How to achieve secure, flexible and scalable IaaS - Bitglass
Article by Bitglass CTO Anurag Kahol
In today's cloud-first world, more and more enterprises are utilising infrastructure as a service (IaaS) to enhance their operations.
IaaS offerings like AWS, GCP and Azure allow enterprises to focus on business growth, gain flexibility and scalability, and to achieve significant cost savings.
However, while using IaaS brings many advantages, it also raises unique data leakage concerns that must be addressed in order to maintain robust cybersecurity.
There are three cornerstones of security for those considering IaaS platforms, and the use of cloud access security brokers (CASBs) can help to ensure that sensitive data to remain protected at all times.
The building blocks of IaaS security
1. Data at rest
IaaS platforms house massive volumes of sensitive data that can become vulnerable to theft unless proper controls are in place. Threats to this data at rest typically fall into two categories:
- External attacks that infiltrate the cloud environment and often stem from the abuse of compromised credentials.
- Insider threats that entail malicious or rogue employees accessing or exfiltrating sensitive data from within.
To maintain security in both of these scenarios, organisations must first confirm that they can accurately detect sensitive data patterns at rest.
They must then ensure that robust controls are placed around the data at all times.
2. Custom applications
Enterprises today often use IaaS platforms to build internally and externally facing custom apps that are used by their employees, customers, partners, and more.
Many organisations do this because they wish to have niche tools that are not readily available off-the-shelf in a SaaS format, and also because they want greater control over their apps and the underlying cloud infrastructure.
Yet together with the increase in control comes a greater level of responsibility for security.
When using SaaS apps in the cloud, it is the app vendor who assumes responsibility for ensuring that the app and the underlying infrastructure are properly configured and secured.
For IaaS customers, this responsibility falls to them.
As a result, often they aren’t secured properly, leaving them vulnerable to attack unless access is properly safeguarded.
3. Cloud Security Posture Management (CSPM)
To protect data at rest and the applications that access it, organisations must ensure that underlying IaaS settings are correctly configured for continuous security, as well as for compliance with frameworks like the CIS Benchmark, HIPAA, and PCI DSS.
Accomplishing this requires an effective cloud security posture management (CSPM) solution that can analyse an enterprise’s IaaS instances and check for misconfigurations.
In something like AWS, these misconfigurations can take a variety of forms: for example, multi-factor authentication not being enabled for users, CloudTrail being disabled, or public-facing S3 buckets.
Time and again, these issues expose sensitive data that may not be protected or encrypted, enabling unauthorised access and a host of other headaches for the enterprise and its data subjects.
Keeping sensitive data safe
While the challenges surrounding IaaS can seem varied and complex, there are highly effective security solutions available that offer the all-in-one protection that enterprises seek.
Chief amongst them is the cloud access security broker (CASB), which secures data at rest and proxies traffic between end users and the cloud, providing a central point of visibility and control for any IaaS platform.
CASBs offer a variety of helpful capabilities.
For example, encryption which renders data at rest completely unreadable and indecipherable to external prying eyes as well as unauthorised internal personnel. Unless an authorised user is accessing the application securely through the CASB, they will see nothing but meaningless encrypted pointers, significantly reducing the risk of data exfiltration.
Select CASBs also provide the real-time, inline protections necessary for securing access to custom applications.
For example, leading agentless CASBs boast advanced threat protection (ATP) that can halt the upload of malware from any device, as well as contextual access control, which governs data access by a variety of factors, including users’ geographic locations, device types, job functions, and even behaviours in real-time.
Finally, some CASB vendors also incorporate CSPM capabilities into their solutions.
In this way, they can find misconfigurations, notify admins and tell them how issues can be fixed.
Leading CASBs also offer automatic remediation of uncovered issues, providing the continuous assessment and compliance monitoring that companies need when making use of IaaS.
While the benefits of migrating to an IaaS environment are clear, enterprises contemplating the move must consider the security implications of doing so, and take steps to address them before it’s too late.
While this can seem daunting, the careful deployment of technologies such as CASBs allows enterprises to enjoy the myriad of benefits that the cloud has to offer – all while remaining confident that corporate data and IT resources are fully protected.