Responsibility for cloud security is shared between the cloud service provider’s (CSP) security department and the corporate information security team. In order to ensure compliance, visibility, and control across the entire stack of applications, the cloud service providers and various security vendors have added a number of innovative approaches at different levels. Let us compare and analyze some of them.
Managed Cloud Services for Business Growth
Cloud service providers are launching new services at breakneck speed to help enterprise application developers bring new business solutions to market faster. CSPs are taking on more and more responsibility for securing each of these services, allowing corporate security teams to focus on the application. To be able to provide visibility and security and improve existing tools in such a diverse and rapidly changing environment, CSPs add event logs, API, Cloud Native agents, and other technologies that can be used by corporate security services.
Cloud Security Approaches
There are several different approaches to cloud security, each offering different trade-offs in terms of visibility and security, ease of deployment, required permissions, cost, and scale.
API and Event Logs
API and event logs are the best approach for identifying vulnerabilities in cloud accounts and detecting anomalous activity that the security services are interested in. Using these mechanisms, you can access the data of various accounts. So, the very first thing the security teams must do is gain multi-account access to the numerous cloud accounts in the organization. This approach provides excellent visibility but needs to be complemented by protection techniques.
Analyzing Images and Snapshots
Analyzing images and snapshots is an effective approach for obtaining more detailed information about workloads, both before and during application launching. This method enables analyzing a snapshot of the running system drive to detect any anomalies, vulnerabilities, or incidents due to configuration errors, etc. Snapshots provide detailed workload data but may fail to identify RAM-resident issues such as fileless malware used, for example, in advanced ransomware attacks. It is important to note that when we move to applications with no data, the usage of periodic snapshot analysis may be limited. This mechanism may not be suitable for cloud services for which snapshots cannot be obtained. Such an approach provides deep snapshot data but also must be supplemented with some protection methods.
Cloud-based agents and scripts are an effective approach to provide increased visibility and manageability. They provide an easy way to enhance cloud-native agents like SSM in a virtual machine. Agents can consume a lot of resources depending on their functionality. Support for cloud-based agents is limited to the capabilities provided by the CSP, such as operating system support or provided functionality. In many cases, cloud-native agents run commands that log the required information, implying the parallel operation of data loggers.
Sidecar and DaemonSet Containers
Sidecar and DaemonSet containers are used to easily deploy agents in containerized and serverless environments. Sidecar allows you to run one container for each pod by providing big data. However, it consumes a lot of resources and has a high cost as several sidecar containers run on the same server. They can be used in serverless container models that cannot apply DaemonSets. Because the functionality of Sidecar and DaemonSet is similar to that of the agents, many of the agents’ limitations mentioned above apply to them as well.
The agent-driven approach provides the best visibility and most effective control over the environment that the application runs in by launching the code that resides in memory along with the application itself. However, this approach is more complex because security services need to have Deep Discovery and forensic means in place in advance to be able to deploy these agents. Difficulties can also arise when adding agents since they must run on every machine, and the security team may not have the right to run software on every machine, especially in the cloud. Depending on the options supported, resource utilization and solution cost may be high. New technologies such as Extended Berkeley Packet Filters (eBPF) reduce resource consumption by agents, enhancing their usability.
The embedded-in-image/embedded-in-code approach allows security utilities to be embedded in a deployed application image. This allows you to deploy functional security elements without having to deploy an agent with every workload. Such an approach provides high visibility of the application performance and is suitable even for serverless applications. Compilation of code induces further critical issues due to the need to add code during the assembly of a software product, and code libraries must be available in every functional programming language.
No One Size Fits All Approach to Cloud Security
Different security approaches present unique trade-offs, and none of them can fully meet the requirements of different security services for the diverse set of platforms they support.
At any given time, different cloud services will be at different levels of implementation. Security teams need to take a step-by-step approach, starting the service implementation cycle with solutions that are easy to install and can provide an underlying security and visibility barrier. As the applications in the service evolve and more and more valuable applications become available online, a new security approach will be required that provides higher levels of detection and control in addition to existing practices.
No single approach can cover all customer use cases, and different combinations of security solutions will function at any given time.