Safet Acifovic

The (non)sense of traditional security in the public cloud

14/10/2020

Traditional security solutions, such as network scanners, need an overhaul when it comes to cloud security. The cloud is different and requires solutions that are specifically built for the cloud. Ideally something that delivers visibility across the whole stack.

When trying to secure their public cloud environments, organizations often apply their legacy security solutions. Not surprising at all, since traditional security is everything they have and know. But traditional security and the public cloud do not form a happy marriage. Frustrations and outright security issues abound. Cloud misconfigurations (number one cause of data breaches in the cloud, remember?) are nearly impossible to detect using traditional security tools.

 

Traditional security won’t make it in the long run, especially now that network and security perimeters are disappearing into thin air due to rapid cloud adoption. All hail zero trust, right? Traditional security solutions need a serious overhaul.

 


Network scanners are one such solution in need of an overhaul. These scanners were designed to assess computers, networks, or applications for known weaknesses. They have been around for quite a while and are still going strong; Tenable (Nessus) and Qualys are well-known examples of powerful network scanners. However, in my opinion, they are falling behind the times in their ability to detect vulnerabilities, especially in cloud environments.

 

When used in the cloud, network scanners have some serious drawbacks. For example, network scanners will examine only publicly visible information. Contextual information about assets is missing, thus providing only partial visibility. Network scanners also use heuristic techniques in order to detect which applications are configured on the server. False negatives are thus a common side effect.

 


Another drawback is that vulnerability scanning can seriously disrupt business operations and wreak havoc in your network. Systems will crash when you don't expect it. Everyone who has run a vulnerability scan has experienced this at least once. So, it’s always a balancing act between detecting all vulnerabilities and not disrupting the environment. Remember that while you are playing it safe, attackers most likely are not, which puts defenders at a disadvantage.

 

Also, keep in mind that network scanners require a lot of manual work to make sure scans are completed correctly and that no scans are blocked by firewalls and IPSs. This is impractical due to the large number of networks, security groups and VLANs within the cloud.

 


Another aspect that is often not taken into account by traditional security solutions is the agility and scalability of cloud computing. The frequent and sudden changes would make life very hard for many tools that were built for traditional environments. Assets come and go. Moreover, assets are less likely to exist at static IP addresses, and different assets may share the same IP address within a short period of time. Solutions must account for this. The solution must be aware of the cloud.
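To make the IP-reuse problem concrete, here is an added example (not code from this article or from any vendor mentioned in it) that attributes scan findings to the asset that actually held the IP at scan time instead of to whoever holds it now. The `Lease` and `Finding` records, the asset names and all sample data are constructed; in practice the lease history would have to come from your cloud provider's inventory or audit data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class Lease:                      # hypothetical record: one asset holding one IP
    asset_id: str
    ip: str
    start: datetime
    end: Optional[datetime]       # None = still assigned

@dataclass(frozen=True)
class Finding:                    # hypothetical record: what an IP-based scan reports
    ip: str
    seen_at: datetime
    title: str

def owner_at(leases, ip, when):
    """Asset that held `ip` at `when`, or None if no lease covers that moment."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when and (lease.end is None or when < lease.end):
            return lease.asset_id
    return None

def attribute(findings, leases, now):
    """Tie each finding to the asset that held the IP at scan time and flag
    findings an IP-keyed inventory would pin on whoever holds the IP now."""
    rows = []
    for f in findings:
        actual = owner_at(leases, f.ip, f.seen_at)   # None = asset missing from inventory
        by_ip = owner_at(leases, f.ip, now)
        rows.append({"title": f.title, "asset": actual,
                     "ip_keyed_asset": by_ip, "misattributed": actual != by_ip})
    return rows

def D(hour, minute):
    return datetime(2020, 10, 14, hour, minute)

# Constructed sample data: one private IP reused by two assets on the same day.
LEASES = [Lease("i-web-old", "10.0.1.15", D(8, 0), D(9, 30)),
          Lease("i-batch-new", "10.0.1.15", D(9, 40), None)]
FINDINGS = [Finding("10.0.1.15", D(9, 0), "outdated SSH server"),
            Finding("10.0.1.15", D(9, 35), "open admin port"),
            Finding("10.0.1.15", D(10, 0), "outdated TLS library")]

if __name__ == "__main__":
    for row in attribute(FINDINGS, LEASES, now=D(12, 0)):
        print(row)
```

The second finding falls in a window where no known asset held the address, which is itself worth investigating: something answered the scan that the inventory does not know about.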

 

And what about environments that run serverless or in containers? Threats would go undetected since many network scanners and other traditional security solutions are not equipped to handle these relatively new technologies.

 

Does this mean network scanners are useless in the public cloud? Absolutely not. Initial costs are low for partial visibility and they offer the ability to gain data on vulnerabilities without on-asset installation or authentication. However, scanners only provide a partial solution to cloud security.

 


Securing the cloud requires complete visibility into compromised resources, vulnerable software, and misconfigurations without the cost, complexity, and limitations of agents and network scanners. In our search for a cloud-focused security solution that can do all this, we came across Orca Security.

Delivered as a SaaS solution, Orca Security uses its patent-pending SideScanning™ technology to deliver instant and agentless deeper visibility into your cloud environment and ease compliance efforts. The solution works out-of-band and scans the entire cloud estate, down to the data layer to identify malware, vulnerabilities, misconfigurations, leaked passwords, sensitive data (PII) and more.

 

We are excited to announce that we have partnered with Orca Security to help you achieve full-stack visibility across your cloud environments, such as AWS, Azure and GCP.

 

Free trial with our HealthCheck

Each CloudNation HealthCheck comes with a free trial¹ of Orca Security to give you the opportunity to experience full-stack visibility yourself. The CloudNation HealthCheck is a security assessment we have developed to help you identify misconfigurations and other security risks within your cloud environment. It's quick, complete and comes with actionable recommendations to help you start fixing right away.

Interested? For more information on Orca Security or our HealthCheck, please leave your contact information below or give us a call.

 


¹ Terms and conditions may apply