When you stare at the clouds long enough, you begin to see things that weren’t there before. There’s a rabbit. Or, maybe it’s a duck. A gust of wind and suddenly, an elephant shapeshifts into a flying saucer.
If you look at public cloud infrastructure long enough, you get the same effect.
When you migrate workloads and services to a public cloud like AWS or Microsoft Azure, your IT infrastructure changes and new security challenges begin to take shape that weren’t there in your data center. Also, because cloud computing infrastructure is dynamic and scalable, it changes more frequently, adding a layer of complexity in monitoring your cloud security.
In this blog, we’ll look at some of the unique security challenges that appear in public cloud computing and why legacy security monitoring tools that were built for the data center may not be sufficient in addressing these challenges.
This is Part Two of a three-part blog series on hybrid cloud security. In this series, we are exploring the security challenges that impact cloud and hybrid cloud infrastructure environments as well as the best methods of detecting them. The blog series covers three main areas of focus:
- Part One: How security challenges persist, are amplified, or are mitigated in public cloud and hybrid cloud environments
- Part Two: New security challenges that are introduced by cloud environments
- Part Three: Best practices for securing your hybrid cloud environment
Safeguarding the Keys to Your Kingdom
As mentioned in Part One of this series, access keys and root account credentials are a major security concern in public cloud environments. They are the proverbial “keys to your kingdom,” and if an attacker compromises them, they can gain access and control over your cloud account. Once inside your account and with full permissions, an attacker can spin up cloud resources on your dime, steal your data, or run malicious software on your resources and with your reputation.
Compared to physical network environments wherein the infrastructure is ultimately finite and static, cloud environments are super elastic and can be scaled rapidly from a central management console. The only real limitation is the size of your wallet. A malicious actor with your root account credentials could easily spin up an enormous amount of resources (to mine bitcoins, for example), leaving you with an enormous bill.
While it’s seems like a no-brainer to not publically share your root account credentials, there have been many cautionary tales in recent years of web developers and even security industry analysts who have accidently published their AWS access keys to GitHub or other public locations, resulting in thousands of dollars of fraudulent charges racked up overnight. And, although the cloud service providers in these tales often come to the rescue to notify victims of fraudulent activity and to remediate charges, it’s important to remember that it is ultimately your responsibility to keep your credentials and access keys secure.
You can read more on how to secure your AWS root access keys here.
While it’s an important first step, it’s not enough to hide your keys and hope for the best. In many of these cautionary tales, cloud users had initially tried to scrub their encryption keys from publically shared data, only to miss an instance and later discover the mistake after their bills had skyrocketed. To avoid “alert by bill shock,” you should constantly monitor your cloud environment for suspicious root account logins, changes in security policies and privileges, and other anomalous activities. A cloud-native SIEM solution enables granular security monitoring and analysis of cloud activities by integrating directly into your cloud environment.
Managing Cloud User Activities
You probably aren’t the only person in your organization accessing your cloud resources. But, do you know who is and what they’re doing in your cloud environment? The nature of the cloud lends itself to a greater number of unsanctioned or “shadow IT” projects and IT decentralization—whether intentional or unintentional. In fact, as a recent Cisco report found, “companies are using up to 15 times more cloud services to store critical company data than CIOs were aware of or had authorized.”
It’s essential to your cloud security management to know who (users and services) are using your cloud resources so that you can identify the account activities that constitute “normal user behavior” and investigate the activities that do not. However, trying to implement organization-wide cloud security controls can leave security folks feeling like professional cat herders.
Fortunately, within your cloud accounts (the sanctioned ones that you’re aware of anyway), you have multiple methods and tools to optimize your identity and access management (IAM) as well as to protect your user accounts from threats like phishing attacks. These include creating role-based permission groups and enforcing multi-factor authentication policies for your users and APIs.
Cloud service providers also provide services that enable you to monitor environmental activities and changes. For example, you can leverage AWS CloudTrail to see all of the user activities and API calls made to your account. With a cloud-native SIEM solution that has direct hooks into these services’ APIs, you can readily monitor this data and perform security analysis in correlation to your other data sources and threat intelligence.
Finally, as with on-premises security management, it’s important to employ the principle of least privilege in your cloud environment, as Javvad Malik reminded us recently. While it’s a seemingly obvious practice—to give your users only the absolute minimum level of access needed to do their jobs—in practice, it can be slowly chipped away at as admins and developers ask for small exceptions here and there. Javvad reminds us to “regularly review access rights and privileges to ensure that the controls in place are the most appropriate…to hamper or fully deter an attacker that manages to get in.”
Navigating Your Blind Spots
The big benefit of cloud computing with Infrastructure as a Service (IaaS) is that you no longer have to deal with the capital and operational expenses of managing your infrastructure. The network infrastructure is abstracted away from you, maintained and secured by cloud service providers, and delivered as a beautiful economy-of-scale price.
The trade-off of cloud IaaS is that, by relinquishing your responsibility for the underlying network infrastructure, you also relinquish some of the deep network traffic visibility that security professionals are accustomed to having in on-premises networks. In the cloud, it’s no longer feasible to drop a passive tap or SPAN port on the wire to monitor traffic to detect threats and intrusions as you would in your own network. This means that legacy network intrusion detection systems (NIDS) are no longer effective tools for cloud security monitoring. This calls for…wait for it…yes, a paradigm shift.
While legacy security monitoring tools like NIDS cannot be readily shoehorned to fit your cloud security monitoring needs, you can still navigate the security blind spots in the cloud to get a complete picture of your security posture. You just need a new paradigm around cloud security monitoring.
In another blog post, AlienVault VP of Product Strategy, Russ Spitler breaks down intrusion detection to its core tenets and describes how you can leverage the data sources and services available to you in AWS to achieve intrusion detection. Russ’s blog illustrates the fact that cloud security management sometimes requires a different approach to the same end—security and threat management.
While public cloud computing delivers many operational, cost-saving, and security benefits to organizations of all sizes, the nature of the cloud as a public, shared, and on-demand environment creates its own set of security challenges that organizations must consider and be well-positioned to deal with. Unfortunately, many legacy security monitoring tools were built for the data center and are not readily deployed in the cloud, and their security functions do not align well to the unique capabilities and limitations of cloud environments. Instead, security professionals must evaluate their security needs and goals for their infrastructure—on premises, private cloud, and public cloud—and deploy security and threat management solutions and best practices that secure their complete hybrid cloud environment without unnecessary costs or complexity.
In Part Three of this series, we’ll identify best practices and methods for securing a hybrid cloud environment.