Originally published by The Doppler
For years, enterprises moving to the cloud have been concerned with the security of their data and applications — and they should be! Cloud transformations are complex, and there is a lot on the line.
How enterprises approach security in the cloud depends, in large part, on what kind of deployment model they choose. Many enterprises start with a private cloud where the security approach changes minimally. However, once workloads get moved to a public cloud provider, the need for automation demands that security approaches evolve. There are a number of deployment models from which to choose: Hybrid IT, where some workloads move from an on-premises data center to a public cloud provider; Hybrid Cloud, where workloads are run in both private and public clouds; and Multicloud, where the organization adds a second or third public cloud for running workloads.
Just as each of these environments offers different business advantages, each also presents different security challenges. Security strategies should take into account a variety of factors, starting with the needs of the organization, and the risk profile of the industry. Strategies should focus on key issues, such as access control, encryption, logging and monitoring, threat and vulnerability management and the differing approaches each type of cloud environment requires for deploying these capabilities. Success hinges on four disciplines, which are key to effectively managing security in these environments: standardization, instrumentation, training and automation. Addressing these security disciplines enables you to develop a control plane that works across heterogeneous cloud models.
Exploring the four key security disciplines
Looking more closely at each security discipline, standardization is the critical foundation for all cloud deployment types. Standardizing architectures and controls across cloud environments is required to support scale, automation and reuse across deployment types. Therefore, standardization should occur not just within a particular cloud environment, but also across environments as much as possible. If you do not know what your standard configuration should look like, you will have a harder time detecting anomalies. No one wants to be chasing their tail while threats dwell in your environment, hidden only by a blizzard of snowflakes! Standardizing your automation stacks and image build allows you to deploy them as infrastructure as code (IaC), and apply tactical security protections as part of a CI/CD pipeline. Determine what parts of your stack need to differ, based on the capabilities inherent in each cloud deployment model, but focus on keeping them as uniform as possible.
Instrumentation is often where enterprises focus first, but this should come after defining the cloud deployment model and standards, as those decisions will drive tooling needs. Focus on instrumentation that improves visibility and enables correlation across on-premises and cloud environments. Again, minimize dwell time (the time threat actors go undetected) in your environment by ensuring the best visibility for your security operations team. Do not shoehorn on-premises tools into public cloud service if you can deploy a tool that supports both environments natively. Focus on maximum commonality in your tool stacks, and standardized instrumentation across your hybrid IT environment, to maximize visibility while minimizing complexity.
Training is an often overlooked discipline in adopting public cloud, but it is essential, and should be started as early as possible in your enterprise’s cloud journey. Different environments have different operating characteristics and different architectures. It is critical that your IT and security operations understand the key differences between the various architectures, as threat vectors will appear different in each one. What looks like common east-west traffic in an on-premises data center could be lateral movement by an intruder in your public cloud estate, and your team needs to understand the difference.
Automation, the last essential discipline, helps streamline security practices and enables you to do more with less. Security teams are under siege from both budgets and bad guys. Automating common security processes–such as security tool/config deployments (e. g., shifting left), log aggregation, analysis, alerting and compliance monitoring–will free the human team to focus on higher value tasks. The security automation endgame is developing SOAR (Security Orchestration, Automation and Response) capabilities, where the high-fidelity capture of forensic data supports discovery and remediation. For example, if a Linux host is deployed without applying the proper CIS benchmarks, it will be detected and moved to an isolated sandbox. Implementing additional SOAR capabilities allows the IT staff to focus more on high-value practices, such as active threat hunting. Your level of success with these capabilities across a Hybrid IT landscape will vary by environment, as public cloud platforms provide robust support for these capabilities, while they are more labor intensive on-premises.
Attending to these key security disciplines across the various deployment models is challenging. While there is no silver bullet, management approaches and tools are continuing to evolve multi-environment support. Adopting a container strategy, for example, offers workload portability across different deployment models, while supporting standardization, tooling commonality and robust automation. Tools such as Kubernetes or OpenShift offer differing approaches to adopt and manage containers, and both have broad adoption and vibrant ecosystems. Developing a container strategy will help streamline and focus your efforts to operate a Hybrid IT, Hybrid Cloud or Multicloud estate securely.
The adoption of standardization, effective instrumentation and robust automation, plus ensuring that your teams are trained on the architectural and operational differences between cloud deployments, are essential to securely unlocking their value to your enterprise.
Key Security Focus Areas for Managing Hybrid IT Security
Who has access to what in your IT environment? And how do you control it? Knowing these answers about your cloud environment is essential to scaling and managing across multiple cloud environments. Unfortunately, most enterprises have multiple sources of identity and access control. Minimizing the sources of identity and streamlining role-based access control (RBAC) models are key. You will want to centralize and standardize these as much as possible across environments. Having separate identity and access models in different environments adds unnecessary complexity, and can result in mistakes made in managing access.
