How to secure a cloud workload as it travels between CSPs

Typically a cloud workload doesn't stay in one spot. Expert Dave Shackleford discusses the best ways to secure traveling cloud workloads as they move across environments.

Cloud workloads will often move between cloud services. It's rare that a cloud workload will be uploaded to Amazon Web Services, for instance, and sit there without being touched or moved to another cloud service or cloud app. Cloud access security brokers provide visibility into individual access and data within a cloud app, but what happens when a workload begins to move across other cloud services? This tip explores the challenges of monitoring and tracking cloud workloads as they move through different cloud service environments.

While there are many tools and controls available that can help monitor a cloud workload and data moving between cloud service environments, enterprises need to adopt one overarching theme when designing a dynamic cloud security model -- one of zero trust. In order to implement a zero trust model, security and operations teams will need to focus on two key concepts. First, security will need to be integrated into the cloud workloads themselves, and move with the instances and data as they migrate between environments. Second, the available security and monitoring controls within each cloud service provider environment will need to be understood and leveraged as much as possible to ensure security is implemented and maintained regardless of where the cloud workload operates.

A critical element of any cloud security strategy -- and one that needs to be implemented prior to others -- is inventory discovery and management. As a cloud workload moves, it needs to be automatically catalogued and tracked within the particular cloud environment it is running in. By leveraging network scanners, system-level scanners and specialized scanning tools that can peruse files and storage infrastructure, all active cloud assets can be discovered and placed into a dynamic, continually updated inventory.

By integrating security controls directly into cloud instances, or virtual machines, organizations have a much stronger chance of protecting data regardless of where the instance runs. Some of the most critical host-based controls that need to be implemented within each instance include:

  • Patch and configuration management: An agent on each instance should be able to locally scan the system for configuration posture, patch status and potentially any other vulnerabilities that may be present.
  • Local accounts: All local OS and application accounts should be reported on a regular basis to ensure no new or unauthorized accounts have been added.
  • Change detection: File integrity monitoring should be enabled if possible for any cloud instance, allowing critical system components to be monitored and rolled back automatically.
  • Encryption: All sensitive data within cloud instances should be encrypted with keys managed by the organization, and key stores should be established within each cloud provider to ensure continuity of encryption and decryption operations.
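As an added example (not code from the article), the following Python sketch shows what an instance-resident check for two of the controls above, local-account review and file integrity monitoring, can look like when the baseline ships inside the instance image and therefore travels with the workload across providers. The baseline, the passwd text and the file contents are constructed samples; a real agent would read /etc/passwd and the listed files from disk.

```python
import hashlib

# Constructed baseline that would ship inside the instance image (assumption).
BASELINE_ACCOUNTS = {"root", "daemon", "www-data", "deploy"}
BASELINE_HASHES = {
    "/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\n").hexdigest(),
    "/etc/sudoers": hashlib.sha256(b"%admin ALL=(ALL) ALL\n").hexdigest(),
}
# Constructed current state of a drifted instance: one unexpected UID-0
# account, one changed config file, one baseline file gone.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33::/var/www:/usr/sbin/nologin\n"
    "svc-tmp:x:0:0::/root:/bin/bash\n"
)
SAMPLE_FILES = {"/etc/ssh/sshd_config": b"PermitRootLogin yes\n"}

def parse_passwd(text):
    """Return {username: (uid, shell)} from /etc/passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:  # skip blank or malformed lines instead of crashing
            users[fields[0]] = (int(fields[2]), fields[6])
    return users

def account_findings(passwd_text, baseline=BASELINE_ACCOUNTS):
    """Report accounts absent from the baseline, any non-root UID-0 account,
    and baseline accounts that have disappeared."""
    users = parse_passwd(passwd_text)
    findings = []
    for name, (uid, shell) in sorted(users.items()):
        if name not in baseline:
            findings.append(f"unauthorized account: {name} (uid={uid}, shell={shell})")
        if uid == 0 and name != "root":
            findings.append(f"extra uid-0 account: {name}")
    findings += [f"baseline account missing: {n}" for n in sorted(baseline - set(users))]
    return findings

def integrity_findings(file_contents, baseline=BASELINE_HASHES):
    """Hash each baseline file and report the ones missing or modified."""
    findings = []
    for path, expected in baseline.items():
        data = file_contents.get(path)
        if data is None:
            findings.append(f"missing file: {path}")
        elif hashlib.sha256(data).hexdigest() != expected:
            findings.append(f"modified file: {path}")
    return findings
```

Feeding `account_findings(SAMPLE_PASSWD) + integrity_findings(SAMPLE_FILES)` to the provider's alerting (CloudWatch or Azure Diagnostics) gives the same findings list regardless of which environment the instance is running in.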

In addition to these local controls, organizations should focus on securing the data and systems in transit between provider environments. Unless a dedicated VPN tunnel can be established between the providers, whether through a cloud access service, an encryption gateway or a brokering service, assets would need to be sent back to the enterprise's on-premises data center through one VPN tunnel and then forwarded to the next location through a second tunnel. This is far from ideal, so organizations may have to resort to encrypting data before transmitting it across untrusted networks.

Numerous monitoring tools exist within cloud provider environments. In AWS, CloudWatch can monitor for changes and log files generated within the AWS account, and trigger alarms and alerts for security teams to investigate where appropriate. In Microsoft Azure, Azure Diagnostics can be configured to monitor cloud instances. Other multicloud workload management tools like Apache Mesos and services like Xervmon can also help to provide more in-depth visibility and continuous monitoring across all cloud service environments assets may reside in. Whatever combination of cloud provider, open source and commercial vendor tools an organization selects to help with continuous monitoring and data protection, make sure to focus first on inventory monitoring and updates, along with zero trust controls built into a cloud workload as it moves.
