Cloud Security 101

David Puzas - April 22, 2021

What is Cloud Security?

Cloud security, also called cloud computing security, is the protection of everything within a cloud environment: the cloud infrastructure, the data stored in it and the applications running on it.

Types of Cloud Environments

Cloud environments fall into three categories: public, private or hybrid. Each cloud platform serves the same purpose — to share computing resources across a network and enable the delivery of cloud-based services.

A public cloud delivers and supports technology services over the public internet through a third-party cloud provider. Access is sold on a subscription basis in models such as Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS). Prominent public cloud providers include Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure.

Private clouds serve the same purpose as public clouds but are dedicated to just one customer. They provide a cloud infrastructure for exclusive use by one business, organization or government entity. Because the private cloud is not shared with any other users, this type of network tends to provide far greater control, privacy and security — as long as the user has adopted a comprehensive security strategy specifically designed for the cloud.

With a hybrid cloud model, organizations can often combine the cost savings of a public cloud with a higher level of security for select functions in a private cloud. For example, a company can run high-volume, low-risk activity, such as hosting web-based applications like email or instant messaging, in the public cloud, while reserving the private cloud for functions that require more protection, such as processing payments or storing personal data.

How Cloud Security Works

Cloud security often follows what is known as the “shared responsibility model.” A cloud service provider (CSP) — the business or entity that provides infrastructure as a service — must monitor and respond to security threats related to the cloud’s underlying infrastructure.

Meanwhile, end users, including individuals and companies, are responsible for protecting the data and other assets they store in the cloud from theft, leakage or other means of compromise.

[Figure: cloud security shared responsibility model]

For organizations that use a cloud-based model or are transitioning to the cloud, it is important to develop and deploy a comprehensive security strategy that is specifically designed to protect and defend cloud-based assets.

3 Core Principles of Cloud Security

The benefit of cloud computing is also its main drawback: Users can access cloud environments from anywhere with an internet connection — but so can cybercriminals and adversaries.

For businesses shifting to a cloud-based model, security is a top concern. Organizations must design and implement a comprehensive security solution to protect against an expanding array of threats and increasingly sophisticated attacks within the cloud environment. To do this, a cloud security strategy should adhere to the following principles:

1. Focus on the Adversary

In all areas of security, including the cloud, it is critical to understand your adversaries and their modus operandi: who they are, what they want, what they must accomplish to get it and how that maps to an attack surface. CrowdStrike has observed that many of the same adversaries are active in the cloud and in other parts of the IT landscape.

The difference is that the cloud offers adversaries the opportunity to use a new set of tactics, techniques and procedures (TTPs).

CrowdStrike continues to research these cloud-native threats and has found that TTPs are maturing for AWS users and emerging across Google Cloud Platform (GCP) and Microsoft Azure. Most current techniques involve adapting traditional attack modes for the cloud, although cloud-only techniques are likely to emerge in the hands of sophisticated adversaries.

Current state-of-the-art techniques include:

  • Attack tools and post-exploitation frameworks: These are now available for public cloud providers, with software such as Pacu and Barq that can abuse IAM for privilege escalation or use Lambda functions for persistence and evasion.
  • S3 ransomware: There is published research on S3 ransomware, which could theoretically be extended to any cloud service that offers bring-your-own-key and easy key rotation, since those services could be vulnerable in the same way.
  • Traffic sniffing: Some public cloud providers have recently introduced capabilities in network mirroring, which in addition to improving network monitoring can also allow new paths for packet sniffing and bulk data exfiltration.

Staying informed about these threats can be challenging. That is why having strong partners for threat and situational intelligence helps. Third-party testing, internal red teaming and bug bounty programs are also valuable when implementing an adversary-focused approach.

2. Reduce the Risk of Exposure

CrowdStrike strives to drive down the risk of exposure, so that it is limited to what is needed to run the business. This includes continually searching for and removing unnecessary attack surfaces. As an organization, CrowdStrike cultivates a “security first” culture that is embraced at all levels of the company — from the C-suite to the newest engineer.

Examples of tactics CrowdStrike uses to reduce the attack surface include:

  • Segmenting where possible to reduce the potential blast radius of an attack. This means using different cloud accounts, virtual private clouds (VPCs), subnets and roles for different types of workloads, and avoiding overlap between production, development and integration workloads.
  • Using cloud-native encryption where available for data in flight and at rest, and being proactive about ciphers, protocols, keys and certificates — including maintaining a suite of internal tools to help.
  • Securing earlier in the process — a practice also known as “shift left” — by implementing tools, automation and standards that make it easy for engineers to follow the desired security behavior. These tools reduce developer friction and make it less likely that unsafe or default configurations will be used.
  • Using MFA where available, and hardware tokens for high-impact environments such as GovCloud deployments.
  • Proactively maintaining good IT hygiene by automatically discovering the cloud workload footprint.

3. Monitor the Attack Surface

Always look for ways to improve visibility into the necessary attack surface. This makes it more challenging for adversaries to hide and also drives up their attack costs. The CrowdStrike Falcon platform provides comprehensive visibility across CrowdStrike’s cloud infrastructure. In fact, the cornerstone of CrowdStrike’s internal cloud visibility strategy can be summed up as “Falcon everywhere.”

This approach consists of deploying the Falcon agent on all cloud workloads and containers and employing the Falcon OverWatch team to proactively hunt for threats 24/7. In addition, CrowdStrike uses cloud-native indicators of attack (IOAs), analyzes machine learning (ML) patterns and performs free-form threat hunting, looking for hands-on-keyboard activity by adversaries within CrowdStrike’s cloud workloads and control plane.

This level of visibility coupled with proactive threat hunting has allowed CrowdStrike to detect subtle, nearly imperceptible behaviors with uncanny accuracy, such as an incident in which an adversary was probing for the existence of certain S3 buckets. Those buckets were not publicly accessible, and they were named in a way that made using brute force impossible, which prompted CrowdStrike analysts to investigate how the adversary could have obtained a list of the S3 buckets.

After considerable research, CrowdStrike intelligence sources surmised that the adversary was probably pulling S3 bucket names from sampled DNS request data they had gathered from multiple public feeds. That type of data is easily obtained by accessing resources from public Wi-Fi. The lesson here is that the adversary sometimes has more knowledge of and visibility into an organization’s cloud footprint than you might think.
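As an added example that is not part of the original post, the following Python detector looks for the probing behaviour described above in CloudTrail-style S3 events: one source address being refused access to many distinct buckets within a short window. The events, bucket names and IP addresses are constructed for the example, and the call list, error list and thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style S3 events (CloudTrail field names; bucket names and IPs made up).
# 203.0.113.7 walks bucket names it has no business knowing; 10.0.1.5 mistypes one bucket name.
EVENTS = [
    {"eventTime": "2021-04-01T10:00:00Z", "eventName": "GetBucketLocation", "sourceIPAddress": "203.0.113.7",
     "errorCode": "AccessDenied", "requestParameters": {"bucketName": "acme-prod-backups"}},
    {"eventTime": "2021-04-01T10:00:30Z", "eventName": "GetBucketLocation", "sourceIPAddress": "203.0.113.7",
     "errorCode": "NoSuchBucket", "requestParameters": {"bucketName": "acme-cust-exports"}},
    {"eventTime": "2021-04-01T10:01:10Z", "eventName": "ListObjectsV2", "sourceIPAddress": "203.0.113.7",
     "errorCode": "AccessDenied", "requestParameters": {"bucketName": "acme-finance-reports"}},
    {"eventTime": "2021-04-01T10:03:45Z", "eventName": "GetBucketAcl", "sourceIPAddress": "203.0.113.7",
     "errorCode": "AccessDenied", "requestParameters": {"bucketName": "acme-hr-data"}},
    {"eventTime": "2021-04-01T13:00:00Z", "eventName": "GetBucketLocation", "sourceIPAddress": "203.0.113.7",
     "errorCode": "NoSuchBucket", "requestParameters": {"bucketName": "acme-legal"}},  # hours later, alone
    {"eventTime": "2021-04-01T10:02:05Z", "eventName": "ListObjectsV2", "sourceIPAddress": "10.0.1.5",
     "errorCode": "NoSuchBucket", "requestParameters": {"bucketName": "acme-prod-backup"}},
]

# Bucket-level calls that reveal whether a bucket exists or is readable, and the error codes
# that mark a refused attempt (assumed lists; extend for your environment).
PROBE_CALLS = {"GetBucketLocation", "GetBucketAcl", "GetBucketPolicy", "ListObjects", "ListObjectsV2"}
PROBE_ERRORS = {"AccessDenied", "NoSuchBucket"}


def find_bucket_probing(events, min_buckets=3, window=timedelta(minutes=10)):
    """Return {source_ip: sorted bucket names} for every source address refused access to
    at least `min_buckets` distinct buckets within any `window`-long span."""
    refused = defaultdict(list)  # source IP -> [(timestamp, bucket), ...]
    for ev in events:
        if ev.get("eventName") not in PROBE_CALLS or ev.get("errorCode") not in PROBE_ERRORS:
            continue
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if bucket:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            refused[ev["sourceIPAddress"]].append((ts, bucket))
    hits = {}
    for ip, attempts in refused.items():
        attempts.sort()
        flagged, start = set(), 0
        # Slide a time window over the ordered attempts; keep every window that touches
        # enough distinct buckets to look like enumeration rather than a typo.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {b for _, b in attempts[start:end + 1]}
            if len(distinct) >= min_buckets:
                flagged |= distinct
        if flagged:
            hits[ip] = sorted(flagged)
    return hits
```

The isolated refusal hours later is deliberately not reported, which is the behaviour that keeps a single mistyped bucket name from paging anyone.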

What makes Cloud Security Different?

The Cloud is Dynamic

Providers and consumers of cloud services are moving fast, with dozens of new cloud-native services introduced each year. These services are often aimed at busy developers who are focused on keeping friction low and velocity high.

While most security teams understand their roles in the shared responsibility model, it can be difficult for them to keep up with the changing landscape. Even companies with a strong security program and demonstrated expertise can be at risk of not having sufficient security.

For example, a large financial services company with sophisticated cloud security capabilities suffered a breach involving its cloud infrastructure, even though it had previously contributed to an open-source cloud security toolkit. Since the cloud is dynamic, the tools used to secure it must be dynamic and portable in order to work in multi-cloud environments.

Multi-Cloud Environments and Varied Workloads

Attacks can traverse multiple planes and involve different types of workloads. The attack against the financial services company involved tactics that spanned traditional web applications, endpoints and cloud-native resources. Reports about the data breach mentioned that an application flaw was exploited to pull a temporary station-to-station (STS) key from the underlying host’s EC2 (Amazon Elastic Compute Cloud) metadata service. The key was then used externally to access sensitive cloud resources including S3 buckets.
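As an added example (not from the original post), this Python check implements the detection a defender wants for the scenario just described: temporary credentials issued to an EC2 instance role being used from an address outside the organization's own egress ranges. The CloudTrail-style events, account id, role names and the KNOWN_EGRESS ranges are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed: the addresses the organization's VPCs egress from (NAT gateways, proxies).
# An instance-role call from anywhere else means the credential has left the instance.
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed CloudTrail-style events (CloudTrail field names; account, roles and IPs made up).
# EC2 instance-profile sessions carry the instance id as the role-session name in the ARN.
INSTANCE_ARN = "arn:aws:sts::111122223333:assumed-role/web-app-role/i-0123456789abcdef0"
EVENTS = [
    # Normal: the web tier reading config through the VPC's NAT address
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.12",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN}},
    # Suspicious: the same instance session, but the calls originate from an unrelated address
    {"eventName": "ListObjectsV2", "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN}},
    # Benign: an administrator's own role session from outside; not an instance credential
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/admin/alice"}},
]


def is_instance_session(user_identity):
    """True for assumed-role sessions whose session name is an EC2 instance id (i-...)."""
    if user_identity.get("type") != "AssumedRole":
        return False
    session = user_identity.get("arn", "").rsplit("/", 1)[-1]
    return session.startswith("i-")


def find_exfiltrated_instance_creds(events, known_egress=KNOWN_EGRESS):
    """Return {session ARN: sorted (source IP, API call)} for instance-role credentials
    used from any IP outside `known_egress`."""
    hits = defaultdict(set)
    for ev in events:
        identity = ev.get("userIdentity", {})
        if not is_instance_session(identity):
            continue
        try:
            src = ipaddress.ip_address(ev["sourceIPAddress"])
        except ValueError:
            continue  # AWS service principals appear as DNS names, not addresses
        if not any(src in net for net in known_egress):
            hits[identity["arn"]].add((ev["sourceIPAddress"], ev["eventName"]))
    return {arn: sorted(calls) for arn, calls in hits.items()}
```

Requiring IMDSv2 on the instances (`aws ec2 modify-instance-metadata-options --http-tokens required`) is the preventive counterpart: an application flaw that can only issue a plain GET can then no longer fetch the role credentials from the metadata service.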

CrowdStrike investigated an incident that started with an insider threat, with the perpetrator running an exploit on Amazon Web Services (AWS) resources. Leveraging a vulnerability in AWS, the attacker was able to obtain data that was stored in S3 buckets. CrowdStrike expects attacks involving multiple types of workloads and the cloud to become more common going forward.

The visibility needed to see an attack that traverses from an endpoint to different cloud services is not possible with siloed security products that focus on a single niche. Only endpoint and cloud-native security tools working together can see attacks of that nature.

Organizations often have more than one cloud to support. Companies running workloads in the public cloud look to improve reliability and availability by adopting a multi-cloud strategy. While that is a step in the right direction, these companies are finding that not every cloud vendor offers the same security features.

Security Control Differences Can Lead to Misconfigurations

Security controls differ from cloud to cloud. Even when cloud service providers offer a similar set of security controls, their behaviors and implementations can vary. Even elements as simple as the log trails needed to support threat hunting, and the design patterns for retrieving them, vary from cloud to cloud.

These variations make for a steep learning curve, with each public cloud provider offering different sets of security controls. Default configuration settings also vary by provider. Even where there is some overlap, there are different implementations and nuances to deployment. Until organizations become proficient at securing all of their different clouds, adversaries will continue to take advantage of misconfigurations.

CrowdStrike’s Cloud Security Solutions

Stopping breaches using cloud-scale data and analytics requires a tightly integrated platform. Each of the following functions plays a crucial part in detecting modern threats, and must be designed and built for speed, scale and reliability.

Modern cloud security goes beyond ad-hoc approaches by unifying everything you need in a single platform:

  • Falcon Horizon (CSPM): Falcon Horizon automates the identification and remediation of risks across cloud infrastructures, including IaaS, SaaS, and PaaS.
  • Falcon Cloud Workload Protection: Falcon Cloud Workload Protection provides visibility and protection against advanced threats while integrating seamlessly with DevOps and CI/CD pipelines, delivering an immutable infrastructure that optimizes cloud resources and ensures applications are always secure.
  • Falcon Container Security: Falcon Container Security continuously protects containers from vulnerabilities. This includes the container pipeline, deployment infrastructure, and supply chain.

Get to Know the Author

David Puzas is a proven cybersecurity, cloud and IT services marketer and business leader with over two decades of experience. He has been charged with building client value and innovative outcomes for companies such as CrowdStrike, Dell SecureWorks and IBM and for their clients worldwide. He focuses on the optimization of computing innovation, trends, and their business implications for market expansion and growth. David is responsible for strategically bringing to market CrowdStrike’s global cloud security portfolio as well as driving customer retention.