Cloud security management for software-as-a-service (SaaS)
In our latest study of cloud application use, we found that organizations use, on average, 1,427 distinct cloud applications [1], most of them software-as-a-service (SaaS) applications such as Microsoft Office 365, Box, and the many other productivity apps that employees sign up for, often without IT approval. For SaaS the division of responsibility is well established: the provider secures the application and the infrastructure it runs on, and you, the customer, are responsible for the security of your data and for who can access it.
Figure 1. Customer responsibility for security in the cloud, software-as-a-service (SaaS).
When your organization uses software-as-a-service applications, you are responsible for data security and access control in every one of them. Managing that security application by application, for hundreds of SaaS applications, is extremely inefficient and in many cases impossible, because the SaaS provider limits what you can actually control. The most common way to manage data security and user access in cloud computing is a Cloud Access Security Broker (CASB). A CASB lets you see all the cloud applications in use and apply security policy across them. With a CASB in place, your security management consists of the following primary tasks:
- View all cloud services in use and assess their risk. A CASB ingests network log data from secure web gateways, firewalls, or security information and event management (SIEM) products to show every cloud service being accessed from your network and managed devices, including the ones employees signed up for without IT (shadow IT). Each service is given a risk rating, so you can decide whether to keep allowing access, restrict it, or block it. Note that log-based discovery only sees traffic that crosses your network or managed devices; access from unmanaged devices on other networks is covered by the API-based and device controls below.
- Audit and adjust native security settings. Many SaaS applications, including Office 365, expose native settings for access and sharing permissions. From a single console you can audit how those settings are currently configured and set policies for the permissions you want enforced across multiple cloud services.
- Use data loss prevention (DLP) to stop sensitive data leaving your control. Some of your intellectual property or regulated data will almost certainly end up in a cloud service like Dropbox. Through an API connection to the service itself, you can classify the data at rest and apply policy to remove, quarantine, or encrypt it. Because the API sees the service's own data store rather than the network path, this applies to all data in the service, whether it arrived from a device or network you manage or from an unmanaged device you cannot see.
- Encrypt data with your own keys. Depending on your risk tolerance, you may not want to rely on the cloud provider's native encryption. With native encryption the provider holds the keys and could, technically, access your data. The alternative is to supply and manage your own encryption keys, which blocks access by any third party while letting authorized users use the application with normal functionality. Check what the provider actually does with a customer-managed key: in many bring-your-own-key arrangements the provider still performs the encryption operations with it, so what you gain is an audit trail of key use and the ability to revoke the key, not complete separation from the provider.
- Block sharing with unknown devices or unauthorized users. One of the most common security gaps in cloud computing is someone signing into a cloud service from an unmanaged device and downloading data without your visibility. To close it, set requirements for the devices that may access data in the cloud services you manage, so that only devices you know can download anything. You can similarly control sharing with unauthorized users by changing their permission or "role" (owner, editor, or viewer) and revoking shared links.
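As an added example (not code from the original page or from any CASB product), the following Python script shows the discovery step of the list above running over a constructed secure-web-gateway log excerpt: it maps each request's host to a small constructed service catalog, treats uncatalogued services as shadow IT with a default high risk score, applies a block threshold, and lists downloads made from unmanaged devices. The log format, the catalog, the risk scores, and the thresholds are all assumptions; a real CASB ships a catalog with thousands of entries and many more risk attributes per service.

```python
import re

# Constructed secure-web-gateway log excerpt (not from any real product).
# Fields: timestamp user src_ip managed_device method host path bytes
SWG_LOG = """\
2024-03-04T09:12:01Z alice 10.1.4.22 yes GET outlook.office365.com /mail 512
2024-03-04T09:13:44Z bob 10.1.4.31 yes POST upload.box.com /api/2.0/files/content 20480
2024-03-04T09:15:02Z carol 192.0.2.77 no GET www.dropbox.com /download/q3-forecast.xlsx 734003
2024-03-04T09:16:10Z dave 10.1.4.51 yes POST freefilehost.example /upload 1048576
2024-03-04T09:17:33Z alice 10.1.4.22 yes GET app.box.com /folder/123 1024
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<managed>yes|no) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<bytes>\d+)$"
)

# Constructed catalog: registered domain -> (service name, risk score 0..10).
CATALOG = {
    "office365.com": ("Microsoft Office 365", 2),
    "box.com": ("Box", 3),
    "dropbox.com": ("Dropbox", 5),
}
UNKNOWN_RISK = 8  # assumption: an uncatalogued service is high risk until reviewed
BLOCK_AT = 7      # assumption: policy threshold above which access is blocked


def parse_log(text):
    """Parse log lines into dicts; malformed lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["bytes"] = int(e["bytes"])
        e["managed"] = e["managed"] == "yes"
        events.append(e)
    return events


def lookup(host):
    """Map a host to a catalog entry by walking up its domain labels,
    so that upload.box.com and app.box.com both resolve to Box."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        key = ".".join(labels[i:])
        if key in CATALOG:
            name, risk = CATALOG[key]
            return name, risk, True
    return host.lower(), UNKNOWN_RISK, False


def discover(events):
    """Aggregate usage per service and attach a risk-based policy decision."""
    services = {}
    for e in events:
        name, risk, known = lookup(e["host"])
        s = services.setdefault(name, {"users": set(), "requests": 0, "bytes": 0,
                                       "risk": risk, "shadow_it": not known})
        s["users"].add(e["user"])
        s["requests"] += 1
        s["bytes"] += e["bytes"]
    for s in services.values():
        s["decision"] = "block" if s["risk"] >= BLOCK_AT else "allow"
    return services


def unmanaged_downloads(events):
    """Downloads (GET requests) made from devices not under management."""
    return [(e["user"], e["host"], e["path"])
            for e in events if e["method"] == "GET" and not e["managed"]]


if __name__ == "__main__":
    evs = parse_log(SWG_LOG)
    for name, s in sorted(discover(evs).items(), key=lambda kv: -kv[1]["risk"]):
        tag = "SHADOW IT " if s["shadow_it"] else ""
        print(f"{tag}{name}: risk={s['risk']} users={len(s['users'])} "
              f"requests={s['requests']} bytes={s['bytes']} -> {s['decision']}")
    for user, host, path in unmanaged_downloads(evs):
        print(f"unmanaged-device download: {user} {host}{path}")
```

The suffix walk in `lookup` matters in practice: SaaS providers use many subdomains per service, and a catalog keyed on exact hosts would report one service as several and miss most of its traffic.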
Cloud security management for infrastructure-as-a-service (IaaS)
Infrastructure-as-a-service (IaaS) resembles the data center and server environments that many IT teams are used to managing in their own facilities. Providers such as Amazon Web Services (AWS) and Microsoft Azure host the physical infrastructure and lease out virtualized networks and operating systems for you to use as your own. With IaaS you take on several additional layers of security compared to SaaS, starting with the virtual network traffic and the operating systems you run.
Figure 2. Customer responsibility for security in the cloud, infrastructure-as-a-service (IaaS).
Platform-as-a-service (PaaS) offerings from the same providers are similar, but come as predefined operating environments in which you run your applications. Most IT teams today use IaaS because it eases the transition from on-premises server environments: they can run the same Linux or Windows Server operating systems they used on-premises, or build cloud-native workloads with containers or serverless functions.
A recent study found that 50% of organizations use more than one IaaS vendor [2], choosing not just AWS but also Microsoft Azure or Google Cloud Platform, each for its particular ability to support different project requirements. Managing security for IaaS therefore presents a challenge similar to SaaS: security policy has to be applied across multiple cloud service providers, each with its own native settings to configure. The most common approach is a Cloud Workload Protection Platform, which adds a layer of security management above the providers, much as a CASB does, but suited to protecting networks, operating systems, and applications. With a Cloud Workload Protection Platform, your cloud security management can encompass the following tasks:
- View all infrastructure in use across multiple providers and assess its current security configuration. By connecting account credentials for your IaaS providers like AWS and Azure, you can see every cloud workload being created and assess its security policy. Connect the platform with read-only, least-privilege credentials (a dedicated IAM role or service principal rather than an administrator account), since those credentials become a high-value target in their own right. Connecting to a virtual data center running VMware also gives you a "private cloud" view.
- View your network traffic and control it at the virtual machine (VM) level. In a fully virtualized environment like AWS, traffic flows in and out from the public internet and also between your VMs in the cloud (east-west traffic). You need to see both, scan for malicious access, and set policy at the VM level (micro-segmentation) so that each VM accepts only the traffic its role requires and you have fine-grained control over specific assets.
- Harden your workloads with whitelisting. Most workloads running in IaaS have a single purpose and rarely change. Rather than allowing any new application to run on your operating systems, whitelist (allowlist) only what you need and default-deny everything else. This stops malware that depends on dropping and running a new executable; it does not stop attacks that run entirely in memory or that abuse the whitelisted binaries themselves, so treat it as one control among several.
- Stop fileless attacks that target operating system memory. If you default-deny all new files on your operating systems, the main remaining gap is memory exploits, which bypass the whitelist because they never write an executable to disk. Memory exploit prevention, delivered as part of the agent you deploy to your workloads, monitors for these techniques (e.g., buffer overflow exploitation) and stops them before the injected code executes.
- Deploy agent-based security as code, using DevOps tools. The last thing you want in a cloud environment is to bolt agent-based security on after workloads have been deployed, leaving you in permanent catch-up mode. Instead, deploy the agents through tools like Chef or Puppet, as code, in the same package as the workload itself. Once you have settled on the security configuration, export it from the Cloud Workload Protection Platform management console and hand it to your DevOps or infrastructure teams to include in their deployment pipeline, so that every new workload comes up already protected.
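To show what "assess its current security configuration" and VM-level network policy look like in practice, here is an added Python example (not from the original page or from any Cloud Workload Protection Platform) that checks constructed security-group definitions, written in the shape of AWS `describe-security-groups` output, for two classes of problem: administrative ports reachable from the internet, and east-west rules that open every port to a whole private range or peer group instead of only the ports that tier serves. The group names, rules, the admin-port list, and the 1024-port "wide" threshold are assumptions.

```python
import ipaddress

# Constructed security-group definitions in the shape of AWS
# `describe-security-groups` output (trimmed). Not real accounts or rules.
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-app", "GroupName": "app-tier", "IpPermissions": [
        # "-1" means all protocols; AWS omits FromPort/ToPort on such rules
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
    {"GroupId": "sg-db", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ]},
]

# Ports that should never be reachable from the internet (assumed list).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}
WIDE_RANGE = 1024  # assumption: a rule spanning this many ports counts as "wide open"
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internet(cidr):
    """True unless the CIDR lies entirely inside an RFC 1918 private range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in RFC1918)


def rule_ports(rule):
    """Port span covered by a rule; protocol -1 covers every port."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def assess(groups):
    """Return (severity, group id, message) findings for each risky rule."""
    findings = []
    for g in groups:
        for r in g["IpPermissions"]:
            lo, hi = rule_ports(r)
            cidrs = [x["CidrIp"] for x in r.get("IpRanges", [])]
            peers = [x["GroupId"] for x in r.get("UserIdGroupPairs", [])]
            exposed = [c for c in cidrs if is_internet(c)]
            wide = hi - lo + 1 >= WIDE_RANGE
            admin = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
            if exposed and admin:
                findings.append(("HIGH", g["GroupId"],
                                 f"{'/'.join(admin)} on {lo}-{hi} open to {','.join(exposed)}; "
                                 "restrict to a bastion or corporate egress range"))
            elif exposed and wide:
                findings.append(("HIGH", g["GroupId"],
                                 f"ports {lo}-{hi} open to {','.join(exposed)}"))
            # East-west: a wide rule from a private range or peer group defeats
            # micro-segmentation even though nothing is internet-facing.
            if wide and (peers or (cidrs and not exposed)):
                src = ",".join(peers + cidrs)
                findings.append(("MEDIUM", g["GroupId"],
                                 f"east-west rule allows ports {lo}-{hi} from {src}; "
                                 "micro-segment to the ports this tier actually serves"))
    return findings


if __name__ == "__main__":
    for severity, group, msg in assess(SECURITY_GROUPS):
        print(f"[{severity}] {group}: {msg}")
```

In the sample, `sg-db` admitting MySQL only from `sg-app` is the micro-segmentation pattern the list describes and produces no finding; the same port open to the internet on `sg-web`, or all ports open to all of 10.0.0.0/8 on `sg-app`, is what the checker flags. The same logic, run from a pipeline stage before deployment, is the "security as code" check rather than an after-the-fact audit.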
Managing SaaS and IaaS together
While SaaS and IaaS have different security requirements, they overlap in the assessment of security configuration, access control, and data protection. Depending on your team structure, these shared elements of cloud security can be managed from a single Cloud Access Security Broker (CASB) covering both IaaS and SaaS.
Cloud computing is all about moving your organization faster, since so many tasks are taken care of by the cloud provider. Scaling to a worldwide customer base or all of your employees is generally seamless, and allows for business acceleration. Choose your approach to cloud security management to best meet your risk tolerance, and ensure your most critical data remains secure, so you can reap the benefits of the cloud without compromise.