Security of virtual machines and containers (and code in serverless PaaS) is the customer’s responsibility, not the cloud provider. Like VMs and containers in enterprise data centers, the optimal place for security visibility and control is from within the workload itself.
5 Best Practices for Cloud Workload Security
1.Start with Correct Configuration/Vulnerability Management of Cloud Workloads
Hardening and patch management discipline is as critical to cloud security posture as it is in an enterprise data center. Unpatched and exposed systems will be attacked. Fortunately, the software-driven nature of the cloud simplifies many once-arduous patch management tasks. Even with VMs, enterprise patching processes can be improved and more automated. For example, using the cloud-provider’s updated images as the starting point for automatically rebuilding VMs versus your own gold images.
2. Expect to Use Third-party CWPP Offerings
Microsoft is the only leading IaaS/PaaS provider that offers its own separately charged set of protection agents for Windows and Linux (under its Azure Security Center offering). For other cloud providers, third-party CWPP (cloud workload protection platform) offerings provide a layered set of protection capabilities.
Role of CWPP in Overall Cloud Infrastructure and Platform Services Hierarchy
3. Adopt a Security Strategy Rooted in Default Deny Application Control
On a well-managed server workload, it is much more effective to control what is allowed to execute. The use of application control (also referred to as “allow-listing”) to control what executables are run provides an extremely powerful security protection strategy. This allows enterprises to adopt a default deny/zero trust security posture for executables. All malware that manifests itself as a file to be executed is blocked by default.
4. Extend the Workload Security Strategy to Containers and Managed Container Services
Whatever workload protection strategy or offering is selected, the strategy must extend to protect Linux containers and managed container offerings from the leading IaaS/PaaS providers. Specifically, containers running in Kubernetes and managed Kubernetes services from the major cloud providers must be explicitly supported.
5. Extend the Scope of your Workload Security Strategy to Serverless Paas
Like VMs and containers, serverless PaaS is a logical progression in the abstraction of a developer’s work from the underlying infrastructure. Workload protection starts in development and the same is true of serverless PaaS, which is a subset of overall PaaS services.
Avoid a blanket approach and ensure only the most appropriate mission-critical workloads are migrated to the public cloud. Minimize the risk of failure by selecting the simplest combination of approaches to a targeted workload modernization.
Gartner recommends engaging certified cloud partners early on in your cloud planning process, to ensure that loopholes are identified early and plugged in before it turns out to be a disaster.