Securing cloud workloads can be difficult: You're running applications and processes on a far-off server that your organization doesn't control. Yet there are several initiatives you can take to make your cloud workloads as safe as possible.
Problems with workload security
The primary issue with cloud computing is a lack of visibility. An organization's information-security team won't have direct access to the hardware and infrastructure of a cloud server. Cloud service providers (CSPs) provide application programming interfaces (APIs) and tools to grant some visibility, but their clients must take a CSP's guarantee of security on faith.
Another obstacle is the learning curve that infosec teams face after moving workloads to the cloud. They'll be dealing with a very different beast than an on-prem deployment and will need training and skills to match.
"Having visibility into their workloads and assessing their security posture can be challenging, given that they have less control over these multi-tenant cloud platforms," wrote Qualys' Juan C. Perez in a 2018 blog post. "InfoSec teams also need to figure out which new tools, expertise and staff they may need to acquire."
Any infosec team would ideally use the same monitoring, protection and vulnerability-management tools in the cloud as it did for on-prem assets, but many on-prem tools don't work well in the cloud. Meanwhile, organizations that use more than one CSP to build a multi-cloud environment will find that APIs and other components are often incompatible among cloud providers.
The attack surface in a cloud environment may also be larger than a team is used to. In a 2022 survey of more than 300 IT professionals and cybersecurity decision-makers conducted by CyberRisk Alliance, 37% of respondents said their organizations had suffered a cloud-based attack or data breach in the previous two years, and 55% said their organizations were running up to 50 assets or workloads in public clouds.
Those assets and workloads likely share server space with other clients' data and are protected only by proper configuration and access management. If just a few things go wrong, valuable data might be exposed or stolen.
"When we see cloud workloads being attacked, usually it's through identity — poor passwords or APIs that are exposed to the internet that aren't protected with multifactor authentication," said Jonathan Trull, CISO of Qualys, in a 2022 interview.
Many cloud-data leaks are caused by misconfigurations, which can be hard to get right. Meanwhile, large organizations may have a potentially enormous number of cloud assets to protect — and a potentially huge number of vulnerabilities to patch.
"We also see a lot of misconfigurations because there's a huge shortage of cloud security professionals," Trull added. "The ones working are not malicious, but they do configurations very quickly because there's demand and pressure to get work done."
Finally, there's the shared-responsibility model. Many organizations don't completely understand exactly what they're responsible for in their own cloud workloads, and what the cloud service provider is obligated to handle.
How to improve the security of your workloads
There's no silver-bullet solution to securing your cloud workloads. Making your cloud assets and data safer is a continuous process that moves on many different tracks.
— Reduce your attack surface. Cloud workloads are big juicy targets for anyone to find and probe. Implement vulnerability management, a web application firewall (WAF) and DDoS protection, and scan your container images. But tackle the most important software patches first because you may not be able to handle all of them at once.
"You need to focus on vulnerabilities that are known to be exploited in the wild," Trull said. "We have good threat intelligence that the bad actors are trying to attack those cloud workloads. We know they have them in their payloads because we can see the malware and we can see the different attack frameworks that they're using. That's where we need to prioritize our time."
— Use a cloud security posture management (CSPM) solution to detect misconfigurations and define security policies. Some CSPM solutions do best handling Windows workloads, so be careful if you're running Linux instead.
"Any cloud applications and instances should be as locked down as possible, running a minimum of services," said Dave Shackleford of the SANS Institute in a 2018 white paper. "Configuration requirements should be revisited to ensure any cloud-based infrastructure is as resilient as possible."
— Use a cloud workload protection platform (CWPP) to monitor containers and Kubernetes clusters and detect threats, and agent-based scanners such as the Qualys Cloud Platform to monitor instances and workloads.
— Use infrastructure-as-code (IaC) tools to automate and orchestrate the building of cloud instances and workloads.
If possible, use a cloud-native application protection platform (CNAPP) to bring all the security programs together. A CNAPP may bundle in CWPP, CPSM, IaC, a cloud-access security broker (CASB) and cloud infrastructure entitlement management (CIEM).
"Because containers require access to code repositories to install and configure software packages," said Perez, "security teams need tools that can scan container environments, as well as test the container daemon and its configuration, validate the containers running on the container host, and review the container security operations."
— Use your cloud service provider's security tools when available, but don't assume they're all that you can use. Third-party solutions will work better across multiple public clouds.
— Give your infosec team the proper training and skillset to manage a cloud environment and the required tools.
"A single person can spin up a new server in almost no time at all," said Brad Beaulieu of Booz Allen Hamilton in a 2020 blog post. "But unless project teams are perfectly in sync with their agency's cyber operations, that kind of velocity can easily lead to isolated environments and blind spots, creating substantial risk."
— Segment your networks to block lateral movement by attackers and properly silo workloads and containers.
— Minimize mean time to respond (MTTR) by subscribing to threat intelligence and using a security automation, automation and response (SOAR) solution to deal with many attacks and vulnerabilities.
— Secure your cloud-management, SaaS-management and DevOps consoles, as all are prime targets for attack.
— "Shift left" in your code development by integrating security into your continuous integration/continuous development (CI/CD) pipeline.
"In a true shift left model, security teams need to integrate with the developers promoting code to cloud-based applications," said Shackleford. "To help shift the culture toward one that is more collaborative, security engineers and architects should be embedded full-time into the development and operational teams building and deploying cloud workloads."
— Implement a cloud-ready or cloud-native IAM system to tightly control access to workloads, and implement MFA to access all cloud assets.
— Whitelist/allowlist applications so that nothing unauthorized can be loaded into your cloud instances.
— Secure the API access credentials to workloads, and make sure SSH keys aren't embedded in code.
"Key management is a very big focus for cloud security," said Trull. "Depending on how you view risk, you need to determine whether you want to store your keys and if you're comfortable with the cloud provider storing the keys."
— Analyze, review and update your own security policies, practices and tools, as well as your cloud service providers', and thoroughly understand the CSP's shared-responsibility model.
"After risk reviews, and keeping the 'shared responsibility' model in mind," said Shackleford, "security teams should have a better understanding of what controls they currently have. Teams should also have a greater understanding of what controls they will have to modify to successfully operate in the cloud, and what the most pressing concerns are (as they change)."