The challenge of obtaining visibility into cloud security

Digital criminals are increasingly pivoting to the network after initially attacking an endpoint or publicly accessible cloud. Indeed, a network foothold enables attackers to move laterally to more valuable cloud workloads. They can then steal their target organization’s sensitive information and monetize it in whatever way they deem fit.

Many of us are fighting back against the threat of lateral movement by augmenting our visibility over the network. However, we’re constantly running into challenges in the cloud. When using AWS Virtual Private Cloud (VPC) or Azure Virtual Networks (VNets) to detect threats in network traffic, for instance, we’re missing packets’ application-level context. We thus can’t detect the malicious activity that hides within them. In this post, we will discuss why achieving visibility into the cloud continues to pose a challenge. We’ll then explore how we can gain the requisite level of visibility in the cloud.

Why Visibility in the Cloud is Such a Challenge

The issue of obtaining visibility in the cloud largely boils down to the complexity that characterizes our cloud environments. First, cloud-based assets tend to be more short-lived than more traditional IT assets. Many of us have micro-services that are spinning up and down over a period of hours and days. For example, an AWS Lambda function invoked by a trigger to execute a specific take will be short lived. This type of activity stands in stark contrast to that of servers and laptops, traditional IT assets which tend to spend years connected to the network. As a result of such constant change, we struggle to manually achieve complete network visibility, as it’s difficult to keep track of everything that’s connected to the network over a period of time.

Second, our cloud environments are inherently complex. That’s because many if not most of us don’t have a single cloud. In its 2019 State of the Cloud Survey, for instance, 84 percent of participating organizations told RightScale that they had a multi-cloud strategy. The study also found that the proportion of respondents with a hybrid cloud strategy had grown slightly from 51 percent in 2018 to 58 percent a year later.

While using multiple cloud environments might suit our business needs, it makes it difficult for us to find  centralized and unified security solutions that can work across multi-clouds as well as on-premises data centers. Traditional security controls that we might be inclined to apply to the cloud reflect the security needs of the static data center. As such, they might not protect dynamic and unpredictable cloud workloads  as well.

Given these and other complexities, it’s no wonder that many of us struggle with obtaining visibility over the cloud. Here are just a few studies that illustrate this fact:

• In its 2019 Cloud Security Report, a third of respondents told Cybersecurity Insiders that a lack of visibility was an operational security headache for their SOC teams. Only compliance received more attention at 34 percent of survey participants.
• In a survey from Dimensional Research, just one-fifth of IT professionals said that they had complete and timely access to their data packets in public clouds. (The rate was slightly better for private clouds at 55 percent of respondents.) Nearly nine in ten respondents disclosed their concerns that a lack of cloud visibility was obscuring security threats facing their organizations.
• When asked to rank the most difficult aspects involved with managing public cloud security on a scale of 1 to 4, respondents to the Cloud Security Alliance’s Cloud Security Complexity: Challenges in Managing Security in Native, Hybrid and Multi-Cloud Environments study ranked lack of visibility as a 3.21. This issue followed just behind misconfigurations and security risks as the biggest challenge with a ranking of 3.35.

The findings presented above are troubling. Without adequate visibility, we could easily lose control over our cloud-based assets and resources. Forbes notes that digital attackers could abuse improper security controls to access our cloud environments, conduct reconnaissance and follow up with secondary attacks including lateral movement, privilege escalation and data exfiltration. They could also hijack our cloud-computing resources and install cryptomining malware more quietly than they could in the data center.

How Organizations Can Gain the Necessary Visibility in the Cloud

We need to have a strategy for gaining the necessary degree of visibility in the cloud. This strategy should include collecting and analyzing data that traverses north-south and east-west network traffic flows. North-south (ingress/egress) is traffic between the Internet or your on-premises environment and your cloud workloads. East-west traffic flows between virtual networks or between subnets.

Image credit: everythingposs/depositphotos.com

Suresh Kasinathan, is Principal Cloud Security Architect/Product Manager at Lastline. He has more than 20 years of experience in design, development, integration and deployment of cutting-edge products in the areas of public cloud, storage, virtualization and networking products.In his current role, Suresh drives the strategy, roadmap and feature definitions for Lastline’s Network Detection and Response solution for public cloud.Before joining Lastline, Suresh was a Principal Cloud Security Architect at Cavirin where he architected and implemented a public cloud cyberposture intelligence and continuous closed-loop security solution.