Rainbow Protection for Full Spectrum Cloud Security

Sunil Arora
5 min read · Apr 26, 2022


A comprehensive approach from extreme-Left to far-Right security controls in the cloud

Co-Authored by: Parthasarathi Chakraborty & Sunil Arora

The digital transformation market will grow from USD 521.5 billion in 2021 to USD 1247.5 billion by 2026, as per Research and Markets, one of the top market research agencies [1]. COVID-19 pandemic-driven changes in working culture have added fuel to digital transformation and rapid cloud adoption. According to the Foundry 2022 Cloud Computing Survey, 72% of IT decision-makers see their organizations’ default to cloud-based technology as the new standard [2]. Ensuring security amid this rapid cloud adoption by enterprises is a daunting task for security professionals. Cloud service providers adding attractive services at a fast pace, and organizations embracing a multi-cloud strategy, make it even harder to identify and close security gaps.

Organizations with a multi-cloud footprint face additional challenges with distributed data and services. Distributed security controls and the lack of a cohesive security posture make security teams’ jobs more difficult. As per Thales’s 2021 Cloud Security Study, 57% of respondents indicated they use multiple cloud service providers for infrastructure and platforms (IaaS/PaaS). In addition, 46% of respondents agreed that managing privacy and data protection regulations in a cloud environment is more complex than on-premises. Yet the vast majority (83%) of businesses still fail to encrypt half of the sensitive data they store in the cloud [3].

Public cloud service providers give their customers ease, speed, and automation in deploying cloud services. But if cloud customers do not architect, build, and implement cloud applications well, vulnerabilities and security gaps can be introduced to the environment with the same speed and ease. Cloud Service Providers (CSPs) therefore supply security tools and services to secure cloud applications as part of their platform and automation. However, using these tools appropriately is the customer’s responsibility under the shared responsibility model.

Per the Ermetic IDC cloud security survey report, more than 79% of the companies participating in the study reported facing a cloud data security issue in the last 18 months. Forty-three percent (43%) of respondents said they had experienced ten or more incidents triggering a breach or borderline-breach alert. In the same survey, more than 63% of respondents highlighted that the lack of adequate visibility into access in cloud production environments is an extremely significant security threat to their cloud environments [4].

Cloud security is a major challenge and concern for risk-aware organizations and cybersecurity leaders. Security must be present in all parts of the cloud technology lifecycle, including cloud strategy, architecture, design, application development, implementation, operation, maintenance, and the decommissioning or removal of obsolete services and data. The technology industry has adopted various cybersecurity and cloud security frameworks. Numerous cloud security frameworks, principles, guidelines, and models have been proposed and introduced; shift left and zero trust are the latest principles applied to cloud security. These frameworks and policies undoubtedly help secure cloud customer environments, but they do not solve all the problems. We still see newly evolving threats, breaches and compromises, and new avenues for data leakage. Hence, cloud customers need holistic, 180-degree rainbow protection: a full-spectrum coverage approach to tackle cloud security challenges.

The cloud security industry needs a holistic security framework that spans from extreme Left to extreme Right as a rainbow-type, layered protection model.

Rainbow Protection Model

The Rainbow Protection Model has the following key components:

  1. Extreme-Left
  2. Left
  3. Middle
  4. Right
  5. Far-Right

Each of the above components is equally critical and plays a distinct role in the overall security posture of the cloud environment.

Extreme-Left covers security requirements, secure architecture, and design for cloud applications and workloads. Cloud customers’ security objectives must align with business objectives and goals. On the extreme Left, security requirements should be part of the functional requirements: authentication, wrong-password lockouts, access controls, data security, data integrity, etc. Cloud applications and workloads must have a solid architecture to ensure the identified security requirements are part of the application foundation, e.g., patterns, blueprints, and secure architecture policies and standards.

Left covers secure development and testing. First, let us get one fact straight: secure development is not easy. But with good training, policies, awareness, and a framework, developers can build secure software, and early detection and prevention help remove security bugs and flaws. E.g., tools integrated with the IDE to detect and remediate poor coding practices.

The Middle portion of the rainbow protection model covers secure deployment and continuous security monitoring. In this phase, the cloud application and security teams focus on the deployment aspects of cloud applications and workloads. These include final security assessments, secure network configurations, ingress and egress protections, web and API protection controls such as DDoS protection, WAF, and secure API management, and continuous security monitoring including vulnerability assessment and fixes. E.g., security scans in the CI/CD pipeline for detecting and remediating IaC (Infrastructure as Code) issues before deployment.

The Right portion of the rainbow protection model covers continuous drift detection and remediation, audit, and compliance. This phase primarily focuses on drift monitoring activities to ensure that governance, compliance, and regulatory needs are effectively met. E.g., Cloud Security Posture Management (CSPM) tools.
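A worked illustration of the Right-phase drift check described above, added here as an example and not code from the authors or any CSPM product: the declared (IaC) security baseline is compared with a live inventory snapshot, and every deviation, plus any resource that exists live but is not declared anywhere, becomes a finding. The resource names, attributes, and snapshot layout are all assumed and constructed.

```python
"""Added example: configuration drift detection for the Right phase.
Not the authors' code; resource names, attributes and the snapshot
format are constructed for illustration."""

# Constructed declared baseline: what the IaC says each resource should be.
DECLARED = {
    "bucket/customer-exports": {"public_access": False, "encryption": "kms", "versioning": True},
    "sg/web-tier": {"ingress_ports": [443]},
}

# Constructed live snapshot, as a posture-management inventory might report it.
LIVE = {
    "bucket/customer-exports": {"public_access": True, "encryption": "kms", "versioning": True},
    "sg/web-tier": {"ingress_ports": [443, 22]},
    "bucket/tmp-debug": {"public_access": True, "encryption": None, "versioning": False},
}

def detect_drift(declared, live):
    """Return sorted (resource, attribute, expected, actual) findings.

    A declared resource absent from the live snapshot is reported with
    attribute "missing"; a live resource absent from IaC is reported with
    attribute "unmanaged", since nothing governs its configuration.
    """
    findings = []
    for res, want in declared.items():
        have = live.get(res)
        if have is None:
            findings.append((res, "missing", want, None))
            continue
        for attr, expected in want.items():
            actual = have.get(attr)
            if actual != expected:
                findings.append((res, attr, expected, actual))
    for res in live.keys() - declared.keys():
        findings.append((res, "unmanaged", None, live[res]))
    return sorted(findings, key=lambda f: (f[0], f[1]))

def has_drift(declared, live):
    """True when the live environment deviates from the declared baseline."""
    return bool(detect_drift(declared, live))

if __name__ == "__main__":
    for finding in detect_drift(DECLARED, LIVE):
        print(finding)
```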

The Far-Right portion of the rainbow protection model covers the non-negotiable security mechanisms set at the organization level. These controls function as a last resort and can include ransomware protection, protection against command-and-control channels and against high-volume data movements to unknown devices or out of the cloud environment, and more, depending on the environment. Therefore, these controls must be part of the cloud environment foundation. Additionally, these controls can be implemented at the CSP level and/or the cloud customer level.
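As an added example of one far-right control named above (not the authors' code), the following detection logic sums the bytes each workload sends to destinations outside an organization-wide allow-list and flags sources whose unknown-destination egress crosses a threshold. The flow-record layout, the allow-listed CIDRs, the threshold, and the sample records are all constructed assumptions.

```python
"""Added example: far-right bulk-egress detection over flow-log-style records.
Not the authors' code; the record layout, allow-list and threshold are assumed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: destinations the organization treats as known (constructed CIDRs).
KNOWN_EGRESS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
# Assumed threshold: bytes per source to unknown destinations in one window.
EGRESS_BYTES_THRESHOLD = 500_000_000  # 500 MB

# Constructed sample records in a "src dst bytes" flow-log-like layout.
SAMPLE_FLOWS = """\
10.0.1.5 10.0.2.9 120000000
10.0.1.5 203.0.113.7 90000000
10.0.1.5 198.51.100.44 400000000
10.0.1.5 198.51.100.45 250000000
10.0.3.8 198.51.100.44 1000000
10.0.3.8 192.0.2.10 20000000
not a valid record
""".splitlines()

def parse_flow(line):
    """Parse one 'src dst bytes' record; return (src, dst, bytes) or None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return ip_address(parts[0]), ip_address(parts[1]), int(parts[2])
    except ValueError:
        return None

def is_known(dst):
    """True when the destination falls inside an allow-listed network."""
    return any(dst in net for net in KNOWN_EGRESS)

def unknown_egress_by_source(lines):
    """Sum bytes each source sent to destinations outside KNOWN_EGRESS."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:          # malformed records are skipped, not trusted
            continue
        src, dst, nbytes = rec
        if not is_known(dst):
            totals[str(src)] += nbytes
    return dict(totals)

def flag_bulk_egress(lines, threshold=EGRESS_BYTES_THRESHOLD):
    """Return sources whose unknown-destination egress exceeds the threshold."""
    totals = unknown_egress_by_source(lines)
    return sorted(src for src, sent in totals.items() if sent > threshold)

if __name__ == "__main__":
    print(flag_bulk_egress(SAMPLE_FLOWS))  # prints ['10.0.1.5']
```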

The security industry is flooded with solutions addressing a specific area of the cloud, such as CSPM (Cloud Security Posture Management), CASB (Cloud Access Security Broker), CWPP (Cloud Workload Protection Platform), and CIEM (Cloud Infrastructure Entitlement Management). These are all siloed controls. CNAPP (Cloud-Native Application Protection Platform) is a concept recently introduced by Gartner that brings all the siloed solutions under one integrated offering. Many vendors have started using CNAPP as the new buzzword, much as happened with Gartner’s SASE, which eventually broke apart with the security portion remaining under SSE. While it is a great concept, a pure CNAPP solution is yet to materialize. But even if CNAPP becomes a reality, it covers three-quarters of the total protection needed; the remaining quarter is the non-negotiable, last-resort security that is forcefully applied when all previous phases fail to protect against serious security issues and threats to the cloud. Other evolving technologies such as DSPM (Data Security Posture Management) provide a portion of the far-right controls based on data type, data activity type, and identity. However, the need for rainbow protection goes beyond the combination of CNAPP and DSPM.

In the next installment of this series, we will elaborate on the Rainbow Protection Model, with examples of each of these controls and the requirements for far-right security.

References:
[1] https://www.researchandmarkets.com/reports/5136097/digital-transformation-market-by-technology
[2] https://resources.foundryco.com/download/cloud-computing-executive-summary
[3] https://cpl.thalesgroup.com/cloud-security-research
[4] https://l.ermetic.com/wp-idc-survey-results
