Public Cloud Security: Running Private Workloads in the Public Cloud

Cloud Workload Protection Platforms (CWPPs) are designed specifically for the operational security requirements of running software and database applications on public cloud hardware. Around 95% of enterprise organizations have already adopted PaaS/IaaS products from AWS, Google Cloud, and Microsoft Azure as part of their cloud deployments, and Flexera analysts estimate that 50-60% of all enterprise workloads run on public cloud resources in 2020.

This article reviews security solutions for managing private workloads on public cloud architecture. According to Gartner’s report, Trend Micro, Symantec, Sophos, Kaspersky, Radware, VMware, Palo Alto Networks, Check Point, Bitdefender, & Microsoft are the industry leaders in workload security for enterprise cloud adoption. These CWPP & CNAPP solutions work with all major public cloud providers to deliver continual security monitoring.

In addition, AWS offers a suite of security tools as part of its shared responsibility model for cloud security. The shared responsibility model stipulates that the burden of securing cloud environments is shared by both the customer and the cloud provider.

Critical AWS Tools for Public Cloud Security

AWS offers a range of tools that your organization can use to help secure your public cloud architecture. These tools fall into a few broad categories: identity and access (AWS IAM Access Analyzer), encryption (AWS KMS), compliance (AWS Artifact), and threat detection (Amazon GuardDuty). So without further ado, let’s dive into AWS security tools.

AWS IAM Access Analyzer

AWS IAM Access Analyzer is perhaps one of the most useful tools in AWS’s security stack. IAM stands for identity and access management and governs how users are able to access, modify, and view your public cloud environment. Access Analyzer monitors how users are using services under your account and alerts you to new or changed access management policies.

AWS IAM Access Analyzer gives you a granular view of how users access and use services on your account. In addition, if your IAM policies change, Access Analyzer can raise an automated alert that your resources are accessible to external users. AWS IAM should be configured on the principle of least privilege: employees should have only the access necessary to complete their jobs. Access Analyzer can help you find areas to reduce or modify permissions in order to increase security and trust.
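As an added illustration (not code from the original article or from AWS), the following Python check flags statements in a resource-based policy that open a bucket to public or cross-account principals, the kind of external-access finding described above. The bucket policy, account IDs, and helper names are constructed; treating a condition on aws:PrincipalAccount, aws:SourceAccount, or aws:PrincipalOrgID as scoping the grant back inside the organization is an assumption that simplifies what Access Analyzer's automated reasoning actually does.

```python
"""Flag statements in an AWS resource-based policy that grant access to principals
outside the owning account. Simplified offline illustration of the check that IAM
Access Analyzer automates; it is NOT the Access Analyzer API and omits its full
reasoning (wildcard ARNs, NotPrincipal, Deny statements, service-specific keys)."""
import json
import re

# Assumption: a statement carrying one of these condition keys is scoped to an account/org.
SCOPING_KEYS = {"aws:principalaccount", "aws:sourceaccount", "aws:principalorgid"}

def _principals(principal) -> list:
    """Normalise the Principal element ("*", string, or {"AWS": [...]}) to a flat list."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():  # keys: AWS, Service, Federated, ...
        out.extend(value if isinstance(value, list) else [value])
    return out

def _account_of(arn_or_id: str):
    """Return the 12-digit account ID embedded in an ARN or bare account string, else None."""
    m = re.search(r"(?:^|:)(\d{12})(?::|$)", arn_or_id)
    return m.group(1) if m else None

def _has_scoping_condition(statement: dict) -> bool:
    blocks = statement.get("Condition", {}).values()  # e.g. {"StringEquals": {...}}
    return any(key.lower() in SCOPING_KEYS for block in blocks for key in block)

def find_external_access(policy: dict, owner_account: str) -> list:
    """Return one finding per Allow statement reachable from outside owner_account."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        if _has_scoping_condition(stmt):
            continue  # grant is narrowed to an account/org: not treated as external
        for p in _principals(stmt["Principal"]):
            if p == "*":
                findings.append({"sid": stmt.get("Sid"), "principal": p, "kind": "public"})
            elif (acct := _account_of(p)) and acct != owner_account:
                findings.append({"sid": stmt.get("Sid"), "principal": p, "kind": "cross-account"})
    return findings

# Constructed sample S3 bucket policy (not from the article); account 111111111111 owns the bucket.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "OwnerRead", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "PartnerWrite", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:ListBucket",
   "Resource": "arn:aws:s3:::example-bucket",
   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}""")
```

Running `find_external_access(SAMPLE_POLICY, "111111111111")` reports PublicRead as public and PartnerWrite as cross-account, while OwnerRead and the org-scoped OrgOnly statement are not flagged.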

AWS GuardDuty

Amazon GuardDuty is Amazon’s threat detection platform. GuardDuty analyzes data from across AWS services, including VPC Flow Logs, DNS logs, and CloudTrail event logs, correlates it, and uses machine learning to identify anomalous behavior across your account. GuardDuty is a fully automated threat detection capability that integrates easily with existing workflows and third-party threat detection tools.

AWS Security Hub

AWS Security Hub serves as the focal point for AWS security-related matters. In Security Hub you can view alerts and findings from various AWS security services, including GuardDuty, IAM Access Analyzer, Firewall Manager, and other crucial security services, and you can view security configurations across multiple AWS accounts. Security Hub continuously monitors your environment using automated checks to identify vulnerabilities.

AWS Artifact

For many organizations, compliance is a key driver of security efforts. AWS Artifact provides detailed and customizable compliance reporting across several cybersecurity frameworks, including SOC, PCI, ISO, and FedRAMP. Artifact makes reporting on complex security controls across a variety of services and accounts far simpler than it otherwise would be and can report against the controls of most common compliance requirements.

Cloud Workload Protection: CWPPs, CNAPPs, & CSPM

Enterprise cloud workloads are defined as the computing, storage, and networking resources that are required to run software applications & databases on remote hardware. There are four levels of abstraction for cloud workloads: dedicated hardware, virtual machines (VMs), containers, and serverless platforms. Businesses running private workloads on public cloud architecture need to take action to secure each of these abstraction levels with CWPP solutions.

Dedicated hardware in a public cloud data center can be configured for enterprise IT use with solutions like Azure Stack, VMware vSphere, OpenStack, AWS Outposts, & Red Hat OpenShift. Hypervisor platforms based on Hyper-V, KVM, and ESXi allow VMs running Windows or Linux distributions to share the same physical hardware. Kubernetes orchestrates containers across elastic server clusters. Serverless platforms provide on-demand compute for functions written in a range of programming languages, scaling out in parallel.

To run private workloads securely on public cloud hardware at these four levels of abstraction, enterprise IT groups choose Cloud Workload Protection Platforms (CWPPs). Best practice now also involves Cloud Security Posture Management (CSPM) platforms to verify that workloads on remote data center hardware comply with regulatory statutes for consumer data privacy. CSPM software allows IT departments to audit public cloud resources with continual monitoring.

Cloud Workload Protection Platforms (CWPPs): Features

The key to running private workloads securely on public cloud hardware is to adopt a Cloud Workload Protection Platform (CWPP). Some of the main features provided by CWPPs are:

Enterprise organizations running cloud workloads need continual monitoring of VMs, containers, and serverless operations. Most Cloud Workload Protection Platforms (CWPPs) are developed by firewall, anti-virus, and hybrid cloud specialist companies for interoperability with their wider suite of products. Enterprise software development teams need to build support for unified private, public, and hybrid cloud security policies into their CI/CD pipelines.

The CWPP solutions listed below are the most popular in 2020 for running private workloads on public cloud hardware. The choice of which solution is right for your organization will depend on a combination of licensing cost, platform features, interoperability, system reliability, scalability, and technical support. Use CSPM software to verify remote cloud hardware for compliance.

Top 10 Cloud Workload Protection Platforms (CWPPs)

Check Point CloudGuard IaaS: Provides vulnerability assessment for cloud hardware, VMs, containers, and serverless platforms with automated scanning for malware & virus threats. Works together with the Check Point suite of endpoint and firewall solutions.

Symantec Cloud Workload Protection (CWP): Excellent benchmark testing for cloud workload protection audited for CIS, NIST, SOC2, ISO/IEC, PCI, & HIPAA compliance. Integrates directly with AWS, Microsoft Azure, & Google Cloud for marketplace support.

Trend Micro Deep Security: Cloud runtime security protection that unifies with Trend Micro’s popular endpoint protection and firewall software. This security suite includes dedicated tools for Chef, Puppet, & Ansible to support DevOps pipeline requirements.

VMware Carbon Black Cloud: An integrated EPP & CWP platform that implements AI/ML for network analytics and works with all of VMware’s data center orchestration products. Carbon Black scales to support 1 trillion security event scans per day.

Azure Security Center: Microsoft’s premier security product packaged with Azure Defender to deliver real-time security alerts for cloud workload runtimes with anti-virus, AI-assisted malware detection, and intrusion monitoring from Microsoft threat research.

Palo Alto Networks Prisma Cloud: Available on a subscription basis for AWS, Azure, and Google Cloud with continual monitoring of cloud runtimes and reports on network vulnerabilities. Detect intrusions, suspicious activity, malware, data leaks, and viruses.

Bitdefender GravityZone Security: Risk analytics, full-disk storage encryption, web application firewalls, endpoint security, identity management, email security, anti-virus quarantine, process termination, rollbacks, reporting, and API support for dashboards.

Radware Cloud Workload Protection: Comprehensive cloud security implemented through permission hardening on file access, early identification of intruders, malware and antivirus protection with the continual scanning of cloud workload operations.

Kaspersky Hybrid Cloud Security: Enterprise solutions designed for IT departments with a need for unified security controls on endpoints, public/private cloud resources, and SaaS/PaaS products. Customized cloud runtime protection by industry requirements.

Sophos Central: Use a single pane of glass for the administration of endpoint and firewall security policies with custom rule sets for websites, mobile apps, servers, email, and distributed cloud platforms. Sophos has a strong global reputation for network security.

Cloud Native Application Protection Platforms (CNAPPs)

McAfee’s MVISION is a leading solution for multi-cloud security on the CNAPP model.

Enterprise IT groups are also increasingly adopting Cloud Native Application Protection Platforms (CNAPPs) for better security for private workloads on public cloud architecture. Most CNAPP solutions are designed to scan and protect container runtimes with Kubernetes support.

Hybrid Cloud Solutions for Remote Workload Security

While the CWPPs listed above are ideal for the public cloud security management of remote workloads, many enterprise organizations have adopted a hybrid cloud approach for compliance requirements. The advantage of the hybrid cloud model for cloud workloads is that some admin servers and databases can be operated on-premises with fewer security challenges.  

Third-party integrator solutions optimize private connectivity between public cloud resources, API service providers, and SaaS vendors for increased options on data security measures. 

Recommended AWS Platform Solutions for Hybrid Cloud:

Public cloud environments can be as secure or even more secure than on-premises hardware when IT teams adopt security tools like CWPPs & CNAPPs for the continual monitoring of cloud workload runtime operations. Automate multiple layers of scanning to protect sensitive data from security risks.

About ThorTech Solutions:

ThorTech Solutions specializes in helping companies leverage AWS to drive improved scalability, eliminate bottlenecks, and increase productivity. Our team’s deep experience in managing software development pipelines with AWS public cloud resources allows us to efficiently bring together business and technology to drive innovation in local operations.

Get your free consultation today.
