The transition of organizations and individuals alike to the cloud over the past 15 years has transformed the global business landscape, and at the same time it has been disruptive. Cloud computing is no longer a myth or buzzword; it has become the cornerstone of technological innovation in our daily lives.
Even the more traditional, non-tech-oriented industries, such as banking and manufacturing, are taking the plunge and migrating to the cloud in order to reap the numerous benefits it offers. In addition, the current COVID-19 pandemic has accelerated the adoption process across all industries.
As the cloud revolution continues at full speed, not only has the tooling changed; the long-established tech culture and the processes that go along with this have also shifted significantly. Security, for example, is one area that has changed dramatically since the global adoption of cloud.
The Security Paradigm Shift with Cloud
There are a number of key differences between the security of traditional IT systems, often deployed on-premises, and that of cloud workloads.
The rapid adoption of public cloud has created new security challenges. Cloud computing has changed the way we build and operate infrastructure and applications. On-premises servers (virtual or physical) are fairly static and run for long periods of time. In the cloud, however, a virtual machine is often ephemeral and may have a very short lifecycle, hence the well-known saying: “Treat your servers like cattle not pets.”
The fast-paced dynamic of cloud, both in terms of infrastructure as well as on the application and CI/CD level, yields an architecture that can scale elastically based on demand, and one that is built to tolerate failure. This enables organizations to move fast and adapt quickly to both business constraints and opportunities. However, from a technical perspective, such unpredictability and short-lived resources present a major security challenge.
With such versatile technology capabilities at the core levels (compute, network, and storage), such as Kubernetes, containers, VPCs, SDNs, and object storage, implementing the same security mechanisms and processes that were in place beforehand has become quite difficult. The traditional security models were built around a network-perimeter defense. All resources that were isolated from the outside and sat within a private network were considered secure, and organizations focused on protecting the assets that were connected to the internet—typically Windows workstations. In the cloud era, however, the goal is to protect the assets inside our VPC, which are usually Linux based. This has required a shift in security strategy and a need for platforms and personnel with expertise in Linux operating systems.
As previously noted, the software development world has also undergone a major transformation. Traditionally, security was handled exclusively by dedicated information security specialists, meaning security was often only addressed at the end of the development cycle, just before releasing to production.
Yet today, DevOps engineers are empowered to build and operate infrastructure resources on their own. This new flexibility has also placed greater responsibility on engineers, forcing them to become more involved in security practices. In information security, this principle is referred to as “Shift Left,” meaning the security culture, processes, and tools need to exist and take place earlier in the software development cycle, not just at the end.
The “Shift Left” movement has also redefined the roles and responsibilities of security teams. It is now even more crucial that security teams be able to secure the runtime environment and detect and respond to attacks, while also providing guidelines and technology for developers and DevOps engineers. Regardless of the workload type (cloud-native applications with CI/CD pipelines, third-party software, or legacy systems), ensuring everything is secure is ultimately the responsibility of the security team.
Explaining Cloud Workload Protection
As cloud security is a broad topic, the challenges exist at multiple levels. First and foremost, it is important to understand the division of responsibilities between you, as an organization and public cloud customer, and the cloud provider (e.g., AWS, Google Cloud, or Microsoft Azure).
According to the shared responsibility model, the cloud provider is responsible for the security of the cloud, meaning the physical infrastructure (e.g., data centers, network, and server equipment) and for operating that infrastructure (e.g., physical security, power redundancy, connectivity between facilities, etc.). In turn, the customer is responsible for security in the cloud, meaning the workloads running on top of the virtual resources created in the cloud provider’s platform.
With a virtual machine (or instance), for example, the customer (organization) is responsible for various aspects of security, including securing the applications running, keeping the operating system up to date, and restricting inbound and outbound network connectivity as needed. In addition, in the case of a security incident, the customer is also responsible for detecting and responding to actual breaches.
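One of the customer-side duties listed above, restricting inbound connectivity, is easy to audit mechanically. The following is an added example written for this post, not code from Intezer or from any cloud provider: it checks a set of security-group ingress rules for administrative ports that are open to the whole internet. The group records are constructed samples that mirror the shape of the AWS EC2 DescribeSecurityGroups response (SecurityGroups[].IpPermissions[]); no API is called, and the list of administrative ports is an assumption, a starting point rather than a complete policy.

```python
"""Audit security-group ingress rules for world-open administrative ports.

Added example, not from the original post. The records below are constructed
and mirror the shape of the AWS EC2 DescribeSecurityGroups response
(SecurityGroups[].IpPermissions[]); no API is called.
"""
import ipaddress

# Ports that should not be reachable from the whole internet on a workload.
# Assumption: a starting point, not an exhaustive policy.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
               6379: "redis", 27017: "mongodb"}

# Constructed sample: a weak group, a corrected group, and an "all traffic" group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-weak0001", "GroupName": "web-weak",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-fixed0001", "GroupName": "web-fixed",
     "IpPermissions": [
         # Corrected: SSH only from the internal address space.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
         # HTTPS is meant to be public, so a world-open rule here is not a finding.
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-allproto", "GroupName": "db-open",
     "IpPermissions": [
         # IpProtocol "-1" means all protocols and all ports.
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def is_world_open(cidr):
    """True when the CIDR admits any source address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_ports(permission):
    """Return the administrative ports covered by one IpPermission entry.

    "-1" covers every port; for tcp, FromPort..ToPort is an inclusive range.
    Other protocols (udp, icmp) carry none of the ports in ADMIN_PORTS.
    """
    if permission.get("IpProtocol") == "-1":
        return sorted(ADMIN_PORTS)
    if permission.get("IpProtocol") != "tcp":
        return []
    lo, hi = permission["FromPort"], permission["ToPort"]
    return [p for p in sorted(ADMIN_PORTS) if lo <= p <= hi]


def audit_groups(groups):
    """Return one finding per (group, port) pair reachable from the world."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_sources = [s for s in sources if is_world_open(s)]
            if not open_sources:
                continue
            for port in exposed_admin_ports(perm):
                findings.append({"group": group["GroupId"], "port": port,
                                 "service": ADMIN_PORTS[port], "sources": open_sources})
    return findings


if __name__ == "__main__":
    for f in audit_groups(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['service']}/{f['port']} open to {', '.join(f['sources'])}")
```

Run against the sample, the weak group yields a single SSH finding, the corrected group yields none (its only world-open rule is HTTPS), and the "all traffic" group yields one finding per administrative port. Feeding the real DescribeSecurityGroups output into audit_groups() is the intended use; the check deliberately treats "-1" as covering every port, which is the case most often missed when rules are reviewed by eye.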
Cloud Workload Protection (CWP) refers to the protection and overall security of workloads running in the cloud in any type of computing environment (e.g., physical servers, virtual instances, or containers). For cloud customers, this is a core responsibility and is thus one of the most critical aspects to consider in your security and compliance strategy.
While cloud providers offer many different features and managed services to help customers with security, Cloud Workload Protection Platforms are rarely offered by cloud providers (with MS Defender ATP in Azure being the only exception). Each cloud provider has its own security offerings, and though valuable, they focus on important yet non-CWP security aspects. Industry analysts highlight only CWPP products from third-party providers and note that organizations using traditional endpoint protection platforms (EPP) in the cloud are putting enterprise data and applications at risk. Further, most enterprises are now purposely using more than one public cloud IaaS. Bottom line, if your organization wants to protect and secure its cloud applications and infrastructure, it will need a dedicated Cloud Workload Protection solution from a third-party provider that focuses on that.
How Do Cloud Workload Protection Platforms Work?
A Cloud Workload Protection Platform monitors the infrastructure in runtime and ensures that every application running is trusted and under your organization’s control. This allows you to protect your organization from cyber attacks and other security threats, without compromising the performance and reliability of your application and infrastructure. Without protection, breaches can go completely undetected. A good example of this was HiddenWasp, a remote control trojan targeting Linux systems, that we at Intezer discovered last year.
Key Features of a Cloud Workload Protection Platform
Choosing the right Cloud Workload Protection Platform for your needs requires an understanding of both the modern security capabilities the platform offers as well as any other key features that can bring value to your business.
It’s important to find a solution that is feature-rich but can fit within your existing infrastructure with minimal disruption. An ideal solution should offer the following key features:
- Enable quick onboarding using automated deployments, without the need to create policies or rules.
- Support different runtime environments using automation with lightweight agents that won’t impact your infrastructure and application performance.
- Detect unauthorized and malicious code, and indicate whether the environment is clean and trusted in order to enforce good behavior. In addition, in-memory threat protection capabilities enable you to detect exploitation of unknown vulnerabilities and to cover a wider range of threats.
- Provide application control and visibility, giving you the ability to see all running code, applications, OS, services, systems, and executed commands in your environment. This delivers immediate business value beyond security, with alerts and out-of-the-box visibility across the entire cloud environment.
- Have strong expertise and a proven track record in detecting Linux attacks, since most cloud infrastructure is Linux-based while traditional security vendors focus only on Windows.
- Be vendor-neutral, supporting workloads in AWS, Google Cloud, Microsoft Azure, and private cloud, whether physical servers, virtual instances, or containers, with strong Kubernetes and container support.
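The detection and visibility items above describe a trust-based approach: inventory everything that is executing, compare each binary against a known-good baseline, and flag what falls outside it, including code that runs only from memory. The following is an added example written for this post, not Intezer's code and not a description of how Intezer Protect works. It assumes a baseline of approved SHA-256 hashes (placeholders here), a short list of writable directories no approved service should run from, and a constructed process inventory; on a Linux host, collect_linux_processes() reads the live inventory from /proc instead.

```python
"""Classify running processes against a trusted baseline.

Added example, not Intezer's code. Baseline hashes and the sample inventory
are constructed placeholders; collect_linux_processes() reads /proc on Linux.
"""
import hashlib
import os

# Constructed baseline: sha256 digests of binaries the organization approved.
# Assumption: in practice this is built from a clean, known-good image.
TRUSTED_SHA256 = {
    "PLACEHOLDER_HASH_NGINX": "/usr/sbin/nginx",
    "PLACEHOLDER_HASH_PYTHON": "/usr/bin/python3",
}

# Writable, world-accessible locations no approved service should run from.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed sample in the shape collect_linux_processes() returns.
SAMPLE_PROCESSES = [
    {"pid": 412, "exe": "/usr/sbin/nginx", "sha256": "PLACEHOLDER_HASH_NGINX",
     "cmdline": "nginx: worker process"},
    {"pid": 913, "exe": "/usr/bin/python3", "sha256": "PLACEHOLDER_HASH_PYTHON",
     "cmdline": "python3 app.py"},
    {"pid": 2044, "exe": "/memfd:x (deleted)", "sha256": None, "cmdline": "./x"},
    {"pid": 2051, "exe": "/tmp/.cache/update", "sha256": "PLACEHOLDER_HASH_UNKNOWN_1",
     "cmdline": "/tmp/.cache/update"},
    {"pid": 2077, "exe": "/opt/vendor/agent", "sha256": "PLACEHOLDER_HASH_UNKNOWN_2",
     "cmdline": "/opt/vendor/agent --daemon"},
]


def classify(proc):
    """Return one of: trusted, in_memory, suspicious_path, unknown.

    On Linux, readlink(/proc/<pid>/exe) reports code run from an anonymous
    memfd as "/memfd:<name> (deleted)" and a binary whose file was removed
    after launch as "<path> (deleted)". In both cases there is no on-disk
    file left to scan, so the verdict is decided before any hash lookup.
    """
    exe = proc["exe"]
    if exe.startswith("/memfd:") or exe.endswith(" (deleted)"):
        return "in_memory"
    if proc.get("sha256") in TRUSTED_SHA256:
        return "trusted"
    if exe.startswith(SUSPICIOUS_DIRS):
        return "suspicious_path"
    return "unknown"


def summarize(procs):
    """Group pids by verdict; 'clean' is True only when every process is trusted."""
    verdicts = {}
    for p in procs:
        verdicts.setdefault(classify(p), []).append(p["pid"])
    return {"clean": set(verdicts) == {"trusted"}, "verdicts": verdicts}


def collect_linux_processes():
    """Read the live inventory from /proc (Linux only); unreadable pids are skipped."""
    procs = []
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            digest = None
            if os.path.isfile(exe):  # False for memfd and deleted binaries
                with open(exe, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            procs.append({"pid": int(pid), "exe": exe, "sha256": digest, "cmdline": cmdline})
        except OSError:  # kernel threads, exited pids, other users' processes
            continue
    return procs


if __name__ == "__main__":
    inventory = collect_linux_processes() if os.path.isdir("/proc") else SAMPLE_PROCESSES
    report = summarize(inventory)
    print("environment clean:", report["clean"])
    for verdict, pids in sorted(report["verdicts"].items()):
        print(f"{verdict:>16}: {len(pids)} process(es) {pids[:10]}")
```

On the constructed sample the environment is not clean: two processes are trusted, one runs from memory, one runs from /tmp, and one is simply unknown. The "clean" flag is the positive signal the post asks for (the platform should be able to say the environment is trusted, not only raise alerts), and the in-memory check is what a hash-only allowlist would miss, since a memfd or deleted binary has no file to hash.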
In the rapidly evolving threat landscape where organizations increasingly face advanced targeted attacks, leveraging the cloud provider’s managed security services is critical. Businesses must also be clear on the division of security responsibility between the cloud vendor and themselves. As noted, the built-in security capabilities cloud vendors offer do not protect workloads.
For every organization using public cloud—regardless of maturity level—infrastructure and application security is a crucial part of technology governance. Both companies with cloud-native expertise and those that have just embarked on their cloud journeys can benefit from a Cloud Workload Protection Platform.
A third-party CWPP solution should offer easy setup and protection capabilities to deal with a wide range of threats. The Intezer Protect Cloud Workload Protection Platform delivers exceptional threat protection with low maintenance and overhead. It enables you to detect sophisticated cyber attacks while producing meaningful alerts and recommendations.
Take control of your infrastructure and protect your workloads in the cloud. Get your free trial of Intezer Protect today.