It’s not always easy to wrap your mind around the various layers of cloud security and how they differ from conventional on-premises computing. Fortunately, we’ve formulated a simple (and delicious) metaphor for your consumption: A pizza dinner.
First, think of conventional on-premises computing as the “at home” version of a pizza dinner. You manage the entire cooking environment: The pizza ingredients, the oven, the electricity or gas, the beverage and the dining table. Nothing is outsourced, everything is made and hosted at home. That’s the “on-prem” version of a pizza dinner.
Now let’s look at the Infrastructure-as-a-service (IaaS) version of the pizza dinner. In this case, you still manage the dining table, the beverage, the oven, and the gas or electric, but a vendor takes care of the ingredients: The dough, sauce, toppings, and cheese. This is the “take and bake” version of cloud security; part of it is managed onsite, and part of it involves a vendor.
Platform-as-a-Service (PaaS) offerings take the process of making a pizza dinner even further out of the kitchen and off your premises. It’s the equivalent of pizza delivered right to your door. You take the pizza, place it on the dining table and grab a beverage, while the vendor takes care of everything else. It’s a largely off-site, vendor-managed experience.
Finally, we have Software-as-a-Service (SaaS) offerings. Here, the vendor takes care of it all: Toppings, drinks, oven, table, electricity, etc. It’s the cloud security equivalent of dining out — everything is handled off-prem.
To extend this metaphor a bit further, “dining out” has never been more popular in the enterprise realm. Cloud migration continues at an aggressive pace, as organizations seek to move forward with digital transformation initiatives.
According to a recent research report cited by Forbes, 83% of enterprise workloads will be either in a public, private or hybrid cloud by the end of 2020, while on-prem workloads decline sharply.
Yet while these projections (and the adoption that has already occurred) leave little doubt about the future primacy of cloud computing, organizational security leaders have one significant reservation: Security. That same research report showed that two-thirds of IT leaders cited security as their greatest concern when pursuing a cloud strategy.
If one reads the headlines, that concern seems well justified. It seems like new, high-profile cloud security breaches come with alarming consistency. Today’s organizations are racing to migrate in order to stay competitive and relying on their security professionals to maintain robust security during this typically challenging period of migration.
Compounding this challenge, cloud environments are growing more complex, attackers are growing more sophisticated, and even one small misconfiguration or endpoint security lapse can endanger the assets that an organization holds most precious.
In other words, dining out for pizza has never been more popular, but you’re going to navigate a few potholes on the way to the restaurant.
Fortunately, defenders have a powerful new tool that helps even the pavement (and the playing field): Breach and attack simulation (BAS) platforms.
How Breach and Attack Simulation Helps Mitigate the Risk of Cloud Cyber Attacks
Here’s the truth about any security environment, cloud or otherwise: Over a long enough time frame, attackers will be able to defeat it. Perfect security does not exist. To deal with this challenge, organizations deploy cloud penetration testing and other tools to determine whether their cloud environments security is up to the task.
Red team/blue team testing is another entrenched approach to maintaining security. These are exercises where ethical hackers (the red team) pose as attackers and attempt to breach an environment, while an opposing group (the blue team) works to defend the environment. By simulating these attack-and-defend scenarios, red and blue teams can work together to provide a clearer picture of organizational security.
This approach has drawbacks, however: It’s manual, reliant on human skill, and resource-intensive. This means these exercises can only be run periodically. In the absence of continuous coverage, undetected vulnerabilities can arise and compromise cloud security.
Breach and attack simulations are designed to take the benefits of penetration testing and red teaming and enhance them by making them automated and continuous. A BAS platform can launch and run attack simulations continuously and identify the defensive measures/remediation steps needed to close any vulnerabilities. BAS platforms allow defenders to shed their reactive posture, assume the mindset of the attacker, and probe for vulnerabilities on a 24/7 basis, making them the gold standard for securing cloud environments and safely managing migration periods.
Simulate Attacks on Amazon Web Services (AWS)
Organizations need a fully automated BAS solution for hybrid cloud environments, as it can simulate attacks on Amazon Web Services, the dominant player in cloud computing.
A BAS simulation solution for AWS cybersecurity addresses one of the critical gaps in cloud security: assessing cloud and on-prem security in a vacuum. To fully protect critical assets, it’s imperative to assess the risks cloud and on-prem pose to each other, and identify and recommend remediation for hybrid environment risks, closing this crucial gap.
AWS public API layer is the layer below the AWS entities which in most cases has broad authorization permission, a sophisticated attacker can leverage them to exploit resources over the cloud.
The right platform must audit AWS configurations via API and use this data to calculate possible attack vectors. By simulating attacks on AWS infrastructure, misconfigurations and other problems — many of the same vulnerabilities that have unleashed a torrent of high-profile cloud security breaches in recent years — can be rooted out.
In the language of our pizza metaphor, you need to be protected not only when you’re dining out but also while you’re traveling to the restaurant.
Creating a simple pizza dinner may be the key to understanding cloud security, but learning how to protect your “pizza” from thieves requires a few added ingredients: automation, continuous monitoring and AWS integration. Find a cloud security solution that offers this unique recipe.
Yohanan Berros, Customer Operation Managers, XM Cyber
PS: This article was originally published by Cyber Defense Magazine.