Traditional solutions still rely on being in the path of traffic, deployed inside the application or operating system, or use network scanning techniques. But in the cloud, application stacks run on abstracted services or PaaS layers, or leverage API-driven services like Amazon’s S3/Redshift/DynamoDB, which render conventional scanning solutions ineffective.
Because legacy security tools were not designed to support API-centric infrastructure, we must now turn to purpose-built tools that can monitor and manage security and compliance along the API control plane. To our advantage, the API allows us to remove the human element from some processes and enables complete visibility, reliable deployments, consistent duplication of environments (development, staging, production), and numerous other forms of consistency that didn’t exist in the legacy datacenter world.
The old security model is unsustainable.
Coupled with the flexibility of the cloud, Agile development and the DevOps movement have accelerated the speed of development cycles. Security teams can no longer depend on pre-deployment scanning, penetration tests, or presence-based discovery methods; instead they will need to rely on automated, API-centric tools that can handle the fire hose of data the cloud produces. DevOps and SecOps need to collaborate, and “security needs to be part of the fabric,” as explained by Shannon Lietz of Intuit.
With more and more people pushing code and making changes to your environment, how can you be certain that they are all adhering to security best practices and policy? The best cloud practitioners are embedding security experts within product teams so they can work side by side from the start. This approach enables DevOps to maintain its rapid pace of innovation while security ensures that risks are mitigated.
Security efforts will have to accelerate because the attacks on cloud environments are becoming more automated and sophisticated every day, and the depth and breadth of these attacks will continue to increase as the value of data being stored in the cloud grows. If defenders don’t get the near-real-time alerting and incident response capabilities in place now, they will be repeatedly victimized by these automated attacks through the control plane.
Traditional network perimeters that only extended to physical firewalls and office locations were much easier to maintain than what we need to defend in the cloud. Your organization’s cloud perimeter may now extend all the way to end-user devices. While leading IaaS providers offer strong security, you need to complement their efforts with cloud-specific controls and monitoring.
Back when IT controlled every component of the data center, from servers to network, admins could control what kind of infrastructure developers could use and when. In today’s services-centric cloud, new storage, databases, networking, machine learning, and more can be spun up on demand and implemented without security administrators even knowing it’s happening. Cloud security tools need to be able to support the ever-growing number of services that modern IT now has available to it.
Real-time & continuous monitoring to detect changes as they happen.
Easily produce compliance reports with latest results from continuous security monitoring.
Automate security throughout every stage of the development and deployment process.
AWS security automation that helps you detect, assess and remediate incidents quickly.
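The near-real-time control-plane alerting described above, and the "detect changes as they happen" monitoring in the list, both come down to evaluating each API call recorded by the provider's audit log as it arrives. The following is an added example, not code from the original post or from any vendor's product: it takes a batch of hand-constructed events shaped like AWS CloudTrail records (eventSource, eventName, requestParameters) and flags three kinds of risky control-plane change, namely a security group opened to the whole internet, an S3 bucket policy that grants access to everyone, and a change to the audit trail itself. The account id, user ARNs, security group id, bucket name and the watchlist of trail-tampering event names are all assumptions made for this example.

```python
"""Added example: flag risky control-plane changes in CloudTrail-style events.

The events below are constructed samples shaped like AWS CloudTrail records.
Account id, ARNs, group id, bucket name and trail name are placeholders.
"""
import json

# Constructed sample batch of control-plane events (CloudTrail-like shape).
SAMPLE_EVENTS = [
    {   # SSH opened to the world on a security group
        "eventTime": "2023-01-01T12:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
        },
    },
    {   # bucket policy that grants read to any principal
        "eventTime": "2023-01-01T12:01:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-bob"},
        "requestParameters": {
            "bucketName": "example-data-bucket",
            "bucketPolicy": {"Statement": [
                {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]},
        },
    },
    {   # audit logging switched off
        "eventTime": "2023-01-01T12:02:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-bob"},
        "requestParameters": {"name": "management-trail"},
    },
    {   # benign change: HTTPS from a private range only
        "eventTime": "2023-01-01T12:03:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]},
        },
    },
]

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Assumed watchlist of events that alter the audit trail itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _world_open_ports(params):
    """Yield (fromPort, toPort) for ingress rules that allow any IPv4/IPv6 source."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for r in ranges:
            if r.get("cidrIp") in WORLD_CIDRS or r.get("cidrIpv6") in WORLD_CIDRS:
                yield perm.get("fromPort"), perm.get("toPort")


def _policy_is_public(policy):
    """True if any Allow statement names everyone as principal."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and public:
            return True
    return False


def evaluate_event(event):
    """Return a finding dict for a risky control-plane change, else None."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    base = {"time": event.get("eventTime"), "eventName": name,
            "actor": event.get("userIdentity", {}).get("arn", "unknown")}
    if name == "AuthorizeSecurityGroupIngress":
        ports = list(_world_open_ports(params))
        if ports:
            return {**base, "severity": "high", "resource": params.get("groupId"),
                    "reason": f"ingress open to the world on ports {ports}"}
    elif name == "PutBucketPolicy":
        if _policy_is_public(params.get("bucketPolicy", {})):
            return {**base, "severity": "high", "resource": params.get("bucketName"),
                    "reason": "bucket policy grants access to Principal *"}
    elif name in TRAIL_TAMPER_EVENTS:
        return {**base, "severity": "critical", "resource": params.get("name"),
                "reason": "audit trail configuration changed"}
    return None


def evaluate_stream(events):
    """Evaluate a batch of events in arrival order and keep only the findings."""
    return [f for f in (evaluate_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in evaluate_stream(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

In a live deployment the same evaluate_event function would be attached to whatever delivers audit events as they are written (an event bus subscription or a log-delivery queue), so the alert fires within the log delivery delay rather than at the next scheduled scan; the trail-tampering rule is the one to treat as an incident on its own, because it removes the visibility every other rule depends on.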