Implementing cloud deployments has a major impact on information security. For one thing, not all in-house security tools are compatible with cloud provider infrastructure. There are also major concerns regarding the scalability and speed of production deployments that cloud brings. Information security cannot slow down the business, but it must find a way to embed security controls and monitor the standard deployment cycle.
When building a model for cloud workload security controls, the following is a short list of things to consider:
- likeliest threats based on workload type (i.e., virtual machines, containers, serverless functions);
- data types and sensitivity;
- system builds and controls requirements;
- cloud environment security posture; and
- existing controls in place in-house versus cloud-native capabilities.
VMs and cloud workload security
Most organizations today, rather than trying to re-create the exact same workload controls they've had on premises, should look specifically at tools and controls that can help to enhance cloud workload security (both from a third party and cloud native). Because most cloud workloads now consist of virtual machines, the majority of endpoint tools in this space integrate as agents in virtual machines -- such as Dome9, Cloud Passage and even some traditional agents from providers like Carbon Black, Crowdstrike and others). Most antimalware tools have also adapted their products to cloud environments as standalone appliances that communicate with either lightweight agents on VM workloads or via APIs from the cloud provider, minimizing the impact on performance. There are some newer tools that offer dedicated "micro-segmentation" for cloud workloads -- that is, software that has its own unique policy engine as well as host-based software. While this option may be the most flexible in some ways across internal and cloud environments, it could also be prone to vendor lock-in and performance issues.
Another critical aspect of securing virtual machine workloads is patching and configuration management. In almost every case, it's a good idea to strongly consider cloud-integrated services like AWS Systems Manager, Cloud Deployment Manager in Google Cloud Platform (GCP) or Azure Update Management. These services are integrated into all APIs and automation components of their respective cloud environments and are usually tuned to be lightweight and easy to get started. Other great options that are better choices for hybrid cloud models are configuration automation and orchestration tools like Puppet, Chef, Ansible, Salt and similar template-based products that apply configurations continuously and help maintain system state.
Container tweaks for better cloud workload security
For containers using Docker, Kubernetes and other integrated service platforms, the set of controls is somewhat different. Protecting these workloads will usually rely on container-based tools that integrate with both image scanning and check-in as well as runtime security for detecting malware.
It's critical to define a container image configuration that can be scanned for vulnerable libraries and components. Most third-party tools can help with this, including Aqua Security, Twistlock (part of Palo Alto), Sysdig and others; native options in the cloud provider environments include native image scanning in AWS Elastic Container Registry, scanning in the GCP Container Registry and the Azure Security Center scanner for container images in the Azure Container Registry.
Runtime security for containers is more likely to be accomplished with third-party tools versus anything native from cloud providers. The same is true for serverless functions, which security teams should evaluate for code flaws, as well as permissions and access controls.