The Spotlight Series on Cyber Security is our new feature by resident expert, James Holton, Trustmarque’s Cyber Security Sales Lead. In this series, James will share the latest trends, insights and his personal reflections and advice on issues affecting the security landscape in 2020.

For his inaugural post, James discusses the era of GEN II Security as more and more companies look to protect their assets as they move from on-premises infrastructures and applications to the cloud.

What do we mean by GEN II security?

Many early adopters of public cloud took a lift-and-shift approach to migration, so the traditional security tooling of the on-premises world often found its way into public cloud environments unchanged. Applying controls that were never designed with cloud in mind has contributed to numerous breaches. This is partly because the discipline of securing the cloud was not yet mature, but also because the tools to do it properly did not exist.

It is fair to say that attackers have been thriving in the past few years. Wherever there is uncertainty and complexity, attackers flourish. And that is certainly true in the cloud. Over the last 18 months, we have seen a vast array of both new attacks and new breaches.

Some attacks are born of attacker ingenuity: think of the Tesla, Aviva and Gemalto AWS accounts that were cryptojacked. Some are born of companies struggling to adopt new ways of working and to modernise their software development process securely, like Heartbleed. Others are born of a combination of the two, for example the all too common AWS storage misconfigurations, such as the one at Lion Air.

We are now reaching a point where we are seeing security applications that were born in the cloud. Don't let the marketing jargon put you off: the reason these exist is to address specific, quickly evolving cloud security risks.

I want to talk about a few examples that we’re seeing and why I believe they’re worth consideration. In true security language, all three are acronyms – don’t shoot the messenger.

CSPM or Cloud Security Posture Management

Against a backdrop of ever-increasing security standards and regulations (NIST frameworks, CIS Benchmarks, PCI DSS, SOC 2, HIPAA and GDPR), organisations are under pressure to demonstrate compliance across all of their cloud environments. Answering the question "are we using the cloud securely?" is getting harder for most organisations, and this is where CSPM comes in.

Normally deployed as a SaaS tool that reads configuration through the APIs of the major IaaS platforms (Azure, AWS, GCP), a CSPM solution will:

  1. Improve visibility in a rapidly changing environment
  2. Highlight where your own deployments either breach a standard or are deemed “risky” or not aligned to best practice
  3. Highlight risky user behaviour, regardless of whether it is malicious or accidental
  4. Support your test and dev environment to ensure your developers stay within “guard rails” before publishing into your live environment
  5. Identify what has been missed: vulnerabilities, malware and exposed data
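To make items 2 and 4 concrete, here is an added example (not part of the original post and not any vendor's product) of the kind of rule a CSPM evaluates. It takes a cloud inventory constructed by hand in the shape returned by AWS's describe_security_groups and get_public_access_block API calls, flags security groups that open SSH or RDP to the whole internet, and flags S3 buckets whose Block Public Access settings are missing or incomplete. The group IDs and bucket names are invented; a real tool would fetch the inventory through the provider's APIs on a schedule rather than embedding it.

```python
"""CSPM-style posture checks over a constructed cloud inventory.

Added illustration for this article, not a vendor product. The inventory is
hand-built in the shape boto3's describe_security_groups and
get_public_access_block return, so the checks run offline.
"""
import ipaddress
import sys
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}  # SSH and RDP, the remote-administration ports

# Constructed sample: "web" is fine, "bastion" opens SSH to the world and
# "legacy" opens every protocol and port to the world.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aa1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-0bb2", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0cc3", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

# Constructed sample: bucket name -> PublicAccessBlockConfiguration,
# or None when no block configuration has been set at all.
BUCKETS = {
    "acme-logs": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "acme-customer-export": None,
    "acme-static": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    detail: str


def _open_to_world(perm):
    """True if any CIDR on the rule is the entire IPv4 or IPv6 internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def _exposes_admin_port(perm):
    """True if a world-open ingress rule covers SSH or RDP."""
    if not _open_to_world(perm):
        return False
    if perm.get("IpProtocol") == "-1":   # -1 means all protocols, all ports
        return True
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def check_security_groups(groups):
    """Flag groups exposing remote-administration ports to the internet."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            if _exposes_admin_port(perm):
                span = f"{perm.get('FromPort', '*')}-{perm.get('ToPort', '*')}"
                findings.append(Finding(
                    "sg-admin-port-open-to-world", group["GroupId"],
                    f"{group['GroupName']}: {perm['IpProtocol']} {span} from the internet"))
    return findings


def check_bucket_public_access(buckets):
    """Flag buckets whose Block Public Access settings are missing or partial."""
    findings = []
    for name, config in buckets.items():
        if config is None:
            findings.append(Finding("s3-public-access-block-missing", name,
                                    "no PublicAccessBlockConfiguration"))
            continue
        off = [flag for flag in PAB_FLAGS if not config.get(flag)]
        if off:
            findings.append(Finding("s3-public-access-block-partial", name,
                                    "disabled: " + ", ".join(off)))
    return findings


def evaluate_posture(groups, buckets):
    """Run every rule and return the combined list of findings."""
    return check_security_groups(groups) + check_bucket_public_access(buckets)


if __name__ == "__main__":
    # As a pipeline guard rail: print findings and fail the build if any exist.
    results = evaluate_posture(SECURITY_GROUPS, BUCKETS)
    for f in results:
        print(f"[{f.rule}] {f.resource}: {f.detail}")
    sys.exit(1 if results else 0)
```

Run as a script it prints its findings and exits non-zero, which is how a check like this becomes a guard rail in a pipeline: the build fails before the misconfiguration reaches the live environment, and the same rules run continuously against production to catch drift.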

AST or Application Security Testing

While a CSPM tool should be deployed across your development pipeline, it won't stop bad or malicious code finding its way into your applications. That is where AST comes in, often described as "shifting security to the left": testing code for vulnerabilities as early in the pipeline as possible rather than after release.

As cloud migration matures, companies look to cloud primarily as a way of achieving better agility. Agility, however, brings its own challenges: if you are pushing out applications and changes faster, how do you ensure they are clean? Fortunately, the products in this category are keeping up. Whether you simply want to check that you are not copying and pasting known-bad code into your codebase (source code analysis) or you want to perform static (SAST) or dynamic (DAST) testing before release, the rule is absolute: the fewer vulnerabilities your releases contain, the less likely you are to be breached. Relying on a Web Application Firewall (WAF) as a band-aid over bad code releases is no alternative.
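As an added example of the static side of this (not code from the post or from any product), the following scan parses Python source with the standard library's ast module and flags three things a source-code check typically catches: calls to eval or exec, subprocess or os calls made with shell=True, and string constants assigned to names that look like credentials. The source it scans is constructed for the example and includes one correctly written subprocess call that must not be flagged.

```python
"""A minimal static check of the kind an AST tool runs before release.

Added illustration for this article, not a product. It parses Python source
with the standard-library ast module and flags three common sinks; the
sample source below is constructed so the scan runs offline.
"""
import ast
import re
from dataclasses import dataclass

SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_key)", re.I)

# Constructed sample: findings expected on lines 3, 5 and 7; the call on
# line 9 passes an argument list without a shell and must not be flagged.
SAMPLE_SOURCE = '''
import subprocess
DB_PASSWORD = "hunter2-constructed"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def calc(expr):
    return eval(expr)
def listing(path):
    return subprocess.run(["ls", "-l", path], check=True)
'''


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    symbol: str


def _dotted_name(node):
    """Return 'a.b.c' for a call target, or '' if it is not a plain name chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(node.id)
    return ".".join(reversed(parts))


def _shell_true(call):
    """True if the call passes the literal keyword argument shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan_source(source, filename="<sample>"):
    """Walk the syntax tree and return findings in line order."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in ("eval", "exec"):
                findings.append(Finding(node.lineno, "dangerous-eval", name))
            elif name.startswith(("subprocess.", "os.")) and _shell_true(node):
                findings.append(Finding(node.lineno, "shell-true", name))
        elif isinstance(node, ast.Assign):
            value = node.value
            # Only non-empty string literals count; reading from the
            # environment or a secrets manager is the pattern we want.
            if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
                for target in node.targets:
                    if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                        findings.append(Finding(node.lineno, "hardcoded-secret", target.id))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule} ({f.symbol})")
```

Real SAST tools such as Bandit carry many more rules and track data flow between them; the point here is that the check runs on the syntax tree at commit time, long before a WAF would ever see the request that exploits the flaw.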

CWP or Cloud Workload Protection

Anti-virus used to be the most boring area of security, relegated to commodity discussions on the assumption that every anti-virus product did the same thing, so vendors were forced to differentiate purely on price. It is now one of the most dynamic and interesting areas of development, and workload protection in the cloud is no different. As your workloads run on VMs, containers and PaaS, ensuring you have the appropriate type of protection for each kind of workload you run is of high importance.

Additional thoughts

As a final note, it is predicted that these technologies, alongside Firewall as a Service (FWaaS), Cloud Access Security Brokers (CASB) and your web gateway, will combine, Optimus Prime-style, into a single offering over the next five years. It therefore makes sense to look at vendors that have breadth of coverage across all of these areas.

At Trustmarque we are committed to making security simple. We work with respected vendors across the security landscape to find the right solutions for your organisation. If you want to talk to us about any of the points in this blog or to discuss your Cyber Security needs, you can contact me and the team via [email protected]

About James Holton

James Holton joined Trustmarque in April 2019 after transferring across from the Capita Cyber Security Team. He has worked in the IT sector for around 13 years and has specialised in security for the last six. In his current role at Trustmarque he leads all Cyber Security customer activity, working with customers in both the public and private sectors. He is passionate about providing customer-centric solutions and applies a vendor-agnostic approach.

He is originally from New Zealand and now lives near London with his wife and two children.

Author: James Holton, Cyber Security Sales Lead