What is cloud network security?

Cloud network security is an area of cybersecurity focused on minimizing the chances that malicious actors can access, change, or destroy information on public or private cloud networks. Although the principles for securing cloud networks are similar to those for securing on-premises networks, unique aspects of cloud environments mean different tactics are required.

Why is cloud network security important?

Cloud network security is important because sensitive information is being migrated to the cloud, where it becomes more exposed. That information needs to be protected, but the cloud also introduces new challenges that can make security tricky.

Challenges of cloud network security

The challenges facing cloud network security are also what make moving operations into the cloud so powerful. For starters, deploying new assets in a cloud network is very easy. In an on-premises network, IT and SOC teams oversee all new infrastructure. This means expanding the network is slow and laborious, but it also means that all new infrastructure is configured by security experts.

In a cloud network, new infrastructure can be instantly added by any person or system with the right credentials, without direct involvement from IT or security teams. This makes expanding the network much easier, but it also increases the chance that new infrastructure isn’t configured securely and is therefore vulnerable to attack.

Another unique challenge of network security in cloud computing is the speed of change in cloud environments. Technologies like autoscaling and serverless computing mean that assets in a cloud network are constantly appearing and disappearing.

Traditional security measures like vulnerability scanning are no longer enough because a vulnerable asset might only exist for a few minutes—which is more than enough time for a malicious actor to find and exploit it, but not nearly enough time for a weekly or even daily scan to detect it.

The ease of deployment and high rate of change make it very difficult for security teams to maintain a complete picture of their cloud environment. This is made worse in hybrid environments (IT environments that include both on-premises and cloud networks), where different information is stored in different systems and protected by different security tools.

In these environments, the security team needs to bounce back and forth between various systems to manage their security efforts. The lack of unified data makes it difficult (if not impossible) to get an accurate sense of the organization’s overall security posture or to track a malicious actor who is moving between cloud and on-premises networks.

Last but not least, when dealing with a network on a public cloud service provider like AWS or Azure, the network’s owner shares responsibility with the provider for securing it. While the details of this shared responsibility model vary from provider to provider, in general the provider is responsible for securing the cloud itself, such as the physical security of the data centers, the maintenance and updating of hardware, etc. The network owner, on the other hand, is responsible for securing anything they put in that cloud environment.

Many people worry about giving up control of securing the hardware and data centers, but public cloud providers like Amazon, Microsoft, and Google can devote more resources to things like physical security. The real risk in the shared responsibility model is the confusion it can create within an organization. More than a few security incidents have occurred because people incorrectly assumed they didn’t need to worry about cloud security because the system was in the cloud and their cloud provider would take care of everything.

Cloud network security strategy

Beyond embracing DevSecOps and educating employees on how to use a cloud network in a secure manner, the most effective thing an organization can do to minimize risk in its cloud network is to define a security baseline for the cloud environment. Ideally, this baseline should be established before an organization starts using a cloud network, but it is never too late to create one.

The baseline lays out what the cloud network should look like from a security perspective. The objective is to make sure everyone—security, IT, engineering, DevOps, etc.—is aligned on what needs to be done to keep the network secure on an ongoing basis. A properly defined baseline can help address a number of challenges in cloud network security, including ease of deployment, speed of change, and shared responsibility.

There are some cloud network security best practices organizations can follow to establish this baseline. First, the baseline should specify the architecture of the cloud environment, how each type of asset should be configured, and who should have read or write access to each part of the environment. Guides like the CIS Benchmarks and the AWS Well-Architected Framework should also be used to help define the baseline.

Make sure the baseline applies to pre-production and test environments. In many cases, these environments have been used as an entry point for an attack. The baseline should specify policies and controls for testing, such as which (if any) production databases can be used or duplicated for testing.

The baseline should also map out an incident response plan, as well as clearly define who in the organization is responsible for which aspects of cloud security on an ongoing basis. It should also be revisited and updated regularly to reflect emerging threats and new best practices.

Once the baseline has been created or updated, it needs to be communicated to everyone who will touch the cloud network. In addition, the security team needs to work with DevOps to implement ways to enforce the baseline. This means creating cloud infrastructure templates (using an infrastructure-as-code solution from the cloud provider or a third-party tool like Terraform) in which everything is properly configured. It also means implementing continuous monitoring to detect when something has become outdated or has been changed post-deployment and no longer follows the baseline.
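The post-deployment drift check described above, as an added example that is not code from the original page or from Rapid7: a small set of baseline rules (no admin ports open to the internet, no public storage, mandatory ownership tags) is evaluated against a constructed asset inventory, and only the assets that have drifted from the baseline are reported. The asset model, rule names and sample inventory are all assumptions made for this example.

```python
# Added example, not from the page: baseline-drift check over a constructed inventory.
from dataclasses import dataclass, field
from ipaddress import ip_network

BASELINE = {
    "no_public_admin_ports": {22, 3389},   # never open to the whole internet
    "storage_public_access": False,        # buckets must not be public
    "required_tags": {"owner", "environment"},
}

@dataclass
class Asset:
    asset_id: str
    kind: str                                     # "security_group" or "bucket"
    tags: dict = field(default_factory=dict)
    ingress: list = field(default_factory=list)   # (cidr, port) pairs
    public: bool = False

def check_asset(asset: Asset, baseline: dict = BASELINE) -> list:
    """Return the baseline violations for one asset (empty list = compliant)."""
    findings = []
    missing = baseline["required_tags"] - set(asset.tags)
    if missing:
        findings.append(f"missing tags {sorted(missing)}")
    if asset.kind == "security_group":
        for cidr, port in asset.ingress:
            # A /0 prefix admits every address, i.e. the rule is internet-facing.
            if ip_network(cidr).prefixlen == 0 and port in baseline["no_public_admin_ports"]:
                findings.append(f"admin port {port} open to {cidr}")
    if asset.kind == "bucket" and asset.public and not baseline["storage_public_access"]:
        findings.append("public storage access enabled")
    return findings

def audit(assets: list, baseline: dict = BASELINE) -> dict:
    """Run the check over a whole inventory; only drifted assets are reported."""
    report = {}
    for asset in assets:
        findings = check_asset(asset, baseline)
        if findings:
            report[asset.asset_id] = findings
    return report

# Constructed inventory: one compliant group, one drifted group, one public bucket.
SAMPLE_ASSETS = [
    Asset("sg-web", "security_group", {"owner": "web", "environment": "prod"},
          [("0.0.0.0/0", 443)]),
    Asset("sg-bastion", "security_group", {"owner": "ops"}, [("0.0.0.0/0", 22)]),
    Asset("bucket-logs", "bucket", {"owner": "sec", "environment": "prod"}, public=True),
]
```

In practice the inventory would be pulled from the provider's API or the infrastructure-as-code state on a schedule, so that an asset that only lives for a few minutes is still checked against the baseline.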

Virtual machine templates should include an embedded agent to allow for continuous monitoring and vulnerability detection from the moment something is deployed.

Reducing risk in multi-cloud environments

When it comes to the challenges around visibility into cloud networks, security teams should start by making sure they have (at minimum) read-only access to all the organization’s cloud accounts. Organizations trying to secure and maintain visibility into a hybrid or multi-cloud environment should make sure that a single team is responsible for securing all parts of the IT footprint.

Having one team responsible for on-premises security and another responsible for cloud security often leads to silos, blind spots, and difficulty tracking a malicious actor who moves between the networks.

Teams dealing with the security of hybrid or multi-cloud environments should also consider reassessing the tools they use. Many legacy security solutions are not optimized to support cloud networks. This results in teams using different tools to secure their on-premises and cloud environments. Instead, the team should look for tools that let them manage security for the organization’s entire IT footprint in one place.

Most teams will benefit from the following tools:

  • A vulnerability management solution that can continuously monitor and detect vulnerabilities in cloud networks, on-premises networks, containers, and remote endpoints. The solution should also have the ability to instantly detect misconfigured cloud assets.
  • A modern SIEM or threat detection and response solution that can aggregate data from all the organization’s cloud and on-premises networks/systems. The solution should also automatically detect threats and help the security team instantly respond to an incident with features like a visual incident timeline and automatic quarantining of potentially compromised accounts/assets.

Helping cloud network security take off

Security teams should also consider leveraging a security automation tool to help secure cloud networks. Automation can help the team keep up with the rapid pace of change in cloud networks, enhance visibility by sharing data between systems, eliminate tedious work and improve productivity, and minimize the damage from an incident by instantly responding to detected threats.

One way to leverage automation is by automating the deployment of cloud infrastructure templates (from your security baseline) using a tool like Chef or Puppet. This can simplify the creation of complex architecture as well as minimize the chances of human error. Another way to leverage automation is by using a security orchestration, automation, and response (SOAR) solution.

Such a tool can allow the team to easily exchange data between systems without having to take the time to integrate them using APIs. Even better, a SOAR solution can automate many of the manual processes that can fill up a security analyst’s day or slow down an investigation. For example, the security team can build workflows in the SOAR tool that automatically investigate suspected phishing emails, contain malware when it is detected, provision and deprovision users, streamline patching, and much more.

SDLC security in cloud networks

In addition to everything mentioned so far, there are a few additional best practices for organizations that are looking to build and deploy web applications on their cloud network. These organizations should look to “shift left” and incorporate security as early as possible in their software development lifecycle (SDLC). In other words, security issues should be evaluated as part of pre-deployment testing of code and treated like any other bug.

This not only ensures that deployed code is free of security vulnerabilities, but, by flagging security issues during testing, developers get the opportunity to learn what vulnerabilities exist in their code and how they can avoid them in the future. The types of modern web apps currently being deployed on cloud networks are generally quite complex, so organizations looking for a way to test these sorts of apps should make sure that whatever SAST, DAST, or IAST solution they’re considering can handle the codebase of their apps.

The best way to confirm this is by putting the tool to the test via a free trial. While not specific to cloud networks, it’s important to mention that any organization deploying web apps should also seriously consider additional protections like a web application firewall (WAF) to prevent malicious actors from getting access to the app and a Runtime Application Self-Protection (RASP) solution to respond to a live attack that manages to get past the WAF.

Read more about cloud security

2022 Cloud Misconfigurations Report: Latest Cloud Security Breaches and Attack Trends

Learn about Rapid7’s InsightCloudSec product

Cloud security: latest from the blog