Beyond the Shared Responsibility Model - Best Practices for Cloud Account and Workload Visibility for the Hybrid Cloud - Cavirin

Page created by Leon Larson
Business
English
 
CONTINUE READING
Page content transcription
If your browser does not render page correctly, please read the page content below
Beyond the Shared Responsibility Model - Best Practices for Cloud Account and Workload Visibility for the Hybrid Cloud - Cavirin
Beyond the Shared
Responsibility Model
Best Practices for Cloud Account and Workload
Visibility for the Hybrid Cloud
Beyond the Shared Responsibility Model - Best Practices for Cloud Account and Workload Visibility for the Hybrid Cloud - Cavirin
CyberPosture Intelligence
                                                                                    for Hybrid Clouds

Responsibility Across the Hybrid Cloud
Many organizations now understand the shared responsibility
model, with the major cloud providers going out of their way to
educate their customers and prospects. But it is not as simple as
just drawing a line and stating that the customer’s role is ‘above
                                                                                            Through 2020,
the line’ and the provider’s role is ‘below the line.’ It is different                      95% of cloud
for SaaS, PaaS, and IaaS, and within each, the choice of pro-
vider-based services vs those offered by 3rd parties can seem
                                                                                            security failures
confusing. And, understanding what exactly the different layers                             will be the
of the model entail many times takes an equal analysis of the spe-
cific service in question. Given that organizations are adopting a
                                                                                            customer’s
multi and hybrid cloud approach, the IT team must take into                                 fault.
account the different services and monitoring interfaces across
the different providers, and plan accordingly. Correlating data
                                                                                            Gartner

across multiple clouds, and introducing containers, yet adds
another layer of complexity.

                                                                         © 2022 Cavirin Systems, Inc. All rights reserved.
Beyond the Shared Responsibility Model - Best Practices for Cloud Account and Workload Visibility for the Hybrid Cloud - Cavirin
CyberPosture Intelligence
                                                                                 for Hybrid Clouds

IaaS, PaaS, and SaaS Security
Within IaaS, the enterprise has the most control over their security
                                                                                         By 2018, 60%
posture,responsible for accreditation, certifications, and external
audits. An organization on IaaS has the greatest responsibility                          of enterprises
for securing the bare-metal or virtualized OS, containers, as
                                                                                         that implement
well as their applications and data.
                                                                                         appropriate
Under a PaaS model, the enterprise relies on the cloud provider
for OS security, responsible only for the applications and data,
                                                                                         cloud visibility
and must check that the CSP’s services follow best practices.                            and control tools
Finally, within a SaaS deployment, the application is the service.                       will experience
Though the enterprise itself has less of a security role, SaaS,
                                                                                         one-third fewer
in general introduces additional concerns in that the enterprise
needs assurance that the SaaS operator is following best prac-                           security failures.
tices. Within both PaaS and SaaS, the enterprise relies on their
                                                                                         Gartner
platform or software partners to carry out OS hardening and
maintain compliance.

                                                                      © 2022 Cavirin Systems, Inc. All rights reserved.
Beyond the Shared Responsibility Model - Best Practices for Cloud Account and Workload Visibility for the Hybrid Cloud - Cavirin
CyberPosture Intelligence
                                                                              for Hybrid Clouds

2018 Cloud Security Report Findings

Produced by the Information Security Community on LinkedIn in partnership with Cybersecurity
Insiders, this report highlights how organizations are responding to security threats in the cloud, and
what tools and best practices IT cybersecurity leaders are considering in their move to the cloud.
Some of the findings:

               Cloud security concerns – While adoption of cloud computing continues to surge,
               security concerns are showing no signs of abating. Reversing a multi-year downward
               trend, nine out of ten cybersecurity professionals confirm they are concerned about
               cloud security, up 11 percentage points from last year’s cloud security survey. The top
               three cloud security challenges include protecting against data loss and leakage (67
               percent), threats to data privacy (61 percent), and breaches of confidentiality (53 per-
               cent).

               Biggest threats to cloud security – Misconfiguration of cloud platforms jumped to the
               number one spot in this year’s survey as the single biggest threat to cloud security (62
               percent). This is followed by unauthorized access through misuse of employee creden-
               tials and improper access controls (55 percent), and insecure interfaces/APIs (50 per-
               cent).

               Cloud security headaches – As more workloads move to the cloud, cybersecurity pro-
               fessionals are increasingly realizing the complications to protect these workloads. The
               top three security control challenges SOCs are struggling with are visibility into infra-
               structure security (43 percent), compliance (38 percent), and setting consistent security
               policies across cloud and on-premises environments (35 percent).

