Cloud security

August 17, 2020 | Clint Harris

Introduction / Overview

There’s no doubt that the adoption of public cloud deployments has accelerated for most organizations recently. In fact, according to metrics released by Oracle recently, nearly half (49%) of all respondents to the Oracle and KPMG Cloud Threat Report expect to store most of their data in a public cloud by the end of 2020. Effectively managing the security and compliance of public cloud deployments can be tricky for many organizations. The same study revealed that 38% of the respondents indicated that detecting and responding to cloud security incidents is their number one cybersecurity challenge.  

There are multiple factors that contribute to the issues associated with deploying and maintaining highly secure cloud environments. In this article we’ll explore three of the issues most often encountered:

  1. Shared responsibility model
  2. Lack of visibility
  3. Misconfiguration / Configuration Drift

An exacerbating factor in all three common issues noted above is the lack of common terminology amongst components associated with the various public clouds as documented below:

 

Amazon

Microsoft

Google

Cloud Name

Amazon Web Services (AWS)

Azure

Google Cloud Platform (GCP)

Machine

Instance

Virtual Machine (VM)

Compute Instance

Storage

S3/EBS/Glacier

Blob Storage

Google Cloud Storage

Serverless Code Function

Lambda

Azure Functions

Cloud Functions

In addition to the differing terminology for components between the various public cloud providers, also keep in mind that the individual components themselves often require broad capabilities to effectively monitor and provide the security to maintain the various components within a cloud deployment. For instance, the machines deployed within the cloud may be most effectively monitored using conventional solutions often used in traditional on-prem deployments. These solutions include scan engines and / or host agents. The associated storage and serverless code functions require solutions providing functionality specific to the cloud that has the capability to derive account configurations and resources associated with the machines deployed. We’ll delve into more detail as we discuss the other common issues encountered in highly securing cloud deployments below.

Shared responsibility model

 Unlike security and compliance controls in  more traditional on-premise deployments, the security of public cloud deployments is always a shared responsibility between the cloud provider and customer. This shared responsibility model can be challenging for many different organizations. In fact, according to a recent Gartner report, 82% of cloud users have experienced security events due to confusion over Shared Responsibility Security Models. As you can see in the graphic below, depending on the type of cloud deployment you have, the elements that organizations are responsible for changes:

cloud shared security model

As illustrated above, while a Software as a Service (SaaS) deployment minimizes the number of elements that a public cloud customer is responsible for, that responsibility increases when using a Platform as a Service (PaaS) and continues to expand with Infrastructure as a Service (IaaS) deployments. Because of this, it’s key that organizations with public cloud deployments know which cloud components and associated security controls they’re responsible for so that they can implement appropriate controls and monitor them over time to provide for  their on-going effectiveness. 

Lack of visibility

Another common challenge facing many organizations is providing that  they have a complete and up to date visibility into their cloud deployments. One study noted that 38% of CISOs responding expressed inadequate visibility into public cloud workloads as their top cloud security challenge. It’s important to realize that visibility into the workloads / machines and all associated resources is a key requirement. Just as important is visibility into the overall public cloud account’s configuration and security controls. Without that complete picture it’s impossible to effectively protect public cloud deployments and provide that they remain protected over time.

Misconfiguration / Configuration drift

Once organizations have a complete understanding of the components that they’re responsible for protecting  and complete up to date visibility into their cloud assets and associated resources, the next important challenge to address is establishing, maintaining and enforcing approved configurations. Such configurations should include both internally defined security and compliance controls while including applicable industry standards and best practices. Once those approved configurations are defined and deployed, it’s critical that the assets and associated resources deployed within public clouds be consistently monitored and their approved configurations enforced.

AT&T Cybersecurity Consulting can help

Know that while the common cloud challenges noted above can be daunting for some organizations to address, AT&T Cybersecurity Consulting can be of great assistance when it comes to the security and maintenance of your public cloud deployments. Our Managed Cloud Security Monitoring Service not only effectively addresses the common challenges noted, it also includes access to and assistance from dedicated AT&T Cybersecurity Consultants who will provide expert assistance on-demand to help maintain your public cloud deployments. Please reach out to us at scan@att.com with any questions at all, or to request a demo of our Cloud Security Monitoring Service.

Clint Harris

About the Author: Clint Harris

Clint Harris is a twenty-five year information security veteran and has held leadership positions within worldwide security and compliance practices such as AT&T Cybersecurity Consulting, VeriSign, and formerly Symantec. Before entering the information security space, he began his information technology career in Six-Sigma Software Development and Quality Assurance Analysis.

Read more posts from Clint Harris ›

TAGS:

‹ BACK TO ALL BLOGS

Watch a demo ›
Get price Free trial