The cloud is made up of extremely dynamic environments that undergo constant expansion, updating, and change. As such, securing these cloud environments requires an equally dynamic solution, uniquely differentiated from that of traditional, on-premises computing environments. Yet a recent study suggests that 32% of organizations use the same rules, processes, and tools for both on-premises and cloud security.
Using the same rules-based security approaches for the cloud is like trying to force a square peg into a round hole — it won't fit no matter how you spin it, yet far too many enterprises still try. Given their disappointing track record in securing corporate computing, rules-based systems cannot be expected to be effective in the cloud, which is both different and more challenging. The dynamic and vulnerable nature of the cloud requires enterprises to take a new approach: one that views security as a data problem whose solution provides both safety and agility.
Accept Cloud Security for What It Is: Never the Same Day as Before
Unprecedented data growth is forcing enterprises around the world to reconsider their data storage infrastructure, forgoing legacy architecture and migrating to cloud platforms. While the cloud promises new levels of efficiency and scale, one of its defining characteristics is constant change. The pace of software iteration is supercharged, with open source building blocks constantly churning, underlying platforms rapidly evolving, and operations scaling out horizontally and scaling up vertically. As more computing moves to the cloud, the potential attack surface grows faster, resulting in more risks and vulnerabilities. Long story short: running an operation in the cloud is an exercise in frantic change management.
The world of traditional business computing no longer exists. The cloud environment is far removed from the closed-off walls (and soft, squishy center) of on-premises networks guarded by multiple layers of defense. According to O'Reilly, 90% of organizations use the cloud, and Gartner estimates that over 95% of new digital workloads will be deployed on cloud-native platforms by 2025. Security professionals are facing a completely new landscape. And outdated rules-based approaches to security are only guaranteed to flood operations teams with contextless alerts, leading to poor visibility, guesswork, and fear of the unknown.
Protecting operations in the cloud is fundamentally different from protecting traditional, on-premises computing. The security industry needs to accept this fact and prioritize providing visibility and stability to its customers. By understanding the unique construction of each customer's cloud operations, the defining characteristics of their workload, and the specifics of their computing environment, security professionals can provide the foundation for customers to operate with confidence and agility as they adapt safely to each change. But such a foundation can only be achieved by data-driven techniques and comprehensive analysis.
Monitoring and Analyzing Anomalies, Not Rules
Traditional monitoring relies on rules that trigger alerts based on known security-related issues, whether or not those issues are relevant to an organization's operations or workload. It's a somewhat backward paradigm: Rather than working to comprehend the organization's operations and maintain their health, the rules-based paradigm focuses on understanding potential threats, based on general-purpose knowledge of the threat ecosystem. Not only does this approach require security expertise (which can be hard to find), but it also fails to make the security team an enabler that helps corporations be agile by maintaining stability in the face of changes.
When a doctor prescribes medication, a treatment that works for one patient might not work for another. Just as every patient is unique, so is every cloud environment. An organization's cloud operations are not a cookie-cutter concern, but rather a conglomeration of configurations, technologies, tools, and processes that have evolved over time, often with many detours and dusty corners. Therefore, there can be no one-size-fits-all solution to cloud security: What should be permitted, and what should be flagged as a threat or high-risk anomaly, must be based on what constitutes normal behavior in each unique cloud environment.
Fortunately, using modern data processing and machine learning techniques makes it possible to learn the salient, stable aspects of each customer's operations. These techniques mine the torrent of data about customers' cloud activities and separate out the irrelevant, ephemeral noise caused by the cloud's constant churn. From that foundation, the customer can understand the normal, healthy behavior of their operations and highlight any anomalies that might pose a threat, whether to the security or to the stability of their operations.
In particular, this approach can be highly effective in uncovering new threats before they become known, or in identifying new threat variants as they appear — since exploit attempts will trigger anomalies, whether successful or not. This last benefit is of critical use in cases such as last year's Log4j vulnerability, where, over weeks and months, a succession of rapidly evolving exploit attempts was reported across 44% of networks worldwide, as corporations struggled to remedy the vulnerability.
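To make the contrast between a static rule and a learned baseline concrete, here is a small example written for this article (not code from any vendor or product it discusses). It assumes constructed audit-log records with stable fields (principal, action, region) and one ephemeral field (instance_id) that churns with autoscaling; the baseline is learned only from the stable fields, so routine churn is not flagged, while combinations never seen in normal operations are.

```python
from collections import Counter

# Fields that stay stable as an environment runs; instance_id is ephemeral
# churn (autoscaling) and is deliberately left out of the learned baseline.
STABLE_FIELDS = ("principal", "action", "region")

def _make(principal, action, region, n):
    # Constructed sample audit record (not real telemetry).
    return {"principal": principal, "action": action, "region": region,
            "instance_id": f"i-{n:04x}"}

# Constructed baseline window: a deployer that scales instances in and out
# all day, and a backup service that writes objects.
BASELINE_EVENTS = (
    [_make("ci-deployer", "RunInstances", "us-east-1", n) for n in range(40)]
    + [_make("ci-deployer", "TerminateInstances", "us-east-1", n) for n in range(40)]
    + [_make("backup-svc", "PutObject", "us-east-1", n) for n in range(40, 60)]
)

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = [
    _make("ci-deployer", "RunInstances", "us-east-1", 0xFFFF),  # new instance id, same behavior
    _make("backup-svc", "GetObject", "eu-west-1", 0xFFFE),      # backup service reading, new region
    _make("ci-deployer", "CreateUser", "us-east-1", 0xFFFD),    # deployer creating identities
]

# A static rule, for contrast: alert on one action known to be sensitive.
RULE_SENSITIVE_ACTIONS = {"CreateUser"}

def rule_alerts(events):
    """Rules-based detection: fires on listed actions, blind to anything else."""
    return [e for e in events if e["action"] in RULE_SENSITIVE_ACTIONS]

def learn_baseline(events, min_count=3):
    """Learn which stable (principal, action, region) combinations are normal.
    Combinations seen fewer than min_count times are treated as noise."""
    counts = Counter(tuple(e[f] for f in STABLE_FIELDS) for e in events)
    return {key for key, n in counts.items() if n >= min_count}

def find_anomalies(events, baseline):
    """Flag events whose stable combination was never part of normal operations."""
    return [e for e in events if tuple(e[f] for f in STABLE_FIELDS) not in baseline]

if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_EVENTS)
    print("rule alerts:", [e["action"] for e in rule_alerts(NEW_EVENTS)])
    print("anomalies:", [(e["principal"], e["action"], e["region"])
                         for e in find_anomalies(NEW_EVENTS, baseline)])
```

The rule catches only the action it was written for, whereas the baseline also surfaces the backup service reading from a region it has never used, while the deployer's hundredth new instance id raises nothing.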
Taking a different approach to security in the cloud is not only a technical necessity but also a requirement from a personnel standpoint. Security teams are strapped, with alert fatigue and burnout running rampant. For even the most prepared teams, the operational and maintenance effort can be overwhelming, especially since the results are often dishearteningly lackluster. Any approach that significantly reduces the number of daily alerts can greatly improve morale and productivity. The benefits are even greater if the alerts comprise a handful of security-critical issues and data-driven anomalies, presented in an easy-to-understand context of normal operations.
It's time to let go of the past. Organizations need to say goodbye to traditional, manual rules-based security approaches and adjust for the cloud. Security should be a key concern throughout all stages of cloud software development, from build time to runtime. But cloud security should also not be a barrier that blocks agility. Rather, cloud security should be a foundation that helps maintain stability in the face of change. The best way to ensure this is via a data-driven approach to cloud security that fully accounts for the unique characteristics, structure, and dynamic behavior of each cloud environment.