There are a few things you just don’t leave home without — your keys, your wallet and usually, a large cup of coffee. These are the daily tools you use to get in and out of places, acquire things you need, and keep you alert and energized. This is not much different from your daily cloud security needs. Your organization needs to be fully equipped and protected across all aspects of your cloud environment to be prepared for whatever life throws at it.
Oftentimes when companies take a tactical approach to security (as opposed to a strategic one), they end up purchasing point solutions instead of a single, comprehensive platform. This is like leaving the house without your wallet one day, and your coffee the next. Frequently, when you follow a tactical approach to security, some important requirements are missed, leaving you vulnerable to a whole host of issues.
In this post, we will cover the five most important areas of cloud security that all organizations should be incorporating into their everyday security strategy so you can fill in the pieces and get back to building your defenses.
Who gets access to production is a long-contested battlefield that has only gotten uglier since the rise of Software as a Service. We explain at length in a separate post why it is becoming common practice to trust developers with production access; in short, it is a "trust, but verify" policy enforced through continuous monitoring. This is where workload insights come in. Workload insights help organizations verify whether their environments have been compromised by insider threats or are leaking data by tracking suspicious user activity, connections to command and control servers, and access to key files and configurations.
Threat intelligence is a big buzzword today. But what does it really mean? In short, threat intelligence tells you when and where you are at risk. It will tell you when your workloads talk to active APT command and control servers (a.k.a. the bad guys) so you can respond before the attacker goes any further. From a defense perspective, this is the last point at which you can detect a threat before it wreaks havoc within your environment: a workload talking to a C2 server is already compromised. By the time an attacker gets to this stage, your main objective should be to contain the damage and limit what the attacker can reach, so that the impact of the intrusion stays small.
Whereas just a few years ago compliance was mostly about ticking the boxes to pass the audit, today it has become a board-level necessity to implement and maintain strict controls and processes that minimize exposure, liability, and risk. And for good reason. One of the best ways to demonstrate that security controls are in place is to have detailed audit trails and built-in reporting that produce the historical records required by compliance regulations and show that data and infrastructure are protected.
Zooming out one layer from the workload is the infrastructure. Companies leverage software-defined infrastructure and configuration management tools to ensure that systems are launched and configured correctly. While this ensures that your environment is uniform and consistent, how will you know what changes are being made across your infrastructure? And how will you know if your configuration cookbook has been tampered with, or whether unauthorized systems are being launched or misconfigured?
A lot can happen here, and that is why monitoring at the infrastructure layer matters: it records who made each change (the user), what was done (the event name), how often (counts of events), and from where (the source IP), and alerts you the moment something deviates from policy so you can act fast.
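The following is an added example, not Threat Stack's code, of what that infrastructure-layer monitoring looks like in practice. It runs a handful of policy rules over CloudTrail-style events (field names such as `eventName`, `sourceIPAddress` and `userIdentity` follow AWS CloudTrail; the events, users, AMI IDs, CIDR and thresholds are all constructed for the example). It flags instance launches by users who are not allowed to launch, launches from an image that is not the approved base image, API calls from outside the trusted network range, and bursts of the same call by one user.

```python
"""Flag risky infrastructure-layer changes in CloudTrail-style events.

Added example, not the vendor's code. Field names follow AWS CloudTrail;
every value below (users, IPs, AMI IDs, thresholds) is constructed.
"""
import ipaddress
from collections import Counter

# Policy values are assumptions for this example, not real settings.
POLICY = {
    "trusted_cidrs": ["203.0.113.0/24"],       # constructed "office/CI" range
    "launch_allowed_users": {"ci-deployer"},    # only the CI role may launch
    "approved_amis": {"ami-0base1234"},         # hypothetical golden AMI
    "burst_threshold": 3,                       # same call by same user
}

# Constructed sample: two normal events, one rogue launch, one burst.
SAMPLE_EVENTS = [
    {"eventTime": "2019-05-01T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "ci-deployer"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2019-05-01T10:01:00Z", "eventName": "RunInstances",
     "userIdentity": {"userName": "ci-deployer"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0base1234"}]}}},
    # A developer launches an ad hoc image from outside the trusted range.
    {"eventTime": "2019-05-01T10:05:00Z", "eventName": "RunInstances",
     "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0adhoc999"}]}}},
] + [
    # One user repeating the same call: a burst worth a look.
    {"eventTime": f"2019-05-01T10:1{i}:00Z", "eventName": "ListBuckets",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.22"}
    for i in range(3)
]


def _user(event):
    return event.get("userIdentity", {}).get("userName", "<unknown>")


def _image_ids(event):
    items = (event.get("requestParameters", {})
                  .get("instancesSet", {})
                  .get("items", []))
    return [i["imageId"] for i in items if "imageId" in i]


def analyze(events, policy=POLICY):
    """Return a list of alert dicts; each has a 'rule' key naming the check."""
    nets = [ipaddress.ip_network(c) for c in policy["trusted_cidrs"]]
    alerts = []
    per_user_event = Counter()
    for ev in events:
        user, name, src = _user(ev), ev.get("eventName"), ev.get("sourceIPAddress")
        per_user_event[(user, name)] += 1
        try:
            trusted = any(ipaddress.ip_address(src) in n for n in nets)
        except ValueError:
            # Non-IP sources (e.g. AWS service principals) are queued for review.
            trusted = False
        if not trusted:
            alerts.append({"rule": "untrusted_source_ip", "user": user,
                           "eventName": name, "sourceIPAddress": src})
        if name == "RunInstances":
            if user not in policy["launch_allowed_users"]:
                alerts.append({"rule": "unauthorized_launch", "user": user})
            for ami in _image_ids(ev):
                if ami not in policy["approved_amis"]:
                    alerts.append({"rule": "unapproved_ami", "user": user, "imageId": ami})
    for (user, name), n in per_user_event.items():
        if n >= policy["burst_threshold"]:
            alerts.append({"rule": "event_burst", "user": user, "eventName": name, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The burst rule is computed over the whole batch, so in a streaming deployment you would keep the counter per time window rather than per file; the other three rules are stateless and can fire on each event as it arrives.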
Last but certainly not least is vulnerability management. Development teams often try to circumvent the chain of command to complete a job, installing unauthorized packages in the base AMI, or worse yet, manually installing packages directly on production systems. While developers need production access to get their work done, security teams need to know what packages are actually installed and how much attack surface they add. This is where vulnerability management comes in. It lets you monitor the configuration of your workloads and infrastructure so that any increase in the attack surface is detected. Deploying vulnerability management in your cloud environment equips you to know where the weaknesses in your workloads are so you can mobilize defenses to protect them.
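As an added example (not Threat Stack's code), here is the package-drift check at the heart of that verification: compare what a running host reports against the manifest of the base AMI it was launched from and report every package that was added, removed, or changed, with an extra flag for tools such as compilers or network utilities that have no business on a production box. Both manifests below are constructed; in practice the host list comes from `dpkg-query -W -f='${Package} ${Version}\n'` on Debian/Ubuntu (or `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` on RPM systems), and the baseline is the same output captured when the AMI was built. The watch list is an assumption for the example.

```python
"""Detect packages installed outside the approved base image.

Added example, not the vendor's code. Both package lists are constructed;
the version strings are placeholders, not real advisories.
"""

# Constructed baseline captured when the golden AMI was built.
BASELINE_MANIFEST = """\
openssl 1.1.1-1
libssl1.1 1.1.1-1
curl 7.58.0-2
nginx 1.14.0-1
"""

# Constructed list from a running host that someone has "fixed up" by hand.
RUNNING_HOST = """\
openssl 1.1.1-1
libssl1.1 1.1.1-1
curl 7.58.0-3
nginx 1.14.0-1
netcat-openbsd 1.187-1
gcc 4:7.4.0-1
"""

# Assumed watch list: packages whose presence on production warrants an alert.
WATCHLIST = {"gcc", "netcat-openbsd", "netcat-traditional", "nmap", "tcpdump"}


def parse_manifest(text):
    """Parse 'name version' lines into a dict; 'name:arch' keeps just the name."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition(" ")
        packages[name.split(":")[0]] = version.strip()
    return packages


def diff_manifests(baseline, host):
    """Return the drift between a baseline manifest and a host's package list."""
    added = {n: v for n, v in host.items() if n not in baseline}
    removed = {n: v for n, v in baseline.items() if n not in host}
    changed = {n: (baseline[n], host[n]) for n in baseline
               if n in host and baseline[n] != host[n]}
    return {"added": added, "removed": removed, "changed": changed}


def assess(baseline_text, host_text, watchlist=WATCHLIST):
    """Diff the two lists and attach the watch-list hits as explicit alerts."""
    drift = diff_manifests(parse_manifest(baseline_text), parse_manifest(host_text))
    # Anything not in the baseline is new attack surface; watch-list hits are worse.
    drift["alerts"] = sorted(n for n in drift["added"] if n in watchlist)
    return drift


if __name__ == "__main__":
    report = assess(BASELINE_MANIFEST, RUNNING_HOST)
    for kind in ("added", "removed", "changed"):
        for name, detail in sorted(report[kind].items()):
            print(f"{kind:8} {name} {detail}")
    for name in report["alerts"]:
        print(f"ALERT    watch-listed package on production host: {name}")
```

A version change is reported as well as an addition because a package that was upgraded or downgraded by hand is no longer the version the vulnerability scan of the AMI covered; rescanning the host, or rebuilding the image, is the follow-up either way.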
Now, how do you go about implementing and integrating each of these five areas of security? After hearing requests time and again from customers, we built the Threat Stack Cloud Security Platform® to incorporate all five of these security features in one. This approach consolidates security monitoring, alerting, and analysis into a single solution that combines all of the ingredients to an effective cloud security posture. We’d love for you to see it for yourself!