Less visibility means harder cloud security
In an on-prem environment, you have full access to all of the hardware and software resources that your workloads depend on. You can monitor network traffic at the hardware level, view every log file in every operating system running on your servers, and you can retain log and metrics data for as long as you want. You have full security visibility.
In the cloud, however, visibility tends to be more limited since you can’t access physical hardware. You may only be able to collect certain types of metrics or view certain logs, depending on what your cloud provider makes available. Even the security monitoring tools you can use may be limited. Having less data to work with when using the cloud puts you at a lower level of visibility when searching for risks.
Cloud environments are usually more complex
Unless you’ve built a private cloud using a platform like OpenStack or Kubernetes, it’s likely that your workloads consist mostly of virtual machines in an on-prem environment. This creates very few layers in your technology stack, and less complexity to manage.
When you move away from on-prem, it becomes much easier to take advantage of multiple types of cloud services such as AWS, GCP, Azure, and OCI to build complex environments. You might run some workloads on VMs, while hosting others using serverless functions, containers, or a mix thereof.
Combined with the fact that resources in the cloud are constantly changing, it’s easy to recognize how much more complex the cloud can be.
With this complexity comes security challenges. The more moving parts you have in your cloud environment, and the more dependencies that exist between them, the higher the risk that you’ll have a misconfiguration or introduce a vulnerability into your workloads.
One of the reasons businesses turn to the cloud to host workloads is that it’s easy to spin up cloud resources quickly. That simplicity also creates risks. When anyone can deploy new cloud workloads, it’s easy to end up with VMs, containers, data storage buckets or other resources running in your cloud environment that your central IT department doesn’t know about and can’t oversee.
Multiple clouds may mean multiple security tools
A majority of businesses today are using more than one cloud. While adopting a multi-cloud strategy can save money and improve reliability, it also creates new security risks. Chief among them is the fact that you may end up deploying different security tools for each cloud, because the security monitoring and auditing solutions that each cloud provider offers don’t typically work on other clouds. You end up juggling multiple security tools, and it becomes harder to leverage each tool effectively and detect critical risks.
Everything in the cloud is connected to the Internet
When you run workloads on-premises, you can isolate them from the Internet by protecting them behind firewalls or even unplugging them. In the cloud, however, unplugging from the network is never an option. The best you can do is deploy network filtering or Virtual Private Cloud (VPC) environments. While they provide some level of isolation between your workloads and the network, you can’t turn off the network completely, and there is a risk that misconfigurations in your cloud network settings will allow outsiders to access your cloud resources.
Complex cloud access controls
In the cloud, you typically need to rely on Identity and Access Management (IAM) frameworks to define access rights to each resource running in your environment. Each cloud vendor’s IAM system works differently from the others, and requires mastery of a complex set of configuration options. This makes it easy to make mistakes that could expose cloud data to third-party access.
Configuring access controls on-premises is not always easy, but it tends to be more standardized than in the cloud. For instance, Active Directory can manage permissions across most of your resources on-premises. There are also usually fewer resources to secure if your on-prem environment consists only of VMs and applications instead of disparate cloud services.
Default cloud security settings may be insecure
To make the deployment of cloud workloads easier, cloud vendors typically provide a default set of configurations that define access controls and network rules for a new cloud resource. While having default settings is convenient because it saves you from having to create configuration policies from scratch for each deployment, the defaults are not necessarily secure, and may not be tailored for your business’s specific requirements. Businesses may assume that whichever configurations their workloads receive by default are secure, but that is rarely the case.
Making the most of cloud security
Once you understand these risks, you can address them. For example, you may choose to deploy a Cloud-Native Application Protection Platform (CNAPP). CNAPPs secure cloud environments at multiple levels by scanning configurations, workloads, and orchestration tooling like Kubernetes for security risks. They also help you centralize your security tooling around a single platform, instead of having to use different tools for each cloud.