                                                                  © 2022 Cavirin Systems, Inc. All rights reserved.
Beyond the Shared Responsibility Model - Best Practices for Cloud Account and Workload Visibility for the Hybrid Cloud - Cavirin
CyberPosture Intelligence
                                                                 for Hybrid Clouds

Legacy security tools limited in the cloud – Only 16 percent of organizations report
that the capabilities of traditional security tools are sufficient to manage security across
the cloud, a 6 percentage point drop from our previous survey. Eighty four percent say
traditional security solutions either don’t work at all in cloud environments or have only
limited functionality.

Public cloud providers have continued to mature and expand their service offerings
– The two biggest cloud providers continue to compete for the lead in our survey:
Amazon Web Services (72 percent) and Microsoft Azure (71 percent). Interestingly,
Rackspace Cloud (67 percent) displaced Google Cloud Platform (54 percent) among
our survey participants to claim third place this year.

Forty percent of organizations primary cloud deployment strategy is a hybrid cloud
– optimizing their investment by integrating multiple cloud providers to work together as
a single, seamless environment. The remaining respondents equally said their cloud de-
ployment of choice is either a single cloud (30 percent) or a non integrated, multi-cloud
solution (30 percent).

                                                   © 2022 Cavirin Systems, Inc. All rights reserved.
Beyond the Shared Responsibility Model - Best Practices for Cloud Account and Workload Visibility for the Hybrid Cloud - Cavirin
CyberPosture Intelligence
                                                                             for Hybrid Clouds

Iaas Best Practices
According to Gartner, the highest revenue growth in 2017 came
from IaaS, which grew by over 35 percent. Here are some of the
best IaaS practices when migrating to the cloud:

•   Use a hardened OS image provided by AWS, CIS, or an off-
    the-shelf image then hardened via one of the CIS benchmarks.

•   Automate the compliance of critical workloads running on the
    OS via a system that can conduct continuous assessments,
    against regulations such as PCI, SOC2, HIPAA, GDPR, and
    others. Mechanize patching and restrict access.

•   Utilize the added layer of security provided by AWS Cloud
    Formation templates for PCI and HIPAA.

•   Confirm network and firewall configuration applying to the
    customer’s AWS account and VPC(s).

•   Ensure proper account, security group, and IAM management.

•   Monitor the various AWS services utilized via CloudTrail,
    CloudWatch, Inspector, or GuardDuty.

•   Set policies correctly based on applications and data, UEBA
    and implement least privilege.

•   Implement data encryption, SLP, secure access, logging, and
    SIM/FIM

                                                                 © 2022 Cavirin Systems, Inc. All rights reserved.
Beyond the Shared Responsibility Model - Best Practices for Cloud Account and Workload Visibility for the Hybrid Cloud - Cavirin
CyberPosture Intelligence
                                                                            for Hybrid Clouds

The Different Shared Reponsibility Models
AWS has broken down the Shared Responsibility of their services into three models: infrastructure ser-
vices, container services and abstract services. Azure and Google Cloud utilize similiar models.

                                                                                      Shared Responsibility
                                                                                     Model for Infrastructure
                                                                                              Services.

                                                                                      Shared Responsibility
                                                                                       Model for Container
                                                                                              Services.

                                                                                      Shared Responsibility
                                                                                        Model for Abstract
                                                                                              Services.

                                                                 © 2022 Cavirin Systems, Inc. All rights reserved.
Beyond the Shared Responsibility Model - Best Practices for Cloud Account and Workload Visibility for the Hybrid Cloud - Cavirin
CyberPosture Intelligence
                                                                              for Hybrid Clouds

Introducing Containers
The Shared Responsibility also applies to container services.                        24 billions
According to AWS, they are responsible for the platform (RDS),
Guest OS, AWS infrastructure, as well as AWS foundation ser-
                                                                                     containers
vices. You are responsible for the data, the firewall rules and                      have been
network access to the container service.
                                                                                     downloaded &
Containers invite the most concerning level of security from                         there has been a
improper deployment and SQL injections. SQL injections are
the insertion of unwanted/malicious code into poorly-designed
                                                                                     77,000% growth
applications and then passed to a backend database. It is the                        in Docker job
customers’ responsibility to ensure that they are following best
practices when introducing containers into their infrastructure.
                                                                                     listings.
                                                                                     DockerCon Europe
                                                                                     October, 2017

Securing the container lifecycle

                                                                  © 2022 Cavirin Systems, Inc. All rights reserved.
Beyond the Shared Responsibility Model - Best Practices for Cloud Account and Workload Visibility for the Hybrid Cloud - Cavirin
CyberPosture Intelligence
                                                                              for Hybrid Clouds

