Cloud Threats Are Different, Your Security Should Be Too

In the unlikely chance that you haven't noticed, enterprises have been rapidly moving IT infrastructure and operations to the cloud for a while now. This 'new' foundation is helping deliver innovative capabilities and applications at an amazing pace.

However, as organizations scale these nascent cloud environments, they are creating large, new attack surfaces, which poses fundamental challenges to existing security models.

Modernizing the Application Deployment Lifecycle

Developers can now rapidly deploy, manage, and tear down cloud environments using tools and automations like infrastructure-as-code (IaC) templates and container registries, as part of continuous integration and development (CI/CD) pipelines. 

These teams are decomposing monolithic applications into microservices, then independently managing the constituent parts. This has made it easier to build heterogeneous application stacks comprising VMs, containers and serverless functions, while leveraging multiple cloud platforms to deliver differentiated services.

Each part of these diverse architectures requires its own configuration and protection, creating deep complexity for security teams, and revealing a host of new threat vectors.

Cloud Threat Vectors and Attack Surfaces

The threat landscape for cloud native applications is increasingly diverse.

Open Source Software

DevOps predominantly leverage open source software libraries to develop their applications. However, there is limited visibility into the vulnerabilities and dependencies in these software packages that can be exploited in the runtime.

Publicly Available Container Images

Developers frequently rely on public container image repositories to build applications. But the images can include unnecessary packages and libraries with critical vulnerabilities. Security teams often lack visibility needed to find malicious code such as malware, which can be exploited in a running container.

Coded Automation

IaC templates can be used to define and represent all aspects of a cloud deployment. However, DevOps can't be expected to understand the nuances of each cloud service, or more importantly, how to configure them to ensure secure deployments. This can lead to a proliferation of misconfigurations as templates are reused across an organization.

Public Facing Web Applications

Systems deployed into cloud environments are, unsurprisingly, reachable by users and traffic from the internet. This exposes workloads to a whole series of threats and attacks against web applications, like DDoS or BotNets.

Fluid Perimeters

Microservices deployed at scale present an extremely large attack surface; and their ephemeral nature means that surface is in constant flux. Vulnerabilities and exploits present in container images can easily move laterally, resulting in data exfiltration.

Democratized Access

Configuring fine-grained identity and access management (IAM) permissions is difficult given the volume of services and myriad configuration options. Excessive permissions for both IAM and instance profiles are shockingly common, and can be exploited by malicious actors.  

New Threats, New Tools

The dispersion of responsibilities and threats means that security can no longer be the sole responsibility of the security team. Controls have to span the entire application stack and development lifecycle; but adding new tools or new responsibilities for each vulnerability is not a scalable solution.

This depth of coverage and functionality requires purpose-built cloud security tools that can address the threat vectors above and allow security and development teams to share responsibility. This has given rise to consolidated Cloud Native Security Platforms that can manage a range of use cases from a single console, including:

Threat Detection

The cloud comprises a multitude of services with a large number of configuration parameters, options, and runtime telemetry. Cloud native tools can leverage machine learning (ML) to correlate threat intel feeds across asset and service classes to understand indicators of compromise and surface the high-risk issues.

Workload and Runtime Security

Some platforms are able to automatically build models of runtime behaviors based on sanctioned processes, file systems, and network access, then alert on deviations. This keeps protections close to the workloads, in a decentralized manner that scales to meet the elastic needs of an application. 

Identity-Based Microsegmentation

Identity is the new perimeter. Teams will need to begin defining microsegmentation policies using a combination of metadata attributes, labels and other key value pairs, as IP addresses can be meaningless in the cloud. Microsegmentation at the network layer is also necessary to sanction communication between microservices in Zero Trust models and can dramatically minimize the blast radius of an exploit. 

IAM Controls

Excessive IAM permissions constitute a major threat vector for cloud exploits. Mapping these roles across the cloud is exceedingly complicated. Cloud tools can use ML capabilities to identify excessive permissions and provide remediations to ensure fine grained access. 

You Can't Secure What You Can't See

No matter how you build your security strategy, the most basic requirement should be full visibility into all assets deployed in the cloud, and the compliance posture of these assets. This is step one to overcoming blind spots caused by disparate tools and shadow IT.

 And the most simple way to do that is to adopt a Cloud Native Security Platform that offers complete visibility across any cloud environment and any workload, with compliance controls and automation to empower collaboration throughout the development lifecycle.

Vinay Venkataraghavan, Office of the CTO, Palo Alto Networks, has extensive experience in architecting and building cloud native and containerized applications as well as security products. He is an active member of the CNCF Sig-Security WG and is passionate about sharing his security knowledge with the community. Vinay has spoken at many conferences including AWS re:Invent, Google Cloud Next, and Microsoft Ignite, among others, and has helped enterprises secure their digital and cloud footprint. He believes that security does not have to be difficult to adopt and that automation along with DevSecOps is a winning combination. He has built numerous solutions and integrations that have made security, cloud native.