An increasing number of organizations are investigating options to migrate workloads to the cloud or replace legacy applications with a software as a service (SaaS) application. Moving assets from on-premise to the public or private cloud can enable substantial positive business outcomes but requires additional thought around how to protect sensitive information to maintain compliance, audit and privacy requirements.
There are many solutions in the marketplace that can be tailored to an organization’s specific information security requirements. Having said that, deciding on a given solution without first determining your specific organizational requirements and cloud footprint can be daunting.
A basic understanding of some of the key terms will go a long way in helping you navigate this area.
Let’s start by gaining an understanding of the different types of Public Cloud offerings available to your organization.
There are three general categorizations for public Cloud service offerings:
Infrastructure as a Service (IaaS):
IaaS providers supply the hardware and network resources you need to run your own platform and software -- just like running servers in your own server closet or raised floor, but someone else maintains the hardware and the hypervisor. You bring your own operating systems, middleware, and software.
Platform as a Service (PaaS):
PaaS provides the hardware, networking, operating systems, and middleware, and organizations are responsible for deploying and maintaining the applications that run on it.
Software as a Service (SaaS):
In SaaS offerings, the provider provides the application in addition to the hardware, networking, operating systems, and any middleware. An organization is then only responsible for the maintenance of the data stored within the software.
From time to time, you may see other acronyms with the *aaS designation – but, for the most part, other solutions-as-a-service can be categorized as one of the above. For instance, Identity as a Service (IDaaS) is generally a specific type of SaaS that focuses on the identity stack; and Artificial Intelligence as a Service (AIaaS) is generally going to be a specialty version of PaaS.
Security in the Cloud, then, needs to consider all these potential configurations, and markets have formed for each:
- Cloud Access Security Broker (CASB)
- Cloud Security Posture Management (CSPM)
- Cloud Workload Protection Platform (CWP or CWPP)
The most mature of these markets is the CASB. Gartner defines these as, “…on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.” You can think of CASB as protecting your SaaS implementations. It does this through four distinct capabilities:
Visibility: It can be difficult to measure how pervasive cloud usage is in an environment. Some teams adopt cloud-based solutions on their own to complete projects more effectively or to collaborate with other employees, vendors, and partners. If the IT department hasn’t approved these solutions (a practice sometimes referred to as “shadow IT”), the result can be an undetected exposure of data. CASB solutions give you visibility into which cloud solutions are in use, can redirect shadow IT users to approved cloud applications with appropriate levels of control, or can simply block access to risky applications.
Data Security: A CASB solution also provides the capability of enforcing data controls, such as data classification, and enforcing controls around which users have access to what data. Typically, this will also include data loss protection (DLP) for the data in the cloud, either natively or through integration with enterprise DLP.
Threat Protection: Much like in the data center, cloud services are often under attack. Cloud-based protections mirror their data center counterparts with capabilities such as user and entity behavior analytics (UEBA), threat intelligence, and licensed malware analysis/sandboxing techniques to identify behavioral threats. For instance, a UEBA rule may trigger on a user accessing data from two locations at the same time, at times outside the user’s normal pattern, or from a known botnet. CASB rules can then send alerts upon detection of suspicious behavior, or even block it.
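The UEBA triggers described above, as an added illustration that is not part of the original article: two simple rules run over constructed access-log lines, one flagging a user seen from two different locations within a short window, the other flagging access outside an assumed 07:00–20:00 UTC working window. The log format, field names and thresholds are assumptions for this example, not any CASB product's.

```python
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, user, source location, action.
# These lines are made up for the example; no real product emits this format.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z alice Chicago download
2024-03-04T09:03:40Z alice Chicago download
2024-03-04T09:05:02Z alice Singapore download
2024-03-04T11:15:00Z bob Denver view
2024-03-04T02:47:30Z carol Denver download
2024-03-04T23:58:00Z bob Denver view
"""


def parse_log(text):
    """Turn each whitespace-separated log line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, location, action = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "location": location, "action": action})
    return events


def concurrent_location_alerts(events, window=timedelta(minutes=10)):
    """Flag a user whose consecutive events come from different locations
    within `window` (the 'two locations at the same time' trigger)."""
    alerts = []
    last_seen = {}  # user -> most recent event
    for e in sorted(events, key=lambda e: e["ts"]):
        prev = last_seen.get(e["user"])
        if prev and prev["location"] != e["location"] and e["ts"] - prev["ts"] <= window:
            alerts.append((e["user"], prev["location"], e["location"], e["ts"]))
        last_seen[e["user"]] = e
    return alerts


def off_hours_alerts(events, start_hour=7, end_hour=20):
    """Flag access outside an assumed normal working window (hours in UTC)."""
    return [(e["user"], e["ts"]) for e in events
            if not (start_hour <= e["ts"].hour < end_hour)]
```

A real deployment would replace the fixed working window with a per-user baseline learned from history, which is what distinguishes UEBA from a static rule.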
Compliance: Regulatory compliance rules were primarily created with data center architectures in mind, and organizations have struggled to apply sufficient governance in the cloud. CASB solutions provide the reports necessary to prove that the proper controls are in place around the residency and security of your data in the cloud and monitor its access.
Gartner defines CWPP as “…host-centric solutions that target the unique requirements of server workload protection in modern hybrid data center architectures.” In this regard, we refer to workloads as the specific capabilities in the cloud – such as a database, server instance, or container. You can think of CWP as protecting your IaaS and PaaS implementations with the following capabilities:
Visibility: Workloads may be spread across multiple cloud vendors, VMs, and traditional compute infrastructure, and traditional network security may not provide sufficient visibility into the flow of communications. CWPP solutions address this by providing firewalling capabilities (either native or through OS and cloud security group policies) to segment the workloads and monitor the communication flows between disparate systems.
Configuration and Vulnerability Management: Many organizations assume that cloud providers take responsibility for vulnerability management and for mitigating controls against attacks. As a result, they do not apply the same level of system hardening and configuration review as they do for on-premises deployments. That assumption is generally incorrect, and many on-premises tools are insufficient for providing those protections in the cloud. CWPP solutions can validate your IaaS configurations and recommend specific changes to harden or patch your workloads or to meet a standard baseline (such as those provided by the Center for Internet Security (CIS)). They will often integrate with third-party vulnerability management tools to ensure a consistent process between on-premises and cloud implementations.
System Integrity Management: As organizations move to the cloud, they give up some control over the hardware, but may still need to report on it for security and compliance reasons. While cloud providers won’t give access to low-level BIOS information, they do allow CWPP vendors to integrate at the hypervisor level and validate the integrity of system images and containers before they are mounted for use. Once in a running state, CWPP agents can provide file integrity monitoring (FIM) to validate that critical system files and registry entries have not been modified.
Application Control: Workloads have become quite specialized, and most are running a single application (especially in cases where containers are used). This makes it possible to effectively whitelist these applications without potentially affecting availability by ensuring that the whitelisted applications can be run while all others are blocked. CWPP solutions integrate with your workload to provide this level of application control.
Threat Protection: Since even hardened and whitelisted applications may still have vulnerabilities, it is important to protect against highly targeted attacks as well. CWPP solutions offer a variety of protections commonly found in on-premises infrastructure, including memory protection, application-based signature and behavior-based exploit protection, host-based intrusion detection and prevention (HIDS/HIPS), and even antivirus capabilities.
CSPM is an emerging market; it’s still early enough that it hasn’t been fully defined yet. Products in this space tend to focus on incorporating vulnerability, configuration, and compliance management processes into your IaaS cloud infrastructure, and include remediation workflow and automation when flaws are detected. CSPM focuses on the management level of IaaS instead of the workloads – to detect things like unauthorized instances being set up, or insecure storage bucket configurations.
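To make the CSPM description concrete, here is an added example (not from the article or any vendor) of a posture check run over a constructed inventory snapshot: it flags the two cases the text names, unauthorized instances and insecurely configured storage buckets, and maps the high-severity findings to a remediation step. The snapshot fields, severity levels and remediation actions are assumptions for this example, not any provider's API schema.

```python
# Constructed inventory snapshot, standing in for what a CSPM tool would pull
# from a cloud provider's management API. Field names are invented for this example.
APPROVED_INSTANCES = {"web-01", "web-02", "db-01"}

SNAPSHOT = {
    "buckets": [
        {"name": "customer-exports", "public_read": True, "encrypted": False},
        {"name": "app-logs", "public_read": False, "encrypted": True},
    ],
    "instances": [
        {"id": "web-01", "tags": {"owner": "platform"}},
        {"id": "miner-77", "tags": {}},  # not in the approved inventory
    ],
}

# Remediation actions a CSPM workflow might automate; placeholders for this example.
REMEDIATION = {
    "public read access enabled": "block public access on the bucket",
    "encryption at rest disabled": "enable default encryption",
    "not in approved inventory": "quarantine instance and open a ticket",
    "missing owner tag": "ask the cloud team to tag the resource",
}


def evaluate_posture(snapshot, approved_instances):
    """Return (severity, resource_type, resource_name, issue) tuples for every
    configuration or inventory flaw found in the snapshot."""
    findings = []
    for b in snapshot["buckets"]:
        if b["public_read"]:
            findings.append(("HIGH", "bucket", b["name"], "public read access enabled"))
        if not b["encrypted"]:
            findings.append(("MEDIUM", "bucket", b["name"], "encryption at rest disabled"))
    for inst in snapshot["instances"]:
        if inst["id"] not in approved_instances:
            findings.append(("HIGH", "instance", inst["id"], "not in approved inventory"))
        if "owner" not in inst["tags"]:
            findings.append(("LOW", "instance", inst["id"], "missing owner tag"))
    return findings


def remediation_plan(findings, min_severity="HIGH"):
    """Map findings at or above `min_severity` to their remediation action."""
    rank = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
    return [(name, REMEDIATION[issue]) for sev, _, name, issue in findings
            if rank[sev] >= rank[min_severity]]
```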
To this point, best practices in cloud security have been a combination of CASB and CWP, though the lines between these solutions are blurring. For instance, many CASB vendors are finding value in expanding their protections to PaaS (a “lite” version of CWP, if you will). CSPM and CWP products have begun adding capabilities that make them more similar to each other, as well. Understanding where these products position themselves will help your organization understand how the strengths of each solution will align with your cloud security strategy.
If you’re still developing your cloud security strategy or would like to validate that your existing strategy is sufficient for your organization’s cloud structure, ePlus offers a variety of cloud assessments, including a Cloud Usage & Risk Workshop.
ePlus leverages partnerships with leading technology providers and couples that with deep technical knowledge and experience to provide a comprehensive approach to help you secure and mitigate the risks associated with multi-cloud infrastructures.
For more information, contact your ePlus sales representative or email us at firstname.lastname@example.org.