
How to integrate risk-based security with your cloud-native infrastructure

Risk-based security in cloud-native infrastructure allows you to reap the benefits of the cloud while protecting data and assets. Here's how.

Roy Horev | April 19, 2022

Cloud-native infrastructures take advantage of everything cloud computing has to offer: distributed architecture, scalability, flexibility, and the ability to abstract multiple layers of infrastructure so that it can be defined in code. Relying on automation, this code-based configuration approach offers numerous benefits:

  • Easy-to-manage infrastructure
  • Ability to turn features on and off as needed
  • Greater accuracy
  • Improved speed
  • Continuous delivery
  • Enables customers to meet their multi-cloud needs
  • Modernizes and streamlines business and IT processes

Cloud-native infrastructure and applications offer resilience, and multi-cloud or hybrid cloud adoption adds a best-of-breed combination tailored to an organization's specific needs. Because combining different technologies can bring a competitive edge and major cost management benefits, it is clear why an increasing number of organizations are adopting a multi-cloud or hybrid approach rather than remaining in a single public or private cloud.

But any complex architecture brings with it security concerns—no matter the infrastructure. Managing the security of your infrastructure, however, will allow you to reap the benefits of cloud without harming availability, integrity, or confidentiality due to vulnerabilities in the system.

Risk-based security management

Every organization faces unique challenges that may require very different security strategies. However, some businesses focus on short-term security goals while neglecting to set long-term ones, leaving the organization vulnerable.

It is important to understand that security management and maturity are not about meeting a set of compliance requirements or following ad-hoc practices; they are about developing a repeatable security process.

Adopting a risk-based security management approach that takes into account the organization's unique operational aspects can significantly improve a company's security posture. Because certain business processes and assets are more critical than others, assessing vulnerabilities alone is insufficient. Integrating risk-based security with cloud security provides actionable risk analytics to better understand and mitigate end-to-end risks.

Cyber risk is the potential for a threat to exploit an identified or latent vulnerability and adversely affect the organization, harming its reputation and causing other damage. Because the negative impact may be technical or organizational, risk-based security management requires cross-team collaboration rather than the involvement of the IT or security teams alone. Once companies understand their system weaknesses, they can assess the resulting risks while also taking business and asset values into account.

The steps of risk management:

  1. Identify the assets you need to secure, including their owners and their value to the business.
  2. Assess the threats and vulnerabilities affecting those assets, and determine which security controls need to be implemented.
  3. Treat each identified risk. The standard options are to mitigate (control) it, transfer it, avoid it, or accept it. Where a third party such as a cloud service provider (CSP) or software-as-a-service (SaaS) provider is involved, some risks can be transferred to that party, but only those the cloud shared responsibility model actually assigns to it; check the model before assuming a risk has moved. Risks that cannot be remediated can be accepted, avoided, or controlled after evaluating the situation. Risk acceptance is most relevant for legacy systems and old technologies with dependencies that cannot be supported on newer platforms; an accepted risk should be documented, time-bound, and paired with compensating controls. Prioritize identified risks so that the highest-rated ones are treated first. Identified risks need to be addressed whether the environment is a single public cloud or multi-cloud.
  4. Once the controls are in place, authorize the system to operate and monitor it continuously, since both the assets and the threat landscape keep changing.
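As an added example (not code from the article or from Vulcan Cyber), the following Python script walks the four steps above on a small constructed inventory: it scores each finding as likelihood times business impact rather than by technical severity alone, picks a treatment, and sends a finding to "transfer" only when an assumed shared-responsibility mapping places its layer with the CSP. The asset names, weights, acceptance threshold and layer mapping are all assumptions to replace with your own inventory and your CSP's documented model.

```python
"""Risk-based prioritisation and treatment of cloud findings.

Added example, not code from the original article. The inventory, findings,
weights and shared-responsibility mapping are constructed assumptions.
"""
from dataclasses import dataclass

# Assumption: layers the CSP operates for each service model. A finding on a
# CSP-operated layer is a candidate for transfer; everything else stays yours.
# Data and identity are deliberately absent: they remain the customer's.
CSP_OPERATED = {
    "iaas": {"physical", "hypervisor"},
    "paas": {"physical", "hypervisor", "os", "runtime"},
    "saas": {"physical", "hypervisor", "os", "runtime", "application"},
}

ACCEPT_THRESHOLD = 20.0  # assumed risk-appetite cut-off on a 0..100 scale


@dataclass(frozen=True)
class Asset:
    name: str
    service_model: str       # "iaas", "paas" or "saas"
    criticality: int         # 1 (low) .. 5 (business critical)
    internet_exposed: bool
    legacy: bool = False     # unsupported stack that cannot be upgraded


@dataclass(frozen=True)
class Finding:
    asset: str
    layer: str               # physical, hypervisor, os, runtime, application, data, identity
    severity: float          # 0.0 .. 10.0, CVSS-like technical severity
    exploited_in_wild: bool = False
    fix_available: bool = True


def risk_score(asset: Asset, finding: Finding) -> float:
    """Likelihood x impact on a 0..100 scale; severity alone is not the risk."""
    likelihood = finding.severity / 10.0
    if finding.exploited_in_wild:
        likelihood = min(1.0, likelihood + 0.3)
    if asset.internet_exposed:
        likelihood = min(1.0, likelihood * 1.5)
    impact = asset.criticality / 5.0
    return round(likelihood * impact * 100.0, 1)


def treatment(asset: Asset, finding: Finding, score: float) -> str:
    """Choose mitigate / transfer / avoid / accept under the shared responsibility model."""
    if finding.layer in CSP_OPERATED[asset.service_model]:
        return "transfer"            # verify the CSP really covers it before closing
    if score < ACCEPT_THRESHOLD:
        return "accept"              # document it; revisit when the score changes
    if finding.fix_available:
        return "mitigate"
    if asset.legacy:
        return "accept-with-compensating-control"
    return "avoid"                   # isolate or decommission until a fix exists


def prioritize(assets, findings):
    """Return findings ordered highest risk first, each with its treatment."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        if f.asset not in by_name:
            # An unidentified asset cannot be scored: inventory it first.
            raise ValueError(f"asset {f.asset!r} is not in the inventory")
        a = by_name[f.asset]
        s = risk_score(a, f)
        rows.append({"asset": a.name, "layer": f.layer, "score": s,
                     "treatment": treatment(a, f, s)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory and findings.
ASSETS = [
    Asset("payments-api", "paas", 5, internet_exposed=True),
    Asset("hr-portal-vm", "iaas", 3, internet_exposed=False, legacy=True),
    Asset("team-wiki", "saas", 1, internet_exposed=True),
]
FINDINGS = [
    Finding("payments-api", "application", 9.8, exploited_in_wild=True),
    Finding("payments-api", "runtime", 6.0),
    Finding("hr-portal-vm", "os", 8.1, fix_available=False),
    Finding("hr-portal-vm", "hypervisor", 6.0),
    Finding("team-wiki", "data", 5.0),
]

if __name__ == "__main__":
    for row in prioritize(ASSETS, FINDINGS):
        print(f"{row['score']:6.1f}  {row['treatment']:36s} {row['asset']}/{row['layer']}")
```

Note what the ordering shows: the unpatchable OS flaw on the legacy VM outranks the hypervisor finding on the same host, yet the latter is the only one of the two that can be transferred; the SaaS data-layer finding is low enough to accept but is never the CSP's problem, because data sits outside every CSP_OPERATED set.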

Risk-based security for cloud-native infrastructure

As cloud migration accelerates, the scope of cyber-risk management changes: the infrastructure is different, and part of the responsibility now sits with the CSP under the shared responsibility model.

Meeting security compliance requirements while maintaining the agility, speed, and scalability of cloud-native infrastructure is challenging, and in many cases cyber-risk management processes are neglected because they were never evaluated and adapted for the cloud.

While the key focus should be scalability, automation, and infrastructure as code (IaC), these elements are often neglected when companies migrate to or adopt the cloud without a proper strategy. Depending on the infrastructure, changes to underlying mechanisms, and integrations with multiple platforms, new add-ons can broaden the attack surface.

When it comes to risk mitigation, traditional technical controls and compliance mechanisms do not always fit the cloud, since cloud-native infrastructure and design principles can be very different. On-premises security generally focuses on upgrading software and managing access control lists (ACLs), while cloud-native security deals more with identity: managing and maintaining permissions and enforcing strong authentication. These differences must be properly understood and specifically addressed.

Cloud security traps

Cloud threats can be internal or external, and when combined with unidentified system vulnerabilities they lead to serious security risks. Common cloud security traps include a poor understanding of the CSP's shared responsibility model, dark data, weak access management, and a lack of visibility caused by complexity.

Cloud-native infrastructures offer special features such as abstracted layers and repeatable actions driven by automation and infrastructure as code. In automation, however, the principle of least privilege (PoLP) is not always followed: pipeline jobs and service accounts are often granted root or administrator privileges to execute tasks that do not require them, so a single compromised job or leaked credential carries far more reach than it should.

In order to anticipate risks, vulnerabilities and threats must be identified. Asset management is key here, since unidentified assets are dangerous in cloud environments: nobody scores, patches, or monitors them. Asset identification can be challenging due to cloud sprawl and limited visibility across multi-cloud environments and collaboration platforms.
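An added example, not from the article, of the least-privilege check a practitioner would run over the IAM policy attached to an automation role before the pipeline goes live. The three policies are constructed (placeholder bucket, parameter path and account ID); their structure is the AWS IAM JSON policy language. The check flags wildcard actions and resources, NotAction/NotResource grants, and escalation-capable actions such as iam:PassRole allowed on every resource without a Condition. The scoped policy at the end passes.

```python
"""Least-privilege check for IAM policy documents attached to automation roles.

Added example, not code from the original article. The policies below are
constructed; bucket, parameter and account identifiers are placeholders.
"""
import fnmatch
import json

# Actions that expand the caller's privilege well beyond their obvious meaning.
# Allowed on Resource "*" with no Condition, they are escalation paths.
ESCALATION_ACTIONS = (
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "sts:AssumeRole",
)


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy: dict) -> list:
    """Return least-privilege violations found in the policy's Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        def flag(issue, detail, idx=idx):
            findings.append({"statement": idx, "issue": issue, "detail": detail})

        # NotAction / NotResource grant everything except what is listed.
        if "NotAction" in stmt or "NotResource" in stmt:
            flag("negated-match", "NotAction/NotResource allows everything not listed")
        for action in actions:
            if action == "*":
                flag("wildcard-action", action)
            elif action.endswith(":*"):
                flag("service-wildcard-action", action)
        if "*" in resources:
            flag("wildcard-resource", "*")
            if "Condition" not in stmt:
                # IAM action names may use * and ? wildcards; match each
                # escalation action against the patterns the statement grants.
                matched = sorted(
                    e for e in ESCALATION_ACTIONS
                    if any(fnmatch.fnmatchcase(e, a) for a in actions)
                )
                if matched:
                    flag("escalation-path", ", ".join(matched))
    return findings


def is_least_privilege(policy: dict) -> bool:
    return not check_policy(policy)


# Constructed: the "just make the pipeline work" policy.
ADMIN_EVERYTHING = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

# Constructed: looks narrow, but iam:PassRole on every resource lets the job
# attach any role in the account to whatever it launches.
CI_DEPLOY_ROLE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "iam:PassRole"],
                "Resource": "*"}]}
""")

# Constructed: scoped to the one bucket prefix and parameter path the job uses.
LEAST_PRIVILEGE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject"],
    "Resource": "arn:aws:s3:::example-deploy-artifacts/*"},
   {"Effect": "Allow",
    "Action": "ssm:GetParameter",
    "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/deploy/*"}]}
""")

if __name__ == "__main__":
    for name, pol in [("admin", ADMIN_EVERYTHING), ("ci", CI_DEPLOY_ROLE),
                      ("scoped", LEAST_PRIVILEGE)]:
        print(name, "OK" if is_least_privilege(pol) else check_policy(pol))
```

The middle policy is the instructive one: it names only three actions, so a reviewer skimming for `"*"` in Action would pass it, yet the combination of iam:PassRole with an unscoped Resource is what an attacker who compromises the pipeline would use to move to a more privileged role.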

No matter which cloud deployment model or cloud service you choose to use, data and access management as well as data protection are always the responsibility of the organization. Multi-tenant, fully distributed infrastructures and rapid migration can change and expand your attack surface. Adopting new security controls and policies following cloud migration is therefore crucial for mitigating issues that may arise.

This involves:

  • Proper asset management
  • Following best practices and guidelines related to system hardening
  • Revising policies and procedures so they are aligned with the cloud
  • Use of cloud-native security tools to harden systems
  • Understanding the responsibilities of the CSP and the organization in protecting assets in the cloud
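The asset-identification problem described above can be made concrete. As an added example (not from the article), this Python reconciliation compares a CMDB with what two cloud accounts actually contain. The CMDB rows and the per-provider listings are constructed; in practice they come from each provider's inventory export. Anything discovered but absent from the CMDB is untracked, anything without an owner tag is unowned, and anything in the CMDB but not discovered is stale, which is either a deleted asset or a scanning blind spot. Untracked resources are then carried into a provisional inventory at maximum criticality until someone classifies them.

```python
"""Reconcile a CMDB asset inventory against what the cloud accounts contain.

Added example, not code from the original article. CMDB rows and per-provider
listings are constructed; real listings come from each provider's inventory export.
"""

# Constructed CMDB: what the organisation believes it runs.
CMDB = [
    {"provider": "aws",   "id": "i-0a1b2c3d",   "owner": "payments", "criticality": 5},
    {"provider": "azure", "id": "vm-hr-01",     "owner": "hr",       "criticality": 3},
    {"provider": "aws",   "id": "db-legacy-01", "owner": "finance",  "criticality": 4},
]

# Constructed listings, shaped like a multi-cloud inventory export.
DISCOVERED = {
    "aws": [
        {"id": "i-0a1b2c3d", "type": "ec2", "tags": {"owner": "payments"}},
        {"id": "i-0ffee1d2", "type": "ec2", "tags": {}},                      # nobody tagged it
    ],
    "azure": [
        {"id": "vm-hr-01",    "type": "vm", "tags": {"owner": "hr"}},
        {"id": "vm-shadow-7", "type": "vm", "tags": {"owner": "dev-team"}},   # never registered
    ],
}


def reconcile(cmdb, discovered):
    """Return the three inventory gaps that matter for risk: untracked, unowned, stale."""
    known = {(row["provider"], row["id"]): row for row in cmdb}
    seen = set()
    untracked, unowned = [], []
    for provider, resources in discovered.items():
        for res in resources:
            key = (provider, res["id"])
            seen.add(key)
            if key not in known:
                untracked.append(key)          # exists, but nobody scores or patches it
            if not res.get("tags", {}).get("owner"):
                unowned.append(key)            # nobody to route a finding to
    # In the CMDB but not discovered: deleted, or in an account/region that is
    # not being scanned. Either way a visibility gap to close before trusting
    # the inventory.
    stale = [key for key in known if key not in seen]
    return {"untracked": sorted(untracked),
            "unowned": sorted(unowned),
            "stale": sorted(stale)}


def provisional_inventory(cmdb, discovered):
    """CMDB rows that still exist, plus untracked resources pinned to maximum
    criticality until someone classifies them: unknown is not the same as low risk."""
    gaps = reconcile(cmdb, discovered)
    stale, untracked = set(gaps["stale"]), set(gaps["untracked"])
    rows = [dict(row, provisional=False) for row in cmdb
            if (row["provider"], row["id"]) not in stale]
    for provider, resources in discovered.items():
        for res in resources:
            if (provider, res["id"]) in untracked:
                rows.append({"provider": provider, "id": res["id"],
                             "owner": res.get("tags", {}).get("owner"),
                             "criticality": 5, "provisional": True})
    return rows


def cmdb_coverage(cmdb, discovered):
    """Share of discovered resources the CMDB knows about, as a 0..1 fraction."""
    known = {(row["provider"], row["id"]) for row in cmdb}
    keys = [(p, r["id"]) for p, rs in discovered.items() for r in rs]
    return sum(1 for k in keys if k in known) / len(keys) if keys else 1.0


if __name__ == "__main__":
    for kind, keys in reconcile(CMDB, DISCOVERED).items():
        print(f"{kind:10s} {keys}")
    print(f"coverage: {cmdb_coverage(CMDB, DISCOVERED):.0%}")
```

Run this on a schedule and trend the coverage figure; a drop usually means a new account or region came online outside the inventory process, which is exactly the cloud-sprawl scenario the section warns about.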

A risk-based security approach enables organizations to identify, understand, and prioritize their risks. With the growth of cloud and its architectural diversity, microservices, and complex cloud setups, traditional security controls and procedures often fall short. Mechanisms such as cloud security posture management and cloud-native security (including containers and cloud workload protection) can provide more comprehensive protection in the cloud.

Streamlining security for cloud-native infrastructure

With today's cloud-native infrastructures, often combined with other hybrid or multi-cloud environments, end-to-end visibility can be difficult to achieve. And without proper visibility, streamlining the environment, applying security policies, and continuous monitoring can prove difficult. Cloud security therefore requires centralization as well as an understanding of responsibilities, assets, and attack surfaces. 

When it comes to cloud-native infrastructures, risk-based security can help identify unique and specific risks in your cloud environment, evaluate your assets, and prioritize and remediate the risks. 

Offering contextual risk-based prioritization with ingested data and integrations with the major cloud platforms, including AWS, Azure, and GCP, as well as Kubernetes and containerized environments, Vulcan Cyber® streamlines your cloud security programs. Gain visibility of your cloud environment and own your risk.