About a decade ago, organizations were hesitant to adopt cloud solutions, with many citing security concerns. Fast forward to 2019, and 81% of organizations have a multi-cloud strategy, spurred on by the desire for increased flexibility, usage-based spending and the desire to respond to market opportunities with greater agility. In fact, organizations are embracing cloud solutions so much that Gartner predicts the public cloud services market will grow by 17.5% in 2019 alone and reach a total of $331.2B by 2022. According to the Gartner report, of the different segments within the cloud services market, Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) are growing the fastest. IaaS is projected to reach $38.9B in 2019, up from $30.5B in 2018 -- a 27.5% growth. Similarly, PaaS is projected to grow by 21.8%. This appears to be a sustained trend, as more than a third of all organizations regard cloud investment as a top-three investment priority.
However, because of how organizations are structured, the cybersecurity team often does not have exclusive responsibility for driving the adoption of cloud solutions or DevOps tools and is often not engaged in deciding which cloud or DevOps solutions to adopt and deploy. A recent GitLab study showed that while 69% of developers recognize that they are expected to write secure code, 49% of security professionals say it is a challenge getting developers to make vulnerability remediation a priority. Thus, many IT cybersecurity departments struggle to ensure that cloud adoption is not undertaken at the expense of security. This common dynamic leads to security gaps in organizations. For example, Vitagene, Inc., a DNA-testing service, exposed thousands of client health reports online for years. This breach involved 3,000 user records that were publicly available on AWS for several years.
These user records included information such as date of birth, gene-based health information and medical conditions. This kind of highly personal information can be used for identity theft and blackmail. Interestingly, Vitagene did not detect this breach itself; external access was only remediated after the company was notified. Unfortunately, this story is not unique. This case, sadly, is one of the thousands of security breaches that result from misconfigured cloud servers and accounts. Given the trends in cloud adoption, it is clear that there is no going back; therefore, organizations need to adapt their approach to security and adopt solutions that will help them secure their hybrid enterprise. Although organizations are adopting cloud solutions at a growing pace, with 30% of organizations expected to adopt a cloud-only approach for new software, many organizations still have on-prem assets to manage. So many organizations, despite their adoption of cloud solutions, are effectively hybrid enterprises with both on-prem and cloud assets to secure. This expands the attack surface and increases the risks to manage. Many organizations have tried to address this risk, albeit with limited success, by applying the old principles of vulnerability management to these new environments. However, to successfully secure the hybrid enterprise, organizations need to abide by the following best practices.
1. Vulnerability Scanning For Cloud Environments
Vulnerability scans can identify known vulnerabilities, misconfigured assets, un-inventoried endpoints, slips in compliance and many other conditions on the network that attackers see as an invitation. Agent-based and agentless scanning are two valid approaches to vulnerability scans. Agents can provide access to environments, including some cloud environments, where remote network scanning is difficult or prohibited. They also reduce the need to maintain and track the endpoint credentials that agentless scanning requires, and they may provide better tracking in a dynamic IP environment. Conversely, agentless scans can identify information that an agent on the host would not report, such as the SSL certificates presented on the network. However, it’s not a matter of choosing one over the other. The strongest vulnerability management strategy will employ both types of vulnerability assessment. Therefore, you’ll want a solution that builds agents into the deployment pipeline for virtual images. That way, a robust vulnerability management agent is already present when an image spins up and can feed scan results back to your device profiler. It’s crucial that your vulnerability management solution delivers your scan results in order of priority so you know which vulnerabilities to tackle first.
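The paragraph above argues for combining both scan types and delivering results in priority order. The following Python is an added example written for this post; it is not Tripwire's, IP360's or any scanner's code. It merges agent-based and agentless findings per asset, rewards issues confirmed from both vantage points, flags hosts the network scan saw but no agent ever reported (the un-inventoried endpoints mentioned above), and ranks everything by a CVSS-times-exposure score. The asset names, the CVE-0000-* identifiers, the finding records and the scoring weights are all constructed for illustration.

```python
"""Correlate agent-based and agentless (network) scan results and rank them.

Added example for this post; not Tripwire's, IP360's or any scanner's code.
The finding records, CVE-0000-* identifiers, asset names and scoring
weights are constructed for illustration only.
"""

# Weight applied to CVSS by how reachable the asset is (constructed values).
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0}

# Constructed sample: the host agent reports vulnerable installed packages;
# the network scan reports what is reachable and what the services present.
AGENT_FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "source": "agent",
     "detail": "vulnerable TLS library package installed"},
    {"asset": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3, "source": "agent",
     "detail": "vulnerable local-only library"},
    {"asset": "db-01", "cve": "CVE-0000-0003", "cvss": 7.5, "source": "agent",
     "detail": "database server package"},
]
NETWORK_FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "source": "network",
     "detail": "vulnerable version in service banner on 443/tcp"},
    {"asset": "web-01", "cve": None, "cvss": 4.0, "source": "network",
     "detail": "expired TLS certificate on 443/tcp"},
    # Seen only from the network: no agent has ever reported this host.
    {"asset": "host-10-0-0-9", "cve": "CVE-0000-0004", "cvss": 6.5, "source": "network",
     "detail": "outdated service banner on 8080/tcp"},
]
# Reachability as recorded by the network scan or the asset inventory.
EXPOSURE = {"web-01": "internet", "db-01": "internal"}


def prioritize(agent_findings, network_findings, exposure):
    """Merge both views per (asset, issue) and return findings sorted by priority.

    Priority = CVSS x exposure weight, +0.5 when both the agent and the network
    scan report the same issue, +2.0 when the asset has no agent coverage at
    all (an un-inventoried endpoint).
    """
    agent_assets = {f["asset"] for f in agent_findings}
    merged = {}
    for f in agent_findings + network_findings:
        # A CVE is the natural key; findings without one (e.g. a certificate
        # problem) are keyed by their description instead.
        key = (f["asset"], f["cve"] or f["detail"])
        rec = merged.setdefault(key, {
            "asset": f["asset"], "cve": f["cve"], "detail": f["detail"],
            "cvss": 0.0, "sources": set(),
        })
        rec["cvss"] = max(rec["cvss"], f["cvss"])
        rec["sources"].add(f["source"])

    ranked = []
    for rec in merged.values():
        weight = EXPOSURE_WEIGHT.get(exposure.get(rec["asset"], "internal"), 1.0)
        score = rec["cvss"] * weight
        if {"agent", "network"} <= rec["sources"]:
            score += 0.5  # confirmed from both vantage points
        rec["uninventoried"] = rec["asset"] not in agent_assets
        if rec["uninventoried"]:
            score += 2.0  # unknown coverage on that host: look at it early
        rec["priority"] = round(score, 2)
        rec["sources"] = sorted(rec["sources"])
        ranked.append(rec)
    ranked.sort(key=lambda r: (-r["priority"], r["asset"], r["detail"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(AGENT_FINDINGS, NETWORK_FINDINGS, EXPOSURE):
        flag = " (no agent: un-inventoried)" if r["uninventoried"] else ""
        print(f'{r["priority"]:>5}  {r["asset"]:<14} {r["cve"] or "-":<14} '
              f'{"+".join(r["sources"]):<14} {r["detail"]}{flag}')
```

The weights are deliberately simple; the point is the structure: one record per asset and issue, with the list of sources that saw it, so that an issue confirmed by both the host view and the network view, or a host with no agent at all, floats to the top of the queue.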
2. Secure Configuration For Cloud Assets
As mentioned earlier, 81% of organizations have a multi-cloud strategy. This is an intentional cloud adoption strategy to prevent inordinate dependency on any one vendor, to take advantage of unique features and to prevent data loss or downtime. However, as a result of using multiple IaaS and PaaS solutions, it becomes increasingly difficult to manage the security of these cloud accounts. This can quickly lead to misconfigured cloud accounts or misconfigured storage buckets. Additionally, for organizations that have invested in aligning their on-prem environment with compliance regulations or standards like CIS, it is just as important that these controls are extended into the cloud. It is therefore crucial that you use a solution that can not only assess your cloud environment for vulnerabilities but can also assess those cloud environments for compliance with standards like the CIS policy. Furthermore, you’ll also want a solution that ensures that all cloud management accounts on the different cloud platforms are securely configured.
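The misconfigured storage bucket is the concrete case behind this section and behind the breach described at the start of the post. The Python below is an added example written for this post; it is not Tripwire's Cloud Management Assessor or any AWS tooling. It implements the kind of CIS-style check a configuration assessor would run against an S3 bucket: are the four Block Public Access settings on, does the ACL grant anything to a public group, and does the bucket policy allow an anonymous principal. The input dictionaries mirror the shape of the boto3 responses for GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy, but the bucket names and settings are constructed and nothing in the block calls AWS.

```python
"""Check S3 bucket configurations for public exposure, CIS-benchmark style.

Added example for this post; not Tripwire's Cloud Management Assessor or
AWS tooling.  Inputs mirror the boto3 response shapes for
GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy; all sample data
below is constructed and nothing here calls AWS.
"""
import json

# ACL grantee groups that make data readable by anyone (AllUsers) or by any
# AWS account holder (AuthenticatedUsers); both count as public here.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def missing_block_flags(pab):
    """Names of the Block Public Access settings that are absent or false."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [f for f in PAB_FLAGS if not cfg.get(f, False)]


def public_acl_permissions(acl):
    """Permissions the bucket ACL grants to a public group."""
    perms = []
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perms.append(grant["Permission"])
    return perms


def _anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Sids of unconditioned Allow statements that apply to an anonymous principal."""
    if not policy or not policy.get("Policy"):
        return []
    statements = json.loads(policy["Policy"]).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(statements)
            if s.get("Effect") == "Allow"
            and _anonymous_principal(s.get("Principal"))
            and not s.get("Condition")]


def audit_bucket(name, pab=None, acl=None, policy=None):
    """Combine the three layers into one verdict for a bucket.

    A public ACL only exposes data while IgnorePublicAcls is off, and a public
    policy only while RestrictPublicBuckets is off, so the result separates
    "effectively public now" from "public as soon as the block is removed".
    """
    missing = missing_block_flags(pab)
    acl_perms = public_acl_permissions(acl)
    policy_sids = public_policy_statements(policy)
    acl_exposed = bool(acl_perms) and "IgnorePublicAcls" in missing
    policy_exposed = bool(policy_sids) and "RestrictPublicBuckets" in missing
    findings = []
    if missing:
        findings.append("Block Public Access incomplete: " + ", ".join(missing))
    if acl_perms:
        findings.append("ACL grants public group: " + ", ".join(acl_perms))
    if policy_sids:
        findings.append("policy allows anonymous principal: " + ", ".join(policy_sids))
    if acl_exposed or policy_exposed:
        severity = "high"
    elif acl_perms or policy_sids:
        severity = "medium"  # exposure present but currently overridden by the block
    elif missing:
        severity = "low"     # nothing exposed, but one careless change away from it
    else:
        severity = "ok"
    return {"bucket": name, "severity": severity,
            "effectively_public": acl_exposed or policy_exposed, "findings": findings}


# Constructed sample buckets (names and IDs are placeholders).
ALL_BLOCKED = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
               "Permission": "FULL_CONTROL"}
SAMPLE_BUCKETS = {
    # World-readable ACL and no block at all: the misconfiguration the post warns about.
    "health-reports-example": {"pab": None, "policy": None, "acl": {"Grants": [
        OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                      "Permission": "READ"}]}},
    # Anonymous-read policy left behind, but the block defuses it for now.
    "backups-example": {"pab": ALL_BLOCKED, "acl": {"Grants": [OWNER_GRANT]},
        "policy": {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "AllowAnyoneRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backups-example/*"}]})}},
    "logs-example": {"pab": ALL_BLOCKED, "acl": {"Grants": [OWNER_GRANT]}, "policy": None},
}


def audit_all(buckets):
    """Audit every bucket and return the results worst-first."""
    order = {"high": 0, "medium": 1, "low": 2, "ok": 3}
    results = [audit_bucket(name, **cfg) for name, cfg in buckets.items()]
    return sorted(results, key=lambda r: (order[r["severity"]], r["bucket"]))


if __name__ == "__main__":
    for r in audit_all(SAMPLE_BUCKETS):
        print(f'{r["severity"]:<6} {r["bucket"]:<24} {"; ".join(r["findings"]) or "-"}')
```

To run this against a real account you would populate the three dictionaries per bucket from the corresponding boto3 calls; the verdict logic stays the same. The medium severity matters in a multi-cloud estate: a bucket that is only safe because an account-level block overrides a public policy is one settings change away from becoming the next exposed data set.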
3. Managed Security Services
Unfortunately, as cloud adoption increases and the attack surface broadens, the technical skills gap continues to grow. Organizations are increasingly challenged with hiring, retaining and training cybersecurity professionals. Recent statistics show that there will be 3.5 million unfilled cybersecurity positions globally by 2021. To help combat the growing attack surface and the growing cyber risk that comes with cloud adoption, it is important that organizations extend their security teams with managed security services. A managed security service can help to grow your vulnerability management maturity, provide the expertise to secure cloud environments and insulate your organization from the technical skills gap. Tripwire has robust solutions to help you extend the same security you have in your on-prem environment to the cloud. Our Cloud Management Assessor helps organizations ensure that their AWS, Azure and Google cloud storage accounts are securely configured and in compliance with the CIS policy. Our vulnerability management solutions, IP360 and Tripwire for DevOps, provide end-to-end vulnerability assessment for images and containers pre-deployment and in production. Our solution will also build agents into the deployment pipeline for virtual images. Lastly, to help you address the technical skills gap, we offer managed security services -- ExpertOps -- for vulnerability management, secure configuration management and file integrity monitoring. With these solutions in place, your organization will be ready to mitigate the risk that arises in an increasingly cloud-first world.