Three Generations of Cloud Security Evolution
Posted by: Jonathan Villa
Cloud computing, and in turn cloud security, is continuously evolving. Years ago, it was about moving to the cloud, whereas now it’s more about Cloud 2.0, with a focus on cloud observability, integrating multiple layers, and the security strategies employed by organizations. This article will look at the three generations of cloud security technology, both from a vendor perspective and in terms of cloud-native capability. Understanding how the services evolved and why they were developed is essential to understanding your current state and making informed decisions when purchasing or adopting cloud security technology.
The Early Adopters
In what we’ll refer to as Generation I, these early cloud adopters were just figuring things out as they built their environments. Cloud computing, being an API-driven infrastructure, enabled anyone with programming or application development experience to write code that requests information (metadata) and processes the responses. It was incumbent on the teams who leveraged the cloud to use these APIs to build tools for themselves in order to understand the overall security posture of their cloud footprint.
These “in-house” tools were useful, but let’s be honest: they were fairly basic. As these solutions improved over time, they could ultimately provide continuous compliance and visibility into a public cloud environment’s current state. During this first generation, security was focused on network security and configuration best practices.
From a services perspective, once an instance was launched, it was live on the internet. The introduction of virtual private clouds improved the secure usage of the native cloud compute services available at the time, as you could now create your own private zones with centralized ingress and egress points. However, egress traffic would leverage NAT Gateways, which offered limited functionality beyond centralizing outbound response traffic or initiating new outbound connections. While that design pattern was functional, there weren’t many options available to create a centralized point of egress that provided the inspection and analysis needed from a security perspective. The cloud service provider made some network traffic information available, but not the deep packet inspection required for threat analysis. It was simple, high-level visibility into the traffic flow between your hosts, with basic insight into traffic traveling north to south.
During this time, a new perimeter formed that many did not recognize as a perimeter: the highly privileged role of the cloud identity. Although not widely implemented, one positive capability provided by the Cloud Service Providers was a means to control and centralize access by supporting federated identities. However, there remained a wide gap between authorization security as practiced and the security fundamental of least privilege. And so this leads us into generation two.
The Enlightened
This period is when some began to understand that despite the strength of network security in the cloud and deploying secure configurations at the cloud management layer, more analysis was needed at the cloud provider API layer. While API logs were being captured to monitor and report on cloud activity, the analysis was not in-depth. Platforms that leveraged machine learning started to surface, informing cloud customers of anomalies within their environments. This helped cloud customers recognize that they also needed to emphasize securing their cloud platforms in addition to their workloads and network.
Additionally, new serverless architectures were introduced, causing a significant shift for those accustomed to checking off the boxes for anti-virus, IDS, IPS, and standard server hardening. This generation of cloud security platforms arose because even in a serverless environment, the API logs were being recorded and analysis was needed. This meant that in settings where only cloud PaaS offerings were used, capturing and analyzing the activity of a cloud customer’s environment was possible.
Cloud Everywhere
It’s impressive to see where we are today in the architecture and operations of cloud environments—both from a business solution and a security perspective. Today we have containers, serverless, infrastructure-as-code, platform-as-a-service, deployment and management of third-party infrastructure solutions, and more becoming available at a rapid pace. DevSecOps patterns have matured to automate and secure the complete lifecycle from development to infrastructure, and they include the operations pipeline with security at its core. For example:
- Developers have the tools to build and deploy secure cloud infrastructure across multiple cloud providers.
- Site Reliability Engineers provide the building blocks to leverage infrastructure-as-code to build massively scalable architectures.
- Firewall administrators are deploying and managing cloud-native appliances within the CI/CD process (a nod to “shift-right” in moving more automation to the traditional security solutions).
Conclusion
Despite the growing maturity of cloud security as a dedicated discipline, customers are often left asking which is more effective: cloud-native services or third-party solutions. There are now third-party cloud security platforms with new features and capabilities, mature and cost-effective native cloud security services, and traditional security platforms that have introduced new capabilities and first-class support for the public cloud.
While all of these tools are great and the trajectory shows constant maturity, do we understand what we’re looking at? For example, we can get terabytes of data into a SIEM, but we need to know what we are looking for: what are the indicators of compromise within an API-driven infrastructure?
Another aspect of security maturity in the public cloud is how cloud customers have adopted event-driven security. More cloud customers are employing preventative and corrective measures than ever before. It can be said that adoption of the event-driven approach has matured alongside cloud security technology efforts, partly because solution providers have evolved through each of the generations mentioned earlier.
Cloud security continues to evolve, and it has required a different way of thinking, not only from a cloud customer’s perspective but also from vendors and the cloud service providers. Those that have been the most successful have retrained their problem-solving approach during each of these generations. As cloud continues to evolve, the ability to quickly adapt to the changing landscape will ensure success for many customers and vendors.
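To make the two threads above concrete (the highly privileged cloud identity as a perimeter, and event-driven preventative and corrective measures driven by API logs), here is a small added example that is not part of the original article. It evaluates constructed CloudTrail-style API audit records against an assumed least-privilege baseline; the account number, role names, addresses and baseline are all made up for illustration.

```python
import ipaddress
import json

# Constructed CloudTrail-style API audit records (made-up account, roles and IPs).
SAMPLE_LOG = """\
{"eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ReadOnlyAudit"},"sourceIPAddress":"10.0.1.5"}
{"eventName":"PutBucketPolicy","userIdentity":{"arn":"arn:aws:iam::111122223333:role/AdminBreakGlass"},"sourceIPAddress":"203.0.113.9"}
{"eventName":"CreateUser","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ReadOnlyAudit"},"sourceIPAddress":"10.0.1.5","errorCode":"AccessDenied"}
{"eventName":"GetBucketLocation","userIdentity":{"arn":"arn:aws:iam::111122223333:role/AdminBreakGlass"},"sourceIPAddress":"10.0.1.7"}
"""

# Assumed least-privilege baseline per role: the API calls it is expected to make and
# the network it is expected to call from. The break-glass admin role should never be used.
BASELINE = {
    "role/ReadOnlyAudit": ({"DescribeInstances", "GetBucketLocation"}, ipaddress.ip_network("10.0.0.0/8")),
    "role/AdminBreakGlass": (set(), ipaddress.ip_network("10.0.0.0/8")),
}

def evaluate(event):
    """Classify one API event against the baseline and name the response to take."""
    role = event["userIdentity"]["arn"].split(":")[-1]
    action = event["eventName"]
    if event.get("errorCode") == "AccessDenied":
        # A preventative control (the IAM policy) already blocked the call; keep it for alerting.
        return {"role": role, "action": action, "verdict": "prevented", "response": "alert"}
    if role not in BASELINE:
        return {"role": role, "action": action, "verdict": "unknown-identity", "response": "alert"}
    allowed, net = BASELINE[role]
    src = ipaddress.ip_address(event["sourceIPAddress"])
    if action in allowed and src in net:
        return {"role": role, "action": action, "verdict": "expected", "response": "none"}
    # Corrective measure is stronger for a highly privileged identity (the new perimeter).
    response = "revoke-sessions" if role.startswith("role/Admin") else "alert"
    return {"role": role, "action": action, "verdict": "deviation", "response": response}

def process(log_text):
    """Run every newline-delimited JSON record through evaluate()."""
    return [evaluate(json.loads(line)) for line in log_text.splitlines() if line.strip()]

if __name__ == "__main__":
    for finding in process(SAMPLE_LOG):
        print(finding)
```

In a real deployment the same function would sit behind an event trigger on the audit log stream, and the "response" value would map to an automated action rather than a string.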
Jonathan Villa
Practice Director - Cloud Security,
GuidePoint Security
Jonathan Villa has worked as a technology consultant since 2000 and has worked in the information security field since 2003. For more than 10 years, Jonathan worked with a large municipality as a senior consultant in several competencies including PCI compliance and training, web application architecture and security, vulnerability assessments and developer training, and web application firewall administration. Jonathan also co-architected and managed an automated continuous integration environment that included static and dynamic code analysis for over 150 applications deployed to several distinct environments and platforms.
Jonathan has worked with virtualization and cloud technologies since 2005, and since 2010 has focused primarily on cloud security. Jonathan has worked with clients in various verticals across North America, South America and Asia to design and implement secured public and hybrid cloud environments, integrate security into continuous integration and delivery methodologies and develop custom application and security solutions using the AWS SDK. He has also provided guidance to customers in understanding how to manage their environments under the Shared Responsibility Model.
In addition to providing PCI training, Jonathan has also presented to law enforcement on cybersecurity and was a speaker at the Cloud Security Alliance New York City Summit. Jonathan holds the following certifications: CISSP, CCSP, C|EH, PCIP, AWS Certified Solutions Architect – Professional, AWS Certified SysOps Administrator, AWS Certified Developer, AWS Certified DevOps Professional and Security+, as well as the CSA Certificate of Cloud Security Knowledge.