Cloud security vs. on-prem security
The security threats businesses contend with today can affect workloads hosted both on-prem and in the cloud. A Distributed Denial of Service (DDoS) attack can take on-prem applications offline just as well as it can target a cloud-based environment. If attackers bypass your data access controls, ransomware and malware can strike data hosted on your servers or managed in cloud services like AWS S3.
While the types of attacks aren’t fundamentally different in the cloud, workloads hosted there are subject to unique security challenges:
Compared to on-prem, where it’s likely that your tech stack is more straightforward, cloud environments typically carry more significant security risks. Cloud environments tend to be more complex. You may run virtual machines alongside containers and serverless functions, even adding an orchestration layer like Kubernetes.
Exposure to the Internet
Since cloud environments rely on the Internet to connect workloads to users, applications and data running in the cloud generally have wider exposure to the Internet than workloads hosted on-prem. It’s possible to use resources like Virtual Private Clouds (VPCs) or network ingress filtering to isolate workloads from the Internet, but default configurations in the cloud usually leave Internet connectivity on.
Borderless cloud networks
Similarly, you can’t define network boundaries in the cloud in the way you can on-prem. Although you can create isolation between your cloud environment and the Internet, you'll still need to leave some connections open for administrators to access your cloud environment. This differs from an on-prem environment where you could completely isolate data behind a firewall and enable access only through a local intranet.
Complex and fragmented access controls
In an on-prem environment, systems like Active Directory and OpenLDAP typically manage user identities and permissions. Managing access controls in the cloud is more difficult because there is no central access control system that applies across all cloud environments.
Instead, you can define a variety of different access control policies using each vendor’s Identity and Access Management (IAM) system, which varies between clouds. Juggling multiple IAM systems increases the risk of configuration errors or oversights that open the door to attack.
Stricter compliance controls
In some cases, businesses may be subject to compliance rules that impose special security requirements over data or applications hosted in the cloud, but not those that run on-premises. For example, cloud data centers located in a different country than on-prem servers may need to comply with that country’s local data privacy laws.
Limited control and visibility
For on-prem workloads, there is no limit on how much data you can gather to detect and monitor security breaches because you have total control over your infrastructure and hosting environments. The amount of network monitoring data available in the cloud is limited to what your cloud provider offers, leaving you with less visibility. For example, in serverless compute services like AWS Lambda, you can’t view operating system logs or collect low-level kernel monitoring data using a framework like eBPF.
Best practices for optimizing cloud security
Security challenges shouldn’t prevent you from using the cloud. If you adhere to standard best practices for securing cloud workloads, you can enjoy its flexibility without compromising security.
Scan IAM configurations
To protect against the risk of access control misconfigurations, you should scan your cloud IAM policies using tools that automatically detect problems, such as controls that allow anyone to view sensitive cloud-based data.
Tag cloud resources
You can tag cloud resources like VMs and databases in most cloud environments by creating descriptive labels. From a security perspective, tagging is valuable because it helps you track which cloud workloads you have running. By extension, tags help to identify workloads that should be shut down, reducing your attack surface.
Establish strong cloud governance
You should define and enforce governance policies to minimize the risk that employees will create insecure cloud workloads that go unmonitored. Guidelines should stipulate who can create workloads and delineate a procedure for ensuring that those workloads are appropriately tagged and monitored. The goal is to avoid spinning up resources without your IT or security team’s knowledge and oversight.
Don’t settle for security defaults
Default security policies are often not secure. Typically, newly created cloud workloads are configured with default policies that define access control and networking. You can go further by allowing only specific users to interact with a virtual machine and create resources like VPCs to restrict network access to workloads that don’t require direct interfaces with the Internet.
Make your cloud flexible and secure
The cloud is flexible and powerful, which is why most businesses use cloud services today. If you settle for default security configurations and tools, however, your cloud isn’t necessarily secure. To ensure that you can safely take full advantage of cloud computing, invest in practices that harden your cloud environment against security risks.