By Jonathan Villa
Cloud computing, and in turn cloud security, is continuously evolving. Years ago the conversation was about moving to the cloud; now it is about "Cloud 2.0", with a focus on cloud observability, integrating multiple layers, and the security strategies organizations employ. This article looks at three generations of cloud security: the adopters, the technologies and the environments of each.
The Early Adopters: 2010-2015
In this phase of cloud security evolution, the early cloud security adopters were still figuring things out as they built environments. Cloud computing, being an API-driven infrastructure, enabled anyone with programming or application development experience to write code that requests information (metadata) about the environment and processes the responses. It was incumbent on teams leveraging the cloud during this time to use those APIs to build tools for themselves in order to understand the overall security posture of their cloud footprint.
These "in-house" cloud security tools were useful, but fairly basic. While they improved over time, what they ultimately provided was continuous compliance checking and visibility into a public cloud environment's current state. Throughout this first generation, cloud security adopters were focused on network security and configuration best practices.
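As an added illustration of the kind of in-house tool this first generation built (example code, not from the original article), the Python below walks a response in the shape of the AWS EC2 DescribeSecurityGroups API and flags ingress rules that expose sensitive ports, or every port, to the whole internet. The sample response, the list of sensitive ports and the `fetch_security_groups` helper that would make the live boto3 call are all assumptions made for the example; the check itself runs offline on the embedded sample.

```python
"""Minimal 'in-house' posture check of the kind early cloud adopters wrote.

Added example, not from the original article. It walks the response shape of
the AWS EC2 DescribeSecurityGroups API and flags ingress rules that expose
sensitive ports (or all ports) to the whole internet. SAMPLE_RESPONSE is
constructed for this example; fetch_security_groups() shows the live call.
"""
import ipaddress

# Assumption: the ports an early posture tool would watch (SSH, RDP, two DBs).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}

# Constructed sample in the shape boto3's ec2.describe_security_groups() returns.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
             # "-1" means every protocol and every port; no FromPort/ToPort keys
             {"IpProtocol": "-1", "IpRanges": [],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
        {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "bastion",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    ]
}


def is_world_open(cidr):
    """True when a CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_ports(perm):
    """Names of sensitive ports a permission covers; ['all'] for protocol -1."""
    if perm["IpProtocol"] == "-1":
        return ["all"]
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]


def find_open_ingress(response):
    """Return (group_id, group_name, port_label, cidr) for each risky rule."""
    findings = []
    for sg in response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue
                for label in exposed_ports(perm):
                    findings.append((sg["GroupId"], sg["GroupName"], label, cidr))
    return findings


def fetch_security_groups(region_name="us-east-1"):
    """Live input for the same check (assumption: boto3 installed and
    credentials configured). Imported lazily so the offline path needs no boto3."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    groups = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    return {"SecurityGroups": groups}


if __name__ == "__main__":
    for gid, name, port, cidr in find_open_ingress(SAMPLE_RESPONSE):
        print(f"{gid} ({name}): {port} open to {cidr}")
```

The 443 rule on the web group is not reported because HTTPS to the world is the group's purpose; the point of a posture tool is to encode that judgement once rather than eyeball every rule. Running it against `fetch_security_groups()` instead of the sample is the whole of the "in-house tool" this generation wrote.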
The introduction of virtual private clouds improved the secure usage of the native cloud compute services available at the time, as security teams could now create private zones with centralized ingress and egress points. However, egress traffic typically passed through NAT gateways, which did little more than centralize outbound connections and the return traffic for them. While that design pattern was functional, there were few options for a centralized egress point that provided the inspection and analysis a security team needs. The cloud service provider made some network traffic information available, but not the deep packet inspection required for threat analysis: it was simple, high-level visibility into the traffic flow between hosts, with basic insight into traffic traveling north to south.
During this time a new perimeter formed that many did not recognize as a perimeter: the highly privileged cloud identity. Although not widely implemented, one positive capability the cloud service providers offered was a means to control and centralize access by supporting federated identities. However, a wide gap remained between the authorization that was actually being granted and the security fundamental of least privilege. That gap leads us into the next generation of cloud security evolution.
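To make the least-privilege gap concrete, here is an added example (not from the original article) that reviews IAM policy documents in the JSON shape AWS uses. It reports grants that are far broader than any single workload needs, and it answers the question a policy owner should be able to answer, "would this policy allow this action on this resource?", with a deliberately simplified evaluator: an explicit Deny wins, Condition blocks are ignored, and resource policies and SCPs are out of scope. Both policy documents are constructed for the example.

```python
"""Least-privilege review of IAM policy documents.

Added example, not from the original article. Policies use the JSON shape AWS
IAM uses (Version / Statement / Effect / Action / NotAction / Resource). The
evaluator is deliberately simplified: no Condition handling, no resource
policies, no SCPs. Both policy documents are constructed for this example.
"""
import fnmatch
import json

# Constructed: an over-broad "developer" policy of the kind the first
# generation handed out.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    ],
})

# Constructed: the same developer scoped to one bucket and one table.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]},
        {"Effect": "Allow", "Action": "dynamodb:GetItem",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
})


def as_list(value):
    """Action/Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def iam_match(pattern, value, fold_case=False):
    """IAM wildcard match: '*' and '?' are the wildcards. Action names are
    case-insensitive, ARNs are not. Assumption: no '[' in inputs, which
    fnmatch would otherwise read as a character class."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def statements(policy_json):
    return as_list(json.loads(policy_json).get("Statement"))


def review(policy_json):
    """Findings for Allow statements that are broader than least privilege."""
    findings = []
    for i, st in enumerate(statements(policy_json)):
        if st.get("Effect") != "Allow":
            continue
        actions = as_list(st.get("Action"))
        on_everything = "*" in as_list(st.get("Resource"))
        if "*" in actions and on_everything:
            findings.append(f"statement {i}: full administrative access (Action * on Resource *)")
        elif on_everything:
            for a in actions:
                if a.endswith(":*"):
                    findings.append(f"statement {i}: every {a.split(':')[0]} action on every resource")
                elif "*" in a or "?" in a:
                    findings.append(f"statement {i}: wildcard action {a} on every resource")
        if "NotAction" in st:
            # Allow + NotAction is an "everything except" grant: new services
            # and actions are allowed by default as the provider adds them.
            findings.append(f"statement {i}: Allow with NotAction grants everything except {as_list(st['NotAction'])}")
    return findings


def allows(policy_json, action, resource):
    """Simplified IAM evaluation: a matching explicit Deny wins; otherwise the
    call is allowed only if some Allow matches both action and resource."""
    allowed = False
    for st in statements(policy_json):
        if "NotAction" in st:
            action_hit = not any(iam_match(p, action, True) for p in as_list(st["NotAction"]))
        else:
            action_hit = any(iam_match(p, action, True) for p in as_list(st.get("Action")))
        resource_hit = any(iam_match(p, resource) for p in as_list(st.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for finding in review(BROAD_POLICY):
        print(finding)
    print("scoped policy findings:", review(SCOPED_POLICY))
```

The review is where the first generation stopped: a wildcard scan. The `allows` check is the question the next generation had to start asking, because a policy that passes the wildcard scan can still grant far more than the workload uses, and the only way to know is to evaluate it against the actions and resources that workload actually touches.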
The Informed: 2015-2018
Some enterprises understood that, despite the strength of network security in the cloud and secure configurations at the cloud management layer, more analysis was needed at the cloud provider's API layer. API logs were being captured to monitor and report on cloud activity, but the analysis was not in-depth. Platforms that leveraged machine learning began to surface, informing cloud customers of anomalies within their environments. This helped cloud customers recognize that they also needed to emphasize securing the cloud platform itself, in addition to their workloads and network.
Additionally, new serverless architectures were introduced, causing a significant shift for those accustomed to checking off the boxes for anti-virus, IDS, IPS and standard server hardening: with no server of their own to harden or install an agent on, those controls no longer applied. This generation of cloud security platforms arose because, even in a serverless environment, the API logs were still being recorded and could be analyzed. This meant that even in settings where only cloud PaaS offerings were used, capturing and analyzing the activity in a cloud customer's environment was still possible.
Cloud Everywhere: 2018-Present
In this current phase of cloud evolution, it is impressive to see where we are today in the architecture and operations of cloud environments, both from a business solution and a security perspective. Now we have containers, serverless, infrastructure-as-code, platform-as-a-service, deployment and management of third-party infrastructure solutions, and more becoming available at a rapid pace. DevSecOps patterns have matured to automate and secure the complete lifecycle, from development to infrastructure to operations, with security at the core of the pipeline.
For example:
- Developers have the tools to build and deploy secure cloud infrastructure across multiple cloud providers.
- Site Reliability Engineers provide the building blocks to leverage infrastructure-as-code to build massively scalable architectures.
- Firewall administrators are deploying and managing cloud-native appliances within the CI/CD process (a nod to "shift right": moving more automation into the traditional security solutions).
Conclusion
Despite the growing maturity of cloud security as a dedicated discipline, enterprises are often left asking which is more effective: cloud-native services or third-party solutions. There are now third-party cloud security platforms with new features and capabilities, mature and cost-effective native cloud security services, and traditional security platforms that have introduced new capabilities and first-class support for the public cloud.
While all of these tools are great and the trajectory shows constant maturity, do we understand what we are looking at? For example, we can get terabytes of data into a SIEM, but we need to know what we are looking for: what are the indicators of compromise within an API-driven infrastructure?
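Both the API-log analysis described in The Informed section and the closing question about indicators of compromise in an API-driven infrastructure come down to the same thing: knowing which patterns in the provider's API log matter. The following added example (not from the original article) runs a few such detections over constructed CloudTrail-style records: tampering with the audit trail, console sign-in without MFA, use of the root account, a burst of AccessDenied errors from one principal, and a principal calling the API from a region it never used during a baseline window. That last rule is a simple stand-in for the machine-learning anomaly detection the article mentions; the baseline cut-off, the denial threshold and every event are assumptions made for the example.

```python
"""Indicators of compromise in CloudTrail-style API logs.

Added example, not from the original article. Records follow the shape AWS
CloudTrail writes (eventTime, eventName, eventSource, userIdentity,
sourceIPAddress, awsRegion, optional errorCode / additionalEventData). Every
event, the baseline cut-off and the denial threshold are constructed
assumptions for this example.
"""
import json
from collections import Counter, defaultdict

BASELINE_END = "2019-06-02T00:00:00Z"   # assumption: activity before this is trusted
ACCESS_DENIED_THRESHOLD = 3             # assumption: more denials than this is suspicious
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ACCOUNT = "arn:aws:iam::123456789012"   # constructed account


def ev(time, name, source, user, ip, region, typ="IAMUser", **extra):
    """Build one constructed CloudTrail-shaped record as JSON text."""
    rec = {"eventTime": time, "eventName": name, "eventSource": source,
           "userIdentity": {"type": typ, "arn": f"{ACCOUNT}:{user}"},
           "sourceIPAddress": ip, "awsRegion": region}
    rec.update(extra)
    return json.dumps(rec)


SAMPLE_LOG = [
    # baseline window: normal activity
    ev("2019-06-01T08:00:00Z", "ConsoleLogin", "signin.amazonaws.com", "user/alice",
       "203.0.113.10", "us-east-1", additionalEventData={"MFAUsed": "Yes"}),
    ev("2019-06-01T09:00:00Z", "DescribeInstances", "ec2.amazonaws.com", "user/ci-deployer",
       "198.51.100.5", "us-east-1"),
    ev("2019-06-01T09:05:00Z", "RunInstances", "ec2.amazonaws.com", "user/ci-deployer",
       "198.51.100.5", "us-east-1"),
    # after the baseline: the deploy key appears from a new region, then blinds the trail
    ev("2019-06-03T02:11:00Z", "GetCallerIdentity", "sts.amazonaws.com", "user/ci-deployer",
       "192.0.2.44", "ap-southeast-1"),
    ev("2019-06-03T02:12:00Z", "StopLogging", "cloudtrail.amazonaws.com", "user/ci-deployer",
       "192.0.2.44", "us-east-1"),
    # a console user without MFA probing what they can reach
    ev("2019-06-03T03:00:00Z", "ConsoleLogin", "signin.amazonaws.com", "user/bob",
       "203.0.113.20", "us-east-1", additionalEventData={"MFAUsed": "No"}),
] + [
    ev(f"2019-06-03T03:0{i}:00Z", name, src, "user/bob", "203.0.113.20", "us-east-1",
       errorCode="AccessDenied")
    for i, (name, src) in enumerate([("ListBuckets", "s3.amazonaws.com"),
                                     ("GetSecretValue", "secretsmanager.amazonaws.com"),
                                     ("ListUsers", "iam.amazonaws.com"),
                                     ("DescribeInstances", "ec2.amazonaws.com")], start=1)
] + [
    # root account use
    ev("2019-06-03T04:00:00Z", "DescribeTrails", "cloudtrail.amazonaws.com", "root",
       "203.0.113.30", "us-east-1", typ="Root"),
]


def principal(e):
    return e.get("userIdentity", {}).get("arn", "unknown")


def detect(log_lines):
    """Return (severity, rule, detail) for each indicator found in the log."""
    events = [json.loads(line) for line in log_lines]
    # Pass 1: which regions each principal used during the trusted window.
    baseline_regions = defaultdict(set)
    for e in events:
        if e["eventTime"] < BASELINE_END:      # ISO-8601 strings sort lexically
            baseline_regions[principal(e)].add(e["awsRegion"])
    alerts, denied, reported = [], Counter(), set()
    # Pass 2: per-event rules over the whole log.
    for e in events:
        who, name, ip, region = principal(e), e["eventName"], e["sourceIPAddress"], e["awsRegion"]
        if name in TRAIL_TAMPERING and e["eventSource"] == "cloudtrail.amazonaws.com":
            alerts.append(("high", "trail-tampering", f"{who} called {name}"))
        if e["userIdentity"].get("type") == "Root":
            alerts.append(("high", "root-usage", f"root called {name} from {ip}"))
        if name == "ConsoleLogin" and e.get("additionalEventData", {}).get("MFAUsed") == "No":
            alerts.append(("medium", "console-login-no-mfa", f"{who} from {ip}"))
        if e.get("errorCode") == "AccessDenied":
            denied[who] += 1
            if denied[who] == ACCESS_DENIED_THRESHOLD + 1:  # fire once per principal
                alerts.append(("medium", "access-denied-burst",
                               f"{who}: more than {ACCESS_DENIED_THRESHOLD} denied calls"))
        # Only principals with a baseline are judged; a region they never used
        # before is reported once (simple stand-in for ML anomaly detection).
        if (e["eventTime"] >= BASELINE_END and who in baseline_regions
                and region not in baseline_regions[who] and (who, region) not in reported):
            reported.add((who, region))
            alerts.append(("medium", "new-region-for-principal",
                           f"{who} first seen in {region} from {ip}"))
    return alerts


if __name__ == "__main__":
    for sev, rule, detail in detect(SAMPLE_LOG):
        print(f"[{sev}] {rule}: {detail}")
```

None of these rules needs packet inspection or a host agent; they work on the same API log that exists for a serverless or PaaS-only environment, which is the point the "Informed" generation recognized. In practice the baseline would be built from weeks of history rather than one day, and the StopLogging event alone would justify an immediate response because every later rule depends on the trail still being written.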
Cloud security continues to evolve, and it has required a different way of thinking, not only from the cloud customer's perspective but also from vendors and the cloud service providers. Those that have been most successful have retrained their problem-solving approach during each of these generations. As the cloud continues to evolve, the ability to adapt quickly to the changing landscape is what will ensure success for enterprises.
## ABOUT THE AUTHOR
JONATHAN VILLA, PRACTICE DIRECTOR - CLOUD SECURITY, GUIDEPOINT SECURITY
Jonathan Villa has worked as a technology consultant since 2000 and has
worked in the information security field since 2003. For more than 10 years,
Jonathan worked with a large municipality as a senior consultant in several
competencies including PCI compliance and training, web application
architecture and security, vulnerability assessments and developer training,
and web application firewall administration. Jonathan also co-architected and
managed an automated continuous integration environment that included static
and dynamic code analysis for over 150 applications deployed to several
distinct environments and platforms.
Jonathan has worked with virtualization and cloud technologies since 2005, and
since 2010 has focused primarily on cloud security. Jonathan has worked with
clients in various verticals across North America, South America and Asia to
design and implement secured public and hybrid cloud environments, integrate
security into continuous integration and delivery methodologies and develop custom
application and security solutions using the AWS SDK. He has also provided
guidance to customers in understanding how to manage their environments under
the Shared Responsibility Model.
In addition to providing PCI training, Jonathan also has presented to law
enforcement on cybersecurity and was a speaker at the Cloud Security Alliance
New York City Summit. Jonathan holds the following certifications: CISSP, CCSP, C|EH, PCIP, AWS Certified Solutions Architect - Professional, AWS Certified SysOps Administrator, AWS Certified Developer, AWS Certified DevOps Professional, Security+ and the CSA Certificate of Cloud Security Knowledge.