Keep in mind that while adopting infrastructure as code (IaC) practices and incorporating them into your RBAC strategy support effective scaling, these also add complexity. However, this is necessary complexity, and well worth the effort. Both adopting IaC and minimizing the sources of identity are essential to managing across multiple cloud estates, but you will still need to solve for places where functionality differs between environments. For example, you may want to adopt a cloud agnostic orchestration tool like Terraform, on top of CSP tools such as CloudFormation and ARM Templates.
You must also understand that once you start packaging identity and RBAC models alongside application code, you are changing how security and operational teams need to monitor and manage the environment. With privileged access effectively being managed through code, it is critical that teams are aware of the process for handling this, and remain vigilant in monitoring repositories where this code is stored for any unauthorized changes.
This approach represents a totally different vector that may not have been considered by identity and security management professionals new to public cloud or IaC, so they will need to update their monitoring and management concepts.
LOGGING AND MONITORING
Effective logging and monitoring are essential for visibility into any environment. CSPs such as AWS, Azure and GCP, offer robust logging and monitoring capabilities with each of their platforms, but you will need to centrally aggregate these pools of activities. In any Hybrid IT model, visibility across all environments is critical for securely managing the estate. Most companies already have a security information and event management (SIEM ) system in place to monitor their data center based environments. When they move to the cloud, they need to centralize and aggregate all their monitoring activities, understand the difference between valuable signals and noise and pull these elements into a unified SIEM platform. While cloud providers all offer tools to help you do it on your own, it can be valuable to bring in a third-party tool from a vendor such as Splunk or Sumo Logic to help manage the aggregation of these logging and monitoring sources.
Once logs are aggregated, teams need to develop what “normal” looks like across the Hybrid IT landscape, and continuously improve determining which signals require a response or remediation. Again, this is where training and adopting automation can reap huge benefits over time for security professionals.
How is your data classified and secured? While encryption is essential, it is often inconsistently deployed, and thus its effectiveness is diluted. Validating which data falls into which category, and ensuring that it is appropriately encrypted, is a perennial challenge in on-premises environments, especially when those data environments have grown organically for eons. The good news is, cloud service providers, such as AWS, Azure and GCP, offer encryption management capabilities foundational to their platforms. They have made enterprise encryption easy, so there is no reason you should not encrypt everything. Doing so also provides a failsafe in case of any misclassified data.
But this encryption advantage becomes complex when managing data across a Hybrid IT, Hybrid Cloud or Multicloud landscape. While standardizing on data risk classification across Hybrid estates is somewhat straightforward, the execution of both encryption and key management needs to be evaluated based on business needs and the environment’s capabilities. Key management functions from different cloud service providers are all different, and your key scoping strategy needs to reflect these differences. If you adopt a multicloud strategy, you will have to determine if the edge of your key scope is also the edge of your CSP environment, and how to address decryption/re-encryption for data transfers between environments, egress costs notwithstanding. Alternatively, you can either: abstract out your key management strategy; leverage a hardware security module (HSM) to help manage keys; or leverage one cloud provider’s key management system (KMS) as the master key provider. Each of these approaches has advantages and disadvantages, but it is critical to work through them for the most effective Hybrid deployment.
RESPONDING TO THREATS
If you are implementing security practices across environments, your team will need to understand the architectural differences between environments so they can remediate them effectively. They also have to understand how the access to all the environments interoperate. What, if any, logical firewalls do you have between environments? And how are you monitoring them and doing threat hunting as a whole?
This is where training and automation play key roles. Your staff needs to be fully trained in the relevant architectures to be able to investigate and remediate threats properly. Over time, you want to integrate principles of SOAR (Security Orchestration, Automation and Response), so you can automate remediation for straightforward tasks such as malware protection. Automate those things you know are a problem in your environment and address them in a standardized way. That allows your team to focus on those things you know are higher value.
Companies that fail to embrace a strategic approach to security in Hybrid IT miss out on the real value cloud can provide. Many are trying to pay attention to their security needs, but often they do not know where to start. Many have not made the transition to security automation at scale, and do not understand what the adoption of infrastructure as code will mean to their security operations. Demand for these capabilities will increase in order to operate securely and effectively when scaling any variant of a Hybrid model.
One size does not fit all. There is a lot to consider, and companies should not enter into this challenge without a lot of thought. Deploying the right mix of standardization, instrumentation, training and automation, they can develop a plan that addresses both their security and their operational needs in the cloud.