The rush to manage workloads in the public cloud through technologies such as containers and APIs has created a rich crop of targets for hackers through poorly configured resources, a lack of credentials, and the use of nonsecure protocols. More than 21,000 container orchestration and API management systems were exposed on the Internet to anyone who crossed paths in June alone, recent research shows.
Security risks, though, haven't deterred organizations from continuing their flight to the cloud. Nearly one-third of organizations run at least 30% of their workloads in public clouds now, and in two years more than half (55%) will do so, Doug Cahill, a senior analyst covering cybersecurity at Enterprise Strategy Group, noted at his talk at RSA this year.
That's going to pose some serious challenges to security teams that will need to monitor and protect a changing and growing array of workloads scattered across a number of public cloud services.
Here's how to avoid a very public security fail in the public cloud.
To err is human
One of the greatest risks to workloads in the cloud can come from the workload's owner. "We constantly monitor more than 4,000 enterprise environments for companies of all sizes, and the biggest risks to workloads stem from the lack of oversight and human errors associated with cloud configuration before the workloads even enter the new environment," said Christine Meyers, director of product marketing at Alert Logic, a managed security services provider.
She added that in her company's "State of Threat Detection" report for 2018, researchers found that 35% of breaches were a result of cloud misconfigurations resulting from human error.
For organizations, the challenge is not the security of the cloud itself, but the security and control of the technology, according to Gartner. "In nearly all cases, it is the user—not the cloud provider—who fails to manage the controls used to protect an organization's data," Kasey Panetta wrote for Gartner, which predicts that through 2022, at least 95% of cloud security failures will be the customer's fault.
It's been said that using your own data center is like cooking at home, and using the cloud is like going out to dinner. That kind of thinking can lead to trouble. "Using the cloud is not really going out to dinner. It's borrowing a fully stocked kitchen," explained Edwin Yuen, a senior analyst covering cloud systems management at Enterprise Strategy Group.
"The kitchen can be secure, but you're still the cook. The cloud provider ensures that the infrastructure is secure, but users are still installing software and configuring security and access, and they have to do the job correctly."
—Edwin Yuen
Stolen and compromised credentials provide unauthorized access to nonpublic information stored and processed in the cloud. "Like a landlord, cloud service providers are responsible for securing the building, but not the locks and keys of the tenants," said Mark Sangster, vice president and industry security strategist for eSentire, a cybersecurity company.
"If a tenant loses their keys and an unauthorized person enters their apartment, that’s on the tenant."
—Mark Sangster
Not your dad's security environment
"Users are jumping into the cloud without understanding how to do cloud security, which can be dangerous to their organizations," said Fernando Montenegro, a senior analyst at 451 Research.
Inadequate workload protection can be particularly dangerous for an organization, according to Terry Ray, CTO at data and application security company Imperva.
"Workloads have access to everything behind the application. Without controls in place, you can do almost anything."
—Terry Ray
Compromised workloads can also be a source of valuable data for attackers because those workloads often contain some of the most sensitive customer information. In addition, a compromised workload can bring viruses and other malicious software back with it when the data is accessed by the organization, noted Scott Sanders, CEO of 5nine, a maker of a security and management platform for the Microsoft cloud. "If that organization does have proper continuous and contextual scanning of its cloud workloads, it can be further compromised,” he said.
With the European Union's new General Data Protection Regulation now in effect, that kind of data leakage can be very costly to a company. "Organizations can be subject to steep fines," said Manish Kalia, co-founder and CEO at cloud security company Orkus.
"Facebook could face up to $1.63 billion in fines under GDPR due to its just-reported breach of 30 million accounts. That is why it is critical to control access to your sensitive data in the cloud continuously."
—Manish Kalia
That can be challenging, though, because it's difficult to maintain consistent security in the cloud. "It is incredibility hard to maintain consistent cloud security, because of the massive scaling of objects and data in the cloud that is simply unprecedented," Kalia said. "The rate and pace of changes to cloud workloads—changes that generate even more data—are equally unprecedented."
That makes automation even more important for securing workloads in the cloud, noted Adam Geller, senior vice president for cloud product and engineering at Palo Alto Networks, a multinational cybersecurity company.
"Automation is becoming table stakes for how you operate in the cloud."
—Adam Geller
Securing a vast number of objects in the cloud requires security automation across hybrid infrastructure and multiple functions with effortless scalability and speed, said Siri Oaklander, an advanced technologies principal at cloud security firm CloudPassage.
"It requires turning security into an autonomic service used to vet objects automatically as they are created or changed, as well as on a regular recurring basis."
—Siri Oaklander
Maintaining consistent security can also be challenging if a security team is wedded to tools not up to the task. Cloud security can be difficult to maintain if security and IT teams don't take advantage of the underlying API infrastructure their cloud providers offer, said Matt Chiodi, vice president of cloud security at cloud threat defense firm RedLock.
"These APIs can be leveraged to instantly understand what's happening in cloud environments, and yet many teams are still using outdated scanning methods. This approach does not work in the cloud, as resources are highly ephemeral and change frequently."
—Matt Chiodi
What's more, many next-gen security tools for the cloud do not provide an automated way to apply security controls continuously and pervasively across cloud environments. "This becomes even more complicated in a multi-cloud environment, where administrators need to deploy security products into each infrastructure and manually configure security controls as new workloads come online," explained Marcela Denniston, vice president of field engineering at ShieldX, a maker of cloud security and microsegmentation software.
Merging security and DevOps
A key to securing cloud workloads going forward will be the combining of DevOps and security into DevSecOps. "Organizations have to be aware that part of the development lifecycle has to include DevSecOps," said Imperva's Ray.
As you go through agile development you need to have technology in place that recognizes the need for additional scrutiny across an application's components, making certain the components can validate each other and watches back-end traffic," he added.
"Most organizations don't monitor traffic between individual components because they never had to. They were all on one server, so there was nothing to watch. With the cloud, there is stuff to watch, and you have to be watching it."
—Terry Ray
Organizations are recognizing that the problem of security as you use the cloud is large enough that you can't have people do it, Ray added. "You have to have automation."
Workloads in the cloud operate in an agile, dynamic way," explained Dan Hubbard chief product officer for Lacework, which analyzed 21,000 cloud environments for a report titled Containers At-Risk. "With data in on-premises environments, there is a linear correlation between where the data lives and where it gets accessed. It’s easier to put layers of security around those well-defined endpoints."
"[In] the cloud you've got data that gets surfaced and transacted through API calls and served up in all types of environments—desktops, mobile, IoT, and so forth. This is the beauty of the cloud—data can be more broadly used and applied to what the user needs."
—Dan Hubbard
It's beauty at a price, though. "Traditional security measures cannot apply the needed automation or continuous insight to detect common changes that happen in the cloud, like configuration and settings changes," Hubbard said. "Every time one of these things happens, there are potentially new risks."
Keep learning
Get up to speed on unstructured data security with TechBeacon's Guide. Plus: Get the Forrester Wave for Unstructured Data Security Flatforms, Q2 2021.
Join this discussion about how to break the Ground Hog Day repetition with better data management capabilities.
Learn how to accelerate your analytics securely into the cloud in this Webinar.
Find out more about cloud security and privacy, and selecting the right encryption and key management in TechBeacon's Guide.
Learn to appreciate the art of data protection and go behind the privacy shield in this Webinar.
Dive into the new laws with TechBeacon's guide to GDPR and CCPA.