What is cloud network security?
What is the difference between network security and cloud security?
Think of network security as protecting physical assets and cloud network security as protecting services.
Network security focuses on the usability and integrity of a network and its data. It is comprised of multiple layers of defenses at the perimeter and its own policies and controls inside the network. Traditional network security involves buying, installing, and maintaining devices in the datacenter and implementing a plan for data security. The network operator maintains a great deal of control over the environment. The downside is that network security stacks are expensive to implement and operate. They also need to be scaled when demand increases and updated as devices age. And, of course, a staff of security experts is needed to perform all this work.
In cloud network security, the infrastructure is somebody else’s problem. The cloud service provider protects their own infrastructure, right-sizes, updates it as necessary and maintains their own staff. Be aware, however, that customers still have to protect their own workloads.
Different Clouds Require Different Security
Public Cloud Security
In a public cloud, a third-party – the cloud service provider – is responsible for securing the infrastructure. The most popular providers (AWS, Google, and Azure) provide advanced data security controls that include data encryption, monitoring, and access control.
However, that doesn’t mean that their customers don’t have to worry about security. Public clouds use a shared responsibility model, in which the provider is responsible for the infrastructure but the customer is still responsible for securing their own workloads. While these providers offer helpful security tools, customers can still make the mistake of misconfiguring controls, leaving sensitive data in unprotected locations, granting access to the wrong users, or granting too much access to authorized users.
An organization that uses more than one public cloud is running a multi-cloud environment.
Private Cloud Security
A private cloud is a collection of services that are only available to a specific group of users, usually the employees of the organization that operates the private cloud. Users gain the benefits of self-service and access from anywhere, while the network operators gain the benefits of elasticity and scalability – with the caveat that capacity is limited to that which is available on systems possessed by the network operator. Private clouds are more secure than public clouds, but they require the same staffing, management, and maintenance as a traditional network.
Hybrid Cloud Security
A hybrid cloud is a blend of public clouds, private clouds, and often on-premise infrastructure as well. Data, workloads, applications, and services can be shared between the infrastructures, but sensitive data or other critical assets can be kept off the public cloud for added security. Hybrid clouds also accommodate cloud bursting, in which spikes in demands are temporarily supplied by the public cloud when private cloud resources reach peak capacity.
Hybrid clouds add complexity, but they also offer the benefits of greater security as sensitive assets are restricted to the private cloud or datacenter, while regular workloads can run on the less-expensive public cloud.
5 Top Challenges in Cloud Security
“Our Security Strategy? Ummm….”
Because it’s so easy to make changes to elements of a cloud infrastructure, they may not be subjected to a proper change request process. That leads to misconfigurations, which lead to security gaps. Hackers don’t even have to hack to break into enterprises anymore – they use automated tools to search for misconfigured endpoints and they walk on in.
“We’ll Fix That Later”
The ease of spinning new instances causes other problems as well. Businesses with a pressing need add instances without subjecting them to proper testing or equipping them with appropriate security controls. They think they’ll come back to fix them later, but they don’t. The technical debt builds and the environment becomes ridden with holes that nobody knows exist.
“But This Was Supposed to Be Easy”
The cloud is advertised as an easier way to run the technical side of a business, and that’s true in many ways. However, businesses tend to add a lot of security complexity when they don’t have all the information they need. A lack of understanding leads to excess rules, non-compliant applications, and conflicts in security configurations.
“I Thought the Other Guy Did It”
Organizations report difficulties in coordinating security operations consistently across all areas. Communications and collaboration isn’t easy when multiple IT and operations teams with different priorities have to work together – and when one hand doesn’t know what the other is doing, vulnerabilities can be left exposed.
“I Thought the Cloud Vendor Was Doing It”
Inadequate security protocols on the cloud provider’s infrastructure can cause data loss. Never assume a cloud services provider is securing data. It has to be in writing in the service level agreement.
6 Best Practices to Secure Your Cloud
1. Use Zero Trust
Least privilege only allows a user, device, or account to access the parts of a system that are necessary to perform work. That sounds great, but it won’t stop someone using stolen or shared credentials – which is over 80% of hacking-related breaches.
Zero Trust is similar to least privilege, only more stringent. In Zero Trust, access is granted based on content: Who is requesting access, what is the context of the request, and what is the risk of granting the access. A request for access from the CEO’s office is treated the same as a request for access by an API coming from foreign land.
2. Secure all endpoints
A cloud is only as secure as its endpoints, so endpoints need to be as secure as those connecting to on-premise environments. Use a network security automation tool to monitor endpoints, employ an endpoint protection platform, train users on security awareness, and implement a comprehensive security program.
3. Segment the network
Prevent intruders from moving laterally around the network by setting up a lot of network zones – even to the point of segmenting down to individual workloads. This is possible with virtualization, and it can be automated to function properly as the cloud expands and shrinks.
4. Encrypt data
Data should be encrypted whether in transit or at rest. Encryption may be included as part of a cloud provider’s service, but don’t assume it will be adequate for your purposes. Data encryption solutions are available that offer a greater level of security.
5. Back up and test regularly
Enterprises say they back up their data, but if they don’t test their backups regularly, they might as well not have bothered. Just ask Maersk.
6. Plan for business continuity and disaster recovery
Security teams are typically short-staffed on a normal day, and in the haste to resume operations, manual errors are unavoidable. Don’t depend on the knowledge of people who may no longer be available to share it. Use automation and logs to gather insight into how and why recovery tasks are performed.
Simplify Security in Your Complex Environments
The hybrid cloud requires a hybrid solution, but mixed environments are hard to manage, cleanup and audit because poor visibility makes it hard to know what is on the network, where it is, and what rules are associated with each device and endpoint. Complicating matters further, hybrid clouds rarely have centralized security management. This leaves security teams working through multiple consoles to gather disparate data and keep security policies up to date.
The end result? The environment the business chose to help it achieve its goals can end up putting it at risk.
Automated risk analysis and change management eliminates misconfigurations and delivers tight control over the security policies that are essential to your hybrid cloud’s health. FireMon delivers complete visibility and control of your security policy management across your hybrid cloud with real-time situational awareness and continuous compliance of your security policies from a single pane of glass.
*** This is a Security Bloggers Network syndicated blog from FireMon authored by FireMon. Read the original post at: https://www.firemon.com/cloud-network-security-basics-guide/