CISOs: How to Maintain your Security (and Sanity) in a Hybrid Cloud World

CISOs: How to Maintain your Security (and Sanity) in a Hybrid Cloud World

The cloud isn’t going anywhere.  By 2020, Forbes says 83 percent of enterprise workloads will be in the cloud. Gartner agrees, stating that by 2021, over 75 percent of midsize and large organizations will have adopted a multicloud and/or hybrid IT strategy. 

While cloud computing has become the new normal for modern IT environments, hybrid and multicloud are the reality when driving business transformation initiatives. While some CISOs will favor multi-cloud computing, others will choose a hybrid cloud model that “allows for scenarios where customers can keep their most sensitive data on their own servers while sending workloads to the private or public cloud for improved accuracy and productivity,” said technology analyst Beth Kindig.  

Both options provide cost optimization, agility, flexibility, scalability and elasticity benefits along with control, compliance, security, and reliability. Cloud also enables a CISO to draw together all of these key benefits ensuring the optimal cloud solution despite changing security needs or requirements. 

Regardless of whether you choose a multi-cloud or hybrid cloud, adequately securing your applications in a cloud environment can be a challenge without being able to properly understand application relationships, communications, and behaviors in your environment. 

For the sake of this blog, we will use the terms hybrid and multi-cloud interchangeably.

Building an Accurate Application Inventory of Your Cloud

In order to understand an application well enough to start to identify where the risk lies, we must first understand precisely what applications exist and what comprises them.  When we think about cloud applications, we define an application as a piece of distributed software designed to fulfill a business purpose delivered through a series of interconnected workload relationships - often between clouds distributed across the business. The larger and more complex these applications are, the more difficult it is to gain the necessary understanding of their communications, behaviors, dependencies and in turn- risk.

Exacerbating the complexity, modern cloud environments can make it even more difficult to achieve an understanding of applications and relationships – as they are often geographically dispersed, frequently changing, diverse, and managed through multiple interfaces that require different knowledge and skills.

This lack of understanding of exactly what comprises the application, how it functions, and the associated relationships are the core problems for CISOs when it comes to securing complex applications inside and across these cloud platforms. In order to answer those questions, security teams are tasked with identifying and deciphering thousands of application communications between workloads just to understand precisely what makes up that “application”. Gathering this information is required before teams can even begin to define a policy of what “Known Good” communications are so they can leverage controls that enforce a policy blueprint.

Assessing Application Risk

In order to understand your risk exposure within your cloud environment, one must first  understand the east-west paths available to an attacker once the perimeter has been breached or an asset has been compromised.  Tools that enable deep application discovery are needed in order to investigate available lateral paths through workload relationships across applications.

Here is a scenario to help explain this: Security teams need application-level relationship visibility in order to understand how workload A connects to B, and B connects to C for a given application. That connectivity enables an attacker to move laterally along that path through those relationships to get to C starting from A. These types of relationships and their associated risk radius are very difficult for humans to discover at scale but become as easy as a few clicks with purpose-built discovery tools.

An appropriate discovery tool will help you understand your exposure by helping you answer questions such as:

  • Are my applications communicating as intended? 
  • Are my critical assets at risk?
  • Am I under attack?
  • What is the size and scope of my blast radius for a given application?
  • Once compromised, what lateral paths exist through my network for each application? 

 

Once you’ve identified the risks, you must now gain a deeper understanding of the application relationships. As mentioned prior, we find that the most critical applications are often the most complex ones to secure. Further complicating things, the most complex applications have the most relationships, and as a result, are the most difficult to understand. Fortunately, with recent advances in technology, tools such as (Artificial Intelligence) AI and (Machine Learning) ML, tasks that were once nearly impossible, can now be accomplished in seconds instead of months.

To understand the risks associated with that A-B-C relationship discussed above, AI and ML must be used to discover and understand the potential of tens or hundreds of thousands of relationships in order to reduce the attack surface of an application to only what is necessary for the application to function. 

Combining Intelligence to Accelerate Risk Management

When you combine what administrators and app owners know about how an app should behave with what AI/ML models that tell us what is actually occurring, the result is a solution that has the ability to:

  • Visualize applications and discover relationships 
  • Monitor and detect threats and respond to incidents rapidly
  • Automatically generate and then test policies to isolate applications, separate environments and enforce compliance

 

Armed with the capabilities listed above, security teams now have a complete contextual understanding of how the application should behave and the AI/ML information of what is happening that is required to accelerate risk mitigation. These two intelligence sources enable automated policy generation capabilities providing a blueprint for precisely how an application is allowed to behave.  In the previous world, without the AI/ML context this would have been nearly impossible.

Security teams can now use their knowledge coupled with AI/ML models to easily generate and test policies that monitor and control application relationship communications.  This prevents attackers from exploiting these previously unknown and undefined relationships between workloads within the blast radius of a given application. The reduced threat surface is no longer a vulnerable ocean of opportunity in a cloud environment without controls governing traffic. Once these policies have been deployed to the cloud platforms, unused native controls such as AWS Security Groups or Azure Network Security Groups no longer lie dormant, and the previous wild west for an attacker who has breached the perimeter has been eliminated.

Take the Next Step to Secure your Cloud with vArmour Application Controller vArmour Application Controller’s Security Graph technology has enabled hundreds of security and infrastructure teams to gain visibility and control of application relationships across their public and private cloud environments. As a result, security teams are able to understand the scope of the blast radius and see where critical applications are at risk - centralizing all of the interactive relationship maps. 

One of the key benefits of the Application Controller is that it allows CISOs to capitalize on the investments they already made in their cloud platforms.  As a cloud customer, you’ve already purchased embedded native controls and telemetry capabilities, but actually enabling them in a useful way can be challenging. By connecting a cloud or leveraging the SDK, existing telemetry can be ingested into the AI/ML enabled Security Graph providing a centralized view of all your critical applications.

 

Get started today with a free trial to fully understand the risk in your environment, available to deploy in Amazon Web Services (AWS), Microsoft Azure and VMware NSX.

 

Image source: business vector created by freepik - www.freepik.com