There’s a good reason cloud security has become the fastest-growing segment of the security market: Companies are realizing that their data isn’t necessarily secure just because it’s in the cloud and behind the shield of a major hyperscaler/cloud provider.
People (and companies) tend to think of the cloud as secure because the data is backed up and because most of the major cloud providers follow best practices in data protection, such as redundancy. But, if the relatively recent high-profile string of cloud security breaches is any indicator, this is far from true.
In this three-part blog series, we’ll explore the three main challenges companies face around cloud security—visibility, complexity, and governance—and what they can do to alleviate most of the pain points from these challenges.
Is Cloud Data Safe?
Yes—data stored in the cloud is generally very safe. But what you may not realize is that the security of all data created in the cloud, sent to the cloud, and downloaded from the cloud is only as strong as a) the cloud provider itself (do they patch and actively manage security?), and b) the controls implemented by the customer who owns the data.
Bottom line: Whether it’s hybrid cloud, public cloud, or private cloud, your cloud applications aren’t guaranteed to be safe and require full data protection, just like on-prem apps. Companies can’t, and shouldn’t, fully rely on the cloud provider to ensure this safety.
Do Public Cloud Providers Cover Data Protection?
Cloud providers, such as Amazon Web Services (AWS), Microsoft Azure (Azure), and Google Cloud Platform (GCP), do offer various cloud-native security features and services, some of them quite robust (such as Pure’s PX Backup). But supplementing these capabilities is essential for achieving enterprise-grade cloud workload protection from breaches, data leaks, and targeted attacks in the cloud.
Cloud Security Challenge #1: Visibility
According to Cybersecurity Insiders’ 2022 Cloud Security Report, more than a third of cybersecurity professionals cite “visibility into infrastructure security” as one of their “biggest operational, day-to-day headaches trying to protect cloud workloads.”
Obviously, companies can’t protect what they can’t see.
Not knowing where data is or what’s happening with it isn’t just a legitimate concern but also a serious security issue with enterprise data stored in the cloud. In most IaaS, PaaS, and SaaS models, the cloud providers have full control over the infrastructure layer and don’t expose it to their customers, who often can’t effectively identify and quantify their cloud assets or visualize their cloud environments.
Getting visibility into where your cloud data resides and what’s happening with it is essential for:
- Reducing risk
- Simplifying cloud management
- Speeding up mean time to detection (MTTD) and mean time to restore (MTTR)
- Driving business value
- Maturing your security program
All of this is covered in the field of FinOps—a growing discipline around controlling use and spend in the cloud. But it’s not necessarily easy to do.
What You Can Do to Improve Visibility
Understand and Establish What’s “Normal”
Your foundation for visibility into what’s happening with your cloud data is a baseline: what your data is, where it typically resides, and how it’s typically used. That baseline drives the tools and processes you use to inventory your data and to define normal activity in the cloud, so that potentially malicious activity stands out.
Centralize Your Data Monitoring and Querying
Your cybersecurity professionals need an easy way to view and query all data. The best thing you can do to enable a consistent and easy view of all your data is to establish a centralized data monitoring strategy that captures statistics on information movement and infrastructure behavior from a variety of places and consolidates it into a single dashboard. Then, train your data analysts on a single standard to normalize tool-specific fields across integrated technologies and enable querying across technologies. Security teams can then use this unified view of data to accelerate threat analysis without needing extensive knowledge of each technology’s field names or search language.
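As an added illustration (not code from the original post), the single-standard normalization described above: three constructed records in tool-specific shapes are mapped to one common schema so an analyst can ask one question across all of them without knowing each tool’s field names. The record layouts, field names, and sample values are assumptions for illustration, not the exact formats of any vendor.

```python
from datetime import datetime, timezone

# Constructed sample events in three tool-specific shapes (not real logs).
RAW_EVENTS = [
    ("cloudtrail", {"eventTime": "2024-03-01T10:15:00Z", "eventName": "GetObject",
                    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                    "sourceIPAddress": "203.0.113.5",
                    "requestParameters": {"bucketName": "payroll", "key": "q1.csv"}}),
    ("azure", {"time": "2024-03-01T10:16:30Z", "caller": "bob@example.com",
               "operationName": "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
               "callerIpAddress": "198.51.100.7",
               "resourceId": "/subscriptions/sub1/storageAccounts/payroll"}),
    ("app", {"ts": 1709288400, "actor": "svc-report", "ip": "10.0.0.8",
             "action": "download", "object": "s3://payroll/q1.csv"}),
]

def _iso(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

# The single standard analysts learn: for each tool, where each common field lives.
FIELD_MAP = {
    "cloudtrail": {"time": lambda r: r["eventTime"], "actor": lambda r: r["userIdentity"]["arn"],
                   "src_ip": lambda r: r["sourceIPAddress"], "action": lambda r: r["eventName"],
                   "object": lambda r: r["requestParameters"]["bucketName"] + "/" + r["requestParameters"]["key"]},
    "azure": {"time": lambda r: r["time"], "actor": lambda r: r["caller"],
              "src_ip": lambda r: r["callerIpAddress"],
              "action": lambda r: r["operationName"].rsplit("/", 1)[-1],
              "object": lambda r: r["resourceId"].rsplit("/", 1)[-1]},
    "app": {"time": lambda r: _iso(r["ts"]), "actor": lambda r: r["actor"], "src_ip": lambda r: r["ip"],
            "action": lambda r: r["action"], "object": lambda r: r["object"]},
}

def normalize(source, record):
    """Translate one tool-specific record into the common schema; absent fields become None."""
    out = {"source": source}
    for field, extract in FIELD_MAP[source].items():
        try:
            out[field] = extract(record)
        except (KeyError, TypeError):
            out[field] = None
    return out

def actors_touching(events, needle):
    """Cross-tool query in common field names: who accessed objects whose name contains `needle`."""
    return sorted({e["actor"] for e in events if e["actor"] and needle in (e["object"] or "")})

# Normalized once at ingest; every dashboard and query works against this list.
NORMALIZED = [normalize(src, rec) for src, rec in RAW_EVENTS]
```

Once records share one schema, a question such as "who touched payroll data today?" is a single filter over `NORMALIZED` rather than three searches in three query languages.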
Automation, primarily via AI and ML, will make your cloud security life much easier and your cloud security visibility much better by freeing up valuable human resources for important things such as threat detection strategy.
Automation allows teams to skip the data-gathering phase and go straight to the investigation phase. With more time to analyze data, experts can train their colleagues on the differences between normal and abnormal user behavior. Teams can also re-classify severity and dynamic scores based on additional context learned over time.
Automation can also be used for things like triage, remediation, and enrichment. Data enrichment can be particularly helpful because it can save time and also be used for consistent intelligence around activities such as threat hunting.
Ultimately, instead of relying on team members’ varying skill and experience levels, security analysts can use automation to minimize errors and missteps.
Add Tracking Probes
Consider adding application performance monitoring probes to the code of applications you develop in-house and inserting these probes at specific points where it’s important to establish visibility.
You can, for example, add an in-code trigger or probe at points where the program’s decision logic indicates the occurrence of an important event, such as a transaction not matching anything in the database. These probes will generate events that can then be captured, analyzed, and logged for cloud security intel. For third-party software, you can use something called a bytecode trace, which uses message tags to follow work between components or steps, provides insights into workflow performance, and identifies key components in the workflow.
Don’t forget to set up metrics for your cloud security, too, so that you know how well you’re doing with your visibility measures and if they’re helping or not. This will help your security team prioritize integrations to close gaps and make better arguments for security budget requests.
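An added example (not from the original post) of the in-code probe idea and the metrics point above: a constructed settlement function emits a structured event at the decision point where a transaction matches nothing in its in-memory ledger, and a counter over those events yields a simple visibility metric. The event sink, ledger, field names, and probe names are all assumptions made for illustration.

```python
import json
import logging
from collections import Counter
from datetime import datetime, timezone

log = logging.getLogger("secprobe")
# In-memory sinks standing in for a log shipper and a metrics backend (assumptions).
EVENTS = []
PROBE_HITS = Counter()

def probe(name, severity="info", **fields):
    """Emit one structured security event at the point of call and count it."""
    event = {"ts": datetime.now(timezone.utc).isoformat(), "probe": name,
             "severity": severity, **fields}
    EVENTS.append(event)
    PROBE_HITS[name] += 1
    log.info(json.dumps(event))
    return event

# Constructed ledger of known transactions: id -> (account, amount).
LEDGER = {"tx-1001": ("acct-7", 120.00), "tx-1002": ("acct-9", 48.50)}

def settle(tx_id, account, amount, src_ip):
    """Decision logic with a probe at each outcome worth seeing on a security dashboard."""
    record = LEDGER.get(tx_id)
    if record is None:
        # The case the text describes: a transaction that matches nothing in the database.
        probe("settle.unknown_transaction", severity="high",
              tx_id=tx_id, account=account, amount=amount, src_ip=src_ip)
        return "rejected"
    if record != (account, amount):
        probe("settle.mismatch", severity="medium", tx_id=tx_id,
              expected=list(record), got=[account, amount], src_ip=src_ip)
        return "rejected"
    probe("settle.ok", tx_id=tx_id, account=account)
    return "settled"

def probe_metrics():
    """Visibility metric: how many probe events fired and what share were high severity."""
    total = len(EVENTS)
    high = sum(1 for e in EVENTS if e["severity"] == "high")
    return {"total": total, "high": high, "high_ratio": high / total if total else 0.0}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    settle("tx-1001", "acct-7", 120.00, "10.0.0.4")
    settle("tx-9999", "acct-7", 5000.00, "203.0.113.9")
    settle("tx-1002", "acct-9", 480.50, "10.0.0.5")
    print(probe_metrics())
```

In a real deployment the `EVENTS` list would be replaced by whatever ships logs to the central monitoring pipeline, and `PROBE_HITS` by a metrics exporter, so the same probe names appear on the visibility dashboard.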