend to have significantly more autonomy and DIY capabilities. This autonomy is the promise of the cloud but it also means that security shifts left and developers are responsible not only for secure code but also for secure workloads, data, and networks. Naturally, this results in security mistakes.

Forward-thinking cloud security teams actually step up their activities to simulate attacks and breaches in order to create near-continuous testing. By doing automated security testing on a continuous basis, security operations teams are more likely to spot configuration issues and security drift. This type of testing works far better when it can programmatically simulate actual breach activity, horizontal traversal, and real exploits taken from the MITRE Framework and CVE databases. Moving to the cloud has real benefits but it also entails a set of new risks. Cloud-native security controls may be better suited to the cloud than legacy controls but even the newer cloud-centric controls must be tested to validate that they actually block attacks as advertised.

For best protection, proactively, continuously validate, and optimize the effectiveness of your cloud security controls with breach and attack simulation tools from SafeBreach.

Get the latest
research and news