The programmable infrastructure powering leading cloud providers’ IaaS/PaaS offers better visibility than enterprise data centers. Through the use of built-in APIs, all cloud workloads, configurations and permissions can be enumerated in real time. All access of any type — administrative or programmatic — should be logged. All network-based access of any type should be logged. This provides unprecedented visibility, which can then be used to improve security.
6 Cloud Monitoring Best Practices
1. Use the Built-in Activity Monitoring
All leading cloud providers can be set to monitor every cloud activity — human, script or API-based — basically at no cost other than the storage used. These cloud activity logs can be sizable and verbose, so most enterprises keep them in the cloud to reduce bandwidth costs, allowing for larger datasets and longer retention.
2. Activate Logging on Everything You can and Retain it For at Least a Year
In addition to activity logs, the leading cloud providers offer detailed logging for every IaaS/PaaS capability offered — networking, containers, serverless and other services. The best practice is to log everything possible, including network flow logs. This pervasive visibility can be baselined and analyzed for patterns, providing the foundation for behavioral analytics-based threat detection.
3. Continuously Scan for Rogue Assets
The entire enterprise cloud infrastructure should be continuously scanned for new and unknown assets (for example, untagged servers). This scanning should also cover unsanctioned (and potentially insecure) personal use of IaaS by business units and developers. This can be achieved by analyzing network firewall logs, secure web gateway (SWG) logs (the leading CASBs offer this capability) as well as accounting records.
4. Continuously Scan for Vulnerable Systems
The majority of the CSPM tools discussed in the previous section don’t look into the VMs or containers for missing patches or misconfigurations of the OS or system files. These should be scanned at runtime to ensure no vulnerable system has inadvertently been placed into production or become vulnerable since it was placed into production. Several of the leading cloud providers offer agents specifically for this purpose.
5. Continuously Scan for and Investigate any Permissions Granting Outside Access
There are legitimate use cases where IaaS/PaaS resources such as storage, keys or read-only security accounts will have entitlements granted to resources outside of an account. Cross-account permissions represent risk and should be discovered and explicitly accepted. There are cases where these were granted by mistake or the need for them has passed. Scanning for these and understanding their justification should be a continuous process.
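As an added illustration of this scan (not code from the original article), the following Python flags every Allow statement in an AWS-style resource policy whose principal lies outside the owning account, distinguishing a specific foreign account from an anonymous "*" grant. The policy document and account IDs are constructed samples; the policy JSON layout is assumed to follow the AWS resource-policy format.

```python
import json
import re

# Constructed sample, not from the page: an AWS-style resource policy on a storage bucket.
OWN_ACCOUNT = "111111111111"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "InternalRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data-bucket/*"},
    {"Sid": "PartnerAudit", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "333333333333"]},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::data-bucket"},
    {"Sid": "LegacyPublic", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data-bucket/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "*"},
]})

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")

def classify_principal(principal, own_account):
    """Return 'internal', 'cross-account' or 'anonymous' for one AWS principal string."""
    if principal == "*":
        return "anonymous"
    m = ARN_ACCOUNT.match(principal)
    account = m.group(1) if m else (principal if principal.isdigit() else None)
    if account == own_account:
        return "internal"
    return "cross-account"  # another account, or an unrecognised form that needs justification

def external_grants(policy_json, own_account):
    """List (Sid, principal, kind) for every Allow statement that grants outside own_account."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements restrict access; they never grant it
        principal = stmt.get("Principal", {})
        # "Principal": "*" and {"AWS": "*"} both mean anyone; Service principals are skipped
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            kind = classify_principal(p, own_account)
            if kind != "internal":
                findings.append((stmt.get("Sid"), p, kind))
    return findings

if __name__ == "__main__":
    for sid, principal, kind in external_grants(SAMPLE_POLICY, OWN_ACCOUNT):
        print(f"{kind:14} {sid:14} {principal}")
```

Each finding is a review item: the anonymous grant on LegacyPublic is the kind of entitlement that is usually a mistake, while the PartnerAudit grants need a recorded justification and an expiry check.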
6. Integrate into Enterprise Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR)
Cloud monitoring without analysis isn’t useful. The visibility gathered should be integrated with the enterprise SIEM and SOAR. Often, this is in the cloud or via SIEM as a service, as the amount of data being generated in public cloud hits a tipping point and exceeds that being created in the enterprise data center. Indeed, leading cloud providers are moving into offering their own SIEM because of their native integration into their own clouds and expertise in managing/analyzing large datasets, including the use of machine learning and AI to identify risk. SOAR, while new, also benefits from being API-based: it can wrap policy and automation functions around other third-party APIs, including cloud services.
Visibility is not a capability that is immediately established but is a journey companies must undertake to receive the benefits that visibility provides.
Gartner recommends engaging certified cloud partners early on in your cloud planning process, to ensure that loopholes are identified early and plugged before they turn into a disaster.