Securing cloud environments is vastly different from, and more challenging than, securing an on-prem environment. It may not be readily apparent, but there is a significant security difference between a traditional server user account and a cloud IAM role. For starters, cloud IAM (identity and access management) uses inheritance across the cloud environment, so permissions granted at a higher level flow down to the identities beneath it. If not properly configured, this can give a user unintended broad access and permissions.
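As an added illustration of the inheritance point above (this is example code, not code from the original post or from Dome9), a small Python model of group-inherited policies with constructed sample data: it computes a user's effective permissions, lets an explicit Deny override an inherited Allow, and flags wildcard Allow statements the user picked up through inheritance.

```python
"""Effective-permission check for a simplified cloud IAM model (constructed example)."""
from fnmatch import fnmatchcase

# Constructed sample data: users belong to groups, and groups inherit policies from a parent group.
GROUP_PARENT = {"developers": "engineering", "engineering": None}
GROUP_POLICIES = {
    "engineering": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],  # overly broad grant
    "developers": [{"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}],
}
USER_GROUPS = {"alice": ["developers"]}
USER_POLICIES = {"alice": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


def policies_for(user):
    """Collect (source, statement) pairs: the user's own statements plus those inherited up the group chain."""
    stmts = [("user:" + user, s) for s in USER_POLICIES.get(user, [])]
    for group in USER_GROUPS.get(user, []):
        while group is not None:
            stmts.extend(("group:" + group, s) for s in GROUP_POLICIES.get(group, []))
            group = GROUP_PARENT.get(group)
    return stmts


def is_allowed(user, action, resource="*"):
    """Explicit Deny wins over any Allow; no matching statement means denied by default."""
    allowed = False
    for _src, s in policies_for(user):
        if fnmatchcase(action, s["Action"]) and fnmatchcase(resource, s["Resource"]):
            if s["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def broad_grants(user):
    """Report Allow statements with a wildcard action, with the group they came from: the 'unintended broad access' case."""
    return [(src, s["Action"], s["Resource"]) for src, s in policies_for(user)
            if s["Effect"] == "Allow" and "*" in s["Action"]]


if __name__ == "__main__":
    for action in ("ec2:DescribeInstances", "s3:GetObject", "s3:DeleteBucket", "iam:CreateUser"):
        print(f"alice {action}: {is_allowed('alice', action)}")
    print("broad grants reaching alice:", broad_grants("alice"))
```

Running it shows that alice can read any S3 object purely because the parent "engineering" group granted `s3:*`, even though her own group only asked for `ec2:DescribeInstances`.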
Once in the cloud, visibility becomes more difficult since the application infrastructure is now completely virtualized. What was once a patchwork of disparate and dissimilar infrastructures now looks and runs the same way. That’s great if your application environment is fully secure, every vulnerability patched and every user account locked down. But if it isn’t, the cloud becomes a single convenient place for the entire Internet to find and magnify those flaws.
There is also a tendency to “fire and forget” with the cloud and to not fully understand the shared responsibility model that comes with using it. Many cloud computing users don’t seem to realize that failing to meet their share of that obligation leads to large-scale security errors. Most recently, thousands of loans and mortgages from some of the biggest banks in the U.S. were found exposed in the cloud. The server wasn’t protected with a password and held more than a decade’s worth of data, including loan and mortgage agreements, repayment schedules and tax documents.
There is also a widespread reliance on APIs in the cloud, which multiplies the attackable entry points into applications and infrastructure. While APIs have been around for a long time, the growth of DevOps has made them absolutely critical for today’s administration and operations. APIs serve a combined access-control and data-translation role, coordinating distributed functions behind the scenes to present the user with a unified application service. And because APIs are not intended for human use, they are often set up to access any data within the application environment. APIs tend to be compromised in ways similar to breaches of other web applications, but because they are both increasingly important and hidden from view, they represent a much bigger risk.
Hybrid cloud architectures that leverage different cloud providers also amplify security gaps, since different cloud applications can have different security profiles depending on whether they run in AWS, GCP or Azure.
The moral of this lesson is not to let cloud security get the best of you. Management of cloud security doesn’t have to be complex or difficult; Check Point Dome9 handles it. Dome9 is a multi-cloud security solution that automatically assesses and remediates security risks, providing full visibility and security controls across your cloud environment(s). It automatically constructs a real-time topology of your cloud security posture, including security groups, instances and firewalls. Now you can easily identify configuration drift, assess the impact of new security vulnerabilities and spot firewall rule misconfigurations automatically.
It’s kind of funny, but this seems a lot easier than managing my on-prem security.