A sound stack of controls and tools for cloud workload protection is necessary in digital business, but there are a number of best practices that all organizations should consider when implementing them.
Securing your VM-based workloads
To ensure virtual machine cloud workload protection, organizations should do the following:
- Ensure that there are configuration standards in place for all the various operating system and build varieties you want in the cloud. These may align with the Center for Internet Security benchmarks or some other industry guidelines, but defining formal standards for the organization is a good start. Next, create virtual machine image templates that have base standards in place, and save these as cloud VM formats like Amazon Machine Images or Azure VM templates.
- For hybrid cloud models, it's usually best to try and implement a uniform tool like Chef or Puppet that can be used both in-house and in the cloud to automatically configure virtual machines and then continuously monitor the configurations. If you're already using Chef cookbooks or Ansible playbooks, for example, you can simply extend your configuration templates to cloud workloads. Categorize these templates assigned to workloads with tags or other metadata identifiers.
- If possible, only patch and update VM templates instead of running systems, then deploy new virtual machines and terminate the old ones. This kind of progressive update cycle can take time to put in place, however.
- Make use of cloud-native systems management tools like AWS Systems Manager for non-hybrid cloud implementations, but remember that these services are a form of vendor lock-in and will not translate to multi-cloud deployment models.
How to improve endpoint cloud workload protection
For endpoint security, look at cloud-friendly and cloud-native options first, if possible. Many endpoint detection and response (EDR) vendors have adapted their agents to be supported in all cloud platforms, and these are good choices. Antimalware technology should be selected from the cloud provider marketplaces and integrated with all images stored in the cloud provider environment.
Cloud-focused endpoint posture management tools like Dome9 and Cloud Passage should also be integrated with all images to ensure they're active for any new workload deployments.
Choices for container-based security
For container-based controls that enable cloud workload protection, implement any cloud-native container image scanning that your cloud provider makes available, such as the Google Cloud Platform image scanner or AWS Elastic Container Registry image scanning. These tools have native integration with the cloud provider environments, and they are often easy to automate for image check-in scans -- and all new images should definitely be scanned immediately for vulnerabilities.
For runtime security, however, you'll likely need a third-party tool, available from providers like Aqua Security, Sysdig, Palo Alto (Twistlock) and others. Enable a virtual appliance or install a runtime agent into all container images for these tools to monitor runtime behavior and protect against malware infections and other attacks.
Serverless function fixes for cloud workload protection
There are very few tools and controls available specifically for protecting serverless functions. Security professionals should monitor all logs related to updates and changes to serverless function code and configuration. They should also make certain that the principle of "least privilege" is assigned to serverless code as well as to all access to and from serverless functions, both within the cloud and from admins. Some providers like Aqua Security, as well as Twistlock and PureSec (both part of Palo Alto), can monitor and protect serverless functions by monitoring runtime behavior as well. Security teams may want to consider these tools if serverless functions are a key element of deployment models.
As you get started with cloud workload protection, keep the following in mind to help build a positive and productive feedback loop:
- Ensure that periodic reviews of the overall risk posture within cloud environments are performed to guarantee continued alignment of security and the other DevOps teams involved.
- Keep system instances in the cloud as locked down as you can, commensurate with the exposure and data classification types involved.
- Pay careful attention to privilege allocation and user-, group- and role-management associated with workloads. This can easily "creep" over time in a dynamic environment.
- Commit to a culture of continuous monitoring, helping to automate detection and scripted response activities that minimize manual intervention wherever possible.
- Discuss vulnerabilities detected in cloud deployments with all team members and make sure DevOps teams are involved in vulnerability, patch and configuration management discussions and policy creation.
- Discuss the changing threat landscape with DevOps teams, and solicit their feedback on practical measures that can be taken to implement the most effective security without impeding progress or slowing down the pace of business activities.
How you approach cloud workload protection depends in large part on where your cloud workloads are based. But wherever they are, follow these best practices, and set up an ongoing system of monitoring security to keep your cloud-based workloads secure.