Blog September 14, 2022

Creating a comprehensive monitoring strategy for your cloud environment

One of the most challenging aspects of cloud security is that there can be many things that can go wrong.

At the root of this is the inherent complexity of modern cloud infrastructure, which spans multiple platforms and layers of provision such as PaaS and SaaS, virtual networks, and individual components such as virtual servers and containers. These silos create an extra management burden, which in turn increases the chance that a security issue, whether due to misconfiguration, oversight, or unauthorized action, will occur.

Network security is inherently complex, which is why it requires specialized skills. Cloud security adds to this in a variety of ways. Unfortunately, in many cases, these problems remain invisible because organizations have not implemented a consolidated cloud security policy, posture management, or a Cloud Access Security Broker (CASB) solution to detect any issues in a proactive way.

Misconfiguration leading to data breaches

The most common cloud security issue is misconfiguration of a cloud resource, which can stem from a range of causes, including forgetting to apply a security setting or misunderstanding how shared responsibility works within a platform. Because cloud resources change so frequently, this type of mistake becomes inevitable.

Complexity creates risk

Misconfiguration occurs more frequently as infrastructure grows beyond a manageable level without a proper policy and a central configuration toolset. This rise in complexity is inevitable as more platforms, third-party tools, and new capabilities are added.

API vulnerabilities

The software elements most exposed to poor cloud security hygiene are APIs, which give developers a way to connect disparate applications and services to one another. However, APIs not only come with vulnerabilities of their own but also offer hackers an interface that can be abused.

Security is not a high priority

Most organizations focus on delivering business goals rather than securing data. Contrary to the simple idea of an error-prone end user, this also applies to IT departments.

Access control

By design, user access to cloud data and applications is remote. This makes access control a vital defense against unauthorized access. A major headache is that it must be integrated with unified access control across the entire enterprise.

Other risks

Less common but still potentially serious cloud risks include underlying vulnerabilities in the cloud platforms that create problems for any architecture based on shared tenancy, such as attacks on the cloud software supply chain.

Integrated cloud protection

Monitoring cloud security posture is designed to address these problems across the different layers of infrastructure. Importantly, by using a Managed Detection and Response (MDR) SOC, this can be done in a way that integrates with other types of security monitoring.

Monitoring the security posture of a cloud software stack extends from the infrastructure layer (virtual networks and virtual machines) to the application layer. The challenge is to have enough control points at each level to give MDR services sufficient information and control. This yields accurate telemetry that can be used to correlate events and detect incidents at the earliest possible stage.

IaaS and PaaS security posture monitoring

IaaS and PaaS monitoring present similar security challenges, but at different layers of the stack. IaaS monitoring must integrate with the service provider stack that provisions virtual machines and storage, which criminals target in their kill chain. In both cases, this type of monitoring checks the security posture of these resources for suspicious activity, malware, or unauthorized access. IaaS monitoring also checks for misconfiguration, rogue accounts, and issues such as absent data encryption.
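The posture checks this section lists (misconfiguration, rogue accounts, absent encryption) are concrete enough to show as code. The following is an added example, not code from the original post or from any vendor product: it runs a set of checks over a constructed inventory snapshot. The inventory layout, the approved-principal list, the severity names and the check identifiers are all assumptions; no real provider API is called.

```python
"""Posture checks over a constructed cloud inventory.

Added example (not from the original post): checks a snapshot of cloud
resources for the issues the section lists: misconfiguration, rogue
accounts and absent encryption. The inventory layout, the approved
principal list and the severity names are assumptions; nothing here
calls a real provider API.
"""
from dataclasses import dataclass

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
MGMT_PORTS = {22, 3389}  # SSH / RDP reachable from the internet

# Constructed sample inventory: fictitious names, no real accounts.
INVENTORY = {
    "storage": [
        {"name": "finance-backups", "public_access": False, "encryption_at_rest": True},
        {"name": "marketing-assets", "public_access": True, "encryption_at_rest": True},
        {"name": "scratch-data", "public_access": False, "encryption_at_rest": False},
    ],
    "virtual_machines": [
        {"name": "web-01", "disk_encrypted": True, "internet_ports": [443]},
        {"name": "jump-02", "disk_encrypted": False, "internet_ports": [22, 3389]},
    ],
    "principals": [
        {"name": "alice", "mfa": True, "admin": True},
        {"name": "svc-build", "mfa": False, "admin": False},
        {"name": "tmp-admin", "mfa": False, "admin": True},  # absent from the approved list
    ],
}
# Principals the identity team has approved (assumption: fed from the IdP).
APPROVED_PRINCIPALS = {"alice", "svc-build"}


@dataclass(frozen=True)
class Finding:
    severity: str
    resource: str
    check: str
    detail: str


def check_storage(buckets):
    """Public exposure and encryption-at-rest checks for storage resources."""
    findings = []
    for b in buckets:
        if b["public_access"]:
            findings.append(Finding("high", b["name"], "storage.public_access",
                                    "bucket is readable from the internet"))
        if not b["encryption_at_rest"]:
            findings.append(Finding("medium", b["name"], "storage.encryption",
                                    "encryption at rest is disabled"))
    return findings


def check_vms(vms):
    """Exposed management ports and unencrypted OS disks on virtual machines."""
    findings = []
    for vm in vms:
        exposed = sorted(MGMT_PORTS & set(vm["internet_ports"]))
        if exposed:
            findings.append(Finding("high", vm["name"], "vm.management_ports",
                                    f"management ports open to the internet: {exposed}"))
        if not vm["disk_encrypted"]:
            findings.append(Finding("medium", vm["name"], "vm.disk_encryption",
                                    "OS disk is not encrypted"))
    return findings


def check_principals(principals, approved):
    """Rogue accounts (not in the approved list) and missing MFA."""
    findings = []
    for p in principals:
        if p["name"] not in approved:
            findings.append(Finding("high", p["name"], "iam.rogue_account",
                                    "principal exists in the cloud but not in the approved list"))
        if not p["mfa"]:
            sev = "high" if p["admin"] else "low"
            findings.append(Finding(sev, p["name"], "iam.mfa",
                                    "multi-factor authentication not enforced"))
    return findings


def run_posture_checks(inventory, approved=APPROVED_PRINCIPALS):
    """Run every check and return findings ordered by severity, then resource."""
    findings = (check_storage(inventory["storage"])
                + check_vms(inventory["virtual_machines"])
                + check_principals(inventory["principals"], approved))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.resource, f.check))


def summarize(findings):
    """Count findings per severity, e.g. for a posture dashboard."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = run_posture_checks(INVENTORY)
    for f in results:
        print(f"[{f.severity:6}] {f.resource:16} {f.check:24} {f.detail}")
    print(summarize(results))
```

The inventory would in practice be produced by a scheduled export from each provider and the approved-principal set from the identity provider; feeding the resulting findings into the MDR pipeline is what turns a one-off audit into continuous posture monitoring.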

Azure Active Directory

Azure Active Directory is becoming the de facto identity management solution in the cloud. AAD services represent the core of an organization’s network and identity system, which also makes them a major target for compromise. Microsoft provides a comprehensive set of controls and telemetry points that can feed an MDR solution with real-time information on attempts to take advantage of misconfigurations or elevate user privileges, and correlate these with network or device threat detection.

Public cloud platforms

Effective cloud threat detection requires the ability to monitor a wide range of events across multiple platforms using public cloud vendor APIs such as Amazon CloudWatch and CloudTrail, Azure Log Analytics and Sentinel, Google Autonomic, and many more. Each of these provides its own security protections, but a well-designed MDR solution will correlate them across platforms through a unified interface.
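The two preceding sections describe identity telemetry on privilege-elevation attempts and correlation of events across platforms through a unified interface. The following added example (not code from the original post, and not a vendor's product) shows the mechanics: two differently shaped event feeds, a CloudTrail-style record and an Azure AD sign-in-style record, are normalised into one schema and correlated by source IP. The field subsets used, the sample values, and the "repeated failed sign-ins followed by a privileged action" rule are assumptions chosen for illustration; no real logs or vendor APIs are involved.

```python
"""Cross-platform correlation of constructed sign-in and API events.

Added example (not from the original post): normalises an AWS
CloudTrail-style record and an Azure AD sign-in-style record into one
schema and correlates them by source IP. Field subsets, sample values
and the detection rule are assumptions; no real logs are used.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions treated as privileged for the purpose of the rule (assumption).
PRIVILEGED_ACTIONS = {"AttachUserPolicy", "CreateAccessKey", "PutUserPolicy"}

# Constructed sample events; IP addresses come from documentation ranges.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2022-09-14T10:04:10Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2022-09-14T10:06:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2022-09-14T10:07:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
     "sourceIPAddress": "192.0.2.9", "errorCode": "AccessDenied"},
]
AAD_SIGNIN_EVENTS = [
    {"createdDateTime": "2022-09-14T10:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.5", "status": {"errorCode": 50126}},
    {"createdDateTime": "2022-09-14T10:00:30Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.5", "status": {"errorCode": 50126}},
    {"createdDateTime": "2022-09-14T10:01:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.5", "status": {"errorCode": 50126}},
    {"createdDateTime": "2022-09-14T10:05:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def normalize_cloudtrail(ev):
    """Map a CloudTrail-style record onto the common schema."""
    return {"ts": parse_ts(ev["eventTime"]), "platform": "aws",
            "principal": ev["userIdentity"]["arn"].rsplit("/", 1)[-1].lower(),
            "ip": ev["sourceIPAddress"], "action": ev["eventName"],
            "success": "errorCode" not in ev}


def normalize_aad_signin(ev):
    """Map an Azure AD sign-in-style record onto the common schema."""
    return {"ts": parse_ts(ev["createdDateTime"]), "platform": "azuread",
            "principal": ev["userPrincipalName"].split("@")[0].lower(),
            "ip": ev["ipAddress"], "action": "SignIn",
            "success": ev["status"]["errorCode"] == 0}


def build_timeline(cloudtrail, aad):
    """Merge both feeds into one list of normalised events."""
    return ([normalize_cloudtrail(e) for e in cloudtrail]
            + [normalize_aad_signin(e) for e in aad])


def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Alert when a source IP shows at least `threshold` failed authentications
    on one platform followed within `window` by a successful privileged action
    on a different platform."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if not (e["success"] and e["action"] in PRIVILEGED_ACTIONS):
                continue
            failures = [f for f in evs[:i]
                        if not f["success"] and f["platform"] != e["platform"]
                        and e["ts"] - f["ts"] <= window]
            if len(failures) >= threshold:
                alerts.append({"ip": ip, "principal": e["principal"], "action": e["action"],
                               "platform": e["platform"], "failed_auths": len(failures),
                               "failed_on": sorted({f["platform"] for f in failures})})
    return alerts


if __name__ == "__main__":
    for alert in correlate(build_timeline(CLOUDTRAIL_EVENTS, AAD_SIGNIN_EVENTS)):
        print(alert)
```

Neither feed on its own would trip a useful rule here: three failed sign-ins is routine noise in an identity log, and a single successful policy attachment is routine in an API audit trail. Only the shared schema lets the rule join them on source IP and time, which is the correlation the section argues an MDR solution must provide.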

Conclusion

Effective cloud monitoring is crucial in the modern era. It must integrate multiple layers of threat detection while offering the real-time alerting that security teams need to respond to anomalies. Additionally, it must encompass every layer of cloud exposure, providing the visibility and scale necessary to protect resources. Finally, cloud protection must help maintain compliance, monitoring an organization’s cloud assets against sector-specific regulations. The cloud is too large and complex to be monitored using the established model of siloed security; the foundation of good cloud security and risk management is adopting an integrated approach.
