Do You Need Specialized Security Tools to Protect the Cloud?
Most cloud vendors provide their customers with security controls, but are they sufficient to protect critical data? Is there a place on the market for third-party information security solutions focused on protecting cloud data, and what are their strengths and weaknesses? What features of such systems are in demand these days?
Cloud data cybersecurity tools
Let us start with the main questions that arise among corporate users of cloud services:
- Do we really need third-party solutions to secure the cloud?
- Most providers offer their own security tools. Aren’t they enough for us?
- What additional protection do customers who use cloud infrastructure offered by Azure, AWS, or Google Cloud need?
- How are cloud service providers doing in terms of out-of-the-box security?
Most experts observe that security tools built into cloud services often provide only a basic level of protection. Developers of specialized security systems can offer a higher degree of security than default services.
In three to five years, built-in cloud security features are going to improve and hopefully will be enough to keep things safe. However, in the era of digital transformation, as the multi-cloud approach evolves (one company using services from different vendors as well as its own cloud environment), the need for a single solution for managing security issues increases.
Customers choose security solutions based on their business needs. For some of them, the basic level of protection provided by the built-in services may be sufficient; for others, more advanced systems from specialized vendors are required.
According to experts, the largest number of security incidents in cloud environments is caused by users and inexperienced admins. This threat landscape creates the need for additional solutions that let you verify, for example, that access rights are configured correctly in several environments at once. The scope of tasks handled by cloud systems also matters: the more virtual machines a customer has, the more services he uses, and the more accounts he creates, the more critical the need for additional protection becomes.
Another problem is the fragmentation of built-in security tools that solve various tasks within the framework of a single service. An external system may help to correctly configure all the components of cloud protection tools. Besides, in the event of transferring the infrastructure to another service, it may speed up the configuration process.
Here are two main criteria that dictate the need for additional third-party cloud security tools:
- Working in a multi-cloud environment.
- High level of penetration of cloud technologies into the organization’s business processes.
One more question arises: What data do third-party security solutions operate on, and does the cloud provider send them enough accurate telemetry? If the built-in security tools receive more data than is exposed through the API, third-party solutions are at a disadvantage. Another problem in the provider-vendor relationship is the regular change in API specifications.
What cloud services are easier for third-party security vendors to work with?
- What is the best cloud provider to add specialized security solutions to?
The most promising cloud services, from the point of view of developers of additional cloud security products, are those that have a significant market share, understandable documentation, and an API with rich functionality. These are primarily Azure, AWS, and Google Cloud. Alibaba Cloud is catching up with the leaders very quickly. The maturity of the cloud provider is especially important for the security vendor.
How is responsibility shared between the cloud provider, the vendor, and the customer?
Often third-party security vendors depend on the stability and performance of cloud providers. The customer, buying a product or service, pays for the vendor’s involvement — his willingness to quickly solve security problems. The developer cannot guarantee that his solution will protect against all possible threats, but he can guarantee that he will deal with all security problems with full responsibility. By transferring business processes to the cloud, the user shares with the provider the responsibility for the security of data and access to it. Depending on the model (IaaS, SaaS, PaaS), the level of customer responsibility may vary.
What can cloud security services do?
Here are the main features of cloud security solutions:
- Workload Security — protection of the operating system, control of its integrity, antivirus monitoring, and other means of ensuring endpoint machines’ security.
- Network Security — intrusion prevention systems that monitor every incoming packet.
- Cloud storage protection and control systems.
- Protection technologies that are integrated into standard (Office 365 and others) and custom applications.
- Solutions that control the correctness of security settings in public clouds.
There are practically no cloud security solutions on the market for protecting public repositories specializing in storing code (GitHub and others).
The market of solutions aimed at protecting cloud CRM systems is also relatively underdeveloped.
Is it possible to license cloud cybersecurity tools using the pay-as-you-go model?
Working with cloud services involves options for occasional use of the infrastructure provided. For example, a customer can host their systems in the cloud only during periods of high load, and in the off-season use their own hardware. Are vendors ready to meet these customer needs? Can you buy a license for a day, a month, an hour?
Currently, most cloud-based security products have per-minute billing options, where the user only pays for the actual use of the system.
However, annual contracts for renting infrastructure in the cloud are more popular. Some customers are not yet ready to use the pay-as-you-go model.
How to start trusting a cloud provider?
- How to control access to data uploaded to the cloud?
- How can a customer receive information that his confidential data has not fallen into the wrong hands — by legal (by a court decision) or illegal means?
- Security tools can collect telemetry transmitted by a cloud provider, but is there a guarantee that the latter will give all the necessary information?
The most important point in this matter is the creation of a framework for trusting a cloud provider. For these purposes, an audit of the cloud service by the customer or an external consulting company can be used. Besides, a potential client can use specialized surveys and study the provider’s certificates and licenses.
There are also different possible security tools for monitoring the operation of virtual machines and data stored in the cloud. Alibaba Cloud offers Anti-DDoS, Web Application Firewall, Data Encryption Service, Sensitive Data Discovery, and many other security tools.
However, no matter how well the customer wants to protect himself from the provider’s interference, there is always that line beyond which it is necessary to trust your provider. So, it is necessary to learn to trust a cloud provider, and the provider, for its part, needs to develop a sufficient level of authority to earn this trust.
Cloud migration is progressing at an ever-faster pace. Information security issues are becoming paramount for business and government customers who decide to host some of their resources in the cloud. Today, I tried to outline the range of main problems related to third-party cybersecurity tools intended to protect the cloud, figure out what functions of such systems are most popular, and what awaits the market in the future.
About the Author
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.