The right way to IaaS: achieving secure flexibility and scalability
- Published: Wednesday, 02 October 2019 08:23
Infrastructure as a service (IaaS) offerings allow enterprises to focus on business growth, gain flexibility and scalability, as well as achieve significant cost savings. However, IaaS also raises some unique data leakage concerns that must be addressed. Anurag Kahol looks at three cornerstones of security when considering IaaS platforms and how the use of cloud access security brokers (CASBs) can help ensure that sensitive data remains protected at all times.
The building blocks of IaaS security
Data at rest
IaaS platforms house massive amounts of sensitive data that can become vulnerable to theft when proper controls are not put in place. Threats to this data at rest typically fall into two categories:
- External attacks that infiltrate the cloud environment and often stem from the abuse of compromised credentials;
- Insider threats that entail malicious or rogue employees accessing or exfiltrating sensitive data from within.
In order to maintain security in both of these scenarios, organizations must first confirm that they can accurately detect sensitive data patterns at rest; they must then ensure that robust controls are placed around said data at all times.
Enterprises today will often use IaaS platforms to build internally and externally facing custom apps that are used by their employees, customers, partners, and more. Many organizations do this because they desire to have niche tools that are not readily available off the shelf in a SaaS (Software as a Service) format, as well as because they desire greater control over their apps and the underlying infrastructure in the cloud.
However, with that increase in control comes a greater share of the responsibility for security. With SaaS, the vendor secures both the application and the infrastructure beneath it. With IaaS, the provider secures only the physical facilities and the virtualization layer; everything above that, including guest OS patching, network rules, identities and credentials, storage permissions and the custom app itself, falls to the customer. In practice these layers are often not secured properly, leaving the apps and the data behind them vulnerable unless access to them is properly safeguarded.
Cloud security posture management (CSPM)
To protect data at rest and the applications that access it, organizations must ensure that the underlying IaaS settings are configured properly, both for continuous security and for compliance with frameworks like the CIS Benchmarks (for AWS, the CIS AWS Foundations Benchmark), HIPAA, and PCI DSS.
Accomplishing this requires an effective cloud security posture management (CSPM) solution that can analyse an enterprise’s IaaS accounts and check for misconfigurations. In AWS, for example, these take a variety of forms: multi-factor authentication not enabled for console users (the root account above all), CloudTrail logging disabled or not covering every region, or S3 buckets whose ACL or bucket policy grants access to everyone.
Time and again, these issues expose sensitive data that may not be protected or encrypted, enabling unauthorised access and a host of other headaches for the enterprise and its data subjects.
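To make the three AWS examples concrete, here is a small set of CSPM-style checks, added to this article as an illustration and not code from Bitglass or any CSPM product. It runs over constructed data whose shape mirrors the boto3 responses a real checker would pull (the IAM credential report, describe_trails/get_trail_status, and each bucket's ACL grants, policy status and Block Public Access settings); the account id, user, trail and bucket names are made up, and each finding carries the fix an admin would be told to apply.

```python
"""CSPM-style checks for the three AWS misconfigurations named in the text.

Added example (not Bitglass or AWS code). The inputs mimic the shape of the
boto3 responses a real checker would fetch: iam.get_credential_report() (CSV),
cloudtrail.describe_trails() + get_trail_status(), and per bucket
s3.get_bucket_acl(), get_bucket_policy_status(), get_public_access_block().
All sample data below is constructed for the example.
"""
import csv
import io
from dataclasses import dataclass

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


@dataclass(frozen=True)
class Finding:
    check: str        # short check id, e.g. "iam.mfa"
    resource: str     # ARN, trail name or bucket name
    detail: str
    remediation: str  # what the admin is told to do


def check_mfa(credential_report_csv: str) -> list[Finding]:
    """Flag console users (and the root account) that have no MFA device.

    In the credential report the root account appears as '<root_account>' with
    password_enabled = 'not_supported', so it is treated as a console user.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(credential_report_csv)):
        is_root = row["user"] == "<root_account>"
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append(Finding(
                "iam.mfa", row["arn"], "console sign-in enabled without MFA",
                "assign a hardware MFA device (root) or virtual MFA (users)"))
    return findings


def check_cloudtrail(trails: list[dict], statuses: dict[str, dict]) -> list[Finding]:
    """Require at least one multi-region trail that is actively logging."""
    findings = []
    active_multi_region = False
    for trail in trails:
        if not statuses.get(trail["Name"], {}).get("IsLogging", False):
            findings.append(Finding(
                "cloudtrail.logging", trail["TrailARN"], "trail exists but logging is stopped",
                f"aws cloudtrail start-logging --name {trail['Name']}"))
        elif trail.get("IsMultiRegionTrail", False):
            active_multi_region = True
    if not active_multi_region:
        findings.append(Finding(
            "cloudtrail.coverage", "account", "no multi-region trail is logging",
            "create a multi-region trail with log file validation enabled"))
    return findings


def check_s3_public(buckets: list[dict]) -> list[Finding]:
    """Flag buckets that are public through an ACL or a bucket policy.

    Block Public Access settings take precedence over ACLs and policies, so a
    public grant only counts when the matching guard is switched off.
    """
    findings = []
    for bucket in buckets:
        pab = bucket.get("PublicAccessBlockConfiguration", {})
        acl_public = any(g["Grantee"].get("URI") in PUBLIC_GRANTEES
                         for g in bucket.get("Grants", []))
        if acl_public and not pab.get("IgnorePublicAcls", False):
            findings.append(Finding(
                "s3.public_acl", bucket["Name"], "ACL grants access to everyone",
                "remove the AllUsers/AuthenticatedUsers grant and enable IgnorePublicAcls"))
        if bucket.get("PolicyIsPublic", False) and not pab.get("RestrictPublicBuckets", False):
            findings.append(Finding(
                "s3.public_policy", bucket["Name"], "bucket policy allows public access",
                "scope the policy to named principals and enable RestrictPublicBuckets"))
    return findings


# --- constructed sample data (shape only; account id, names and ARNs are made up) ---
SAMPLE_CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false
alice,arn:aws:iam::123456789012:user/alice,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false
"""
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"},
    {"Name": "dev-trail", "IsMultiRegionTrail": False,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/dev-trail"},
]
SAMPLE_STATUSES = {"org-trail": {"IsLogging": False}, "dev-trail": {"IsLogging": True}}
SAMPLE_BUCKETS = [
    {"Name": "public-assets", "PolicyIsPublic": False,   # world-readable ACL, no guard
     "Grants": [{"Grantee": {"Type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}]},
    {"Name": "customer-exports", "PolicyIsPublic": True,  # public policy neutralised by BPA
     "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}],
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    {"Name": "app-logs", "PolicyIsPublic": False,
     "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
]


def run_all() -> list[Finding]:
    """Run every check over the sample data; a live version swaps in boto3 calls."""
    return (check_mfa(SAMPLE_CREDENTIAL_REPORT)
            + check_cloudtrail(SAMPLE_TRAILS, SAMPLE_STATUSES)
            + check_s3_public(SAMPLE_BUCKETS))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.check}] {f.resource}: {f.detail} -> {f.remediation}")
```

On the sample data this reports five findings: the root account and `bob` without MFA, `org-trail` stopped, no multi-region trail actively logging, and `public-assets` readable by everyone. `customer-exports` has a public policy but is not reported, because RestrictPublicBuckets overrides it; a checker that only reads the policy and ignores Block Public Access would raise a false positive there.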
Keeping sensitive data safe with cloud access security brokers (CASBs)
While the challenges surrounding IaaS can seem varied and complex, there are highly effective security solutions now available that offer the all-in-one protection that enterprises seek. Chief amongst them is the CASB, which secures data at rest and proxies traffic between end users and the cloud, providing a central point of visibility and control for any IaaS platform.
CASBs offer a variety of helpful capabilities; for example, field- or file-level encryption that renders data at rest unreadable to external prying eyes and to unauthorised internal personnel alike. Unless an authorised user is accessing the application through the CASB, which holds the keys and decrypts data on the way back to the user, they see nothing but ciphertext, significantly reducing the value of anything exfiltrated. The caveat is that key custody becomes the critical path: the keys must be kept outside the IaaS platform being protected, and access to the CASB’s key store deserves the same scrutiny as access to the data itself.
In addition to the above, select CASBs provide the real-time, inline protections necessary for securing access to custom applications. For example, leading agentless CASBs boast advanced threat protection (ATP) that can halt the upload of malware from any device, as well as contextual access control, which governs data access by a variety of factors, including users’ geographic locations, device types, job functions, and even behaviours in real time.
Finally, some CASB vendors also incorporate CSPM capabilities into their solutions. In this way, they can find misconfigurations, notify admins, and tell them how said issues can be fixed. Leading CASBs also offer automatic remediation of uncovered issues, providing the continuous assessment and compliance monitoring that companies need when making use of IaaS.
While the benefits of migrating to an IaaS environment are clear, enterprises contemplating the move must also consider the security implications of doing so (and take steps to address them before it’s too late). While this can seem daunting, the careful deployment of technologies such as CASBs allows enterprises to enjoy the myriad benefits that the cloud has to offer, while remaining confident that corporate data and IT resources are properly protected.
Anurag Kahol, Founder & CTO at Bitglass.