It is no secret that organizations are increasingly placing their security-sensitive applications and data into the hands of public cloud service providers, whether via SaaS, PaaS, or IaaS-based cloud infrastructures. But what does this mean for an organization's security monitoring program, namely its security-focused detection, investigation, and response capabilities? How can an organization's security operations team do the job of protecting the organization against cyber attacks if they can't "see" everywhere their applications and data reside? If an attack starts in, or traverses from the premises to, a public cloud service, how is the team going to detect and respond when some of the data and/or applications reside in systems and networks that they don't own, manage, or control, or have any visibility into? Tough questions, I realize. It is an area on which RSA is very much focused.
Some of the principles that are guiding us in this area:
- Public clouds cannot become the latest security silos - Effective security monitoring systems must address the hybrid reality of most organizations. Given that most organizations will have a mix of on-premises and public cloud deployed applications for a long time to come, the security monitoring capabilities of the organization must be able to detect and respond to security incidents without regard to where the applications and data actually reside. How to do this? It starts with getting access to the logs, events, and network traffic that record the relevant activity in the cloud (for IaaS, the provider's API audit trail and any flow or packet data you can capture in your own virtual network) and combining them, in a common schema, with the same kinds of data from the traditional premises-based applications and infrastructure. With this data, detective analytics and investigative views can be set up centrally to aid the security team in their responses.
- Visibility should be all the way up the IT stack: From network packets up to the application and user activity - Currently easier said than done. But given that the signal or indicator of an attack can show up at any level of the IT stack, from the network up to the application's or user's activity, doesn't it stand to reason that the same indicators would be important when monitoring applications in the public cloud? Yes, I know that the level of security instrumentation that a customer organization can apply (or get access to) varies greatly depending on whether IaaS (here you have much greater access: your own instances, network, and the provider's API audit logs) or SaaS (not so much today, typically only the provider's user-activity logs) is in use. But do you think the attackers care about that? The ability to capture network packets in addition to logs from within the public cloud is increasingly becoming a reality, so there is some good news here.
- Detection, investigation, and response processes need to work from the premises to the cloud and back. The purpose of the comprehensive public cloud/on-premises, up-the-stack visibility discussed above is to enable detection and response processes to cross over as well. How best to do this today depends greatly on the type of public cloud service that is in play (SaaS, PaaS, or IaaS), what level of access the individual cloud provider enables, and the capabilities of the security monitoring system that is in use, such as RSA Security Analytics and RSA ECAT. But to us, since the application reality is hybrid, the detection and response procedures must be hybrid as well.
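To make the first two principles concrete, here is a small added example (written for this page, not RSA's code and not part of the original post) that normalizes one constructed AWS CloudTrail-style ConsoleLogin record and a few constructed on-premises VPN syslog lines into a common login schema, then runs a single detection rule across both. The rule flags a user who logs in successfully to the cloud and to the premises from different source IPs within a short window, an indicator that neither environment's logs can reveal on their own. The CloudTrail field names follow the documented event shape; the on-premises key=value syslog format, the host and user names, the IP addresses, and the 30-minute window are all assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry for this example (not real logs).
# The AWS record follows the documented CloudTrail ConsoleLogin shape;
# the on-premises lines use a hypothetical key=value VPN syslog format.
SAMPLE_CLOUDTRAIL = json.dumps({
    "eventVersion": "1.05",
    "eventTime": "2015-06-01T14:05:10Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "198.51.100.23",
    "userIdentity": {"type": "IAMUser", "userName": "jdoe"},
    "responseElements": {"ConsoleLogin": "Success"},
})

SAMPLE_ONPREM = [
    "2015-06-01T08:10:03Z vpn01 sslvpn: user=jdoe src=203.0.113.7 action=login result=success",
    "2015-06-01T13:58:42Z vpn01 sslvpn: user=jdoe src=203.0.113.7 action=login result=success",
    "2015-06-01T14:00:15Z vpn01 sslvpn: user=asmith src=203.0.113.9 action=login result=failure",
]


def _parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_cloudtrail(raw_json):
    """Map a CloudTrail ConsoleLogin record into the common login schema."""
    ev = json.loads(raw_json)
    return {
        "ts": _parse_ts(ev["eventTime"]),
        "user": ev.get("userIdentity", {}).get("userName", "<unknown>"),
        "src_ip": ev.get("sourceIPAddress", ""),
        "origin": "aws",
        "success": ev.get("responseElements", {}).get("ConsoleLogin") == "Success",
    }


def normalize_onprem(line):
    """Map a hypothetical key=value VPN syslog line into the same schema."""
    ts, _host, rest = line.split(" ", 2)
    kv = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return {
        "ts": _parse_ts(ts),
        "user": kv.get("user", "<unknown>"),
        "src_ip": kv.get("src", ""),
        "origin": "onprem",
        "success": kv.get("result") == "success",
    }


def detect_cross_environment_logins(events, window=timedelta(minutes=30)):
    """Flag a user with successful logins in both environments from
    different source IPs within `window`. Each silo alone sees only
    an ordinary, successful login."""
    alerts = []
    by_user = {}
    for e in events:
        if e["success"]:
            by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            for second in evs[i + 1:]:
                gap = second["ts"] - first["ts"]
                if gap > window:
                    break  # events are sorted, so later ones are further apart
                if first["origin"] != second["origin"] and first["src_ip"] != second["src_ip"]:
                    alerts.append({
                        "user": user,
                        "first": first,
                        "second": second,
                        "gap_seconds": int(gap.total_seconds()),
                    })
    return alerts


def run_example():
    """Normalize both feeds into one stream and run the rule over it."""
    events = [normalize_cloudtrail(SAMPLE_CLOUDTRAIL)]
    events += [normalize_onprem(line) for line in SAMPLE_ONPREM]
    return detect_cross_environment_logins(events)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['user']}: {a['first']['origin']} {a['first']['src_ip']} -> "
              f"{a['second']['origin']} {a['second']['src_ip']} in {a['gap_seconds']}s")
```

The point of the common schema is that the rule never asks where an event came from except as one more attribute to correlate on; the same function would accept a SaaS provider's user-activity export or a packet-derived session record once it is mapped to the same fields. In practice the window and the "different IP" test would be replaced by whatever baseline the team trusts (known VPN egress ranges, geolocation, device identity), but the structure of the check stays the same.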
RSA is investing significantly in this space! Clearly, where our customers are heading, we are heading. If you want to learn more about the current capability to monitor AWS-based applications with RSA Security Analytics, check out this video. It will give you a sense of what is to come!