How to achieve secure, flexible and scalable IaaS - Bitglass

17 Oct 2019

Article by Bitglass CTO Anurag Kahol

In today's cloud-first world, more and more enterprises are utilising infrastructure as a service (IaaS) to enhance their operations.

IaaS offerings like AWS, GCP and Azure allow enterprises to focus on business growth, gain flexibility and scalability, and to achieve significant cost savings.

However, while using IaaS brings many advantages, it also raises unique data leakage concerns that must be addressed in order to maintain robust cybersecurity.

There are three cornerstones of security for those considering IaaS platforms, and the use of cloud access security brokers (CASBs) can help ensure that sensitive data remains protected at all times.

The building blocks of IaaS security

1. Data at rest

IaaS platforms house massive volumes of sensitive data that can become vulnerable to theft unless proper controls are in place. Threats to this data at rest typically fall into two categories:

  • External attacks that infiltrate the cloud environment and often stem from the abuse of compromised credentials.
  • Insider threats that entail malicious or rogue employees accessing or exfiltrating sensitive data from within.

To maintain security in both of these scenarios, organisations must first confirm that they can accurately detect sensitive data patterns at rest.

They must then ensure that robust controls are placed around the data at all times.

2. Custom applications

Enterprises today often use IaaS platforms to build internally and externally facing custom apps that are used by their employees, customers, partners, and more.

Many organisations do this because they wish to have niche tools that are not readily available off-the-shelf in a SaaS format, and also because they want greater control over their apps and the underlying cloud infrastructure.

Yet together with the increase in control comes a greater level of responsibility for security.

When using SaaS apps in the cloud, it is the app vendor who assumes responsibility for ensuring that the app and the underlying infrastructure are properly configured and secured.

For IaaS customers, this responsibility falls to them.

As a result, these custom apps often aren’t secured properly, leaving them vulnerable to attack unless access is properly safeguarded.

3. Cloud Security Posture Management (CSPM)

To protect data at rest and the applications that access it, organisations must ensure that underlying IaaS settings are correctly configured for continuous security, as well as for compliance with frameworks like the CIS Benchmark, HIPAA, and PCI DSS.

Accomplishing this requires an effective cloud security posture management (CSPM) solution that can analyse an enterprise’s IaaS instances and check for misconfigurations.

In a platform like AWS, these misconfigurations can take a variety of forms: for example, multi-factor authentication not being enabled for users, CloudTrail being disabled, or public-facing S3 buckets.

Time and again, these issues expose sensitive data that may not be protected or encrypted, enabling unauthorised access and a host of other headaches for the enterprise and its data subjects.
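The CSPM checks described above, as an added example (not Bitglass's code, nor the AWS SDK): a small evaluator that flags the three AWS misconfigurations the article names and pairs each with a remediation hint, as a CSPM tool would when notifying admins. It runs offline over a constructed account snapshot rather than live API calls; the field names are assumed to mirror what a real collector would pull from the IAM credential report, CloudTrail describe_trails/get_trail_status and S3 get_bucket_policy_status.

```python
# Constructed sample snapshot (not a real account). Field names mirror the
# AWS APIs a collector would call: IAM credential report (password_enabled,
# mfa_active), CloudTrail describe_trails/get_trail_status (IsMultiRegionTrail,
# IsLogging) and S3 get_bucket_policy_status (IsPublic).
SNAPSHOT = {
    "iam_users": [
        {"user": "alice", "password_enabled": True, "mfa_active": True},
        {"user": "bob", "password_enabled": True, "mfa_active": False},
        # API-only user: no console password, so console MFA does not apply
        {"user": "ci-deploy", "password_enabled": False, "mfa_active": False},
    ],
    "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": False}],
    "buckets": [{"Name": "public-assets", "IsPublic": True},
                {"Name": "finance-backups", "IsPublic": False}],
}

def finding(check, resource, detail, fix):
    """One misconfiguration plus the remediation an admin would be told."""
    return {"check": check, "resource": resource, "detail": detail, "fix": fix}

def check_mfa(users):
    # Only console users (password enabled) are expected to carry MFA.
    return [finding("iam-mfa", u["user"], "console user without MFA",
                    "enable a virtual or hardware MFA device for this user")
            for u in users if u["password_enabled"] and not u["mfa_active"]]

def check_cloudtrail(trails):
    # Audit logging needs at least one multi-region trail that is actually
    # logging; a trail that exists but is switched off leaves gaps.
    if any(t["IsMultiRegionTrail"] and t["IsLogging"] for t in trails):
        return []
    return [finding("cloudtrail-enabled", "account",
                    "no multi-region CloudTrail trail is logging",
                    "create or re-enable a multi-region trail with logging on")]

def check_public_buckets(buckets):
    return [finding("s3-public", b["Name"], "bucket policy grants public access",
                    "remove public statements and enable S3 Block Public Access")
            for b in buckets if b["IsPublic"]]

def evaluate(snapshot):
    """Run every check and return the combined list of findings."""
    return (check_mfa(snapshot["iam_users"])
            + check_cloudtrail(snapshot["trails"])
            + check_public_buckets(snapshot["buckets"]))

if __name__ == "__main__":
    for f in evaluate(SNAPSHOT):
        print(f"[{f['check']}] {f['resource']}: {f['detail']} -> {f['fix']}")
```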

Keeping sensitive data safe

While the challenges surrounding IaaS can seem varied and complex, there are highly effective security solutions available that offer the all-in-one protection that enterprises seek.

Chief amongst them is the cloud access security broker (CASB), which secures data at rest and proxies traffic between end users and the cloud, providing a central point of visibility and control for any IaaS platform.

CASBs offer a variety of helpful capabilities.

For example, encryption renders data at rest completely unreadable and indecipherable to external prying eyes as well as to unauthorised internal personnel. Unless an authorised user is accessing the application securely through the CASB, they will see nothing but meaningless encrypted pointers, significantly reducing the risk of data exfiltration.

Select CASBs also provide the real-time, inline protections necessary for securing access to custom applications.

For example, leading agentless CASBs boast advanced threat protection (ATP) that can halt the upload of malware from any device, as well as contextual access control, which governs data access in real time by a variety of factors, including users’ geographic locations, device types, job functions, and even behaviours.

Finally, some CASB vendors also incorporate CSPM capabilities into their solutions.

In this way, they can find misconfigurations, notify admins and tell them how issues can be fixed.

Leading CASBs also offer automatic remediation of uncovered issues, providing the continuous assessment and compliance monitoring that companies need when making use of IaaS.

While the benefits of migrating to an IaaS environment are clear, enterprises contemplating the move must consider the security implications of doing so, and take steps to address them before it’s too late.

While this can seem daunting, the careful deployment of technologies such as CASBs allows enterprises to enjoy the myriad of benefits that the cloud has to offer – all while remaining confident that corporate data and IT resources are fully protected.