Cloud Security Posture Best Practices
Beyond protecting one’s workloads, ensuring the proper security
posture of the cloud account is critical. This includes not only
locking down account access, but also monitoring any services
consumed for unexpected events that could indicate an attack.
Some best practices, focusing mainly on AWS but extensible to
other providers, include:

•   Comprehensive account level control: MFA, proper credential
    use, monitor and restrict services access, role-based access
    to applications

•   Robust Identity and Access Management (IAM): timeouts,
    password policies, reduce groups in use, terminate inactive or
    unused groups, users, and roles

•   Extensive security groups and network security: confirm proper configuration,
    lock down access to business requirements, network access control lists, restrict uncommon
    ports and unneeded common ports, cross-account access management

•   Ensure Account ‘Hardening: CIS AWS Foundations, Three-tier Web Architecture
•   Continuos Monitoring: CloudWatch, CloudTrail, GuardDuty, active logging, validation, and access
    control, encrypt logs, audit, flow, and access logging

•   Monitor the various AWS services utilized via CloudTrail, CloudWatch, Inspector, and GuardDuty.
•   Utilize Trusted Advisor, particalurly for AWS, to check the state of security groups, permissions,
    IAM use, MFA, as well as EBS and RDS public snapshots.

                                                                   © 2022 Cavirin Systems, Inc. All rights reserved.
Beyond the Shared Responsibility Model - Best Practices for Cloud Account and Workload Visibility for the Hybrid Cloud - Cavirin
CyberPosture Intelligence
                                                                                     for Hybrid Clouds

Beyond The Shared Responsibility Model(s)
The shared responsibility model is a great place to start, but it’s
                                                                                            Data security,
just a starting point for building and securing hybrid workloads.                           compliance/
Enterprises need to leverage the NIST Cybersecurity Framework
(CSF). The NIST CSF provides a good framework as to how to
                                                                                            goverance,
ultimately reach better security, in this case within the Hybrid Cloud,                     and cloud pro-
but leaves it to the organization to decide upon what steps to take,
and how. It also references a wealth of external guidelines and best
                                                                                            vider lock-in
practices but does not dictate which to use and to what extent.                             are the top
Finally, when trying to secure your hybrid cloud environment, it’s
important to adopt a defensive posture. Since data flows through
                                                                                            three cloud
the network as the lifeblood of your business, you now need to                              migration
learn how to adopt an effective CyberPosture that defends you from
today’s security threats.
                                                                                            concerns

Just as it’s important to understand and address the customers                              Bain and Morgan
responsibilities in the shared responsibility models, it’s just as critical                 Stanley, 2016
to seek CyberPosture platforms and tools that verify public cloud
security, protect private cloud assets and workloads, ensure your
compliance audit preparedness and constantly deliver the status of
your CyberPostureto to your CISO in great detail using rapidly
understood dashboards.

                                                                         © 2022 Cavirin Systems, Inc. All rights reserved.
About Cavirin Systems
Cavirin delivers cyberposture intelligence for the hybrid cloud by
providing real-time risk & cybersecurity posture management,
JVU[PU\V\ZJVTWSPHUJLHUKI`PU[LNYH[PUNZLJ\YP[`PU[V+L]6WZ
The Cavirin platform combines automated discovery, infrastructure
risk scoring, predictive analytics, and intelligent remediation to help
organizations of all sizes leverage the cost savings and agility of the
cloud without increasing operational risk or reducing their security
posture. For more information, visit www.cavirin.com or follow us
at www.twitter.com/cavirin.

