As organisations embark on or expand their digital transformation programs, it’s likely that they will migrate to a multi-cloud or poly-cloud environment to leverage the benefits afforded by cloud-native and dedicated services. In a multi-cloud world, organisations consume cloud platforms from different providers, with service transformation and application migration growing and changing organically. In a poly-cloud world, organisations take a more strategic approach, carefully curating cloud service platforms for the specific capabilities that they offer, and then integrating them to deliver a seamless user experience.
The challenge with these complex cloud environments is that if organisations don’t understand the extent of their risk exposure, vulnerabilities can be introduced and cloud-specific threats can go unchecked. At the same time, these environments also allow for a more comprehensive approach to cost-effective, adaptive cloud security management.
In the CSA’s Top Threats to Cloud Computing: Pandemic 11 report, the threats compounded by multi- and poly-cloud adoption include insufficient identity, credential, access and key management; insecure interfaces and APIs; and misconfiguration and inadequate change control.
Another often-overlooked threat is that in a cloud environment it is harder to draw a defined ‘perimeter’ around critical services and business and customer data than with traditional on-premises approaches.
Turning risk into opportunity
Despite the potential risks in adopting a complex cloud environment, it is also possible to take advantage of cloud-native capabilities to build an even more comprehensive threat detection and mitigation program than was previously possible in traditional on-premise environments.
The key to developing a cloud-native detection and response strategy is taking a ‘federated approach’ to event data acquisition, analysis and intervention. A federated approach begins by understanding the threat monitoring and control capabilities that each cloud platform inherently provides, and using those capabilities within each platform’s own environment. It then involves promoting selected event data from each platform into a centralised Security Operations platform for investigation and decision making; this may be a third-party threat monitoring tool or a managed service. At this point, Security Operations professionals can enrich the data with other, non-security data – such as threat intelligence and emerging adversary trends specific to an industry or region of operations – to provide context, judge the relevance of each event and decide how promptly it needs to be acted on within an adaptive response agenda. This information can then support analysis of individual threats and the construction of a hierarchy of related threats for monitoring and response across the entire cloud environment.
Ideally, a Security Operations team can build an environment to observe, protect, and mitigate threats, and scale this insight across the suite of adopted cloud platforms and services.
Embracing automation for efficiency
To make this process as efficient and cost-effective as possible, it’s helpful to fully engage the automated threat detection and control capabilities that each cloud platform provides. Aligned to risk strategy and an informed level of confidence in automation, operations teams can task each protected environment to detect targeted behaviours within a defined and well-exercised threat model, and instruct selected controls on what to do if those behaviours are observed.
Automated detection and response techniques can be enhanced by adopting a ‘human in the loop’ approach, with analysts reviewing recommended response actions based on predicted outcomes that consider attacker objectives and optimal methods of prevention and intervention. This creates a feedback loop which in turn trains the algorithms within the automation pipeline to know what to look for, and what to do with similar and subsequently observed events of interest. As processed event data and playbook execution is repeated and refined, cloud security operations move closer to real-time threat response and proactive intervention, as well as creating greater trust and confidence in automation techniques.
An issue traditionally associated with securing multi- or poly-cloud environments is that organisations may need to move large amounts of data to a central monitoring environment, which can be ineffective and cost-prohibitive. By leveraging the security and automation capabilities of each cloud platform, and only elevating specific event data for threat hunting and centralised correlation and decision making, the operation becomes far more efficient, cost-effective and scalable.
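The federated pipeline described above (per-platform detection, selective elevation of events to a central SOC, enrichment with threat intelligence, and grouping into a hierarchy of related threats) can be sketched as a small Python program. This is an added example, not code from the article or from any cloud provider or the CSA: the platform names ("cloud-a", "cloud-b"), their native alert formats, the elevation policy, the threat-intelligence feed and the sample alerts are all constructed for illustration, and the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Federated cloud event pipeline (illustrative; all platforms, alert shapes,
policies and indicators are constructed for this example)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SocEvent:
    """Common schema that every platform's native alert is normalised into."""
    platform: str
    category: str
    severity: int                      # normalised to a 0-10 scale
    source_ip: str
    resource: str
    intel: list = field(default_factory=list)


# Hypothetical "cloud-b" reports severity as text; map it onto the 0-10 scale.
_B_SEVERITY = {"low": 2, "medium": 5, "high": 7, "critical": 9}


def normalise(platform, raw):
    """Each platform keeps its own alert format; only the SOC schema is shared."""
    if platform == "cloud-a":          # constructed: numeric severity, flat fields
        return SocEvent(platform, raw["type"], raw["severity"], raw["src"], raw["resource"])
    if platform == "cloud-b":          # constructed: textual severity, nested attacker block
        return SocEvent(platform, raw["category"], _B_SEVERITY[raw["level"]],
                        raw["attacker"]["ip"], raw["target"])
    raise ValueError(f"unknown platform {platform}")


# Per-platform elevation policy (constructed): what each platform may promote
# to the central SOC. Everything else stays, and is handled, in the platform.
ELEVATION_POLICY = {
    "cloud-a": {"min_severity": 7, "always": {"credential-access"}},
    "cloud-b": {"min_severity": 7, "always": {"credential-access", "persistence"}},
}


def elevate(events):
    """Keep only events that pass their own platform's elevation policy."""
    kept = []
    for ev in events:
        pol = ELEVATION_POLICY[ev.platform]
        if ev.severity >= pol["min_severity"] or ev.category in pol["always"]:
            kept.append(ev)
    return kept


# Constructed threat-intelligence feed keyed by indicator.
THREAT_INTEL = {
    "203.0.113.7": {"tag": "scanner-infrastructure", "boost": 1},
    "198.51.100.23": {"tag": "credential-stuffing-actor", "boost": 2},
}


def enrich(events, intel=THREAT_INTEL):
    """Attach intel context and raise severity for events matching an indicator."""
    for ev in events:
        hit = intel.get(ev.source_ip)
        if hit:
            ev.intel.append(hit["tag"])
            ev.severity = min(10, ev.severity + hit["boost"])
    return events


def cluster(events):
    """Group promoted events by shared source indicator so related activity
    across platforms is handled as one threat, ordered by worst severity."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev.source_ip].append(ev)
    out = [{"indicator": ip,
            "max_severity": max(e.severity for e in evs),
            "platforms": sorted({e.platform for e in evs}),
            "events": evs} for ip, evs in groups.items()]
    return sorted(out, key=lambda g: g["max_severity"], reverse=True)


def run_pipeline(raw_by_platform, intel=THREAT_INTEL):
    events = [normalise(p, r) for p, raws in raw_by_platform.items() for r in raws]
    promoted = enrich(elevate(events), intel)
    return {"ingested": len(events), "promoted": len(promoted), "clusters": cluster(promoted)}


SAMPLE = {  # constructed native alerts from the two hypothetical platforms
    "cloud-a": [
        {"type": "credential-access", "severity": 5, "src": "198.51.100.23", "resource": "iam/role/deploy"},
        {"type": "port-scan", "severity": 3, "src": "203.0.113.7", "resource": "vpc/sg-edge"},
        {"type": "data-exfiltration", "severity": 8, "src": "198.51.100.23", "resource": "bucket/customer-exports"},
    ],
    "cloud-b": [
        {"category": "persistence", "level": "low", "attacker": {"ip": "198.51.100.23"}, "target": "vm/web-02"},
        {"category": "noisy-neighbour", "level": "medium", "attacker": {"ip": "192.0.2.9"}, "target": "vm/web-01"},
    ],
}

if __name__ == "__main__":
    result = run_pipeline(SAMPLE)
    print(f"ingested={result['ingested']} promoted={result['promoted']}")
    for g in result["clusters"]:
        print(g["indicator"], g["max_severity"], g["platforms"], [e.category for e in g["events"]])
```

Running it on the constructed sample ingests five native alerts but promotes only three: the low-severity persistence and credential-access events are elevated because their categories are always promoted under the policy, while the port scan and the noisy-neighbour alert stay in their platforms. Enrichment then ties the three promoted events to one indicator seen on both platforms, so the SOC sees a single related-threat cluster rather than three disconnected alerts, which is the hierarchy-of-related-threats idea the text describes.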