This post is the first in a series of eight on the five pillars to actionable cloud security. For the rest of the series, visit the Five Pillars blog page here.
“The number of records breached due to misconfigured cloud servers, in particular, shot up by 424 percent compared to the previous year,” IBM concluded in its X-Force Threat Intelligence Index 2018. It’s a sobering statistic – but not one which surprises us.
As one of Microsoft’s top security providers, we’ve protected a lot of Azure workloads. As an AWS supplier with two security competencies, we’ve protected a lot of AWS workloads. So as they say in those catchy insurance commercials, we know a thing or two because we’ve seen a thing or two.
One thing we see is that organizations tend to silo security – in our case, they are looking at NetSec and leveraging firewalls and WAFs to protect workloads, users, and networks – and missing issues in the bigger picture. In other words, organizations are still just protecting the management plane.Many organizations are still focused on protecting the management plane. That's fine on-premises, but it doesn't work in the cloud. ~Rich TurnerClick To Tweet
That worked in the days of on-premise data centers – IT had full visibility to the data plane, so all they really needed to protect was the management plane. In the cloud, not only does IT lose visibility to the data plane, but as developers construct new apps that take advantage of native cloud services, it’s not even clear where those native services reside. In fact, it’s a misnomer to even refer to these as “planes” any longer since the cloud, if anything, is multi-dimensional.
A further complication for organizations is compliance: because of the preponderance of cyberattacks, compliance frameworks are now requiring that companies maintain specific “best practices” to thwart such attacks, and when one occurs, be able to demonstrate they had appropriate protections and practices in place at the time.'Compliance frameworks now require that companies maintain specific “best practices” to thwart cyberattacks. If attacked, companies have to demonstrate they had appropriate protections and practices in place at the time.' ~Rich TurnerClick To Tweet
We have been working with cloud providers and benchmark providers to develop security that focuses on that data “plane.” We believe it is the next big thing customers need to care about, and we believe organizations who can realize security at this level will avoid many of the threats – often self-caused – inherent in modern infrastructures. We also maintain that protection, audit, remediation, and compliance are very closely aligned, which helps companies address these concerns when they are approached in a cohesive strategy.
During the next few months you’ll see a series of blogs from us on how companies are architecting cloud security. We’ll discuss what we believe are the key pillars for well-architected cloud security, and how organizations can protect their cloud infrastructures, their cloud data, and most important, remain protected and compliant with mandated best practices. Meanwhile, feel free to send us any questions you have on this topic and we'll cover them in the series.
For more information on Barracuda security solutions for Azure and AWS, visit our corporate website here.
In the next blog in this series, we will introduce the five pillars to a well-architected Azure security framework.
Rich est directeur marketing pour les produits de cloud public chez Barracuda. Il a rejoint l'équipe dans le cadre de l'acquisition de C2C Systems en 2014. Rich est l'un des experts du cloud public de Barracuda. Il travaille directement sur les écosystèmes cloud et est cité dans des ebooks de Microsoft sur la sécurisation du cloud public. Il est également contributeur régulier des blogs thématiques sur le cloud de Barracuda. Dans le cadre de notre travail sur le cloud, il aide au développement de stratégies et à leur exécution avec nos partenaires et nos équipes commerciales.
Vous pouvez contacter Rich par e-mail à l'adresse firstname.lastname@example.org.