2114 Ringwood Ave, San Jose, CA
95131 USA
408-200-3544
www.cavirin.com
info.cavirin.com

© 2022 Cavirin Systems, Inc. All rights reserved.
You can also read
State of Enterprise Cloud and Container Adoption and Security - Companies are Quick to Embrace the Cloud, Slow to Secure It - DivvyCloud
State of Enterprise Cloud and Container Adoption and Security - Companies are Quick to Embrace the Cloud, Slow to Secure It - DivvyCloud
DLP @CASB @SD-WAN Protecting your cloud journey - Kfir Mesika Channel Account Manager - Israel & Cyprus - 2o InfoCom ...
DLP @CASB @SD-WAN Protecting your cloud journey - Kfir Mesika Channel Account Manager - Israel & Cyprus - 2o InfoCom ...
The Top 5 Trends for Cloud & Data Centre in 2022 - ECOSYSTM PREDICTS November 2021 - Ecosystm ...
The Top 5 Trends for Cloud & Data Centre in 2022 - ECOSYSTM PREDICTS November 2021 - Ecosystm ...
M/Y CLOUD ATLAS LLOYDS SHIPS AUSTRALIA - 46 m - Mondial Broker
M/Y CLOUD ATLAS LLOYDS SHIPS AUSTRALIA - 46 m - Mondial Broker
NEBRASKA AUDITOR OF PUBLIC ACCOUNTS - Charlie Janssen State Auditor
NEBRASKA AUDITOR OF PUBLIC ACCOUNTS - Charlie Janssen State Auditor
NEXT GENERATION FIREWALL COMPARATIVE REPORT - Fortinet
NEXT GENERATION FIREWALL COMPARATIVE REPORT - Fortinet
Dealing with Technology Evolution: From Policy Development to Implementation Steve Purser| Head of Core Operations CebiT 2017
Dealing with Technology Evolution: From Policy Development to Implementation Steve Purser| Head of Core Operations CebiT 2017
Deutsche Telekom Corporate PKI (DTAG cPKI)
Deutsche Telekom Corporate PKI (DTAG cPKI)
Cyber Security Presenters: Brian Everest, Chief Technology Officer, Starport Managed Services - Susan Pawelek, Accountant, Compliance and ...
Cyber Security Presenters: Brian Everest, Chief Technology Officer, Starport Managed Services - Susan Pawelek, Accountant, Compliance and ...
Autodesk 360: Work Wherever You Are - Safely - Protecting Your Interests While Working on the Web with Autodesk 360
Autodesk 360: Work Wherever You Are - Safely - Protecting Your Interests While Working on the Web with Autodesk 360
BOLSTER YOUR BRAND. BUILD RELATIONSHIPS - BorderSecurityExpo.com - JULY 29, 2021 - Border Security Expo
BOLSTER YOUR BRAND. BUILD RELATIONSHIPS - BorderSecurityExpo.com - JULY 29, 2021 - Border Security Expo
MCAFEE ENTERPRISE PREMIER SUCCESS PLAN
MCAFEE ENTERPRISE PREMIER SUCCESS PLAN
NOTICE OF PRIVACY PRACTICES - Terrebonne General Health System
NOTICE OF PRIVACY PRACTICES - Terrebonne General Health System
An invitation to expanded private club Membership benefits for the Members of Up to Par private golf & country clubs - PRIVATE CLUB and GOLF ...
An invitation to expanded private club Membership benefits for the Members of Up to Par private golf & country clubs - PRIVATE CLUB and GOLF ...
Food for a healthy and active life: New indicators to guide action in the agriculture and food sector - Anna Herforth, Ph.D.
Food for a healthy and active life: New indicators to guide action in the agriculture and food sector - Anna Herforth, Ph.D.
ARubA 130 SERIES ACCESS POINTS - Maximize the performance of mobile devices
ARubA 130 SERIES ACCESS POINTS - Maximize the performance of mobile devices
Summary Report of the Sub-regional Webinars for South, East and Southeast Asia on the Situation Analysis on the Effects of and Responses to ...
Summary Report of the Sub-regional Webinars for South, East and Southeast Asia on the Situation Analysis on the Effects of and Responses to ...
NEWS IN 2017 Key Industry Trends & Tactics - Connexity
NEWS IN 2017 Key Industry Trends & Tactics - Connexity
Sen4CAP Sentinels for CAP monitoring approach - Sen4CAP team European Space Agency, Earth Observation Directorate - Copernicus
Sen4CAP Sentinels for CAP monitoring approach - Sen4CAP team European Space Agency, Earth Observation Directorate - Copernicus
First Report on Severity of Early Blight Disease of Tomato Caused by Alternaria
First Report on Severity of Early Blight Disease of Tomato Caused by Alternaria
The Long Road to Recovery - Indonesia Economic Prospects July 2020 Frederico Gil Sander - Pubdocs.worldbank.org.
The Long Road to Recovery - Indonesia Economic Prospects July 2020 Frederico Gil Sander - Pubdocs.worldbank.org.
2021 TOYOTA RAV4 BUYER'S GUIDE TO THE - FREE EBOOK! - Dealer Inspire
