Even with all the challenges of securing the cloud, cybersecurity has actually evolved into one of the advantages of migrating to public cloud platforms such as Amazon Web Services (AWS). When you approach cloud security the right way, at least.
That’s the message from 10 cybersecurity startups that provided their perspective on the state of AWS cloud security to VentureBeat this week.
“By approaching cloud security in a cloud-first way, organizations can accelerate how IT aligns to business agility,” said Douglas Murray, CEO at Valtix, in an email.
With the AWS re:Invent 2021 conference taking place this week, the 10 startups shared what they see as the biggest AWS cloud security challenges and how they aim to solve them for customers.
The challenges are all intertwined—but generally break down to struggles with identity management, access controls, and configuration; visibility and detection; complexity and the skills gap; “shared responsibility” confusion; and overall mindset, according to the executives.
VentureBeat has reached out to AWS for comment. The company, which pioneered the concept of cloud infrastructure services, continues to maintain its significant lead in the market with a 33% share as of the third quarter, according to Synergy Research Group. That’s compared to 20% for Microsoft Azure and 10% for Google Cloud.
While many view cloud security as a barrier to cloud migrations, the cloud holds the potential to offer a security advantage for many types of businesses compared to on-premises environments, according to executives at the startups.
Security is “at the forefront of value propositions for the cloud, particularly for organizations that are in the midst of their digital transformation and are not cloud native,” said Or Azarzar, cofounder and chief technology officer at Lightspin, in an email.
Cloud security benefits
Advantages of cloud security can include lower cost and lower demand on resources than on-prem, as well as a more “holistic” approach to security, he said.
“With cloud-native security solutions that provide agentless experiences, organizations can more efficiently stay one step ahead of security requirements, minimize the resources they require to do so, and more effectively scale their solutions,” Azarzar said.
Cloud security solutions also offer something that on-prem offerings never could: “a holistic perspective across the cloud from the infrastructure layer, through to the platform and native services in use, and up to the running microservices in the cloud,” he said.
This means an ability to offer “one platform to fix all issues by connecting everything built for and running in the cloud,” Azarzar said. “Whether it’s a vulnerability generating a new risk, exposed secrets, public assets in risk, or a misconfiguration – just a single pane of glass is needed to remediate the risks that matter most. And [the cloud] reduces the time it would otherwise take to do so.”
Neil MacDonald, a vice president and analyst at Gartner who follows the cloud security market, agrees that security can be a benefit rather than a barrier when it comes to cloud.
Ultimately, “cloud gives us the opportunity to do security right, if we embrace it—and embrace these changes and embrace new tools and processes and mindsets,” MacDonald said during the research firm’s Security & Risk Management Summit — Americas virtual conference last month.
AWS, which announced a number of security enhancements this week at re:Invent 2021, has been upping its game in security for years, executives said.
“AWS and other cloud providers have made huge strides in creating a secure infrastructure baseline, compared to the alternative of manually securing an on-premises infrastructure deployment,” said Sandeep Lahane, founder and CEO of Deepfence.
Still, “while security is increasingly becoming a value proposition of the cloud, new attack vectors targeted at cloud workloads are also on the rise,” Lahane said. “And that is leading to major innovations in this space.”
What follows are five Amazon Web Services cloud security issues that startups are aiming to fix. (Quotes provided via email.)
1. Identity management, access controls, configuration
As enterprises have accelerated their shift to the cloud during the pandemic, struggles with achieving proper identity management, access controls, and configuration have increased, executives said.
A recent survey of cloud engineering professionals found that 36% of organizations suffered a serious cloud security data leak or a breach in the past 12 months, typically the result of misconfiguration.
Within AWS, “configuration can get super complex,” said Shauli Rozen, CEO and cofounder of Armo. “There are so many things that you can do wrong. There are so many things that you can misconfigure. And that’s still—and probably will remain—the biggest challenge for users.”
Many companies find it extremely difficult to implement the right access controls and approvals management processes, in order to both ensure security and enable the engineering teams to be agile, said Manav Mital, CEO and cofounder of Cyral.
“This is especially hard for companies that are embracing data democratization and leveraging their data to build new products and services,” Mital said. “Data that used to sit in a few database servers is now scattered across S3 [Simple Storage Service], Redshift, Snowflake, and a myriad of database services within the AWS platform. And instead of a handful of database administrators, the entire engineering, data, and business teams have access to this data.”
Infamous AWS security issues such as misconfigured S3 buckets still continue to be a problem in some cases, Azarzar said.
“AWS offers four different access options, but the four options don’t necessarily allow you to provide definitive answers to whether your objects are public or not, and which buckets are secure,” he said. “This leaves your organization’s security team in the dark regarding whether your business assets are accessible or not.”
When it comes to securing identities and entitlements, AWS includes an identity and access management (IAM) service that is one of the first things a developer will use when creating an environment, said Shai Morag, CEO of Ermetic.
These are the “ultimate privileged users – people who can literally do anything in your cloud,” he said.
This is OK in the beginning, Morag said. “But the problem is that these identities generally roll over into production where they represent a very high risk.”
The issue of “over-reaching and improperly configured identities and access” is a major one, said Tyler Shields, chief marketing officer at JupiterOne.
This includes the over-extension of authorization and account access, stemming from “not knowing what access is in place at any given time and having policies and tools to automate the detection of asset permissions sprawl,” Shields said.
Other struggles for customers include securing the link between AWS and on-premises systems, specifically around identity management, said Eric Olden, CEO of Strata Identity.
AWS offers capabilities for identity management that are “often more advanced than what customers run on-premises, and this leads to a gap in capabilities between the two worlds,” Olden said.
Addressing the issues
Solutions to these issues can include platforms that bring cyber asset management and governance to a customer’s whole technology landscape, including across identities, cloud instances, containers, and git repositories.
“Understanding the relationship between all of your cyber and cloud assets provides the context to secure your technology stack no matter where it resides,” Shields said.
Cloud IAM solutions that make it simpler to specify who has access to what data, based on the user’s identity, can ensure a consistent security posture across a customer’s data estate.
And identity orchestration software can offer an easier way to upgrade identity management, as well—potentially eliminating the need to rewrite apps.
The key is to enable customers to “secure and govern their data in the simplest way possible,” Mital said.
Meanwhile, specific tools for addressing the issue of S3 bucket misconfigurations are also available, which can reveal which S3 buckets are publicly accessible.
A general rule of thumb: To avoid S3 misconfiguration issues in the future, “try to make the policies for your org as specific as possible,” Azarzar said.
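As an added example (not code from the article or from any of the vendors quoted), the following Python helper shows the kind of check an S3 exposure tool performs against the access options described above: it parses constructed sample bucket policies, flags Allow statements that grant access to any principal without a source restriction, and honours the bucket's Public Access Block setting. The policy contents, bucket name and account id are made up, and the condition-key check is a simplified version of the way AWS decides whether a policy is "public".

```python
import json

# Constructed sample bucket policies (not from the article). The first grants
# anonymous read on every object; the second is scoped to one principal and
# one prefix, in the spirit of "make the policies as specific as possible".
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
SPECIFIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReportsRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/reports-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/reports/*",
    }],
})


def _is_anonymous(principal) -> bool:
    """True when a statement's Principal grants to everyone ("*" or AWS: "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements open to any principal that carry no
    source IP/VPC condition (simplified form of AWS's own 'public' test)."""
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        cond = json.dumps(stmt.get("Condition", {}))
        if not any(key in cond for key in ("aws:SourceIp", "aws:SourceVpc")):
            found.append(stmt.get("Sid", "<unnamed>"))
    return found


def bucket_is_public(policy_json: str, public_access_block: dict) -> bool:
    """Anonymous access requires a public statement AND no RestrictPublicBuckets
    override from the bucket's or account's Public Access Block configuration."""
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(public_statements(policy_json))
```

In practice the policy document and the Public Access Block settings would come from the S3 API for each bucket; the evaluation logic stays the same.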
2. Visibility and detection
A related issue for customers is having a lack of visibility across their AWS environment. “Not knowing what you have” is a common security pitfall with AWS usage, startup executives told VentureBeat.
Of course, “knowing what you have is a fundamental building block for cybersecurity in general,” Shields said. But rapid cloud adoption has meant an “exponentially expanding size of the threat landscape,” he said.
Customers need to have some form of runtime visibility and protection to mitigate exposure from exfiltration, web attacks, malware, lateral movement, or other exploit attempts, Murray noted.
With tools for discovering all assets and gaining real-time visibility into a customer’s cloud environment, customers can understand their risks and prioritize threats, executives said.
For instance, by scanning a customer’s entire cloud environment and making connections between the findings and their potential impact on the business, customers can intelligently prioritize what to tackle in security, executives said.
Improving visibility helps to enable detection of attacks as they’re happening in an AWS environment.
In AWS, “the biggest challenge that has yet to have proper solutions is with detection of cyber attacks at runtime,” said John Morgan, CEO at Confluera. “Many organizations have gaps in being able to detect and remediate threats during runtime in AWS as well as other cloud infrastructures.”
With the ephemeral nature of cloud environments like AWS, as well as cyberattacks designed specifically for the cloud, there is “less than adequate security coverage from traditional security solutions,” Morgan said. “Tracking cyber threats in the cloud is impossible for many organizations.”
And when it comes to runtime security observability, “no cloud provider has a capable solution [with the ability] to tell the story of an attack as it unfolds,” Lahane said.
Platforms for cloud extended detection and response (XDR), cloud network security, cloud-native security observability, and automated security operations are among the options for addressing this issue of AWS visibility and detection.
AWS itself provides some security monitoring capabilities, such as AWS Detective and AWS GuardDuty, “but these services are not able to integrate the customer organization context,” said Augusto Barros, vice president at Securonix.
Available capabilities for deeper detection that fall outside what AWS offers can include performing traffic inspection at a per process level at runtime; tracking of events such as file system and resource access anomalies; and correlation of threats with runtime signals.
3. Complexity and the skills gap
The complexity of security settings and privileges management in the cloud is something that “always becomes a problem to organizations adopting cloud services,” Barros said.
The lack of specialized skills, meanwhile, makes it even harder to ensure the appropriate security posture is applied, he said.
“The most common challenge these days is keeping up with the complexity of the security settings, exacerbated by the skills shortage. Many vulnerabilities are the result of lack of understanding the effect of certain settings and no visibility of all the utilized resources,” Barros said.
“The other major factor is that cloud services are also exposed to new threat scenarios,” he said. “Some security teams have good awareness of the threat scenarios a traditional IT environment faces, but they often lack the understanding of new threat scenarios that only exist in cloud environments.”
With moving to cloud environments such as AWS, there is frequently a need to relearn how to use the underlying technology, as well as to learn how to utilize the vendor-specific APIs and use cases, Lahane said.
A related issue is the “inevitable” outcome of users breaking the rules and using unsanctioned shadow IT, he said.
“Smart developers are constantly bumping up against the limitations of a particular process or procedure, and are reluctant to learn a specific implementation when they can ‘build it themselves,’” Lahane said. “We often see examples of individual teams [using] alternative secret stores, SSH tunnels, over-privileged accounts, use of third-party services. But the security team is unaware. Rule-breaking measures that cannot be seen, cannot be secured.”
4. “Shared responsibility” confusion
An underlying issue for many of the other challenges with AWS is misunderstanding and confusion about the “shared responsibility” model that underpins the use of public cloud.
The shared responsibility model—a concept that is not unique to AWS—divvies up who is responsible for what when it comes to security. AWS summarizes its share of the responsibility as the “security of the cloud,” including the infrastructure such as compute, storage, and networking. Customers are responsible for everything else—i.e., the “security in the cloud.”
“AWS will not take responsibility for your mistakes, your misconfigurations, your vulnerabilities, or things that you did not do right. They take care of the infrastructure and the security of the cloud,” Rozen said.
However, the shared responsibility model “isn’t always straightforward,” Murray said. “And it gets more confusing as enterprises use a variable application architecture in the cloud using IaaS, PaaS, and managed services to build their applications in the cloud. Many of the gray areas of shared responsibility are where we’ve seen recent security incidents. In the end, much of the security for workloads running in the public cloud is on the customer.”
There has been some improvement in this regard lately, however, according to Barros. “The lack of understanding of the shared responsibility model is still there, but it’s getting better,” he said.
Ultimately, the role of cybersecurity vendors is to help “fulfill the shared responsibility model,” including by providing customers with “more advanced pure play security measures which are outside the scope of cloud providers,” Lahane said.
“Everybody understands that it is the customers’ responsibility to protect applications and data,” Morag said. “But breaking that down into concrete projects and daily tasks is not trivial. There are hundreds of services in AWS, and hundreds of different security tools, both native and third party.”
Customers can find it difficult to know where to begin, and which projects to prioritize, he noted.
“Fortunately, a new generation of cloud security platforms strive to provide a holistic view of risk across the environment, and identify the scenarios that pose the greatest threat,” Morag said.
5. Overall mindset
The final AWS security issue is a tougher one for cloud security vendors to address—but still one that needs to be recognized.
“The primary security challenge customers moving to AWS face is one of mindset. Do they see AWS as an extension of their datacenter or do they view cloud security requirements as different?” Murray said.
“For customers who see AWS as an extension of their data center, most try to bring the same on-prem tools to the cloud,” he said. “This lift and shift approach, in the best case, can lead to a lengthy project and security blindspots. In the worst case, lift and shift leads to potential for security errors that could lead to incidents, as many aspects are manual and difficult to automate.”
The flip side is that many customers might attempt to build a completely native security stack in AWS, he said.
“In this case, these organizations face a dilemma of having to stitch together many different capabilities to create a good enough security stack,” Murray said.
The bottom line, though, is that cloud-native security solutions can abstract much of the security complexity that can be introduced by cloud initiatives, he said.
“Security tasks and rollouts that might have taken weeks to complete before can now be automated and delivered in minutes,” Murray said. “Better security operations leads to better security outcomes through more complete coverage of the environment— and much less likelihood that configuration errors can lead to incidents.”