Defense Vs. Control: The Optimal Approach to Cloud Security

A cloud environment is not a replica of an on-premises network or a data center. Unlike a traditional data center, which is built to a fairly rigid IT architecture blueprint, the cloud gives users the flexibility to architect their own infrastructure and resources, change it over time or move to a different architecture altogether. The way data is transferred and the way systems communicate also differ: in the cloud, applications and services are managed and interact through application programming interfaces (APIs). Vendors expose infrastructure-as-a-service, platform-as-a-service and software-as-a-service APIs through which users connect to the service, transfer data and manage access to the data and systems hosted there. These differences in IT architecture mean a different approach is necessary when considering cloud and network security.

Traditional Network Security Models Don’t Work in the Cloud

Intrusions are one of the most common threats to on-premises networks. Adversaries exploit open ports, vulnerabilities in internet-facing endpoints and similar weaknesses to break into the network. If they succeed, they move laterally toward privileged accounts or critical resources to carry out their attack, and they use slow, low-volume exfiltration tactics to sneak sensitive data out of the network without being detected. Network penetration and slow exfiltration do not disappear in the cloud, but they are no longer the primary route in. With the cloud, an adversary who gains access to the management APIs, typically through a misconfiguration that exposes them, can hijack resources and steer sensitive data to a command-and-control server without ever crossing a network perimeter.

According to the 2021 IBM Security X-Force Cloud Threat Landscape Report, two-thirds of cloud incidents can be attributed to misconfigured APIs that allow unauthorized access. As businesses rush to the cloud, many will likely fall victim to misconfigurations and subsequent breaches in 2022. Gartner expects that through 2023, at least 99% of cloud security failures will be through cloud resource misconfigurations.

What’s the Fix?

Every cloud vendor has its own resource types, configuration attributes, APIs and interfaces. If an organization adopts a multi-cloud environment, the complexity of governing the many APIs and interfaces becomes overwhelming. Setting up cloud policies, controls and configuration attributes isn't a one-time effort. Configuration changes made after deployment, known as drift, can silently reopen access that was locked down at launch and lead to huge data leaks if they are not monitored continuously.

Here are two major ways to reduce these risks:

Get to know your cloud: Most misconfigurations persist because no one is looking at them. Inventory the resources, APIs and communication points in use, and audit security policies and controls continuously rather than once at deployment. Looking out for major changes and checking the legitimacy of each policy change (who made it, from where and whether it was approved) can save you from disastrous misconfigurations.

Get to know your users: Monitor every identity, human and machine, that has access to your cloud resources and data. With increased cloud adoption, malicious API traffic has also increased, so it's important to understand cloud traffic patterns, the services or applications employees use and the source of incoming cloud traffic.
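A compact illustration of both items, added here as an example and not code from the original article or from ManageEngine: a script that (1) audits a resource policy for statements open to any principal, (2) reports drift between an approved baseline and the live configuration of a resource, and (3) reviews control-plane API calls against known identities and trusted networks. The bucket policy, configuration snapshots and CloudTrail-style records are constructed inline so it runs offline; the field names follow the AWS JSON formats, but the user names, CIDRs, bucket name and the list of sensitive API calls are assumptions.

```python
from ipaddress import ip_address, ip_network

# ---- 1. Misconfiguration: resource-policy statements open to anyone ---------

def _principal_is_anyone(principal):
    """AWS resource policies spell "anyone" as "*" or {"AWS": "*"} (or a list with "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def find_public_statements(policy):
    """Return Allow statements that grant access to any principal with no Condition."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be written as an object
        stmts = [stmts]
    return [s for s in stmts
            if s.get("Effect") == "Allow"
            and _principal_is_anyone(s.get("Principal"))
            and not s.get("Condition")]

# ---- 2. Drift: compare the live configuration with an approved baseline -----

def _flatten(d, prefix=""):
    """Turn nested dicts into {"a.b.c": value} so attributes can be compared one by one."""
    out = {}
    for k, v in d.items():
        if isinstance(v, dict):
            out.update(_flatten(v, f"{prefix}{k}."))
        else:
            out[f"{prefix}{k}"] = v
    return out

def config_drift(baseline, current):
    """Return sorted (attribute, baseline_value, current_value) for every difference."""
    b, c = _flatten(baseline), _flatten(current)
    return [(k, b.get(k), c.get(k)) for k in sorted(set(b) | set(c)) if b.get(k) != c.get(k)]

# ---- 3. Activity: who is calling the control plane, and from where ----------

def suspicious_calls(events, known_users, trusted_cidrs, sensitive_apis):
    """Flag calls by unknown identities, from untrusted networks, or that change access.
    Each finding is (eventName, userName, reason)."""
    nets = [ip_network(c) for c in trusted_cidrs]
    findings = []
    for e in events:
        user = e.get("userIdentity", {}).get("userName", "<unknown>")
        src = e.get("sourceIPAddress", "")
        reasons = []
        if user not in known_users:
            reasons.append("unknown identity")
        try:
            if not any(ip_address(src) in n for n in nets):
                reasons.append(f"untrusted source {src}")
        except ValueError:               # e.g. a service name when an AWS service is the caller
            reasons.append(f"non-IP source {src}")
        if e.get("eventName") in sensitive_apis:
            reasons.append("access-policy change")
        if reasons:
            findings.append((e.get("eventName"), user, "; ".join(reasons)))
    return findings

# ---- Constructed sample input (assumed names, not real data) ----------------
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
BASELINE = {"PublicAccessBlock": {"BlockPublicAcls": True, "BlockPublicPolicy": True},
            "Versioning": "Enabled", "Encryption": "aws:kms"}
CURRENT = {"PublicAccessBlock": {"BlockPublicAcls": True, "BlockPublicPolicy": False},
           "Versioning": "Enabled", "Encryption": "AES256"}
EVENTS = [
    {"eventName": "GetObject", "userIdentity": {"userName": "alice"}, "sourceIPAddress": "10.20.30.40"},
    {"eventName": "PutBucketPolicy", "userIdentity": {"userName": "alice"}, "sourceIPAddress": "10.20.30.41"},
    {"eventName": "CreateAccessKey", "userIdentity": {"userName": "svc-deploy"}, "sourceIPAddress": "203.0.113.7"},
]
KNOWN_USERS = {"alice", "bob"}
TRUSTED_CIDRS = ["10.0.0.0/8"]
SENSITIVE_APIS = {"PutBucketPolicy", "DeleteBucketPublicAccessBlock", "CreateAccessKey", "AttachUserPolicy"}

if __name__ == "__main__":
    for s in find_public_statements(SAMPLE_POLICY):
        print("PUBLIC :", s["Sid"], s["Action"], s["Resource"])
    for attr, old, new in config_drift(BASELINE, CURRENT):
        print(f"DRIFT  : {attr}: {old!r} -> {new!r}")
    for name, user, why in suspicious_calls(EVENTS, KNOWN_USERS, TRUSTED_CIDRS, SENSITIVE_APIS):
        print(f"ALERT  : {name} by {user}: {why}")
```

Run as-is it flags the PublicRead statement (the VpcOnly one is left alone because its Condition restricts the caller), reports that BlockPublicPolicy and the encryption setting drifted from the baseline, and raises two alerts: a known user changing a bucket policy, which is worth a legitimacy check even from a trusted network, and an unknown identity creating an access key from outside the trusted ranges. In a real deployment the three inputs would come from the provider's configuration and audit-log APIs rather than from inline constants.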

While visibility, shadow IT and traffic monitoring concerns can be addressed using a robust cloud access security broker (CASB) solution, detecting and fixing misconfigurations across the infrastructure, platform and software hosted on the cloud can be done using cloud security posture management (CSPM) tools. A security information and event management (SIEM) tool, with its behavioral analytics and extended detection and response (XDR) component, can complement CASB and CSPM solutions in ensuring cloud security.

A Unified Console

Organizations are adopting different tools to address security concerns, such as keeping shadow IT in check, stopping malicious API traffic, ensuring that the right security policies and controls are employed and detecting and fixing misconfigurations. When these tools are disjointed and don’t communicate with each other, it adds more complexity. A unified console can seamlessly orchestrate different security events and tools, display applicable metrics that help resolve these issues and is both efficient and cost-effective.

The cybersecurity market has already learned the importance of security tool convergence. User and entity behavioral analytics, which was a standalone component for quite some time, converged predominantly with SIEM. Other security tools, such as threat intelligence platforms, security orchestration, automation and response (SOAR) and XDR are also getting consolidated within the bigger platform, SIEM. Such consolidation helps businesses formulate stronger security strategies and defense systems to keep attackers at bay.

SIEM tools act as a platform where all security data are consolidated and analyzed. Contextual security inputs such as threat feeds, malware data points and vulnerability scanners’ inferences are fed to the system for effective analysis. With an artificial intelligence or machine-learning-based behavioral analytical component, security events are better analyzed and any red flags are spotted more accurately. With an effective SOAR or XDR component integrated with the SIEM tool, incident resolution becomes easier and the security operations center (SOC) can keep track of its key metrics. The cybersecurity market has learned from the past and, with the increase in cloud adoption, tools such as CSPM and CASBs are also taking their place in bigger platforms such as SIEM.


Subhalakshmi Ganapathy

Subhalakshmi Ganapathy, Product Evangelist, IT Security, at ManageEngine, has an extensive background in the cybersecurity industry and product management. She understands the acute needs of enterprises and helps improve their security posture, resolving the technological challenges in the cybersecurity space. Subhalakshmi contributes to the community by guiding enterprises to adopt best practices in incident detection, threat hunting, attack mitigation, and compliance with regulatory mandates.
