SANS Cloud Security Convergence Report How Control Models For A Robust Cloud Security Stack Are Changing
Cloud Security Convergence Report: How Control Models for a Robust Cloud Security Stack Are Changing
Written by Matt Bromiley
December 2024
However, with the growth and adoption of cloud computing, this “perimeter-focused” model was disrupted. Organizations began migrating workloads to the cloud, drawn to the promise of scalability, cost efficiency, and operational flexibility. Far too often, however, organizations have attempted to simply “migrate” perimeter-based defenses to the cloud and expect the same result. Unlike on-prem, centralized systems, cloud environments are inherently dynamic and decentralized, relying on (1) elasticity, (2) global reach, and (3) third-party dependencies.

¹ “Is the Cloud Secure?” October 2019, www.gartner.com/smarterwithgartner/is-the-cloud-secure

Hybrid and Multicloud Security Complexity
The rise of hybrid and multicloud environments only adds to the complexity of the security landscape. According to Flexera’s 2024 State of the Cloud Report,² 89% of enterprises utilize multicloud strategies, with 73% maintaining hybrid-cloud environments. Although these architectures may offer flexibility and redundancy, they also introduce complex security challenges, including the following:
• Visibility gaps stem from monitoring assets across multiple clouds, which requires consolidating data from diverse telemetry sources.
• Operational burdens force security teams to manage tools tailored to each environment, increasing overhead and reducing efficiency.
• Policy fragmentation is natural, because cloud providers have unique security models and APIs, making it difficult to maintain consistent controls.

In response, the cybersecurity industry is witnessing a shift in the world of cloud security. Today, cloud-native and cloud-first technologies thrive, converging into unified platforms. These technologies include:
• Cloud security posture management (CSPM)—Designed to detect and remediate misconfigurations in cloud environments, CSPM tools continuously monitor compliance with security benchmarks, best practices, and regulatory standards.
• Cloud workload protection platforms (CWPPs)—With their focus on securing workloads such as virtual machines, containers, and serverless applications, CWPPs provide deep visibility and advanced threat detection.
• Cloud-native application protection platforms (CNAPPs)—These combine workload protection, posture management, runtime security, and DevOps/DevSecOps integrations into a single, unified platform.
Cloud-native tools and platforms also represent a shift from reactive to proactive security, emphasizing automation, integration, and real-time visibility. Recognizing that the largest risks posed to cloud environments stem from the users themselves, gaining visibility and insight is a critical step to minimizing internal risk while defending against external attacks.

Like most technologies today, cloud security reaps the benefits of technological advancements. The evolution of cloud-first security is not static. Often, cloud-native security products progress at the same rate as cloud platforms, taking advantage of scalability, quick implementations, and strong DevSecOps practices.
² “2024 State of the Cloud Report,” https://info.flexera.com/CM-REPORT-State-of-the-Cloud

Key advancements in cloud-native security technologies include:
• Artificial intelligence (AI) and machine learning (ML)—Cloud security tools are increasingly leveraging the explosion of AI to identify anomalies, predict threats, and automate responses.
• Zero trust architectures—As organizations across the private and public sectors adopt zero trust principles, access management in cloud environments becomes critical. Cloud-native tools help implement and supervise these requirements.
• Shift-left security—Embedding security into the development life cycle minimizes internal risks, such as misconfigurations, and ensures that vulnerabilities are addressed before deployment.

The evolution of cloud security has culminated in the need for integrated platforms capable of addressing multiple aspects of security within a single solution. This convergence of CNAPPs, CSPM, and CWPPs reflects the growing demand from any security team: simplicity, efficiency, and comprehensive protection in the face of fragmented and dynamic landscapes.
Pipeline Security
The adoption of DevOps and continuous integration/continuous delivery (CI/CD) processes has accelerated software development cycles but has also increased the attack surface. CI/CD pipelines have become attractive targets for attackers seeking to inject malicious code or compromise application dependencies.
• Code scanning—Automated tools analyze source code for vulnerabilities, insecure dependencies, and potential compliance issues.
• Credential management—Security checks identify and mitigate risks posed by hard-coded secrets, such as API keys and access tokens.
• Pipeline integration—Security processes are embedded directly into CI/CD workflows, ensuring vulnerabilities are detected before deployment.

A development team that integrates automated checks into its CI/CD pipeline can quickly identify risks and remediate code vulnerabilities early in the development life cycle, reducing the risk of exposure in production.
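The credential-management check described above, as an added example in Python (not code from the report or from any vendor scanner): a small scanner that a CI step could run over changed files and fail the build on. The two detection rules, the entropy threshold and the `# nosecret` suppression marker are illustrative assumptions; the sample source is constructed, and its AWS key ID is the placeholder value AWS uses in its own documentation.

```python
"""Hard-coded secret detection as a CI/CD gate.

Added example; not code from the SANS report or from any vendor scanner.
The regex rules, the entropy threshold and the "# nosecret" suppression
marker are illustrative assumptions, and the sample source is constructed.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# rule name -> (compiled pattern, index of the capture group holding the candidate secret).
# Real scanners ship hundreds of such rules; two are enough to show the shape.
RULES: dict[str, tuple[re.Pattern[str], int]] = {
    # AWS access key IDs have a fixed prefix and length, so the format alone is strong evidence.
    "aws_access_key_id": (re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"), 0),
    # A credential-looking variable name assigned a quoted literal of 8+ characters.
    "generic_assignment": (
        re.compile(r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
        2,
    ),
}
MIN_ENTROPY = 3.0  # bits/char; separates placeholders like "changeme" from real tokens (assumption)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # the full value must never be echoed into CI logs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score high, dictionary words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line; findings come back in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "# nosecret" in line:  # reviewed, explicit suppression marker (assumption)
            continue
        for rule, (pattern, group) in RULES.items():
            match = pattern.search(line)
            if match is None:
                continue
            candidate = match.group(group)
            if shannon_entropy(candidate) < MIN_ENTROPY:
                continue  # looks like a placeholder or a plain word, not a real secret
            findings.append(Finding(path, line_no, rule, redact(candidate)))
    return findings


def ci_gate(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Return (passed, findings); a pipeline step exits non-zero when passed is False."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (not findings, findings)


# Constructed sample source. Line 3 reads the secret from the environment (fine),
# line 4 is a low-entropy placeholder (ignored), lines 2 and 5 are real findings.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret = os.environ["AWS_SECRET_ACCESS_KEY"]
password = "changeme"
api_key = "sk_live_9fD3kQ7xLp2ZwV8aTn1mH5"
"""

if __name__ == "__main__":
    passed, found = ci_gate({"app.py": SAMPLE_SOURCE})
    for f in found:
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted}")
    raise SystemExit(0 if passed else 1)
```

Values are masked before anything is printed, so the secret is never copied into build logs, and the entropy filter keeps obvious placeholders from drowning the real findings in noise.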
Workload Protection: Securing VMs, Containers, and Serverless Functions
Cloud workloads—whether virtual machines, containers, or serverless functions—are the backbone of cloud-native environments. Each workload type introduces unique security challenges that require robust monitoring and threat detection mechanisms.
• Endpoint security for workloads—Behavioral analysis and anomaly detection are employed to identify unusual activity across workloads.
• Container security—Runtime monitoring ensures that containerized applications operate within expected boundaries, preventing unauthorized actions and malicious execution.
• Serverless function protection—Automated configuration checks verify that serverless functions adhere to security best practices.

• Configuration auditing—Automated tools assess cloud resources against security benchmarks, identifying and prioritizing deviations from them.
• Compliance monitoring—Continuous assessments ensure adherence to industry standards and regulatory frameworks.
• Change detection—Alerts for configuration changes that deviate from approved or business-centric settings enable quick remediation by DevSecOps team(s).
Infrastructure as Code: Securing Deployments by Design
Infrastructure as code (IaC) allows organizations to define and deploy cloud resources programmatically. This can improve efficiency, but it also easily introduces misconfiguration risks. Securing IaC ensures that vulnerabilities are addressed prior to deployment.
• Template scanning—Automated validation tools check IaC templates for insecure configurations and potential vulnerabilities.
• Policy enforcement—IaC and deployment policies can be codified to ensure that all deployed resources meet organization requirements and standards.
• Drift management—Continuous monitoring also detects deviation between deployed resources and defined configurations.

Organizations using IaC to deploy cloud infrastructure can utilize automated tools to examine build templates and identify weaknesses such as misconfigurations or insecure access controls. Furthermore, standardized IaC practices can help eliminate shadow cloud deployments that may cause further security concerns.
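The three IaC controls above (template scanning, policy enforcement and drift management) in one added Python example; this is not code from the report or from any IaC tool. The policies are ordinary functions evaluated against each resource, so the same rules run against the template in CI and against a snapshot of what is deployed. The Terraform-like resource shape, the three policy rules, the template and the "deployed" snapshot are all constructed assumptions; the snapshot's extra `debug_vm` stands in for the shadow deployment the paragraph mentions.

```python
"""IaC template scanning, policy-as-code and drift detection.

Added example; not code from the SANS report or from any IaC scanner. The
template and the "deployed" snapshot are constructed inline in a simplified,
Terraform-like shape, and the three policy rules are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

Resource = dict  # {"type": ..., attribute: value, ...}
Policy = Callable[[str, Resource], list[str]]  # returns problems; an empty list means compliant


@dataclass(frozen=True)
class Violation:
    resource: str
    policy: str
    detail: str


def no_public_bucket(name: str, res: Resource) -> list[str]:
    if res["type"] == "storage_bucket" and res.get("public_access", False):
        return ["bucket allows public access"]
    return []


def no_world_ssh(name: str, res: Resource) -> list[str]:
    problems = []
    if res["type"] == "security_group":
        for rule in res.get("ingress", []):
            if "0.0.0.0/0" in rule["cidr"] and rule["from_port"] <= 22 <= rule["to_port"]:
                problems.append("port 22 reachable from 0.0.0.0/0")
    return problems


def volumes_encrypted(name: str, res: Resource) -> list[str]:
    if res["type"] == "block_volume" and not res.get("encrypted", False):
        return ["volume is not encrypted at rest"]
    return []


# The policy set is itself code: versioned, reviewed and run in CI like any other test suite.
POLICIES: dict[str, Policy] = {
    "no_public_bucket": no_public_bucket,
    "no_world_ssh": no_world_ssh,
    "volumes_encrypted": volumes_encrypted,
}


def scan_template(template: dict[str, Resource]) -> list[Violation]:
    """Evaluate every policy against every resource; works on a template or on a live snapshot."""
    return [
        Violation(name, policy_name, detail)
        for name, res in template.items()
        for policy_name, policy in POLICIES.items()
        for detail in policy(name, res)
    ]


def detect_drift(template: dict[str, Resource], deployed: dict[str, Resource]) -> dict[str, list[str]]:
    """Compare declared attributes with what is actually running.

    Returns resource -> drift descriptions. Resources that exist in the cloud
    but not in the template are reported as unmanaged (shadow) deployments.
    """
    drift: dict[str, list[str]] = {}
    for name, declared in template.items():
        actual = deployed.get(name)
        if actual is None:
            drift[name] = ["declared in template but missing from deployment"]
            continue
        changes = [
            f"{key}: declared {declared[key]!r}, deployed {actual.get(key)!r}"
            for key in declared
            if declared[key] != actual.get(key)
        ]
        if changes:
            drift[name] = changes
    for name in deployed.keys() - template.keys():
        drift[name] = ["unmanaged resource: present in the cloud but not in the template"]
    return drift


# Constructed sample data. In the template SSH is limited to an internal range ...
TEMPLATE: dict[str, Resource] = {
    "web_sg": {"type": "security_group", "ingress": [
        {"from_port": 443, "to_port": 443, "cidr": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "cidr": ["10.0.0.0/8"]},
    ]},
    "logs_bucket": {"type": "storage_bucket", "public_access": True},
    "data_vol": {"type": "block_volume", "encrypted": False, "size_gb": 100},
}
# ... but the deployed copy was widened by hand, and a VM appeared outside of IaC.
DEPLOYED: dict[str, Resource] = {
    "web_sg": {"type": "security_group", "ingress": [
        {"from_port": 443, "to_port": 443, "cidr": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "cidr": ["0.0.0.0/0"]},
    ]},
    "logs_bucket": {"type": "storage_bucket", "public_access": True},
    "data_vol": {"type": "block_volume", "encrypted": False, "size_gb": 100},
    "debug_vm": {"type": "instance", "image": "ubuntu-22.04"},
}

if __name__ == "__main__":
    for v in scan_template(TEMPLATE):
        print(f"TEMPLATE  {v.resource}: {v.policy}: {v.detail}")
    for name, changes in detect_drift(TEMPLATE, DEPLOYED).items():
        print(f"DRIFT     {name}: {'; '.join(changes)}")
```

Scanning the template catches the public bucket and the unencrypted volume before anything is deployed; scanning the live snapshot additionally catches the hand-widened SSH rule, and the drift report points at both that change and the unmanaged VM.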
• Anomaly detection—Behavioral analytics identify deviations from normal activity, such as unexpected process execution or unauthorized access attempts.

Organizations with cloud-native or hybrid cloud environments can utilize active runtime monitoring to detect unusual behavior in applications, such as processes attempting to access sensitive files or execute commands. Runtime monitoring tools can automatically detect these actions and start containment measures.
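The runtime behavioral detection just described, as an added Python example (not code from the report or from any runtime-security product): a baseline of which processes each workload spawns, and which files they open, is learned from a quiet observation window, and live events are then compared against it. Unexpected process execution raises a medium alert, a read of a sensitive path that the baseline never saw raises a high alert, and the containment step isolates any workload with a high alert. The event shape, the sensitive-path list, the severities and both event sets are constructed assumptions.

```python
"""Runtime behavioural baselining for cloud workloads.

Added example; not code from the SANS report or from any runtime-security
product. The events are constructed inline in a minimal dict shape, and the
field names, sensitive-path list and severity levels are illustrative assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Reads of these paths get a high-severity alert unless the baseline already allows them (assumption).
SENSITIVE_PREFIXES = ("/etc/shadow", "/root/.ssh/", "/var/run/secrets/")


@dataclass(frozen=True)
class Alert:
    workload: str
    severity: str  # "medium" or "high"
    reason: str


class Baseline:
    """What 'normal' looks like for each workload, learned from a quiet observation window."""

    def __init__(self) -> None:
        self.execs: dict[str, set[tuple[str, str]]] = defaultdict(set)  # workload -> {(proc, parent)}
        self.opens: dict[str, set[tuple[str, str]]] = defaultdict(set)  # workload -> {(proc, path)}

    def learn(self, events: list[dict]) -> None:
        for e in events:
            if e["event"] == "exec":
                self.execs[e["workload"]].add((e["proc"], e["parent"]))
            elif e["event"] == "open":
                self.opens[e["workload"]].add((e["proc"], e["path"]))


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES)


def detect(baseline: Baseline, events: list[dict]) -> list[Alert]:
    """Flag process executions and sensitive-file reads that the baseline has never seen."""
    alerts: list[Alert] = []
    for e in events:
        w = e["workload"]
        if e["event"] == "exec" and (e["proc"], e["parent"]) not in baseline.execs[w]:
            alerts.append(Alert(w, "medium", f"unexpected process {e['proc']} spawned by {e['parent']}"))
        elif e["event"] == "open" and is_sensitive(e["path"]) and (e["proc"], e["path"]) not in baseline.opens[w]:
            alerts.append(Alert(w, "high", f"{e['proc']} read sensitive path {e['path']}"))
    return alerts


def containment_plan(alerts: list[Alert]) -> set[str]:
    """Workloads to isolate from the network: any with a high-severity alert."""
    return {a.workload for a in alerts if a.severity == "high"}


# Constructed observation-window events: the web tier serves static files, the API
# tier legitimately reads its database token from a mounted secret.
BASELINE_EVENTS = [
    {"workload": "web-1", "event": "exec", "proc": "nginx", "parent": "systemd"},
    {"workload": "web-1", "event": "open", "proc": "nginx", "path": "/var/www/html/index.html"},
    {"workload": "web-1", "event": "open", "proc": "nginx", "path": "/etc/nginx/nginx.conf"},
    {"workload": "api-1", "event": "exec", "proc": "worker", "parent": "systemd"},
    {"workload": "api-1", "event": "open", "proc": "worker", "path": "/var/run/secrets/db-token"},
]

# Constructed live events: normal traffic, then the web server spawns a shell that reads a secret.
LIVE_EVENTS = [
    {"workload": "web-1", "event": "exec", "proc": "nginx", "parent": "systemd"},
    {"workload": "web-1", "event": "open", "proc": "nginx", "path": "/var/www/html/index.html"},
    {"workload": "web-1", "event": "exec", "proc": "sh", "parent": "nginx"},
    {"workload": "web-1", "event": "open", "proc": "sh", "path": "/var/run/secrets/db-token"},
    {"workload": "api-1", "event": "open", "proc": "worker", "path": "/var/run/secrets/db-token"},
    {"workload": "web-1", "event": "exec", "proc": "curl", "parent": "sh"},
]

if __name__ == "__main__":
    baseline = Baseline()
    baseline.learn(BASELINE_EVENTS)
    found = detect(baseline, LIVE_EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.workload}: {a.reason}")
    print("isolate:", sorted(containment_plan(found)))
```

The baseline is keyed per workload, which is why the API tier's read of the same secret path is silent while the web tier's is not: the check is on deviation from that workload's own norm, not on the path alone.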
Bringing It All Together: Unified Security Platforms
Unified platforms bring together critical controls, offering centralized visibility, improved threat detection, and streamlined workflows. By integrating workload protection, configuration management, IaC validation, and runtime security, organizations can find several benefits to enhance their security posture.
• Comprehensive coverage—Unified platforms offer security across all aspects of cloud-native environments, from development pipelines to deployed workloads.
• Operational efficiency—Centralized dashboards and automated workflows provide simplified management.
• Enhanced threat detection—Improved correlation of data from multiple sources leads to faster and more accurate detection of risks.

Unified platforms can provide the convergence that security teams need to address cloud-focused risks. Expanding beyond the perimeter requires tools and platforms that also step outside of the perimeter.
Looking Ahead
Effective cloud security requires that organizations be able to correctly use the available tools and platforms. Cloud-native tooling is an important piece, but it is only “half the battle.” Correctly navigating security for cloud-first and complex environments also requires addressing emerging organizational challenges, including the following.
• Supply chain attacks—Threat actors are increasingly targeting CI/CD pipelines and third-party dependencies, as seen in the SolarWinds breach. These attacks exploit the interconnected nature of modern software ecosystems to infiltrate organizations directly and indirectly.
• Lateral movement in cloud environments—Attacks are leveraging misconfigured identity and access management (IAM) roles or exposed APIs to move laterally across endpoints, cloud platforms, and/or third-party providers.

Security teams must prioritize proactive measures, such as regular security assessments, automated configuration checks, and monitoring of lateral movement patterns, to combat these threats.
Managing Complexity in Multicloud Environments
The adoption of multicloud strategies introduces operational and security complexity. Each cloud provider has its own set of tools, APIs, and configurations, making it difficult to maintain consistent security policies. Fragmented visibility across providers can lead to blind spots and inconsistent enforcement of security measures.

A unified platform can help bridge this gap, providing seamless integration with multiple cloud providers. This gives security (and development) teams centralized management and consistent control across all environments.

Fostering collaboration between security and cloud teams ensures that security ideals align with operational realities. Security teams can often work with cloud engineers to design secure configurations and templates, reducing the risk of future misconfigured deployments. Policy-as-code solutions allow teams to enforce consistent security standards programmatically, thus removing user friction.

Future Innovations
Although current tools and practices provide a strong foundation, the future of cloud security will be shaped by emerging technologies and capabilities. Some key technologies we see on the horizon include the following:
Key features and benefits of AI/ML-led detection and response include:
• Enhanced threat detection via analysis of telemetry from multiple sources can help detect subtle indicators of compromise, such as unusual API calls or lateral movement attempts via lesser-known techniques.
• Adaptive response via data evolution and ML models aids in adapting to new attack vectors and minimizing false positives.
• Automated incident handling with native cloud integration allows for easy workload isolation and credential revocation, as well as significantly reducing response time.

• Automated compliance enforcement—With policies written as code, they are subject to continuous evaluation against security benchmarks, best practices, and regulatory requirements.
• Scalability—Policy-as-code solutions promote scalability in large, dynamic environments where manual enforcement is impractical.
• Granular access controls—These controls enable precise permission models that adapt to contextual factors and limit account “over-permission.”
• Microsegmentation—Dividing cloud environments into smaller zones limits the potential damage of lateral movement and other adversary abuse. This is useful for workloads within container clusters or multicloud architectures.
Enhanced Runtime Protection
Runtime security is critical for identifying and mitigating threats as they occur in production environments. Advancements in runtime protection are enabling deeper visibility and faster responses.
• Real-time behavioral analytics—Provides granular monitoring of workloads, identifying deviations from established baselines and expected norms, such as unwanted processes or network connections.
• Workload isolation—Prevents unauthorized processes from accessing sensitive data or escalating privileges.

• Centralized dashboards and reporting aggregate data from cloud platforms and providers, offering a single point of monitoring, detection, and analysis.
• Enhanced correlation across platforms limits an adversary's ability to find weaknesses and gaps.
• Simplified compliance reporting streamlines audits and compliance checks, even across multicloud or hybrid environments.

Closing Thoughts
Organizations today face a multitude of challenges when it comes to securing cloud environments. Unlike traditional, on-premises environments, where security boundaries are well-defined, the cloud introduces an ever-changing attack surface. Hybrid and multicloud architectures, containerization, serverless computing, and infrastructure as code have become commonplace. However, they also introduce new risks.