Adjusting Enterprise Security Practices to the Cloud

On-premises IT security mechanisms differ from those in the public cloud, and each cloud provider differs from the next, so these experts explain upfront best practices for keeping workloads protected.

By Erin Poulson, May 12, 2020

When a central Tennessee university wanted to move to the cloud, the project quickly stalled when the IT security and networking teams couldn’t agree on an architecture strategy.

At issue, said a systems administrator involved in the process, was that the teams weren’t familiar with how to secure data and applications on the various public cloud platforms they wanted to use.  

“AWS and Azure leave things open about how you want to secure your cloud environment,” he said.

“It takes a lot longer to figure out how to implement security in their public cloud services because [each has] a whole new [set of configurations] to learn.”

That’s problematic for an organization with a lean IT staff that’s already strapped for time, he said.

The university isn’t the only organization struggling. In the Cybersecurity Insiders 2019 Cloud Security Report, an overwhelming 93% of companies reported being at least moderately concerned about public cloud security. Approximately 29% of companies said a lack of integration with on-prem security technologies constituted their biggest operational challenge with protecting cloud workloads.

Platform Differences

The problem is that if a company wants to fully secure its data and applications in the cloud, it needs people with in-depth knowledge of how to configure all the security features available from each cloud platform provider, said Harold Bell, a cloud security content expert at Nutanix. That’s a tough task when each platform has proprietary features and different configuration processes, he said. Respondents to the 2019 Cloud Security Report most often cited knowledge of and skills with cloud platform-specific tools (47%) as the top security skill needed in their organization.

There is a misconception of roles and responsibilities in the public cloud, according to Mike Wronski, director of product marketing at Nutanix.

“The public cloud doesn't secure your applications for you,” he said.

“The providers secure their infrastructure, but they don't ensure that the services are implemented securely. They leave that up to the customer.”

A customer is expected to know how to properly configure the cloud services to extend its security policies to a given provider’s infrastructure, which entails a learning curve for each platform, Wronski said.

Given the disparate cloud platforms and confusion over responsibilities, it’s no wonder that the 2019 Cloud Security Report stated that the three biggest cloud security vulnerabilities were due to user error: unauthorized access through misuse of employee credentials and improper access controls (42%); insecure interfaces and APIs (42%); and misconfiguration of the cloud platform (40%).

New Security Mindset Needed

When moving to the cloud, companies can’t rely on the same security practices that served them in the past. Things are different now, according to Mike Rothman, president and analyst at Securosis, a cloud security consulting and training firm.

“A lot of folks just want to apply the base controls and techniques they’ve used for years in their traditional data centers once they get into the cloud,” Rothman said. “They’re taking their entire application tech stack and moving it lock, stock and barrel up to a public cloud provider, including all the different security controls, firewalls, and proxies.”

Yet many of those on-premises tools aren’t designed for cloud environments, he said. Respondents to the 2019 Cloud Security Report agreed: 66% said traditional security solutions either don’t work at all in cloud environments or have only limited functionality.

And even if some solutions work, they aren’t always necessary in the cloud. Take firewalls, for instance. The firewalls that protected data centers can’t keep up with today’s cloud, hybrid and mobile environments. Firewalls are good at protecting perimeters, but, as Wronski said, “there is no perimeter anymore in public cloud.”

As organizations increasingly run applications on virtual machines or in containers, the number of vulnerable endpoints rises, with many endpoints being created and shut down quickly as needed. With a traditional firewall, IT would have to constantly update rules to keep those endpoints protected – an overwhelming, and in some cases, impossible job.

“We see a lot of folks using traditional firewalls in what I’ll say are suboptimal use cases,” Rothman said. “They’re breaking the architecture of the cloud and their application to run all their traffic through an inspection point, the firewall. I'm not saying there aren't [cloud] uses for firewalls…but in a lot of cases, you don't need them.”

Design and Architecture Are Key

So how does a company go about securing its data and applications in the public cloud?

Most important, according to both Wronski and Rothman, is to architect security and networking in a cloud-optimal manner upfront, before moving workloads over. Companies need to ask themselves what they can do to better isolate the different aspects of their applications and data to reduce their attack surface, they advised.

Rothman laid out a few granular recommendations that can get a company started on security in the public cloud:

  • Turn on logging right away – “We have this thing we call the first five minutes. Secure your root account, then turn on logging and monitoring. If you don’t, you’re blind in terms of what’s happening in your cloud,” said Rothman.

  • Use a multi-account strategy – Isolate resources in separate accounts (which is Google lingo), said Rothman. “Put an application in a separate account because that creates a hard security boundary between that application and everything else.” Attackers are notorious for breaking into one application and then moving laterally to all kinds of other resources when they’re not separated this way, he said.

  • Control access with least privilege – “Make sure you’re systematically restricting access as tightly as you can,” giving access only to those who need it, said Rothman. Least privilege can be difficult because it requires detailed familiarity with who and what needs access. But it can prevent breaches and all the negative fallout that comes with them, he said.

  • Control access via networking – “Networking is different in the cloud, but you can specify which set of resources can talk to which other resources,” he said. “And when you’re talking about something on the Internet, you want to isolate and segment that stuff down as tightly as you can. Again, it’s really about reducing lateral movement.”
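The four starting points above can be turned into checks that run against a description of an account before workloads are moved in. The following script is an added example, not code from the article, from Securosis or from any cloud provider: it reviews a constructed account snapshot for the "first five minutes" items (root account secured, logging on), for more than one application sharing an account, for wildcard Allow statements in access policies, and for firewall rules that let non-private address space reach ports that are not meant to be public. The snapshot field names (`root_mfa_enabled`, `audit_logging_enabled`, `applications`, `iam_policies`, `security_groups`) are assumptions chosen for illustration; the policy statements are shaped like IAM policy documents, but nothing here calls a real provider API.

```python
"""Offline review of one cloud account against the four starting points:
logging on, one application per account, least-privilege policies, and
tight network segmentation. Added example; field names are assumptions.
"""
import ipaddress
import json

# Constructed sample account: two applications share it, root has no MFA,
# audit logging is off, one policy grants everything, and one firewall
# rule opens SSH to the whole Internet.
SNAPSHOT = json.loads("""
{
  "account_id": "111111111111",
  "root_mfa_enabled": false,
  "audit_logging_enabled": false,
  "applications": ["billing-api", "hr-portal"],
  "iam_policies": [
    {"name": "AdminEverything",
     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"name": "ReadBillingBucket",
     "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                    "Resource": "arn:aws:s3:::billing-data/*"}]}
  ],
  "security_groups": [
    {"name": "web-sg", "ingress": [
      {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
      {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
    {"name": "db-sg", "ingress": [
      {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.1.0/24"}]}
  ]
}
""")

# Ports an Internet-facing service may legitimately expose (assumption).
PUBLIC_FACING_PORTS = {80, 443}
# RFC 1918 ranges; any source outside these is treated as external.
INTERNAL_RANGES = [ipaddress.ip_network(c)
                   for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _as_list(value):
    """Action/Resource may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def check_first_five_minutes(snap):
    """Root account secured and logging on before anything else."""
    findings = []
    if not snap.get("root_mfa_enabled"):
        findings.append("root account has no MFA")
    if not snap.get("audit_logging_enabled"):
        findings.append("audit logging is disabled")
    return findings


def check_account_isolation(snap):
    """One application per account gives a hard boundary; flag sharing."""
    apps = snap.get("applications", [])
    if len(apps) > 1:
        return [f"account {snap['account_id']} hosts {len(apps)} applications: "
                + ", ".join(apps)]
    return []


def check_least_privilege(snap):
    """Flag Allow statements whose Action or Resource is a wildcard."""
    findings = []
    for pol in snap.get("iam_policies", []):
        for stmt in pol.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            wild_action = any(a == "*" or a.endswith(":*")
                              for a in _as_list(stmt.get("Action")))
            wild_resource = "*" in _as_list(stmt.get("Resource"))
            if wild_action and wild_resource:
                findings.append(f"policy {pol['name']}: wildcard action on wildcard resource")
            elif wild_action:
                findings.append(f"policy {pol['name']}: wildcard action")
            elif wild_resource:
                findings.append(f"policy {pol['name']}: wildcard resource")
    return findings


def check_network_segmentation(snap):
    """Flag ingress from outside RFC 1918 space on non-public ports."""
    findings = []
    for sg in snap.get("security_groups", []):
        for rule in sg.get("ingress", []):
            net = ipaddress.ip_network(rule["cidr"], strict=False)
            if any(net.subnet_of(r) for r in INTERNAL_RANGES):
                continue  # internal source: segmentation rule not violated
            exposed = set(range(rule["from_port"], rule["to_port"] + 1)) - PUBLIC_FACING_PORTS
            if exposed:
                findings.append(f"group {sg['name']}: {rule['cidr']} can reach "
                                f"port(s) {sorted(exposed)}")
    return findings


def review_account(snap):
    """Run all four checks; an empty list under a key means that check passed."""
    return {
        "first_five_minutes": check_first_five_minutes(snap),
        "account_isolation": check_account_isolation(snap),
        "least_privilege": check_least_privilege(snap),
        "network_segmentation": check_network_segmentation(snap),
    }


if __name__ == "__main__":
    print(json.dumps(review_account(SNAPSHOT), indent=2))
```

Run as-is, the script reports all four kinds of finding for the sample account; the HTTPS rule open to the Internet is deliberately not flagged, and the database rule is skipped because its source is inside private address space. The same functions would return empty lists for an account that had root MFA and logging on, one application per account, no wildcard grants, and only ports 80 and 443 reachable from outside.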

Erin Poulson is a contributing writer who specializes in IT and business topics.

© 2020 Nutanix, Inc. All rights reserved.