AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Remediating misconfiguration risks in public clouds


Omer Ganot, Cloud Security Product Manager at AlgoSec, explains why misconfigurations continue to plague public cloud network services and how organizations can address these shortfalls with AlgoSec Cloud  

 

The use of public cloud IaaS platforms such as Amazon Web Services (AWS) has become ubiquitous, with the worldwide IaaS market growing by 37.5% in 2019 to a total of $44.5bn, up from $32.4bn in 2018.

It is easy to see why public clouds are so appealing. Unlike private clouds, public clouds allow organizations to provision business applications fast and reduce the costs associated with having to purchase, manage, and maintain on-premise hardware and application infrastructure. Public clouds allow businesses to set up the required infrastructure much faster than on-premise and provide unmatched scalability, as well as extra security capabilities.

While there are benefits of public cloud platforms, there are also challenges that organizations need to overcome. According to a recent global survey of enterprises on the topic of cloud security, 75% of respondents were ‘very concerned’ or ‘extremely concerned’ about public cloud security. When asked to name what they felt was the biggest public cloud security threat, misconfiguration of the cloud platform was the clear leader, cited by 68% of respondents. This challenge is made more complex with 68% of respondents stating their organization uses two or more different public cloud providers. This means that security teams often have to manage multiple native security and management consoles to enforce security and compliance across the different environments. 

A single hole can have serious consequences  

It is no surprise that enterprise IT teams find it difficult to keep their applications secure; migration of applications to public cloud platforms involves many potential pitfalls. Misconfiguration errors can occur at many different points on the network as part of the migration process, especially when moving from traditional firewalls to cloud security controls.

Ongoing management of applications and workflows within the public cloud is also a challenge. Many organizations have multiple teams using different methods, such as Ansible, Chef and Terraform, in addition to manual changes, to manage the applications and the security controls that should protect them.

Even if you are using a single public cloud platform, you still need to manage multiple security controls protecting a multitude of applications. Organizations may have hundreds of separate public cloud accounts, each with multiple VPCs, spread across different regions. These VPCs are protected by multi-layered security controls, from cloud infrastructure controls such as security groups and network ACLs, through cloud-native advanced network firewalls, to security products offered by ISVs, such as NG firewalls.

It is easy to see why misconfiguration occurs if IT teams attempt to take on this complex, tedious and labour-intensive process themselves. A single mistake can cause outages, compliance violations and holes in your security perimeter. Misconfigured storage services have exposed more than 30 billion records and contributed to more than 200 breaches over the past two years. A recent AlgoSec survey found that two-thirds of application outages last more than an hour, and that 10% of cases take longer than a full working day to resolve.

Avoiding misconfiguration risks 

Given that organisations are so concerned about misconfiguration risks, what steps can they take to avoid making them? 

There are some basic principles which should be followed, such as ensuring that only authorized, qualified personnel can make network or security control changes, and following a clearly defined change process, with mandatory review and approval for each stage. 

Although these are all good practices, if you’re still carrying out your processes manually, errors are still highly likely. Luckily, there is an easy solution – hybrid network-aware automation. Employing network change automation eliminates guesswork and error-prone manual input, whilst also simplifying large-scale, complex application migration projects and security change management. 

Meet the AlgoSec cloud offering

AlgoSec seamlessly integrates with all leading brands of cloud security controls, firewalls (including NGFWs deployed in cloud), routers, and load balancers, to deliver unified security policy management. With the AlgoSec Security Management Solution, users benefit from holistic management and automation spanning on-premise, SDN and public cloud.

The AlgoSec cloud offering, including CloudFlow, allows organizations to seamlessly manage security control layers across the hybrid network in three key areas:

1. Visibility across your hybrid network

With our cloud offering, you can obtain a full network map of your entire hybrid network security estate, identify risks and correlate them to the assets they impact. You can also achieve instant visibility of cloud assets and security controls, pinpointing and troubleshooting application and network connectivity issues resulting from security policies.

2. Change management

Organizations can leverage a uniform network model and change-management framework that covers the hybrid and multi-cloud environment, with automated policy push for “zero-touch” automation. You can securely migrate workloads from on-prem to public cloud and discover the power of CloudFlow’s central policy management, allowing you to orchestrate multiple similar security controls in a single policy.

3. Cloud-centric risk analysis and remediation

You can proactively detect misconfigurations to protect cloud assets, including cloud instances, databases and serverless functions, and easily identify risky security policy rules, the assets they expose and whether they are in use. You can also remediate risk, including cleaning up bloated and risky policies, and enjoy audit-ready compliance reporting, including vast support for diverse regulations.

Find out more about the AlgoSec cloud offering and CloudFlow.

 
