How to Integrate Risk-Based Security With Your Cloud-Native Infrastructure
Published 05/26/2022
This blog was originally published by Vulcan Cyber.
Written by Roy Horev, Vulcan Cyber co-founder.
Cloud-native infrastructures take advantage of all cloud computing has to offer: distributed architecture, scalability, flexibility, and the ability to abstract multiple layers of infrastructure—allowing it to be defined in code. Relying on automation, this code-based configuration approach offers numerous benefits:
- Easy-to-manage infrastructure
- Ability to turn features on and off as needed
- Greater accuracy
- Improved speed
- Continuous delivery
- Enables customers to meet their multi-cloud needs
- Modernizes and streamlines business and IT processes
While cloud-native infrastructure and applications offer resilience, multi-cloud or hybrid cloud adoption enables the best-of-breed combination tailored to an organization’s specific needs. Offering the ability to combine different technologies in order to gain a competitive edge and major cost management benefits, it is clear why an increasing number of organizations are adopting a multi-cloud or hybrid approach as opposed to remaining only in the public or private cloud.
But any complex architecture brings with it security concerns—no matter the infrastructure. Managing the security of your infrastructure, however, will allow you to reap the benefits of cloud without harming availability, integrity, or confidentiality due to vulnerabilities in the system.
Risk-Based Security Management
Every organization faces unique challenges that may require very different security strategies. However, some businesses tend to consider short-term security goals while neglecting to set long-term security goals, leaving the organization vulnerable.
But it’s important to understand that security management and maturity are not about meeting a set of security compliance requirements or following ad-hoc practices; rather, they are about developing a security process.
Adopting a risk-based security management approach that takes into account the organization’s unique operational aspects can significantly improve a company’s security posture. Certain business processes and assets may be more critical, thus taking into account vulnerabilities alone is insufficient. Integrating risk-based security with cloud security provides actionable security risk analytics to better understand and mitigate end-to-end risks.
A threat combined with an identified or potential vulnerability (cyber risk) could adversely affect an organization, harming its reputation and causing other damage. Because the negative impact may be technical or organizational, risk-based security management requires cross-team collaboration as opposed to the involvement of the IT or security teams alone. Once companies understand system weaknesses, they can better understand the risks while also taking into account business and asset values.
The steps of risk management:
- The first step of risk management is to identify the assets you need to secure.
- The next step is to understand and assess the security controls that need to be implemented.
- When a risk is identified, it needs to be remediated. In some cases, when a third party such as a cloud service provider (CSP) or software as a service (SaaS) provider is involved, some risks can simply be transferred to the other party. However, it’s very important to check what can be transferred according to the cloud shared responsibility model. And in cases when a risk can’t be remediated, you may simply choose to accept, avoid, or control it after evaluating the situation. Risk acceptance is especially relevant in cases where organizations are using legacy systems and old technologies with dependencies that cannot otherwise be supported with new technologies. By prioritizing the risks that are identified so that the higher risks get first priority, you may also be able to avoid or control them. Identified risks need to be addressed whether in a public or a multi-cloud environment.
- Once these security controls are in place, the information needs to be authorized and continuously monitored.
Risk-Based Security for Cloud-Native Infrastructure
When cloud migrations accelerate, cyber-risk management verticals may change due to the updated infrastructure and shared responsibility model with CSPs.
Meeting security compliance requirements while maintaining the agility, speed, and scalability of your cloud-native infrastructures is challenging. And in many cases, cyber-risk management processes are neglected when they haven’t been properly evaluated and adapted to the cloud.
While the key focus should be scalability, automation, and infrastructure as code (IaC), these elements are often neglected when companies migrate to or adopt cloud without proper strategies. In some cases, depending on the infrastructure, mechanism changes, and integrations with multiple platforms, new add-ons could broaden the attack surface.
When it comes to risk mitigation, traditional technical controls and compliance mechanisms don’t always fall in line with cloud, since cloud-native infrastructure and design principles can be very different. On-premises infrastructure generally focuses on upgrading software and managing access control lists (ACLs), while cloud-native deals more with managing and maintaining permissions and strong authentication. These differences must therefore be understood properly and specifically addressed.
Cloud Security Traps
Cloud threats can be internal or external, and when combined with unidentified system vulnerabilities they can lead to serious security risks. Cloud security traps may be due to a lack of awareness when it comes to cloud security responsibility models with CSPs, dark data, access management, and lack of visibility due to complexities.
Cloud-native infrastructures offer special features such as abstracting layers and enabling repetitive actions through automation and infrastructure as code. When it comes to automation, the principle of least privilege (PoLP) is not always followed: Programs may have root privileges to execute tasks that don’t necessarily require such high privileges. This poses additional risks in the environment.
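One way to check automation identities against the principle of least privilege, as an added example that is not from the original post. It assumes permissions are written as AWS-style IAM policy JSON (the post names no provider); the role names, policies and severity weights are constructed for illustration.

```python
# Assumes AWS-style IAM policy JSON; sample roles and policies are constructed.
SEVERITY = {"admin-equivalent": 3, "wildcard-action": 2,
            "allow-notaction": 2, "wildcard-resource": 1}

SAMPLE_POLICIES = {
    "ci-deploy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "log-shipper": {"Statement": {"Effect": "Allow", "Action": ["s3:PutObject"],
                                  "Resource": "arn:aws:s3:::example-logs/*"}},
    "backup-job": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-backups/*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"}]},
}

def _as_list(value):  # IAM accepts a single string/object where a list is allowed
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return [(statement_index, finding_code)] for over-broad Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        any_resource = "*" in _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.append((idx, "allow-notaction"))
        if "*" in actions and any_resource:  # root-like: every action, everywhere
            findings.append((idx, "admin-equivalent"))
        elif any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((idx, "wildcard-action"))
        elif actions and any_resource:  # may be legitimate; flag for review
            findings.append((idx, "wildcard-resource"))
    return findings

def rank_roles(policies):
    """Return [(role, worst_severity, findings)], riskiest role first."""
    report = []
    for role, policy in policies.items():
        findings = audit_policy(policy)
        if findings:
            worst = max(SEVERITY[code] for _, code in findings)
            report.append((role, worst, findings))
    return sorted(report, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for role, worst, findings in rank_roles(SAMPLE_POLICIES):
        print(role, worst, findings)
```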
In order to anticipate risks, vulnerabilities and threats must be identified. Asset management is key here, as unidentified assets can be dangerous in cloud environments. But asset identification can be challenging due to cloud sprawl and limited visibility in multi-cloud environments and cross-collaboration platforms.
No matter which cloud deployment model or cloud service you choose to use, data and access management as well as data protection are always the responsibility of the organization. Multi-tenant, fully distributed infrastructures and rapid migration can change and expand your attack surface. Adopting new security controls and policies following cloud migration is therefore crucial for mitigating issues that may arise.
This involves:
- Proper asset management
- Following best practices and guidelines related to system hardening
- Revising policies and procedures to be streamlined with cloud
- Use of cloud-native security tools to harden systems
- Understanding the responsibilities of the CSP and the organization in protecting assets in the cloud
A risk-based security approach enables organizations to identify, understand, and prioritize their risks. With the growth of cloud and its architectural diversity, microservices, and complex cloud setups, traditional security controls and procedures often fall short. Mechanisms such as cloud security posture management and cloud-native security (including containers and cloud workload protection) can provide more comprehensive protection in the cloud.
Streamlining Security for Cloud-Native Infrastructure
With today’s cloud-native infrastructures, often combined with other hybrid or multi-cloud environments, end-to-end visibility can be difficult to achieve. And without proper visibility, streamlining the environment, applying security policies, and continuous monitoring can prove difficult. Cloud security therefore requires centralization as well as an understanding of responsibilities, assets, and attack surfaces.
When it comes to cloud-native infrastructures, risk-based security can help identify unique and specific risks in your cloud environment, evaluate your assets, and prioritize and remediate the risks.
About the Author
Roy Horev believes if you choose a job you love you will never have to work a day in your life. So he co-founded Vulcan Cyber and the rest is history. Before Vulcan, Roy was VP R&D at BackBox and was a systems engineer at Safeway Israel.