This is a question that I have been asked a lot lately, especially now that I’ve been doing talks about Azure Sentinel. Therefore I wanted to write this blog post, essentially to get down my thoughts and ideas but also to try to give some good descriptions of this topic, because right now there is a lot of vendor-specific content and sales material which doesn’t give an understanding of what it is. It is more aimed at “HOW CAN YOU SECURE YOUR DATA IN THE CLOUD?”, which is not a good description, and there is no magic solution or silver bullet that can solve all your problems or remove risk entirely here.
1: Security in Public Cloud is dependent upon the delivery model
First off, talking about the security model in public cloud is all dependent on the delivery model. Businesses that are adopting a public cloud platform for doing lift-and-shift to move virtual machines out to the public cloud have an entirely different perspective on how they should manage the security in their environment compared to a company which does not have any infrastructure but is just consuming applications as SaaS services. So regardless of vendor there is no ‘Silver Bullet’ here that can solve all your security issues.
2: Security in Public Cloud is dependent upon if you are building applications or consuming applications
There is also a big difference between a company that is just consuming resources in the cloud as SaaS applications and a vendor that is building applications on a public cloud platform. If I had a company that was building web applications and services I would need to have a security stack which can monitor the different components and infrastructure that I use and the application itself, while the responsibility of the users is more about defining user access and controlling who has access to the data that the application I’m building can provide.
3: Security in Public Cloud is based upon what is your responsibility
Regardless of which delivery model you choose or how you choose to build your applications in a cloud environment, it is, as with most solutions, a shared responsibility model. The first aspect is to understand: what is the provider taking care of? What is my responsibility as a customer of this service?
I like this drawing from AWS which gives a good overview of the shared model in an IaaS model. Consuming infrastructure from AWS still requires us to manage network access on the virtual level, do backups, patch machines and ensure proper access, while AWS is just providing the foundation and the automation/management layer to make this easy for us as customers of the platform.
Now all the biggest cloud vendors have a set of additional services which you can choose to use to add more security into the services that you are using.
Now, depending on whether you are a company just consuming or building your own services, or doing a combination of both where you are using SaaS services but also building on IaaS to host other systems or applications, I’ve essentially split this up into the different delivery models and responsibilities. The next section is about showing capabilities that the cloud providers have which you can choose to utilize; the first aspect is for those that are building services.
The Cloud vendors got your back
Now all the cloud vendors have different services and tools that can reduce the security risk when you are building services in the cloud; of course most of these services are only relevant if you are using IaaS or PaaS services on their platforms.
You can view the table in full scale here –> https://i.imgur.com/am6ZN8c.png
It is important to understand that while many security vendors today are trying to provide security functionality on top of the different cloud providers, they are limited to the APIs that the different cloud vendors are providing them.
The first aspect is IaaS; this mostly applies to NVAs (Network Virtual Appliances), where the different vendors have a bit more control/options. The first piece to understand is that since all cloud platforms are running network virtualization, most NVAs will lose some capability, since many of them rely on protocols/services on layer 2 or 3 which are not available in public cloud. An example of this is RSPAN to do remote packet capture of traffic for IDS/IPS functionality. This is a layer 2 feature and is not directly available as the same feature at the cloud vendors. It should also be noted that, on the firewall functionality level, none of the cloud vendors provide a firewall capability that can do proper IPS/IDS.
The second aspect is PaaS, where you have the capabilities and access which the cloud providers give us as customers. Most of the cloud platforms also have security mechanisms that work on top of their own PaaS services, such as log collection/auditing/threat detection and the like.
Can third parties add something here that the cloud providers cannot do themselves? Sure they can; we have seen solutions where a third party utilizes the APIs to visualize and control policy and governance and provide their “IP” on top of the same capabilities, but in many cases that is something we can also do ourselves using our own code, or something that the cloud provider is already providing.
Do we need a third party for PaaS and IaaS security in the public clouds? It depends on what kind of compliance and security policies you have in place, but be sure to evaluate what security mechanisms the cloud provider can offer before looking at third parties. Also understand how the features work; in most cases the third parties are using the same APIs to do the same.
What about SaaS and Security?
When it comes to SaaS and security, essentially consuming services from a third-party provider, which is the common use case for most companies these days, how do we secure access to these? This is a different ballgame. Why?
I like this visualization as a base. Essentially you have multiple security layers that you need to maintain. First off is the device that the user is sitting on, to ensure the device is patched, has security policies in place, encryption and such; then the browser which is being used, to ensure that you have security mechanisms to avoid the user visiting phishing sites or running malware from an unknown site, and that it utilizes the newest encryption protocols such as TLS 1.3. Then you have the local network which the user is connected to, which needs to be secure, such as the wireless network, to ensure that traffic is encrypted. Next is the connectivity, to ensure that outbound traffic is secure and optimized.
The most common aspect here is using services such as SD-WAN to ensure optimized traffic flow to SaaS services. You also have the more SD-WAN-based proxy solutions, as in this visualization using SD-WAN from VMware and Zscaler, where all internet traffic is encrypted to the cloud-based proxy solution and you then have internet breakout to SaaS services from there.
All these different solutions are just the first aspect of SaaS services. When it comes to securing SaaS services you have CASB, which in most cases has API-based access to the different SaaS services to provide monitoring and access policies against them. Some CASB services also provide an inline proxy solution to restrict certain actions against the SaaS service. It is also often used for SaaS discovery. Microsoft, for instance, has its own CASB solution called Cloud App Security, which provides API integration to some SaaS services and a web proxy solution. But what about where we don’t have API access, or the cloud provider does not have any API available for the solution that we can plug into?
Now the CASB market has evolved, and Gartner is now stating that SD-WAN and CASB solutions should converge into a new “all-in-one” solution named SASE.
What is Secure Access Service Edge (SASE)?
“The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic, secure access needs of digital enterprises.
SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies, and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems, or edge computing locations.”
You can view the report after registering here at Palo Alto: https://start.paloaltonetworks.com/sase-the-future-of-network-security.html
Moving forward it seems like SASE, or a combination of CASB and proxy solutions, can be part of the security ecosystem to ensure secure access to SaaS-based services.
Now, once we have control of the network flow and traffic, the final aspect is within the SaaS services themselves. Depending on the SaaS service, the biggest responsibility from a customer perspective is controlling identity and the data. Just by looking at the trends we see that identity-based attacks are one of the most common attack vectors.
Source: Microsoft Ignite 2018
When adopting SaaS services you should ensure that you can standardize on providers that allow you to use federated credentials, so that you have a master identity source which handles all authentication. Also make sure that this identity source has mechanisms to enforce MFA as well as identity compromise detection. These are just some parts of what you need to protect when it comes to SaaS-based identity, but again, access to a SaaS service should not just be based upon the identity; you need to have control of the entire value chain, and this is where zero trust comes in –> https://msandbu.org/demystify-zero-trust-design-never-trust-always-verify/
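As an added illustration (not code from the original post), the three identity controls above can be checked from sign-in logs: accounts still using a SaaS-local password instead of the federated identity source, successful sign-ins where MFA was not satisfied, and the footprint of an identity-based attack such as a password spray (one source IP failing against many distinct accounts). The sign-in events, field layout and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample sign-in events (not real data):
# (user, source IP, result, mfa satisfied, credential source)
SIGNINS = [
    ("alice@example.com", "198.51.100.7", "success", True,  "federated"),
    ("bob@example.com",   "198.51.100.7", "failure", False, "federated"),
    ("carol@example.com", "198.51.100.7", "failure", False, "federated"),
    ("dave@example.com",  "198.51.100.7", "failure", False, "federated"),
    ("erin@example.com",  "198.51.100.7", "failure", False, "federated"),
    ("frank@example.com", "203.0.113.9",  "success", False, "federated"),
    ("grace@example.com", "203.0.113.9",  "success", True,  "local"),
    ("alice@example.com", "203.0.113.9",  "failure", False, "federated"),
]


def no_mfa_successes(events):
    """Users who signed in successfully without MFA: an enforcement gap."""
    return sorted({e[0] for e in events if e[2] == "success" and not e[3]})


def local_credential_signins(events):
    """Users signing in with a SaaS-local password instead of the master
    identity source, i.e. accounts outside the federated MFA/risk policy."""
    return sorted({e[0] for e in events if e[4] == "local"})


def spray_sources(events, min_accounts=4):
    """Source IPs with failed sign-ins against at least min_accounts distinct
    users: the footprint of a password spray rather than one mistyped password."""
    failed = defaultdict(set)
    for user, ip, result, _mfa, _source in events:
        if result == "failure":
            failed[ip].add(user)
    return {ip: len(users) for ip, users in failed.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    print("successful sign-ins without MFA:", no_mfa_successes(SIGNINS))
    print("accounts using local SaaS credentials:", local_credential_signins(SIGNINS))
    print("possible password-spray sources:", spray_sources(SIGNINS))
```

In a real environment the same three checks would run over the identity provider's sign-in logs (for example exported to a SIEM such as Azure Sentinel) rather than a hard-coded list.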
So just to summarize: looking into the cloud security ecosystem, there is a big difference between building and consuming (in most cases it’s both), and there is no single solution that can solve all your issues here. Secondly, when it comes to SaaS-based access, identity, data, devices and network are important aspects that you need to be in control of when looking at risks. SaaS-based security should be based upon a zero-trust model, but also combined with solutions for identity protection and network optimization.