Author bio: Maya Levine worked as a Security Engineer at Check Point Software Technologies for 3 years before moving to her current role of Technical Marketing Engineer for Cloud Security. She is a Technical Evangelist with the company, regularly speaking at technology conferences and conducting media interviews with news channels.
What makes cloud security different from traditional network security? What are the new challenges?
As technology evolves to enable more rapid deployment for DevOps, it becomes more challenging for security teams to keep up and maintain control. The speed of deployment and changes has become exponentially faster. DevOps and Infrastructure-as-Code deployments enable developers to push code to production much more quickly than ever before.
The perimeter is not a great model for cloud security. Modern cloud applications have a high number of resources interacting with third-party services outside of their perimeter. Data can come in and out of our applications in many more ways than in the past. You actually have hundreds of perimeters now to secure.
In addition, cloud resources are inherently ephemeral, meaning constantly changing. From security policies to log investigations, IP addresses are basically useless. In essence, this requires a complete shift from the traditional methods of security enforcement.
What should I prioritize? Assuming I cannot do everything at once, what should I prioritize first?
If you are new to the cloud, or recently migrated to cloud, it can seem overwhelming to ramp up your security team to meet the challenges of securing cloud applications. A true cloud native security solution will have different layers of security built on top of each other.
The base layer – the foundation to your cloud security – should be Posture Management. Configuration scanning of cloud resources, including containers and serverless functions, must ensure least privilege, minimal risk, and no vulnerabilities. It is necessary to detect vulnerabilities at all levels of your environment, therefore, the Cloud Security Posture Management (CSPM) solution needs to code scan container images and serverless deployment packages.
There is so much room for misconfiguration in the cloud. As ThreatPost included in an article, “through 2022, at least 95 percent of cloud security failures will be the customer’s fault.” If you do posture very well – you will make your application pretty resilient to most low-level attackers.
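To make the posture layer concrete, here is an added example (not code from the interview, Check Point, or any CSPM product) of the kind of rule a posture scanner evaluates against a cloud inventory. The inventory, policy names, account ID and CIDRs are all constructed for the example. Two rules are checked: IAM statements that grant wildcard actions (a least-privilege failure) and security groups that expose an admin port to the whole internet. A third function applies an automatic fix for the second rule, the sort of response a posture tool runs when a rule fails.

```python
"""Added example: CSPM-style posture checks over a constructed inventory."""
import ipaddress

# Constructed sample inventory. Names, account ID and CIDRs are made up.
SAMPLE_INVENTORY = {
    "iam_policies": [
        {"name": "AdminEverything",
         "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "ReadOrdersBucket",
         "statements": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                         "Resource": "arn:aws:s3:::orders/*"}]},
        {"name": "IamStar",
         "statements": [{"Effect": "Allow", "Action": ["iam:*"],
                         "Resource": "arn:aws:iam::123456789012:role/app"}]},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                                         {"port": 22, "cidr": "10.0.0.0/8"}]},
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "10.0.1.0/24"}]},
    ],
}

ADMIN_PORTS = {22, 3389}  # SSH and RDP


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_iam_wildcards(policies):
    """Flag Allow statements whose Action is '*' or 'service:*'."""
    findings = []
    for policy in policies:
        for stmt in policy["statements"]:
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            wild = [a for a in actions if a == "*" or a.endswith(":*")]
            if not wild:
                continue
            # Wildcard action on wildcard resource is full admin: highest severity.
            severity = "HIGH" if "*" in resources else "MEDIUM"
            findings.append({"check": "iam-wildcard-action",
                             "resource": policy["name"],
                             "severity": severity,
                             "detail": f"actions {wild} on {resources}"})
    return findings


def _world_open(rule):
    """True when the rule's CIDR is 0.0.0.0/0 or ::/0 on an admin port."""
    network = ipaddress.ip_network(rule["cidr"], strict=False)
    return rule["port"] in ADMIN_PORTS and network.prefixlen == 0


def check_open_admin_ports(groups):
    """Flag ingress rules that open an admin port to the whole internet."""
    findings = []
    for group in groups:
        for rule in group["ingress"]:
            if _world_open(rule):
                findings.append({"check": "admin-port-world-open",
                                 "resource": group["id"],
                                 "severity": "HIGH",
                                 "detail": f"port {rule['port']} from {rule['cidr']}"})
    return findings


def remediate_open_admin_ports(groups):
    """Automatic fix: return a copy of the groups with world-open admin rules removed.

    Narrower rules on the same port are kept, so the bastion still accepts
    SSH from the internal range after remediation.
    """
    return [{"id": g["id"], "ingress": [r for r in g["ingress"] if not _world_open(r)]}
            for g in groups]


def run_posture_checks(inventory):
    """Evaluate all rules and return findings, highest severity first."""
    findings = (check_iam_wildcards(inventory["iam_policies"])
                + check_open_admin_ports(inventory["security_groups"]))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["resource"]))


if __name__ == "__main__":
    for f in run_posture_checks(SAMPLE_INVENTORY):
        print(f"[{f['severity']}] {f['check']} {f['resource']}: {f['detail']}")
```

Note the severity split: `iam:*` scoped to one role is flagged but ranked below `*` on `*`, and the remediation keeps the 10.0.0.0/8 SSH rule, which is the difference between an automatic fix operators will accept and one they will disable.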
Ok, what do I prioritize next?
Of course, you want to make your application resilient to all levels of attacks. The next security layer is to establish strong cloud network security. Network firewalling allows IT admins to configure what goes in and out at the network layer. This layer should be capable of actually blocking unknown malware and zero-day threats.
As I previously mentioned, cloud resources are incredibly ephemeral and their IP addresses constantly shift. For a cloud network security solution to provide true visibility, it must provide enriched logs with the asset’s name and details.
Another incredibly important feature that cloud network security provides is micro-segmentation. The ability to segment at the network level for North/South and East/West traffic means that even if a hacker is able to infiltrate your application, they will be relatively jailed to that environment.
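The two points above (IP addresses are useless for ephemeral resources, and East/West segmentation contains an intruder) can be shown together. The following is an added example, not code from the interview or from any Check Point product: a tag-based micro-segmentation policy is evaluated against two constructed inventory snapshots of the same three-tier application. Between the snapshots the web and api instances were replaced and received new addresses. The tag policy keeps matching and produces logs keyed on asset names; an IP-tuple policy written against the first snapshot silently stops matching. All names, tags and addresses are made up.

```python
"""Added example: East/West micro-segmentation enforced by tags, not IPs."""

# Constructed snapshots: names, tags and addresses are made up.
SNAPSHOT_T0 = {
    "10.0.1.10": {"name": "web-7f3a", "tags": {"tier": "web", "env": "prod"}},
    "10.0.2.20": {"name": "api-91c2", "tags": {"tier": "api", "env": "prod"}},
    "10.0.3.30": {"name": "db-0a1e", "tags": {"tier": "db", "env": "prod"}},
}
SNAPSHOT_T1 = {  # after a redeploy: new web/api instances, new IPs, same roles
    "10.0.1.57": {"name": "web-c04d", "tags": {"tier": "web", "env": "prod"}},
    "10.0.2.61": {"name": "api-3be9", "tags": {"tier": "api", "env": "prod"}},
    "10.0.3.30": {"name": "db-0a1e", "tags": {"tier": "db", "env": "prod"}},
}

# Tag-based allow rules; anything not listed is denied (default deny).
TAG_POLICY = [
    {"name": "web-to-api", "src": {"tier": "web", "env": "prod"},
     "dst": {"tier": "api", "env": "prod"}, "ports": {8080}},
    {"name": "api-to-db", "src": {"tier": "api", "env": "prod"},
     "dst": {"tier": "db", "env": "prod"}, "ports": {5432}},
]

# The same intent written as IP tuples at T0 (what a traditional firewall holds).
IP_POLICY = {("10.0.1.10", "10.0.2.20", 8080), ("10.0.2.20", "10.0.3.30", 5432)}


def _selector_matches(selector, tags):
    """Every key/value in the selector must be present on the asset."""
    return all(tags.get(key) == value for key, value in selector.items())


def evaluate_tag_policy(snapshot, src_ip, dst_ip, port):
    """Return an enriched decision: verdict, rule hit, and asset names."""
    src, dst = snapshot.get(src_ip), snapshot.get(dst_ip)
    if src is None or dst is None:
        # An address with no inventory entry is not a known workload: deny.
        return {"verdict": "deny", "rule": "unknown-asset",
                "src": src["name"] if src else src_ip,
                "dst": dst["name"] if dst else dst_ip, "port": port}
    for rule in TAG_POLICY:
        if (_selector_matches(rule["src"], src["tags"])
                and _selector_matches(rule["dst"], dst["tags"])
                and port in rule["ports"]):
            return {"verdict": "allow", "rule": rule["name"],
                    "src": src["name"], "dst": dst["name"], "port": port}
    return {"verdict": "deny", "rule": "default-deny",
            "src": src["name"], "dst": dst["name"], "port": port}


def evaluate_ip_policy(src_ip, dst_ip, port):
    """IP-tuple policy: allows only the exact tuples captured at T0."""
    return "allow" if (src_ip, dst_ip, port) in IP_POLICY else "deny"


def format_log(decision):
    """Log line keyed on asset names so it stays meaningful after redeploys."""
    return (f"{decision['verdict'].upper()} {decision['src']} -> "
            f"{decision['dst']}:{decision['port']} rule={decision['rule']}")


if __name__ == "__main__":
    flows = [("10.0.1.57", "10.0.2.61", 8080),   # web -> api after redeploy
             ("10.0.2.61", "10.0.3.30", 5432),   # api -> db
             ("10.0.1.57", "10.0.3.30", 5432)]   # web -> db: lateral move
    for src, dst, port in flows:
        print(format_log(evaluate_tag_policy(SNAPSHOT_T1, src, dst, port)),
              "| ip-policy:", evaluate_ip_policy(src, dst, port))
```

The third flow is the "jailed" case from the answer: a compromised web instance trying to reach the database directly is denied by default because no tag rule pairs `tier=web` with `tier=db`, regardless of which IP the attacker ends up on.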
Applications in the cloud are made up of smaller and smaller components – how to maintain security for all of these integrated, but separate, moving parts?
You are only as secure as your weakest code. If you have one line of code in a container somewhere that allows a hacker to infiltrate your system, it does not matter that you have secured everything else perfectly.
Containers and serverless functions have become synonymous with cloud development. The code itself is much smaller, more unique, and single purpose. But there are many more of them, creating a larger scope for you to protect. To protect these workloads, you need runtime security that is capable of two key tasks.
The first is baselining and modeling an entity’s behavior. This type of whitelisting is incredibly effective with these small and focused functions, as they often do the same tasks over and over again. Analyze what their behavior is, and only allow that.
Then, blacklist all common attacks and things you want to block.
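Here is an added example of the two tasks just described, written for this page rather than taken from the interview or any runtime-protection product. It learns a behaviour baseline for one single-purpose function from constructed runtime events (process executions and outbound connections), then evaluates new events: a denylist of common attack behaviours is checked first, anything in the learned baseline is allowed, and everything else is blocked (or only alerted on, in detect mode). One detail worth noting: the denylist is also applied while learning, and an event must recur across several invocations before it enters the allowlist, so a one-off compromise during the learning window is not baked into the baseline. All paths, hostnames and ports are made up.

```python
"""Added example: runtime allowlist from baselined behaviour plus a denylist."""
import re
from collections import defaultdict

# Constructed learning-phase events for one serverless function.
# Each event is (invocation_id, kind, value). Invocation 3 contains
# behaviour that must never be learned as normal.
LEARNING_EVENTS = [
    (1, "exec", "/var/lang/bin/python3"),
    (1, "connect", "orders-db.internal:5432"),
    (1, "connect", "sqs.us-east-1.amazonaws.com:443"),
    (2, "exec", "/var/lang/bin/python3"),
    (2, "connect", "orders-db.internal:5432"),
    (2, "connect", "sqs.us-east-1.amazonaws.com:443"),
    (3, "exec", "/var/lang/bin/python3"),
    (3, "connect", "orders-db.internal:5432"),
    (3, "exec", "/bin/sh"),                 # shell spawn: denylisted
    (3, "connect", "203.0.113.7:4444"),     # reverse-shell port: denylisted
]

# Denylist of common attack behaviour: (event kind, pattern, reason).
DENYLIST = [
    ("exec", re.compile(r"^/bin/(sh|bash|dash)$"), "shell spawned"),
    ("exec", re.compile(r"^/tmp/"), "execution from /tmp"),
    ("exec", re.compile(r"/(curl|wget|nc|ncat)$"), "download/network tool"),
    ("connect", re.compile(r":(4444|1337)$"), "known reverse-shell port"),
]


def denylist_hit(kind, value):
    """Return the reason string if the event matches the denylist, else None."""
    for d_kind, pattern, reason in DENYLIST:
        if kind == d_kind and pattern.search(value):
            return reason
    return None


def build_baseline(events, min_invocations=2):
    """Learn the allowlist from observed behaviour.

    An event enters the baseline only if it was seen in at least
    min_invocations distinct invocations and never matches the denylist.
    """
    seen_in = defaultdict(set)
    for invocation, kind, value in events:
        if denylist_hit(kind, value) is None:
            seen_in[(kind, value)].add(invocation)
    return {event for event, invs in seen_in.items() if len(invs) >= min_invocations}


def evaluate(baseline, kind, value, enforce=True):
    """Decide on a runtime event: denylist first, then allowlist, then default."""
    reason = denylist_hit(kind, value)
    if reason is not None:
        return ("block", f"denylist: {reason}")
    if (kind, value) in baseline:
        return ("allow", "baseline")
    # Unknown behaviour: block in enforce mode, alert only in detect mode.
    return ("block" if enforce else "alert", "not in baseline")


if __name__ == "__main__":
    baseline = build_baseline(LEARNING_EVENTS)
    for kind, value in [("connect", "orders-db.internal:5432"),
                        ("exec", "/bin/bash"),
                        ("connect", "pastebin.example:443")]:
        print(kind, value, "->", evaluate(baseline, kind, value))
```

Ordering matters: the denylist runs before the allowlist lookup so that a denylisted action can never be permitted by a polluted baseline, and raising `min_invocations` is the knob that trades a longer learning window for a cleaner allowlist.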
How can I build bridges between developers and secure applications?
The short answer is through automation and inserting security into DevOps processes.
Let’s start with automation. “Security at the speed of cloud” is a catchy phrase, but it is also an integral concept for effective cloud security. Manual processes will never allow Security teams to keep up with DevOps speed. Security teams must set their own baselines for security and automate their responses to any deviances. A CSPM solution lets you create automatic remediation responses for when a compliance or security practice rule fails. “Continuous Compliance” does not mean constantly running compliance reports. It means actually maintaining a state of compliance to industry frameworks and security best practices. On the network security side, automation is key as well to an effective security policy. Speak the language of the developer – enforce the security policy through tagging, something almost every DevOps team is doing anyway. With a tag based policy, security will automatically follow cloud resources as they are spun up.
Developers utilize pipelines for cloud applications. By adding necessary security scans as a step in the CI/CD Testing stage, you integrate security into existing processes. Let’s use the example of a code scan for vulnerabilities and unknown malware. We know that open source code is vulnerable. Hackers scour open source databases for vulnerabilities, making pretty much any vulnerability in open source public knowledge. Yet, most cloud applications utilize open source repositories and integrate them into their code. Inserting the code scan into the CI/CD pipeline will stop any vulnerable code from ever reaching production. It notifies developers to fix security issues before deployment.
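As an added illustration of the pipeline step just described (this is example code written for this page, not the interview's or any vendor's scanner), the block below is a dependency gate that a CI test stage would run: it parses a pinned requirements file, checks each version against a list of advisories with introduced/fixed ranges, and exits non-zero when a finding at or above the configured severity exists. It also refuses unpinned dependencies, since a version range cannot be assessed deterministically at scan time. The package names, advisory IDs and versions are all constructed.

```python
"""Added example: dependency vulnerability gate for a CI/CD test stage."""
import re
import sys

# Constructed manifest; package names are fictional.
REQUIREMENTS = """\
# constructed requirements.txt
acme-http==2.19.1
yamlkit==5.4
templ8>=2.10      # unpinned: cannot be assessed deterministically
netlib3==1.26.5
"""

# Constructed advisory feed: a version is affected if introduced <= v < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "package": "acme-http", "introduced": "2.0.0",
     "fixed": "2.20.0", "severity": "MEDIUM"},
    {"id": "ADV-0002", "package": "yamlkit", "introduced": "0",
     "fixed": "5.4", "severity": "CRITICAL"},
    {"id": "ADV-0003", "package": "netlib3", "introduced": "1.26.0",
     "fixed": "1.26.6", "severity": "HIGH"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)\s*([0-9][0-9A-Za-z.]*)")


def parse_version(text):
    """Numeric-component comparison, enough for the constructed data."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_requirements(text):
    """Split a requirements file into pinned {name: version} and unpinned names."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        match = REQ_LINE.match(line)
        if match is None:                      # bare name or unknown syntax
            unpinned.append(line.lower())
            continue
        name, operator, version = match.groups()
        if operator == "==":
            pinned[name.lower()] = version
        else:
            unpinned.append(name.lower())
    return pinned, unpinned


def affected(version, advisory):
    """True when version lies in the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def scan(pinned, advisories):
    """Match every pinned package against every advisory for it."""
    return [{"package": name, "version": version, "advisory": adv["id"],
             "severity": adv["severity"], "fixed": adv["fixed"]}
            for name, version in pinned.items()
            for adv in advisories if adv["package"] == name and affected(version, adv)]


def gate(text, advisories, fail_on="HIGH"):
    """Evaluate the manifest; passed is False if anything should stop the build."""
    pinned, unpinned = parse_requirements(text)
    findings = scan(pinned, advisories)
    blocking = [f for f in findings
                if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on]]
    return {"passed": not blocking and not unpinned, "findings": findings,
            "blocking": blocking, "unpinned": unpinned}


if __name__ == "__main__":
    result = gate(REQUIREMENTS, ADVISORIES)
    for f in result["findings"]:
        print(f"[{f['severity']}] {f['package']}=={f['version']} {f['advisory']} "
              f"(fixed in {f['fixed']})")
    for name in result["unpinned"]:
        print(f"[POLICY] {name} is not pinned to an exact version")
    sys.exit(0 if result["passed"] else 1)   # non-zero exit fails the pipeline stage
```

The output tells the developer exactly which version closes each finding, which is what turns a failed stage into a fix rather than a ticket; `yamlkit==5.4` shows the boundary case, since the fixed version itself is not reported.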
Do I need a new type of talent to accomplish robust cloud security?
In an ideal world, you would hire people with developer backgrounds. Having people on your team that can script and understand DevOps pipelines and cloud infrastructure will make enforcing cloud security a much easier process. You want talent that can deploy and manage cloud security effectively – this requires understanding of cloud constructs and how it works in practice.
However, there is a huge deficit for these skills. The demand for people with fluency in cloud and DevOps concepts is much higher than the supply. Luckily, there are existing tools that automate and apply security without the need for scripting. These can be used to enforce security in cloud native environments and mask you from the need to hire this highly sought after talent immediately.