
White Paper

Cloud Security
Convergence Report:
How Control Models for
a Robust Cloud Security
Stack Are Changing
Written by Matt Bromiley
December 2024

©2024 SANS™ Institute


Cloud Security Evolution
As cloud adoption continues to accelerate, organizations face a threat landscape that is ever-
increasing in complexity and scale. The benefits of cloud computing, scalability and cost
efficiency, come with a rapidly expanding attack surface. Many organizations now maintain
multicloud and/or hybrid environments, containerized applications, and ephemeral workloads.
Over the years, these architectures have introduced new challenges that traditional “legacy”
security measures were unable to address effectively.

In response, the cybersecurity industry is witnessing a shift in the world of cloud security.
Today, cloud-native and cloud-first technologies thrive, converging into unified platforms. These
technologies include:

• Cloud-native application protection platforms (CNAPPs)

• Cloud security posture management (CSPM)

• Cloud workload protection platforms (CWPPs)

These integrated solutions offer simplified operations and enhanced visibility, and bolster
security postures across complex cloud ecosystems.

In this white paper, we will explore this shift in cloud security. We aim to examine the
evolution of security controls, emerging trends that are driving this cloud convergence, and
critical capabilities that security teams must adopt to stay secure in 2025 and beyond. By
understanding the intersection of CNAPPs, CSPM, and CWPPs, security leaders can position their
organizations to confidently navigate cloud complexities.

As cloud adoption grew, security teams found themselves struggling to cope with even simple
security measures in cloud environments. A consistent point of failure in cloud environments
has been misconfigurations. According to Gartner, by 2025, 99% of cloud security failures will
stem from misconfigurations rather than security vulnerabilities.1

Cloud computing requires that organizations secure their data, applications, and
configurations, while cloud service providers manage the underlying infrastructure. This marks
yet another shift in security and technology needs.

The Convergence of Security Platforms


The journey of cloud security is one that has reflected the revolution of IT environments over
the past two decades. In the early days of enterprise security, the idea of a “perimeter” was
centralized. Security strategies and tech stacks revolved around well-defined boundaries that
separated trusted, internal networks from untrusted external traffic. This yielded a plethora of
tools and technologies that became central to many security strategies.

However, with the growth and adoption of cloud computing, this “perimeter-focused” model
was disrupted. Organizations began migrating workloads to the cloud, drawn to the promise of
scalability, cost efficiency, and operational flexibility. Yet far too often, organizations have
attempted to simply “migrate” perimeter-based defenses to the cloud and expected the same
result. Unlike on-prem, centralized systems, cloud environments are inherently dynamic and
decentralized, relying on (1) elasticity, (2) global reach, and (3) third-party dependencies.

Traditional, perimeter-based tools simply don’t cut it for cloud-enhanced environments.

1 “Is the Cloud Secure?” Gartner, October 2019, www.gartner.com/smarterwithgartner/is-the-cloud-secure

Cloud Security Convergence Report: How Control Models for a Robust Cloud Security Stack Are Changing 2
Hybrid and Multicloud Security Complexity
The rise of hybrid and multicloud environments only adds to the complexity of the
security landscape. According to Flexera’s 2024 State of the Cloud Report,2 89% of
enterprises utilize multicloud strategies with 73% maintaining hybrid-cloud environments.
Although these architectures may offer flexibility and redundancy, they also introduce
complex security challenges, including the following:

• Visibility gaps can stem from monitoring assets across multiple clouds, requiring
consolidating data from diverse telemetry sources.

• Operational burdens force security teams to manage tools tailored to each
environment, increasing overhead and reducing efficiency.

• Policy fragmentation is natural, because cloud providers have unique security
models and APIs, making it difficult to maintain consistent controls.

Recognizing these challenges, the security industry developed cloud-native security
solutions. These tools and platforms take a cloud-native approach to security to address
the unique demands of cloud environments. Some of the key platforms and tools include:

• Cloud security posture management (CSPM)—Designed to detect and remediate
misconfigurations in cloud environments, CSPM tools continuously monitor
compliance with security benchmarks, best practices, and regulatory standards.

• Cloud workload protection platforms (CWPPs)—With their focus on securing
workloads such as virtual machines, containers, and serverless applications, CWPPs
provide deep visibility and advanced threat detection.

• Cloud-native application protection platforms (CNAPPs)—These combine workload
protection, posture management, runtime security, and DevOps/DevSecOps
integrations into a single, unified platform.

Cloud-native tools and platforms also represent a shift from reactive to proactive
security, emphasizing automation, integration, and real-time visibility. Recognizing that
the largest risks posed to cloud environments stem from the users themselves, gaining
visibility and insight is a critical step to minimizing internal risk while defending against
external attacks.

Like most technologies today, cloud security reaps the benefits of technological
advancements. The evolution of cloud-first security is not static. Often, cloud-native
security products progress at the same rate as cloud platforms, taking advantage of
scalability, quick implementations, and strong DevSecOps practices.

2 “2024 State of the Cloud Report,” Flexera, https://info.flexera.com/CM-REPORT-State-of-the-Cloud

Key advancements in cloud-native security technologies include:

• Artificial intelligence (AI) and machine learning (ML)—Cloud security tools are
increasingly leveraging the explosion of AI to identify anomalies, predict threats, and
automate responses.

• Zero trust architectures—As organizations adopt zero trust principles, across private
and public sectors, access management in cloud environments is critical. Cloud-
native tools help implement and supervise these needs.

• Shift-left security—Embedding security into the development life cycle minimizes
internal risks, such as misconfigurations, and ensures that vulnerabilities are
addressed before deployment.

The evolution of cloud security has culminated in the need for integrated platforms
capable of addressing multiple aspects of security within a single solution. This
convergence of CNAPPs, CSPM, and CWPPs reflects the growing demand from any security
team: simplicity, efficiency, and comprehensive protection in the face of fragmented and
dynamic landscapes.

Security Controls and Coverage


As previously mentioned, securing cloud environments requires a comprehensive approach
that addresses the entire life cycle of cloud-native applications, from development to
deployment to runtime. Unified security platforms enable organizations to manage risks
effectively, ensure compliance, and maintain operational confidence. Let’s examine some of
the core areas of security coverage provided by CNAPPs, CWPPs, and CSPM.

Pipeline Security
The adoption of DevOps and continuous integration/continuous delivery (CI/CD) processes
has accelerated software development cycles but also increased the attack surface. CI/CD
pipelines have become attractive targets for attackers seeking to inject malicious code or
compromise application dependencies.

Key capabilities for security teams include:

• Code scanning—Automated tools analyze source code for vulnerabilities, insecure
dependencies, and potential compliance issues.

• Credential management—Security checks identify and mitigate risks posed by hard-
coded secrets, such as API keys and access tokens.

• Pipeline integration—Security processes are embedded directly into CI/CD workflows,
ensuring vulnerabilities are detected before deployment.

A development team that integrates automated checks into its CI/CD pipeline can quickly
identify risks and remediate code vulnerabilities early in the development life cycle,
reducing the risk of exposure in production.
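The three pipeline capabilities above can be combined into a single merge gate. The following is an added example written for this page, not code from the SANS paper or from any CNAPP vendor: it scans source text for a known credential format (the AWS access key ID prefix) and for high-entropy literals assigned to secret-looking names, and fails the build if anything is found. The sample repository contents, the `# nosecret` allowlist marker, and the entropy threshold are assumptions of the example; the AKIA value is the placeholder key from the AWS documentation, not a live credential.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Known-format credential: AWS access key IDs are "AKIA" followed by 16 uppercase
# alphanumerics. Other providers' key formats would be added as further patterns.
KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Generic credential: a secret-looking name assigned a quoted literal of 8+ chars.
# No leading \b, so names such as DB_PASSWORD or slack_token still match.
ASSIGN_RE = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)

# Values that are clearly placeholders, not live credentials.
PLACEHOLDERS = {"changeme", "xxxxxxxx", "<redacted>", "example"}
ENTROPY_THRESHOLD = 3.5  # bits/char; random-looking tokens score well above this
ALLOW_MARKER = "# nosecret"  # assumed in-repo convention for reviewed false positives


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    snippet: str  # redacted on purpose: CI logs are a secret-leak channel too


def shannon_entropy(value: str) -> float:
    """Bits per character: ~4.7 for a random 27-char token, ~2.8 for 'changeme'."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:]


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARKER in line:
            continue
        for m in KEY_ID_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", redact(m.group(1))))
        for m in ASSIGN_RE.finditer(line):
            value = m.group(2)
            if value.lower() in PLACEHOLDERS or value.startswith("${"):
                continue  # placeholder, or a template variable resolved at deploy time
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy_secret", redact(value)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def gate(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Pipeline gate: returns (passed, findings). Any finding fails the build."""
    findings = scan_repo(files)
    return (not findings, findings)


# Constructed sample repository (path -> file contents).
SAMPLE_REPO = {
    "app/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = "changeme"\n'
        'API_TOKEN = "${API_TOKEN}"\n'
    ),
    "deploy/settings.yaml": 'slack_token: "xoxb-9f3K7qL2mN8pR4sT6vW1yZ"\n',
    "tests/fixtures.py": 'password = "hunter2hunter2"  # nosecret\n',
}

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_REPO)
    for f in findings:
        print(f"{f.path}:{f.line} {f.kind} {f.snippet}")
    raise SystemExit(0 if passed else 1)
```

Redacting the match before it reaches the build log matters: CI logs are often readable across an organization and are a common second leak. The entropy threshold is a heuristic; a reviewed false positive is silenced with the marker on that line rather than by lowering the threshold for the whole repository.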

Workload Protection: Securing VMs, Containers, and Serverless Functions
Cloud workloads—whether virtual machines, containers, or serverless functions—are the
backbone of cloud-native environments. Each workload type introduces unique security
challenges that require robust monitoring and threat detection mechanisms.

Key capabilities for security teams include:

• Endpoint security for workloads—Behavioral analysis and anomaly detection are
employed to identify unusual activity across workloads.

• Container security—Runtime monitoring ensures that containerized applications
operate within expected boundaries, preventing unauthorized actions and malicious
execution.

• Serverless function protection—Automated configuration checks verify that
serverless functions adhere to security best practices.

Organizations running containerized applications in cloud environments cannot rely
on typical endpoint-centric strategies. Containers are often ephemeral, designed for
demand-based scalability. With technologies like runtime monitoring, container-focused
threats can be identified and quickly contained (no pun intended!) before they can impact
performance or costs.

Cloud Environment Configuration: Managing Complexity and Preventing Misconfigurations
Misconfigurations are one of the leading causes of data breaches in the cloud, often
resulting from overly permissive access controls or improper resource configurations.
Continuous monitoring of cloud environments can help organizations stay secure and
remain compliant.

Key capabilities for security teams include:

• Configuration auditing—Automated tools assess cloud resources against security
benchmarks, identifying and prioritizing deviations from those benchmarks.

• Compliance monitoring—Continuous assessments ensure adherence to industry
standards and regulatory frameworks.

• Change detection—Alerts for configuration changes that deviate from approved or
business-centric settings enable quick remediation by DevSecOps team(s).

Organizations utilizing configuration management and alerting can quickly identify
when resources are deployed with too high or out-of-policy permissions. Automated
configuration monitoring can quickly alert the security team, who can issue corrective
actions before the misconfiguration becomes a data breach.

Infrastructure as Code: Securing Deployments by Design
Infrastructure as code (IaC) allows organizations to define and deploy cloud resources
programmatically. This improves efficiency, but a misconfiguration in a template is
replicated in every deployment made from it. Securing IaC ensures that such weaknesses are
addressed prior to deployment.

Key capabilities for security teams include:

• Template scanning—Automated validation tools check IaC templates for insecure
configurations and potential vulnerabilities.

• Policy enforcement—IaC and deployment policies can be codified to ensure that all
deployed resources meet organization requirements and standards.

• Drift management—Continuous monitoring also detects deviation between
deployed resources and defined configurations.

Organizations using IaC to deploy cloud infrastructure can utilize automated tools to
examine build templates and identify weaknesses such as misconfigurations or insecure
access controls. Furthermore, standardized IaC practices can help eliminate shadow cloud
deployments that may cause further security concerns.
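The configuration-auditing and change-detection capabilities in the previous section and the template-scanning and drift-management capabilities here share one mechanism: a rule set codified once and evaluated against whatever resource model is at hand. The following added example (written for this page; not code from the paper or from any CSPM or IaC product) runs the same four rules over an IaC template before deployment and over the deployed inventory afterwards, then reports drift between the two, including the unmanaged "shadow" resource the text mentions. The resource schema, attribute names, rule names, and sample inventory are constructed for this example and do not follow any provider's API.

```python
from dataclasses import dataclass
from typing import Any, Callable

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}
MGMT_PORTS = {22, 3389}
ANY_IPV4 = "0.0.0.0/0"

Resource = dict[str, Any]  # constructed schema: {"type": ..., <attributes>}


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str


@dataclass(frozen=True)
class Drift:
    resource: str
    attribute: str  # "(unmanaged)": only in the account; "(missing)": only in the template
    intended: Any
    actual: Any


def public_bucket(r: Resource) -> bool:
    return r["type"] == "bucket" and r.get("public_read") is True


def admin_wildcard(r: Resource) -> bool:
    return r["type"] == "iam_policy" and any(
        s["effect"] == "Allow" and s["action"] == "*" and s["resource"] == "*"
        for s in r.get("statements", [])
    )


def mgmt_port_open_to_world(r: Resource) -> bool:
    return r["type"] == "security_group" and any(
        i["cidr"] == ANY_IPV4 and i["port"] in MGMT_PORTS for i in r.get("ingress", [])
    )


def unencrypted_volume(r: Resource) -> bool:
    return r["type"] == "volume" and not r.get("encrypted", False)


# The rule set is the "benchmark": codified once, run both pre- and post-deploy.
RULES: list[tuple[str, str, Callable[[Resource], bool]]] = [
    ("bucket-public-read", "critical", public_bucket),
    ("iam-admin-wildcard", "critical", admin_wildcard),
    ("sg-mgmt-port-open-to-world", "high", mgmt_port_open_to_world),
    ("volume-unencrypted", "medium", unencrypted_volume),
]


def audit(resources: dict[str, Resource]) -> list[Finding]:
    """Run every rule over every resource; worst severity first, then by name."""
    findings = [
        Finding(name, rule, sev)
        for name, res in resources.items()
        for rule, sev, check in RULES
        if check(res)
    ]
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.resource))


def drift(template: dict[str, Resource], deployed: dict[str, Resource]) -> list[Drift]:
    """Compare what the IaC declares with what is actually deployed."""
    out = []
    for name, intended in template.items():
        actual = deployed.get(name)
        if actual is None:
            out.append(Drift(name, "(missing)", intended, None))
            continue
        for attr, value in intended.items():
            if actual.get(attr) != value:
                out.append(Drift(name, attr, value, actual.get(attr)))
    for name in deployed.keys() - template.keys():
        out.append(Drift(name, "(unmanaged)", None, deployed[name]))
    return out


# Constructed sample inventory: what the template declares vs. what the account contains.
TEMPLATE = {
    "assets-bucket": {"type": "bucket", "public_read": False, "versioning": True},
    "web-sg": {"type": "security_group", "ingress": [{"cidr": ANY_IPV4, "port": 443}]},
    "ci-role-policy": {"type": "iam_policy", "statements": [
        {"effect": "Allow", "action": "storage:GetObject", "resource": "assets-bucket/*"}]},
    "db-volume": {"type": "volume", "encrypted": True},
    "logs-volume": {"type": "volume", "encrypted": False},  # caught before deploy
}
DEPLOYED = {
    "assets-bucket": {"type": "bucket", "public_read": True, "versioning": True},  # drifted
    "web-sg": {"type": "security_group", "ingress": [
        {"cidr": ANY_IPV4, "port": 443}, {"cidr": ANY_IPV4, "port": 22}]},  # drifted
    "ci-role-policy": TEMPLATE["ci-role-policy"],
    "db-volume": {"type": "volume", "encrypted": True},
    "logs-volume": {"type": "volume", "encrypted": False},
    "debug-admin-policy": {"type": "iam_policy", "statements": [  # shadow resource
        {"effect": "Allow", "action": "*", "resource": "*"}]},
}

if __name__ == "__main__":
    for f in audit(TEMPLATE):
        print("pre-deploy", f)
    for f in audit(DEPLOYED):
        print("deployed  ", f)
    for d in drift(TEMPLATE, DEPLOYED):
        print("drift     ", d)
```

Running the same rules before and after deployment is what makes the pre-deploy check meaningful: a rule that exists only in the IaC scanner says nothing about a change made in the console later. The drift output is the change-detection feed and the audit output is the posture feed; because the rule names are shared, a deployed finding can be traced back to the template that should have prevented it. This same codified-rule pattern is what the policy-as-code discussion later in the paper refers to.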

Runtime Security: Monitoring and Responding to Active Threats


Even with preventive measures in place, real-time detection and response capabilities
are critical for mitigating active threats. Runtime security, for cloud workloads, focuses
on monitoring resources and applications in production. Detections can identify
malicious adversary activity, suspicious behavior, and other potential issues that may
lead to a compromise.

Key capabilities for security teams include:

• Anomaly detection—Behavioral analytics identify deviations from normal activity,
such as unexpected process execution or unauthorized access attempts.

• Intrusion prevention—Runtime tools can automatically block malicious activity, such
as unauthorized file modifications or privilege escalation attempts.

• Incident investigation(s)—Integrated forensic and response tools enable teams to
quickly analyze the root cause of incidents and respond effectively.

Organizations with cloud-native or hybrid cloud environments can utilize active runtime
monitoring to detect unusual behavior in applications, such as processes attempting to
access sensitive files or execute commands. Runtime monitoring tools can automatically
detect these actions and start containment measures.
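The runtime behaviour described above (a process reading sensitive files or executing commands, followed by containment) can be demonstrated with a small baseline-versus-observed detector. This is an added example written for this page, not code from the paper or from any CWPP product: per-image baselines list the executables and outbound destinations a workload is expected to use, and each event is checked against them. The event schema, the baselines, the image and container names, and the telemetry records are all constructed; a real deployment would feed the same logic from an eBPF or audit sensor and drive the containment action through the orchestrator or cloud API.

```python
from dataclasses import dataclass, field
from typing import Any, Optional

Event = dict[str, Any]  # constructed schema, see EVENTS below
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}
# Containment action per severity; a real tool would call the orchestrator here.
ACTIONS = {"critical": "kill-process-and-isolate", "high": "isolate-network", "medium": "notify"}


@dataclass
class Baseline:
    """What a workload built from a given image is expected to do."""
    processes: set[str]  # executables that legitimately run
    egress: set[str]     # permitted outbound host:port pairs
    sensitive_paths: set[str] = field(
        default_factory=lambda: {"/etc/shadow", "/root/.ssh", "/var/run/secrets"})


@dataclass(frozen=True)
class Alert:
    container: str
    rule: str
    severity: str
    evidence: str


# Constructed baselines keyed by image: learned in staging or declared by the owning team.
BASELINES = {
    "web:1.4": Baseline({"nginx", "nginx-worker"}, {"api.internal:8443"}),
    "api:2.0": Baseline({"python3", "gunicorn"}, {"db.internal:5432", "cache.internal:6379"}),
}


def evaluate(ev: Event) -> Optional[Alert]:
    """Check one event against the baseline for its image."""
    base = BASELINES.get(ev["image"])
    c = ev["container"]
    if base is None:  # a visibility gap is itself worth an alert
        return Alert(c, "no-baseline", "medium", f"image {ev['image']} has no baseline")
    if ev["type"] == "exec" and ev["exe"] not in base.processes:
        if ev["exe"] in SHELLS:
            return Alert(c, "shell-spawned", "critical", f"{ev['parent']} -> {ev['exe']}")
        return Alert(c, "unexpected-process", "high", f"{ev['parent']} -> {ev['exe']}")
    if ev["type"] == "open" and any(ev["path"].startswith(p) for p in base.sensitive_paths):
        return Alert(c, "sensitive-file-access", "critical", f"{ev['exe']} read {ev['path']}")
    if ev["type"] == "connect" and ev["dst"] not in base.egress:
        return Alert(c, "unexpected-egress", "high", f"{ev['exe']} -> {ev['dst']}")
    return None


def detect(events: list[Event]) -> list[Alert]:
    return [a for a in map(evaluate, events) if a is not None]


def containment_plan(alerts: list[Alert]) -> dict[str, str]:
    """Strongest action per container, so a critical alert is never downgraded by a later one."""
    worst: dict[str, str] = {}
    for a in alerts:
        cur = worst.get(a.container)
        if cur is None or SEVERITY_RANK[a.severity] > SEVERITY_RANK[cur]:
            worst[a.container] = a.severity
    return {c: ACTIONS[s] for c, s in worst.items()}


# Constructed telemetry in the shape a sensor might emit. 203.0.113.0/24 is the
# TEST-NET-3 documentation range, used here as a stand-in for an attacker host.
EVENTS = [
    {"container": "web-7c9d", "image": "web:1.4", "type": "exec", "exe": "nginx-worker", "parent": "nginx"},
    {"container": "web-7c9d", "image": "web:1.4", "type": "exec", "exe": "sh", "parent": "nginx-worker"},
    {"container": "web-7c9d", "image": "web:1.4", "type": "open", "exe": "sh", "path": "/etc/shadow"},
    {"container": "web-7c9d", "image": "web:1.4", "type": "connect", "exe": "sh", "dst": "203.0.113.45:4444"},
    {"container": "api-1f2a", "image": "api:2.0", "type": "exec", "exe": "gunicorn", "parent": "python3"},
    {"container": "api-1f2a", "image": "api:2.0", "type": "connect", "exe": "gunicorn", "dst": "db.internal:5432"},
    {"container": "batch-0a1", "image": "batch:0.9", "type": "exec", "exe": "python3", "parent": "containerd-shim"},
]

if __name__ == "__main__":
    alerts = detect(EVENTS)
    for a in alerts:
        print(f"{a.container:10} {a.severity:8} {a.rule:22} {a.evidence}")
    print(containment_plan(alerts))
```

Because containers are ephemeral, the baseline is keyed by image rather than by container instance; a new replica inherits the expected behaviour of its image with no warm-up, and a workload with no baseline at all is reported as a gap rather than silently ignored.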

Bringing It All Together: Unified Security Platforms
Unified platforms bring together critical controls, offering centralized visibility, improved
threat detection, and streamlined workflows. By integrating workload protection,
configuration management, IaC validation, and runtime security, organizations can find
several benefits to enhance their security posture.

Key capabilities for security teams include:

• Comprehensive coverage—Unified platforms offer security across all aspects of
cloud-native environments, from development pipelines to deployed workloads.

• Operational efficiency—Centralized dashboards and automated workflows provide
simplified management.

• Enhanced threat detection—Improved correlation of data from multiple sources
leads to faster and more accurate detection of risks.

Unified platforms can provide the convergence that security teams need to address cloud-
focused risks. Expanding beyond the perimeter requires tools and platforms that also step
outside of the perimeter.

Looking Ahead
Effective cloud security requires that organizations be able to correctly use the available
tools and platforms. Cloud-native tooling is an important piece, but it is only “half the
battle.” Correctly navigating security for cloud-first and complex environments also
requires addressing emerging organizational challenges, including the following.

Increasingly Sophisticated Attack Techniques


As organizations enhance their cloud defenses, adversaries continue to devise more
sophisticated strategies to exploit weaknesses in hybrid and multicloud environments. Key
attack types include:

• Supply chain attacks—Threat actors are increasingly targeting CI/CD pipelines and
third-party dependencies, as seen in the SolarWinds breach. These attacks exploit
the interconnected nature of modern software ecosystems to infiltrate organizations
directly and indirectly.

• Lateral movement in cloud environments—Attackers are leveraging misconfigured
identity and access management (IAM) roles or exposed APIs to move laterally
across endpoints, cloud platforms, and/or third-party providers.

Security teams must prioritize proactive measures, such as regular security assessments,
automated configuration checks, and monitoring of lateral movement patterns, to combat
these threats.
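Lateral movement through IAM roles leaves a trail of role-assumption events, and "monitoring of lateral movement patterns" in practice means linking those events into chains. The following added example (written for this page; not code from the paper or from any product) reconstructs assume-role chains from a constructed log, then flags chains that are too deep, cross an account boundary without an approved trust, or reach a privileged role. The identity format `<account>:<principal>`, the account numbers, role names, allowlist, and thresholds are simplifications for this example; real CloudTrail records carry full ARNs and session context that should be used to link hops unambiguously.

```python
from dataclasses import dataclass
from typing import Any

Event = dict[str, Any]  # constructed schema: {"ts": seconds, "caller": identity, "role": target}

# Simplified identities: "<account>:user/<name>" for humans, "<account>:assumed-role/<Role>"
# for the session a principal holds after assuming <Role>, "<account>:<Role>" for targets.
PRIVILEGED_ROLES = {"222:ProdAdminRole"}
# Cross-account hops that are intentional: (caller session, target role).
ALLOWED_CROSS_ACCOUNT = {("111:assumed-role/CIDeployRole", "222:ProdDeployRole")}
MAX_CHAIN_DEPTH = 2
CHAIN_WINDOW_S = 600  # hops further apart than this are treated as unrelated


@dataclass(frozen=True)
class Alert:
    origin: str
    rule: str
    severity: str
    path: str


def account(ident: str) -> str:
    return ident.split(":", 1)[0]


def session_of(role: str) -> str:
    """The caller identity a principal presents after assuming `role`."""
    acct, name = role.split(":", 1)
    return f"{acct}:assumed-role/{name}"


def build_chains(events: list[Event], window: int = CHAIN_WINDOW_S) -> list[list[Event]]:
    """Link AssumeRole events into chains that start at a user principal."""
    events = sorted(events, key=lambda e: e["ts"])
    used: set[int] = set()
    chains = []
    for i, e in enumerate(events):
        if i in used or ":user/" not in e["caller"]:
            continue
        used.add(i)
        chain = [e]
        while True:  # follow the session created by the previous hop
            last = chain[-1]
            nxt = next(
                ((j, f) for j, f in enumerate(events)
                 if j not in used
                 and f["caller"] == session_of(last["role"])
                 and last["ts"] < f["ts"] <= last["ts"] + window),
                None,
            )
            if nxt is None:
                break
            used.add(nxt[0])
            chain.append(nxt[1])
        chains.append(chain)
    return chains


def detect(chains: list[list[Event]], max_depth: int = MAX_CHAIN_DEPTH) -> list[Alert]:
    alerts = []
    for chain in chains:
        origin = chain[0]["caller"]
        path = " -> ".join([origin] + [e["role"] for e in chain])
        if len(chain) > max_depth:
            alerts.append(Alert(origin, "role-chain-depth", "high", path))
        for e in chain:
            cross = account(e["caller"]) != account(e["role"])
            if cross and (e["caller"], e["role"]) not in ALLOWED_CROSS_ACCOUNT:
                alerts.append(Alert(origin, "untrusted-cross-account-assume", "critical", path))
            if e["role"] in PRIVILEGED_ROLES:
                alerts.append(Alert(origin, "privileged-role-reached", "critical", path))
    return alerts


# Constructed AssumeRole events (ts in seconds). Account 111 is dev, 222 is prod.
EVENTS = [
    {"ts": 0,   "caller": "111:user/dev-alice",            "role": "111:DevRole"},
    {"ts": 40,  "caller": "111:assumed-role/DevRole",      "role": "111:CIDeployRole"},
    {"ts": 75,  "caller": "111:assumed-role/CIDeployRole", "role": "222:ProdAdminRole"},
    {"ts": 900, "caller": "111:user/ops-bob",              "role": "111:ReadOnlyRole"},
]

if __name__ == "__main__":
    for a in detect(build_chains(EVENTS)):
        print(f"{a.severity:8} {a.rule:32} {a.path}")
```

Linking each hop by the session identity of the previous one is what turns three individually unremarkable AssumeRole calls into a single path from a developer user to a production admin role; each call on its own would pass a per-event rule.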

Managing Complexity in Multicloud Environments
The adoption of multicloud strategies introduces operational and security complexity.
Each cloud provider has its own set of tools, APIs, and configurations, making it difficult
to maintain consistent security policies. Fragmented visibility across providers can lead to
blind spots and inconsistent enforcement of security measures.

A unified platform can help bridge this gap, providing seamless integration with multiple
cloud providers. This provides security (and development) teams centralized management
and consistent control across all environments.

The Expanding Attack Surface


With the growth of cloud and other technologies, such as IoT, edge computing, and
serverless architecture, the cloud attack surface continues to grow. This also includes
third-party providers that may connect into your organization, providing another avenue
of access for adversaries or data breaches. Security teams must be prepared to navigate
the expanding attack surface and monitor activity across diverse workloads.

Collaboration Between Security and Cloud Teams


Another critical element to successful, cloud-first security will be the collaboration
between security, DevOps, and cloud engineering teams. Traditional silos between these
groups will continue to foster visibility gaps, delays in remediation, and conflicting
priorities. A culture of shared responsibility—and shared security—is essential.

Embracing DevSecOps within an organization promotes integrating security into every
phase of the development life cycle. By embedding security practices early in the CI/CD
pipeline, organizations can ensure that vulnerabilities and misconfigurations are captured
early on. These types of shift-left strategies empower developers to take ownership of
security, reducing the reliance on after-the-fact reviews by security teams.

Fostering collaboration between security and cloud teams ensures that security ideals
align with operational realities. Security teams often can work with cloud engineers to
design secure configurations and templates, reducing the risk of future misconfigured
deployments. Policy-as-code solutions allow teams to enforce consistent security
standards programmatically, thus removing user friction.

Future Innovations
Although current tools and practices provide a strong foundation, the future of cloud
security will be shaped by emerging technologies and capabilities. Some key technologies
we see on the horizon include the following:

AI-Driven Threat Detection and Response


It should come as no surprise that AI-driven technologies will play a prominent role
in cloud security, enabling organizations to detect and respond to threats faster and
more effectively. AI and ML will enable real-time analysis of vast amounts of telemetry,
uncovering patterns and anomalies that otherwise may go unnoticed.

Key features and benefits of AI/ML-led detection and response include:

• Enhanced threat detection—Analysis of telemetry from multiple sources can
help detect subtle indicators of compromise, such as unusual API calls or lateral
movement attempts via lesser-known techniques.

• Adaptive response—ML models retrained as new data arrives adapt to new attack
vectors and reduce false positives.

• Automated incident handling—Native cloud integration allows for easy workload
isolation and credential revocation, significantly reducing response time.

Policy-as-Code for Consistent Enforcement


Policy-as-code frameworks are becoming integral to cloud security, allowing organizations
to define and enforce security policies programmatically. These frameworks ensure
consistency across multicloud and hybrid environments, automating compliance checks
and significantly reducing human error.

Key features and benefits include:

• Automated compliance enforcement—With policies written as code, they are
subject to continuous evaluation against security benchmarks, best practices, and
regulatory requirements.

• Scalability—Policy-as-code solutions promote scalability in large, dynamic
environments where manual enforcement is impractical.

• Integration across workflows—Policies also can be embedded into CI/CD pipelines,
ensuring compliance and security checks are integrated across workflows before
resources are deployed.

Advancements in Zero Trust Implementations


Zero trust architecture (ZTA) is no longer “emerging tech” but rather a foundational model
for cloud security. Advancements in ZTA implementation are making it even more practical
for dynamic environments.

Key features and benefits include:

• Granular access controls—These controls enable precise permission models to
adapt to contextual factors and limit account “over-permission.”

• Microsegmentation—Dividing cloud environments into smaller zones limits the
potential damage of lateral movement and other adversary abuse. This is useful in
workloads within container clusters or multicloud architectures.

• Identity-centric security—ZTA promotes the enforcement of identity-based access at
all levels, from endpoints to cloud services.

Enhanced Runtime Protection
Runtime security is critical for identifying and mitigating threats as they occur in
production environments. Advancements in runtime protection are enabling deeper
visibility and faster responses.

Key features and benefits include:

• Real-time behavioral analytics—Provides granular monitoring of workloads,
identifying deviations from established baselines and expected norms, such as
unwanted processes or network connections.

• Workload isolation—Prevents unauthorized processes from accessing sensitive data
or escalating privileges.

• Integrated threat intelligence—Allows for real-time updates to detection rules and
monitoring systems, reflecting the latest in adversary knowledge.

Unified Visibility Across Multicloud Environments


Achieving centralized visibility is a systemic challenge in multicloud environments,
where each provider offers different tools and formats. Advances in unified observability
platforms enable seamless integration of telemetry from diverse sources.

Key features and benefits include:

• Centralized dashboards and reporting, which aggregate data from cloud platforms and
providers, offer a single point of monitoring, detection, and analysis.

• Enhanced correlation across platforms limits adversary ability to find weaknesses
and gaps.

• Simplified compliance reporting streamlines audits and compliance checks, even
across multicloud or hybrid environments.

Closing Thoughts
Organizations today face a multitude of challenges when it comes to securing cloud
environments. Unlike traditional, on-premises environments, where security boundaries
are well-defined, the cloud introduces an ever-changing attack surface. Hybrid and
multicloud architectures, containerization, serverless computing, and infrastructure as
code have become commonplace. However, they also introduce new risks.

Sponsor

SANS would like to thank this paper’s sponsor:

