What You Need to Get Right for Secure IaaS and PaaS
Gartner’s May 2020 market analysis recommends that security and risk management leaders implement the following for a comprehensive IaaS/PaaS security strategy:
- Get identity and access management (IAM) permissions right by using cloud-native controls to maintain least privilege access to sensitive data.
- Encrypt all data at rest using customer-controlled keys.
- Use zero trust network access (ZTNA) and micro-segmentation to reduce risk and contain breaches.
- Scan continuously for unsecure configurations using cloud security posture management (CSPM) tools.
- Capture and analyze all logs using cloud-native threat detection and enterprise security information and event management (SIEM) tools.
Cloud-native deployments and Cloud migrations demand a different Trust Model and a different data protection strategy. Gartner predicts that the vast majority of data breaches in Cloud environments will result from security controls misconfigured by Cloud customers, not from security gaps in the Cloud provider’s services. Implementing comprehensive, centrally managed, consistently applied, fine-grained access controls, data protection (encryption, dynamic masking), accountability, audit trails and advanced User Behavior Analytics (UBA) is essential to addressing each of these recommendations.
Many of the traditional data security and privacy controls organizations have relied on for years no longer apply when migrating to Cloud-based Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) environments. In public Cloud SaaS deployments, user identity and the data itself are the only things organizations still control. With IaaS and PaaS, customers also control the applications, middleware and Virtual Private Cloud (VPC), and with IaaS the guest operating system (OS) as well. Everything else, down to the physical network components, is managed (or dictated) by the Cloud provider.
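What "scan continuously for unsecure configurations" and "encrypt at rest using customer-controlled keys" look like as concrete checks, as an added example that is not SecuPi or Guardicore code: a minimal posture scan over a constructed, simplified inventory. The resource names, the key ARN and the CIDRs are made up for illustration; a real CSPM tool reads the same fields from the provider's APIs. The scan flags public buckets, anything unencrypted at rest, anything encrypted only under a provider-managed key, and security group rules open to the whole internet.

```python
"""Minimal CSPM-style posture checks over a constructed cloud inventory.

Added example, not SecuPi/Guardicore code. The inventory is a simplified,
constructed stand-in for what a CSPM tool pulls from AWS describe-* APIs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory (names, key ARN and CIDRs are illustrative only).
INVENTORY: Dict[str, List[dict]] = {
    "buckets": [
        # Encrypted under a customer-managed KMS key: passes the key check.
        {"name": "finance-data", "sse": "aws:kms",
         "kms_key": "arn:aws:kms:us-east-1:111122223333:key/cmk-1", "public": False},
        # Encrypted, but only with the provider-managed default (SSE-S3): flagged.
        {"name": "logs-archive", "sse": "AES256", "kms_key": None, "public": False},
        # No encryption and publicly readable: two findings.
        {"name": "static-site", "sse": None, "kms_key": None, "public": True},
    ],
    "security_groups": [
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "10.0.0.0/16"}]},
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
    "volumes": [
        {"id": "vol-app", "encrypted": True,
         "kms_key": "arn:aws:kms:us-east-1:111122223333:key/cmk-1"},
        {"id": "vol-scratch", "encrypted": False, "kms_key": None},
    ],
}

# Keys the customer controls; any other key is treated as provider-managed.
CUSTOMER_MANAGED_KEYS = {"arn:aws:kms:us-east-1:111122223333:key/cmk-1"}


@dataclass(frozen=True)
class Finding:
    severity: str
    resource: str
    rule: str
    detail: str


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule reachable from anywhere."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_buckets(buckets: List[dict]) -> List[Finding]:
    findings = []
    for b in buckets:
        if b["public"]:
            findings.append(Finding("critical", b["name"], "bucket-public",
                                    "bucket allows public access"))
        if b["sse"] is None:
            findings.append(Finding("high", b["name"], "no-encryption-at-rest",
                                    "no server-side encryption configured"))
        elif b["kms_key"] not in CUSTOMER_MANAGED_KEYS:
            findings.append(Finding("medium", b["name"], "provider-managed-key",
                                    f"encrypted with {b['sse']} but not a customer-managed key"))
    return findings


def check_security_groups(groups: List[dict]) -> List[Finding]:
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            if is_world_open(rule["cidr"]):
                findings.append(Finding("high", g["id"], "open-to-internet",
                                        f"port {rule['port']} open to {rule['cidr']}"))
    return findings


def check_volumes(volumes: List[dict]) -> List[Finding]:
    findings = []
    for v in volumes:
        if not v["encrypted"]:
            findings.append(Finding("high", v["id"], "no-encryption-at-rest",
                                    "volume is unencrypted"))
        elif v["kms_key"] not in CUSTOMER_MANAGED_KEYS:
            findings.append(Finding("medium", v["id"], "provider-managed-key",
                                    "volume encrypted with a provider-managed key"))
    return findings


def run_checks(inventory: Dict[str, List[dict]]) -> List[Finding]:
    """Run every rule and return the combined findings."""
    return (check_buckets(inventory["buckets"])
            + check_security_groups(inventory["security_groups"])
            + check_volumes(inventory["volumes"]))


def flagged_resources(findings: List[Finding]) -> List[str]:
    return sorted({f.resource for f in findings})


if __name__ == "__main__":
    for f in run_checks(INVENTORY):
        print(f"[{f.severity}] {f.resource}: {f.rule} ({f.detail})")
```

Run against the constructed inventory, only finance-data and vol-app (customer-managed key, not public) and sg-db (private CIDR) come back clean; the other four resources produce five findings. In a real deployment the rules would be evaluated on every inventory refresh and the findings forwarded to the SIEM, or, as the page later describes, used to trigger a segmentation policy.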
SecuPi Powered Centrally Managed IAM
Identity and access management (IAM) strategies must ensure that the right people have access only to the data they need, at the time it is needed. SecuPi Overlays and transparent Gateways deployed across cloud-native workloads ensure that every application used to access sensitive or regulated data, On-Prem or in any Hybrid Cloud environment, consistently anonymizes, filters or masks sensitive data according to the end-user’s and IT admin’s IAM authorizations. Data mobility is further enabled because the policies follow the data wherever it is copied, On-Prem or to hybrid Cloud environments.
SecuPi Overlays installed on Java application servers, and Gateways placed between Qlik / Tableau and their data sources (e.g., Snowflake and Redshift), capture data flows and full data lineage from the various cloud-native sources to the end user or system admin, regardless of the data consumption layer (Java apps, Glue, SageMaker worker nodes, Tableau, Qlik or Lambda functions).
SecuPi policies apply Privileged Access Management (PAM), Role or Attribute Based Access Controls (RBAC/ABAC) using multi-layered dynamic Views based on the user’s Cloud or On-Prem IAM attributes. Detailed data access activity logs can be sent to a Cloud-native SIEM service in real-time for further analysis or event correlation.
Encrypt All Data at Rest Using Customer-Controlled Keys (HYOK) with SecuPi
To close the gap created by cloud service provider admins and other privileged IT users having access to the physical infrastructure, security and risk management leaders must ensure data stored in the public cloud is protected at rest with strong encryption and an effective key management strategy: encryption under customer-controlled keys that are segregated from the Cloud infrastructure. A Hold Your Own Key (HYOK) methodology is the only satisfactory way to achieve this for most Trust Models. Any solution that stores and accesses the keys in the Cloud, including Bring Your Own Key (BYOK), where the customer generates the key but then imports it into the provider’s key management service, does not satisfy this requirement and will be unacceptable under most risk and privacy compliance requirements.
With HYOK, a security breach or incident at the CSP exposes only ciphertext, because the keys never reside in the provider’s infrastructure, and access to encrypted columns at run-time is tightly controlled based on specific end-user attributes and authorizations.
Guardicore Helps You Log and Analyze Everything Using Enterprise SIEM and Cloud-Native Threat Detection Tools
Activity log data is only as valuable as the analysis, reporting, alerting and insight gained from it. Without that analysis, log data is useful only for after-the-fact forensics, and only if and when a potential data breach or security violation is detected or discovered through some other means. The cost of storing and copying large volumes of log data cannot be justified by that minimal value.
A much better approach is to apply advanced User Behavior Analytics (UBA) to all access to sensitive or regulated data in Near Real Time (NRT), automatically alerting on, or blocking, suspicious, anomalous, abnormal or excessive access to regulated data. Roughly 95% of data access is benign, low-risk access to less sensitive data. SecuPi enables organizations to focus on the 5% that matters, fully leverage the value of collected log data, dramatically improve detection of unauthorized or anomalous access, and reduce the cost of collecting and managing activity log data. This data-centric UBA and anomaly detection augments the risk management and reporting capabilities of Cloud Security Posture Management (CSPM) tools, providing an invaluable new perspective.
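The near-real-time, data-centric UBA described above, as an added example that is not SecuPi’s engine: a per-user baseline is built from normal data-access logs (which tables and applications each user touches, and how many rows a typical query returns), and every new access is scored against it. The log format, the users, tables and row counts, the 10x volume threshold and the business-hours window are all constructed assumptions for illustration.

```python
"""Data-centric user behavior analytics over constructed data-access logs.

Added example, not SecuPi code. Log format, users, tables, thresholds and the
business-hours window are constructed assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)
VOLUME_FACTOR = 10             # assumption: flag reads above 10x the user's median row count
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 UTC is normal working time

# Constructed baseline: a few days of normal activity.
BASELINE_LOG = """\
2020-05-04T09:12:03Z user=alice app=tableau table=orders rows=120
2020-05-04T10:40:11Z user=alice app=tableau table=orders rows=95
2020-05-05T09:03:45Z user=alice app=tableau table=orders rows=130
2020-05-05T14:20:09Z user=alice app=tableau table=customers rows=80
2020-05-06T11:15:30Z user=alice app=tableau table=orders rows=110
2020-05-04T08:55:00Z user=bob app=glue table=customers rows=5000
2020-05-05T08:57:12Z user=bob app=glue table=customers rows=5200
2020-05-06T08:56:41Z user=bob app=glue table=customers rows=4900
"""

# Constructed new events to score: one bulk export at 02:14, one user reaching
# a table and application they never used before, two normal accesses.
NEW_LOG = """\
2020-05-07T09:10:00Z user=alice app=tableau table=orders rows=105
2020-05-07T02:14:33Z user=alice app=tableau table=customers rows=250000
2020-05-07T09:00:05Z user=bob app=glue table=customers rows=5100
2020-05-07T13:30:00Z user=bob app=lambda table=payroll rows=40
"""


def parse(log: str) -> List[dict]:
    """Parse log lines; malformed lines are skipped rather than crashing the pipeline."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["rows"] = int(e["rows"])
        events.append(e)
    return events


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per user: tables and apps seen, plus the row counts of each access."""
    base = defaultdict(lambda: {"tables": set(), "apps": set(), "rows": []})
    for e in events:
        b = base[e["user"]]
        b["tables"].add(e["table"])
        b["apps"].add(e["app"])
        b["rows"].append(e["rows"])
    return dict(base)


def score(event: dict, baseline: Dict[str, dict]) -> List[str]:
    """Return the reasons an access is anomalous; an empty list means benign."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no-baseline"]  # first-seen user: always worth a look
    reasons = []
    if event["rows"] > VOLUME_FACTOR * statistics.median(b["rows"]):
        reasons.append("volume")
    if event["table"] not in b["tables"]:
        reasons.append("new-table")
    if event["app"] not in b["apps"]:
        reasons.append("new-app")
    if event["ts"].hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    return reasons


def detect(baseline_log: str, new_log: str) -> List[dict]:
    """Score every new event against the baseline and return only the alerts."""
    baseline = build_baseline(parse(baseline_log))
    alerts = []
    for e in parse(new_log):
        reasons = score(e, baseline)
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"].isoformat(),
                           "table": e["table"], "rows": e["rows"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, NEW_LOG):
        print(alert)
```

Of the four new events, only two raise alerts: alice’s 250,000-row read of customers at 02:14 (volume and off-hours) and bob’s first-ever access to payroll through Lambda (new table and new application). The two routine accesses are dropped, which is the point of the "focus on the 5% that matters" argument: the benign bulk of the log never needs to reach an analyst, and the alert carries the reasons needed to decide whether to block.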
Additional controls to reduce risk and contain breaches are provided by Guardicore Centra, which implements zero trust network access (ZTNA) and micro-segmentation. Zero trust networking refers to the ability to segment networks or isolate network assets and control communications among them, a critical defining characteristic of a Zero Trust strategy. Micro-segmentation offers high-granularity security policies for data center and cloud applications, down to the individual workload, application and user identity.
Guardicore accelerates Zero Trust security adoption & streamlines compliance by providing the fastest and simplest way to segment your critical assets and data, anywhere.
- Surpass the limitations of firewalls, VLANs, and ACLs
- Reveal application flows across the infrastructure
- Gain deep visibility down to the process level
- Segment with a powerful policy engine
- Detect threats faster and simplify response
Guardicore also controls users’ access to workloads and applications with Centra’s user-based policies, by integrating with Active Directory security groups. Based on a user’s membership in those groups, Centra grants different access to different resources, so users reach only what they are entitled to. For example, only the Billing users in your environment can be allowed to access Billing resources, and only the HR users their HR resources. See this video to learn more about Centra’s user-based rules.
Last but not least, by integrating with our ecosystem partners from AWS, Azure, GCP and Oracle for CSPM findings, we can apply ZTNA policies that take action when unsecure configurations are detected. You can also assess your zero trust status with our free, open source Breach and Attack Simulation tool, the Guardicore Infection Monkey: https://www.guardicore.com/2020/02/how-to-assess-your-zero-trust-status-monkey-see-centra-do/
For more information, and to get your extensive white-paper on protecting your IAAS & PAAS environment, please reach out by email to firstname.lastname@example.org