Securing infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) offerings is about having the right tools and the right managed security provider. Cloud computing offers significant advantages to IT who must continuously meet changing business demands and opportunities. IT can recognize economies of scale, save on overhead and staff resources, and scale up or down near-instantly with as-a-service offerings. Moving to the cloud gives IT and security providers the opportunity to refocus limited time and resources on strategic business opportunities instead of managing infrastructure and technology. For most mid-sized organizations and smaller enterprises, freeing up IT time means faster time-to-market and increased revenue from products and services.
What changes can businesses expect from a security perspective when migrating to IaaS/PaaS?
Fundamentally, none of the security essentials change when migrating to cloud computing. In the IaaS shared security model, the IaaS provider assures the security of the virtual machines, disk storage, and networking, while the IaaS tenant is responsible for the security of the operating system, software stack, and data. The IaaS tenant must now focus on what he or she can control, but must also trust and verify that the IaaS is doing its job correctly. This bifurcation of responsibilities is good because the IaaS tenant's limited security resources will now go a lot further in reducing overall risk.
Is IaaS/PaaS more or less secure than on-prem environments?
A few years ago, the enterprise perception was that cloud computing environments were less secure than on-premise environments. The reality is that for most all organizations IaaS has the potential to be substantially more secure than on-premise environments. Security is an overhead cost, and big organizations with big budgets can spend much more money and time than mid-sized organizations to do security correctly. This trend extends to IaaS/PaaS providers who have the most extensive security budgets and world-class security teams with state-of-the-art security tools and processes. As long as the tenant picks a reputable IaaS/PaaS provider and focuses on what they should be controlling, they will improve their security.
What should IaaS/PaaS users be doing to secure their part of the shared security model?
There are a number of controls and best practices you should employ.
Here are some key ones:
- Lock down root account credentials and create access groups and users with limited privileges (based on job responsibilities) – monitor all access 24/7 for suspicious activity.
- Remove unneeded software and applications from workload images and harden through configuration settings – monitor 24/7 for any configuration drift.
- Scan production workloads in real-time for vulnerabilities and remove potential threats. Replace with new workloads based on the patched image.
- Segment network traffic using Virtual Private Clouds and host firewalls – monitor traffic for malicious activity.
- Encrypt data-at-rest and data-in-motion and monitor for correct crypto configurations.
- Monitor logs, processes running, and other workload settings 24/7 for indicators of compromise (IoCs) and take immediate action when incidents happen
How should IaaS customers do this?
It starts with a mature, well-defined process for dev-sec-ops: make sure code is architected and developed securely, well tested along the way, and configured correctly. But it also needs real-time security monitoring, which can't be accomplished with traditional security tools such as software appliances. They don't have enough visibility into workloads and containers, are prone to misconfigurations which cause security issues, and simply do not scale in dynamic cloud environments.
What do you recommend for securing cloud workloads?
Modern networks require solutions specifically designed for cloud computing environments. Solutions need to be able to deploy quickly, scale immediately, and automatically remove human errors. They also must comport with rigorous security requirements, workload integrity controls and monitoring capabilities to address any and all security risk cases. Detection and response tools require continuous monitoring to catch security incidents before they become major issues or breaches.
Why should organizations be interested in managed security infrastructures?
Leveraging a managed security service for tenant-side security gives IT and security teams the opportunity to refocus limited time and resources on strategic business opportunities instead of managing infrastructure and technology. For most mid-sized organizations and smaller enterprises, freeing up the time spent managing IaaS/PaaS alerts and risk means faster time-to-market and increased revenue from products and services.