By Subhalakshmi Ganapathy, Product Evangelist, IT Security, ManageEngine
A cloud environment is not a replica of an on-premises network or a data center. Unlike traditional data centers, which have a rigid IT architecture blueprint, the cloud comes with flexibility that allows users to architect their infrastructure and resources. With the cloud’s dynamic space, users can change their infrastructure or decide to go with a different architecture. Further, the way the data transfers and systems communicate differs largely between the cloud and on-premises networks. In the cloud, applications interact with each other using application programming interfaces (APIs). Cloud vendors provide various APIs, such as Platform as a Service APIs, Software as a Service APIs, and Infrastructure as a Service APIs, for users to connect to their service, transfer data, and to manage access to their data and systems hosted in the cloud. Such stark differences in how the IT architecture is being designed and communicated differentiates cloud and network security.
How a network security model would not fit your cloud
Intrusions are one of the most common threats to on-premises networks. Adversaries try to exploit open ports, vulnerabilities in internet-facing endpoints, and more to break into the network. Later they move laterally within the network to gain hold of high-profile accounts or critical resources to carry out attacks. They also employ slow exfiltration tactics and techniques to sneak sensitive data out of the network without being detected. Such risks—network penetration and slow exfiltration of data—are irrelevant to cloud security. With the cloud, all adversaries have to do is take control of the APIs to hijack the resources and steer the sensitive data to their command and control server.
According to the 2021 IBM Security X-Force Cloud Threat Landscape Report, two-thirds of cloud incidents can be attributed to misconfigured APIs that allow unauthorized access. As businesses rush to the cloud, many will likely fall for misconfiguration-caused breaches in 2022. Technological research firms such as Gartner also expect that through 2023, at least 99% of cloud security failures will be through cloud resource misconfigurations.
What’s the fix to this big cloud security threat?
Every cloud vendor has its own resource types, configuration attributes, APIs, and interfaces. If an organization adopts a multi-cloud environment, the complexity of governing the many APIs and interfaces is huge. Setting up the cloud policies, controls, and configuration attributes isn’t a one-time effort. Post-deployment configuration changes, termed drift, can also lead to huge cloud data leaks if not monitored constantly.
Here are two pointers to avoid cloud security threats:
#1: Get to know your cloud: Most misconfigurations occur due to a lack of visibility. Gain visibility into the different communication points of your cloud by constantly auditing security policies and controls. Looking out for major changes and analyzing the legitimacy of a policy change can save you from disastrous misconfigurations.
#2: Get to know your cloud users: Monitor users who try to access your cloud resources and data. With the increased cloud adoption, malicious API traffic has also increased. So it’s important to understand cloud traffic patterns, what kind of services or applications employees use, and what the source of incoming cloud traffic is.
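The drift monitoring and policy-change review described above, as an added example that is not code from the article or from ManageEngine: it compares a deployed baseline snapshot against a current one and flags the changes that widen exposure so they can be checked for legitimacy first. The resource records are constructed and vendor-neutral, and the attribute names (public_access, api_auth, allowed_cidrs) are assumptions for the illustration.

```python
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, object]]          # resource id -> attribute map
Change = Tuple[str, str, object, object]         # (resource, attribute, old, new)

# Constructed, vendor-neutral sample data. Attribute names are assumptions.
BASELINE: Snapshot = {
    "storage/customer-exports": {"public_access": False, "api_auth": "token"},
    "api/orders": {"api_auth": "token", "allowed_cidrs": ["10.0.0.0/8"]},
    "db/audit": {"public_access": False},
}
CURRENT: Snapshot = {
    "storage/customer-exports": {"public_access": True, "api_auth": "token"},  # made public
    "api/orders": {"api_auth": "token", "allowed_cidrs": ["10.0.0.0/8", "0.0.0.0/0"]},
    "vm/build-agent-7": {"public_access": False, "api_auth": "none"},         # new, unauthenticated
}

# Transitions that widen exposure; old is None when the resource was not in the baseline.
RISKY_TRANSITIONS = {
    "public_access": lambda old, new: new is True and old is not True,
    "api_auth": lambda old, new: old != "none" and new == "none",
    "allowed_cidrs": lambda old, new: "0.0.0.0/0" in new and "0.0.0.0/0" not in (old or []),
}

def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Change]:
    """Every attribute whose value differs from the baseline, plus deleted resources."""
    drift: List[Change] = []
    for rid, attrs in current.items():
        base = baseline.get(rid, {})
        for key, new in attrs.items():
            old = base.get(key)
            if old != new:
                drift.append((rid, key, old, new))
    for rid in sorted(baseline.keys() - current.keys()):
        drift.append((rid, "<resource>", "present", "deleted"))
    return drift

def classify_drift(drift: List[Change]) -> Tuple[List[Change], List[Change]]:
    """Split drift into exposure-widening changes (review first) and informational ones."""
    high: List[Change] = []
    info: List[Change] = []
    for change in drift:
        _, key, old, new = change
        check = RISKY_TRANSITIONS.get(key)
        (high if check and check(old, new) else info).append(change)
    return high, info

if __name__ == "__main__":
    high, info = classify_drift(diff_snapshots(BASELINE, CURRENT))
    for rid, key, old, new in high:
        print(f"REVIEW {rid}: {key} changed {old!r} -> {new!r}")
    print(f"{len(info)} informational change(s)")
```

In practice the snapshots would come from the vendor's configuration APIs on a schedule, and every entry in the high-risk list is a candidate for the legitimacy check the article recommends.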
While the visibility, shadow IT, and cloud traffic monitoring concerns can be addressed using a robust cloud access security broker (CASB) solution, detecting and fixing misconfigurations across the infrastructure, platform, and software hosted on cloud can be done using cloud security posture management (CSPM) tools. A security information and event management (SIEM) tool, with its behavioral analytics and extended detection and response (XDR) component, can complement the working of CASB and CSPM solutions in ensuring cloud security.
A unified console
Organizations are adopting different tools to address cloud security concerns, such as keeping shadow IT in check, stopping malicious API traffic, ensuring that the right security policies and controls are employed, and detecting and fixing misconfigurations. When these tools are disjointed and don’t communicate with each other, they add more complexity to ensuring cloud security. A unified console that seamlessly orchestrates the different security events and tools, and displays the applicable metrics, helps resolve these issues and is both efficient and cost-effective.
The cybersecurity market has already learned the importance of security tool convergence. User and entity behavior analytics, which was a standalone component for quite some time, converged predominantly with SIEM. All other security tools, such as threat intelligence platforms, security orchestration, automation, and response (SOAR), and XDR are getting consolidated within the bigger platform, SIEM. Such consolidations help businesses formulate stronger security strategies and defense systems to keep attackers at bay.
SIEM tools act as a platform where all security data are consolidated and analyzed. Contextual security inputs such as threat feeds, malware data points, and vulnerability scanners’ inferences are fed to the system for effective analysis. With the artificial intelligence or machine-learning-based behavioral analytical component, security events are better analyzed and the red flags are spotted accurately. With an effective SOAR or XDR component that comes with the SIEM tool, incident resolution becomes easier and the security operations center can always keep track of their key metrics. The cybersecurity market has learned from the past and with the increase in cloud adoptions, tools such as CSPM and CASBs are also taking their place in bigger platforms such as SIEM.