2021 TOYOTA RAV4 BUYER'S GUIDE TO THE - FREE EBOOK! - Dealer Inspire
Are you a Hybrid? Yes, of course, everyone is a Hybrid nowadays! - FedCSIS
Are you a Hybrid? Yes, of course, everyone is a Hybrid nowadays! - FedCSIS
Effect of Subaru EyeSight on pedestrian-related bodily injury liability claim frequencies - IIHS
Effect of Subaru EyeSight on pedestrian-related bodily injury liability claim frequencies - IIHS
Increasing Competition on the Exchanges to Improve Consumer Choice and Affordability - CMS
Increasing Competition on the Exchanges to Improve Consumer Choice and Affordability - CMS
Mapping Maximum Biological Containment Labs Globally
Mapping Maximum Biological Containment Labs Globally
2021 CIGNA HEALTH PLANS - Things to consider when shopping for a plan - UTAH
2021 CIGNA HEALTH PLANS - Things to consider when shopping for a plan - UTAH
10 Best Practices for Google Apps Script - White Stratus May 15, 2014
10 Best Practices for Google Apps Script - White Stratus May 15, 2014
Thank you for joining today's webinar. We will begin promptly at 1:00 pm Central - Rural Health Information Hub
Thank you for joining today's webinar. We will begin promptly at 1:00 pm Central - Rural Health Information Hub
Survey Results on the Relationship between Coping Capability, Family Well-Being, and Innovative Family Services in Times of Adversity
Survey Results on the Relationship between Coping Capability, Family Well-Being, and Innovative Family Services in Times of Adversity
City of Cornwall Fire Services Probationary Firefighter Eligibility List Recruitment 2018
City of Cornwall Fire Services Probationary Firefighter Eligibility List Recruitment 2018
CARPENTRY, JOINERY & FURNITURE COURSE GUIDE - EXPLORE.ENQUIRE.ENROL. TAFENSW.EDU.AU 131 601
CARPENTRY, JOINERY & FURNITURE COURSE GUIDE - EXPLORE.ENQUIRE.ENROL. TAFENSW.EDU.AU 131 601
New York State Department of Financial Services Instructions for the Submission of New York State of Health (NYSOH)- Certified Individual and ...
New York State Department of Financial Services Instructions for the Submission of New York State of Health (NYSOH)- Certified Individual and ...
IOT PROFESSIONAL SERVICES - PART OF THE VODAFONE IOT "ONE STOP SHOP" - GRANDCENTRIX
IOT PROFESSIONAL SERVICES - PART OF THE VODAFONE IOT "ONE STOP SHOP" - GRANDCENTRIX
Hernia & Surgical Reimbursement & Coding Guide - ACell
Hernia & Surgical Reimbursement & Coding Guide - ACell
The Green Party Manifesto 2015 - Easy Read
The Green Party Manifesto 2015 - Easy Read
Taxnotes - Reed Smith LLP
Taxnotes - Reed Smith LLP
MENTAL HEALTH RESPONSES TO COVID-19 PANDEMIC AND IMPLICATIONS FOR SOCIAL WORK - Gov
MENTAL HEALTH RESPONSES TO COVID-19 PANDEMIC AND IMPLICATIONS FOR SOCIAL WORK - Gov
CPPDSM3002A Assist in listing properties for sale
CPPDSM3002A Assist in listing properties for sale
ENROLLMENT APPLICATION - 2022 PPO PLANS CDPHP Medicare Advantage - Y0019_22_16892_C
ENROLLMENT APPLICATION - 2022 PPO PLANS CDPHP Medicare Advantage - Y0019_22_16892_C
Western Region Local Workforce Development Board 2017-2020 Regional Workforce Plan
Western Region Local Workforce Development Board 2017-2020 Regional Workforce Plan
OTRA INFORMACIÓN RELEVANTE - BME Growth
OTRA INFORMACIÓN RELEVANTE - BME Growth
The Right Fit The Edge Mission Services of Hamilton
The Right Fit The Edge Mission Services of Hamilton
Introduction to Oracle Solaris 11.4 Administration
Introduction to Oracle Solaris 11.4 Administration
Customer Engagement Strategy 2016 2020
Customer Engagement Strategy 2016 2020
Customer Service Department 2020 Year End Results
Customer Service Department 2020 Year End Results
Expanded Learning Opportunities Grant Plan - Alameda ...
Expanded Learning Opportunities Grant Plan - Alameda ...
ENROLLMENT APPLICATION - 2021 PPO PLANS CDPHP Medicare Advantage - Y0019_21_13690_File & Use 09022020
ENROLLMENT APPLICATION - 2021 PPO PLANS CDPHP Medicare Advantage - Y0019_21_13690_File & Use 09022020
Wisconsin State Budget training for disability advocates
Wisconsin State Budget training for disability advocates
Health Policy Oversight Committee - Iowa Medicaid Program Updates December 21, 2020
Health Policy Oversight Committee - Iowa Medicaid Program Updates December 21, 2020
We use cookies. Please refer to the Privacy Policy.