Cloud Security Monitoring … Revisited (aka It Is Not 2012 Anymore!)

Tuesday, May 26, 2015

Anton Chuvakin


My next project, now that I am done with security analytics for now, is to revisit our cloud security monitoring work. Specifically, some of you remember my 2012 (!) paper “Security Monitoring of Public Cloud Assets”, where I presented these three monitoring architecture choices for your public cloud assets:

  1. Most Monitoring On-Premises – this is essentially about monitoring the cloud environments by using your traditional on-premise tools, sending cloud logs to your SIEM, etc.
  2. Most Monitoring on Monitored IaaS – this is about deploying your monitoring tools inside the monitored cloud (only works for IaaS, naturally)
  3. Most Monitoring via SaaS or Other Third Party [or another cloud] – this one is about using another cloud to monitor your cloud, such as cloud log manager or another monitoring tool (like cloud SWG?)

In reality, back in 2012-2013, by far the most common approach to security monitoring of the public cloud assets was … not to do any. Indeed, while we have seen a tiny number of clients who practiced one or more of the above architectural approaches, most of the rest practiced cloud computing with no security – and thus with no security monitoring. While loud, obnoxious screams “Security FAIL!!” may be heard, the reality is that many organizations used public clouds for stuff that just didn’t matter much, and “no security” was probably about the right amount of security needed. At the same time, industry research seemed to confirm that CSPs were not the source of damaging incidents and “data breaches.”

Boy, have the times changed! The IT media would have us believe that 2010-2012 was the time when “everybody flocked to the cloud” – and I can tell you right away that this is a complete lie. Even now is not the time when everybody uses public cloud computing, and it is most definitely NOT the time when everybody uses cloud for important and business critical stuff. Sure, make no mistake, the use of cloud computing has grown, but mature approaches to security monitoring of the cloud assets are still really, really rare…

Still, I think this research is worth a revisit. Here is what I think really changed – and I would very much welcome your feedback:

  • CASB has risen [no, this is not related to Easter at all :-)] – overall cloud monitoring using the “in-between approach” has matured and has (I think) become a primary approach to be added to the above 3, especially for SaaS
  • Cloud logging has improved: one word – CloudTrail (one SIEM vendor told me that this was the most requested data source to integrate in the entire history of their device integration team)
  • Monitoring agents to be baked into cloud instances have not become mainstream – while I intend to do more research on this, it seems like “monitor IaaS from the agent” has fizzled [it seemed very promising to me in 2012; BTW, if you are a vendor who can prove me wrong on this one, I am happy to be so proven]
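Shipping CloudTrail to a SIEM (architecture 1 above) only pays off once the records are normalized into something the SIEM can correlate and a few high-signal conditions are flagged on the way in. The Python below is an added example, not code from the post or from Gartner. The three sample records are constructed (account id, IP addresses and user names are made up); the field names follow CloudTrail's documented record format (eventTime, eventSource, eventName, userIdentity, sourceIPAddress, errorCode, additionalEventData.MFAUsed), while the alert names and the IAM_PRIVILEGE_EVENTS set are my own choices for illustration.

```python
"""Normalize CloudTrail records into flat SIEM-friendly events and flag a
few high-signal conditions (root use, console login without MFA, IAM
privilege changes, AccessDenied errors). Added example; sample data is
constructed, not captured from a real account."""
import json

# Constructed sample CloudTrail log file with three records. Field names follow
# CloudTrail's record format; account id, IPs and user names are made up.
SAMPLE_CLOUDTRAIL = json.dumps({
    "Records": [
        {
            "eventVersion": "1.05",
            "eventTime": "2015-05-26T13:02:11Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "Root", "accountId": "111122223333",
                             "arn": "arn:aws:iam::111122223333:root"},
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "No"},
        },
        {
            "eventVersion": "1.05",
            "eventTime": "2015-05-26T13:05:40Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateUser",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::111122223333:user/alice"},
            "requestParameters": {"userName": "svc-backup"},
        },
        {
            "eventVersion": "1.05",
            "eventTime": "2015-05-26T13:09:02Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstances",
            "awsRegion": "eu-west-1",
            "sourceIPAddress": "203.0.113.9",
            "userIdentity": {"type": "IAMUser", "userName": "bob",
                             "arn": "arn:aws:iam::111122223333:user/bob"},
            "errorCode": "AccessDenied",
            "errorMessage": "User is not authorized to perform ec2:DescribeInstances",
        },
    ]
})

# IAM calls that change who can do what in the account; the set is my own
# starting point, not an AWS-provided list. Extend it to taste.
IAM_PRIVILEGE_EVENTS = {"CreateUser", "AttachUserPolicy", "AttachRolePolicy",
                        "PutUserPolicy", "CreateAccessKey", "AddUserToGroup"}


def normalize(record):
    """Flatten one CloudTrail record into the handful of fields a SIEM rule needs."""
    ident = record.get("userIdentity", {})
    return {
        "ts": record["eventTime"],
        "service": record["eventSource"].split(".")[0],   # "iam.amazonaws.com" -> "iam"
        "action": record["eventName"],
        "region": record.get("awsRegion"),
        "src_ip": record.get("sourceIPAddress"),
        "actor_type": ident.get("type"),                   # Root, IAMUser, AssumedRole, ...
        "actor": ident.get("userName") or ident.get("arn"),
        # CloudTrail marks a failed API call by the presence of errorCode.
        "outcome": "failure" if "errorCode" in record else "success",
        "error": record.get("errorCode"),
        "mfa": (record.get("additionalEventData") or {}).get("MFAUsed"),
    }


def detect(event):
    """Return the list of alert names that fire for one normalized event."""
    alerts = []
    if event["actor_type"] == "Root":
        alerts.append("root-account-activity")
    if (event["action"] == "ConsoleLogin" and event["outcome"] == "success"
            and event["mfa"] == "No"):
        alerts.append("console-login-without-mfa")
    if (event["service"] == "iam" and event["action"] in IAM_PRIVILEGE_EVENTS
            and event["outcome"] == "success"):
        alerts.append("iam-privilege-change")
    if event["error"] == "AccessDenied":
        alerts.append("access-denied")
    return alerts


def process_log(raw_json):
    """Parse a CloudTrail log file (JSON with a top-level Records list) into
    normalized events, each carrying the alerts it triggered."""
    events = []
    for record in json.loads(raw_json)["Records"]:
        event = normalize(record)
        event["alerts"] = detect(event)
        events.append(event)
    return events


if __name__ == "__main__":
    # One JSON line per event is what most SIEM collectors ingest most easily.
    for event in process_log(SAMPLE_CLOUDTRAIL):
        print(json.dumps(event))
```

The "failure" outcome is derived from the presence of errorCode rather than from responseElements, because the latter varies by service while errorCode is uniform across CloudTrail; an AccessDenied on a read-only call like DescribeInstances is low severity on its own, but a burst of them from one principal is exactly the kind of pattern a SIEM correlation rule should be written for.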

So, got more ideas? Thoughts?

Vendors, want to showcase your relevant technology? Enterprises, got a fun “how I monitored the cloud?” story?

This was cross-posted from the Gartner blog.
