Securing cloud environments is vastly different from, and more challenging than, securing an on-prem environment. It may not be readily apparent, but there is a significant security difference between a traditional server user account and a cloud IAM (identity and access management) role. For starters, cloud IAM uses inheritance across the cloud environment. If not properly configured, this can give a user unintended broad access and permissions.
Once in the cloud, visibility becomes a bit more difficult since the app infrastructure is now completely virtualized. What was once a patchwork of disparate and dissimilar infrastructures now looks and runs in the same way. That’s great if your application environment is entirely secure, with all vulnerabilities patched and user accounts locked down. But if your application environment isn’t, the cloud becomes a single, convenient place for the entire Internet to magnify these flaws.
There is also a tendency to “fire and forget” with the cloud, and to not fully understand the shared responsibility model that comes with using it. Many cloud computing users don’t seem to realize that their failure to meet their cloud security obligations will lead to large-scale security errors. Most recently, thousands of loans and mortgages from some of the biggest banks in the U.S. were found in the cloud. The server wasn’t protected with a password and had more than a decade’s worth of data, containing loan and mortgage agreements, repayment schedules, and tax documents.
There is also a widespread reliance on APIs in the cloud, which multiplies attackable entry points into the applications and infrastructure. While APIs have been around for a long time, the growth of DevOps has made them critical for today’s administration and operations. APIs serve a combined access control and data translation role, coordinating distributed functions behind the scenes to present the user with a unified application service. And because APIs are not intended for human use, they are often set up to access any data within the application environment. APIs tend to be compromised in ways similar to breaches of other web applications. Still, because they are both increasingly important and hidden from view, they represent a more considerable risk.
Hybrid cloud architectures that leverage different cloud providers also amplify security gaps, as different cloud applications can have different security profiles depending on whether they run in AWS, GCP, or Azure.
The moral of this lesson is not to let cloud security get the best of you. Management of cloud security doesn’t have to be complex or difficult. Check Point Dome9 handles it. Dome9 is a multi-cloud security solution that automatically assesses and remediates security risks, providing full visibility and security controls across your cloud environment(s). It automatically constructs a real-time topology of your cloud security posture, including security groups, instances, and firewalls. Now you can easily identify configuration drift, assess the impact of new security vulnerabilities, and spot firewall rule misconfigurations automatically.
It’s kind of funny, but this seems a lot easier than managing my on-prem security. 😊