With cloud migrations now under way at most organizations, security is top of mind. Unlike on-premises data center approaches to security, the cloud introduces new challenges especially for DevOps teams. Fortunately, the experiences of cloud-first enterprises and early adopters can shine a light on the primary pain points, pitfalls, and best practices for securing cloud infrastructures. From conversations with customers across a cross section of industries that are in advanced stages of cloud adoption, I’ve gleaned a few key takeaways that are worth sharing.
Keep cloud workloads secure. Operating in the cloud means continuously building, deploying, and maintaining workloads of different kinds, including virtual machines, containers, and microservices. Automated creation and deployment of these workloads makes them particularly prone to proliferation of security vulnerabilities and misconfigurations.
For example, infrastructure as code (IaC) is now used by many organizations to automate as much infrastructure deployment as possible, meaning undetected security flaws will make their way through the various development and staging environments and into production. Many of these risks result from hidden combinations of vulnerabilities, misconfigurations, and excessive privileges. Consider a publicly exposed machine with a critical vulnerability that also has excessive permissions: the three together create a ready-made attack vector.
Organizations are addressing this problem by automating workload scanning and identifying toxic combinations through correlation of risk indicators, such as vulnerabilities, exposed secrets, and malware, to detect and prioritize critical workload risks.
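The correlation step described above, as an added example rather than code from the article or any vendor product: each workload record carries the individual indicators the text names (public exposure, vulnerability severity, excessive permissions, exposed secrets, malware), and a small rule table turns the combinations into a prioritized list. The rule labels, weights, CVSS threshold, and inventory are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Workload:
    name: str
    env: str                # "prod" or "staging"; constructed label
    public: bool            # reachable from the internet
    max_cvss: float         # highest CVSS base score among open vulnerabilities
    excessive_perms: bool   # identity holds permissions the workload never uses
    exposed_secrets: bool   # credentials found in the image, disk or environment
    malware: bool           # scanner reported malware
# Correlation rules: (label, predicate, weight). Labels and weights are
# constructed for this example; the combinations follow the article's text.
RULES = [
    ("public+critical_vuln+excessive_perms",
     lambda w: w.public and w.max_cvss >= 9.0 and w.excessive_perms, 100),
    ("malware", lambda w: w.malware, 80),
    ("public+critical_vuln", lambda w: w.public and w.max_cvss >= 9.0, 70),
    ("exposed_secrets+excessive_perms",
     lambda w: w.exposed_secrets and w.excessive_perms, 60),
    ("critical_vuln", lambda w: w.max_cvss >= 9.0, 30),  # alone: routine patching
]

def correlate(w: Workload) -> tuple[int, list[str]]:
    """Score one workload: weight of its worst matching rule, +10 in production."""
    hits = [(label, weight) for label, pred, weight in RULES if pred(w)]
    if not hits:
        return 0, []
    score = max(weight for _, weight in hits)
    if w.env == "prod":
        score += 10  # the same combination matters more in production
    return score, [label for label, _ in hits]

def prioritize(workloads: list[Workload]) -> list[tuple[str, int, list[str]]]:
    """Return (name, score, matched rules) for every flagged workload, worst first."""
    scored = [(w.name, *correlate(w)) for w in workloads]
    return sorted((s for s in scored if s[2]), key=lambda s: (-s[1], s[0]))
# Constructed inventory standing in for scanner output.
SAMPLE = [
    Workload("web-01", "prod", True, 9.8, True, False, False),
    Workload("batch-03", "staging", False, 9.8, False, False, False),
    Workload("ci-runner", "prod", False, 5.0, True, True, False),
    Workload("api-gw", "staging", True, 9.1, False, False, False),
    Workload("db-02", "prod", False, 0.0, False, False, True),
]

if __name__ == "__main__":
    for name, score, rules in prioritize(SAMPLE):
        print(f"{score:4d}  {name:10s}  {', '.join(rules)}")
```

Note that batch-03 carries the same critical vulnerability as web-01 but lands at the bottom: without exposure or excess privilege it is a patching task, not a toxic combination.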
Manage multicloud expertise gaps. The proprietary nature of each public cloud platform complicates the work of achieving multicloud security. Most organizations use two or more cloud vendors for different business needs and to curb risk, which introduces a new set of complications because each cloud provider has its own approach, definitions, and nomenclature when it comes to security controls and configurations.
Meanwhile, most companies lack expertise in more than one cloud platform. To maintain a consistent security posture across different cloud provider infrastructures, organizations need to understand the nuances of cloud security per cloud and see deeply into all the resources they’ve deployed on them.
To bridge the gap in intimate knowledge of each cloud platform they use, savvy cloud enterprises have adopted multicloud security tools that provide a unified, consistent view of each cloud platform and its security posture, along with recommendations on how to fix vulnerabilities.
Lock down privileged identities and entitlements. Organizations are finding it hard to understand when permissions in the cloud pose a security risk and to pinpoint who (or what, in the case of a cloud service) has access to any given resource. Administrators are often not aware whether a user possesses a highly privileged identity or can escalate their privileges at will.
In software development pipelines, for example, testing and production accounts are often not segregated, making production environments — which should be the cleanest and safest — vulnerable to excessive access permissions that should be weeded out. Native tools supplied by cloud providers often provide limited capabilities and require specialized skills and a comprehensive understanding of the platform to monitor and detect security risks.
Advanced cloud organizations are overcoming this challenge with identity-centric monitoring tools that provide deep visibility into privileged identities across multicloud environments and detect and remediate unnecessary and excessive permissions. These tools can also help enforce compliance with internal security policies across different clouds, as well as with industry best practices, controls, and standards.
Common to all these use cases is a clear need for automation to maintain a secure environment despite the cloud’s complex, dynamic nature. Security-minded companies are focusing on automating risk assessment, prioritization, and remediation that spans pre-production, test, and production environments. This approach provides the visibility and actionable recommendations needed to prevent misconfigurations and vulnerabilities from proliferating in multicloud infrastructures.