Tufin Software Technologies Ltd.

28/08/2024 | Press release | Distributed by Public on 28/08/2024 09:11

What are the Biggest Cloud Security Concerns Today

Last updated August 28th, 2024 by Erez Tadmor

As cloud adoption grows, so too does the complexity of managing sensitive data and fortifying hybrid cloud cybersecurity across vast and dynamic environments. One of the most pressing threats I see today is the improper management of network access that crosses various teams, such as DevOps, application developers, and network security practitioners.

Unlike the well-established controlled access in on-premises infrastructure networks and data centers, where network security teams have centralized control, cloud environments distribute access responsibilities across multiple roles. This shift brings with it the increased risk of human error, misconfigurations, and overly permissive access that may result in data loss, and more. Imagine a developer, without specialized security training, unintentionally granting overly broad permissions to a cloud storage bucket using an Infrastructure as Code (IaC) approach. It's a naive mistake, but it can have devastating consequences.

What makes this threat particularly dangerous is its nature. It doesn't stem from external hackers trying to breach the perimeter; instead, it exploits the trust and access already granted to insiders. These insider threats are a significant security issue because they often involve unauthorized access that blends into the organization's everyday activities, making detection and mitigation challenging. Additionally, the rise of cloud security risks has further complicated efforts to safeguard against these internal threats.

So, the key question is: how do we address this and protect cloud-based systems?

I believe that the answer lies in implementing strict and clear network access control policies, including the use of next-gen firewalls deployed in public cloud, and/or cloud service providers' firewalls, that adhere to the required security policy of the organization. These security measures should be complemented by comprehensive security training for everyone involved in managing multi-cloud environments. By doing so, we can better protect cloud resources, address cloud security issues, and ensure data security and data protection across all platforms.

It's crucial to establish guardrails that allow DevOps teams and application developers to work within their expertise while still enabling network security teams to have the necessary oversight to maintain security and compliance.

Managing cloud network security policy through an abstraction layer is another effective strategy. This makes it easier for non-security experts to understand and adhere to security requirements, minimizing the risk of misconfigurations.

This abstraction layer should be attentive to the infrastructure layer, enabling real-time alerts for policy violations and ensuring timely remediation. The goal is to balance operational functionality with stringent oversight in cloud computing environments to effectively mitigate external and internal threats, such as lateral movement, within the organizational network allowance boundaries.

The Need for Definitions

While improper access management is a significant concern, it's not the only one. The second-greatest cloud security threat today stems from the lack of clear definitions around roles and responsibilities at the boundary points between different siloes in the cloud.

These boundaries, such as those between data centers and the cloud, or between edge computing and the cloud, are particularly sensitive. These are the "gray areas": the areas where the definition of responsibility is the most controversial.

The ambiguity in roles and responsibilities at these boundary points can create a sort of unmanaged "DMZ" (demilitarized zone) that adversaries can exploit. Without clear ownership and security controls, these areas become vulnerable to attacks.

The lack of a unified approach to securing cloud infrastructure boundaries leads to significant security gaps, making it easier for attackers to exploit weak access controls and carry out cyberattacks, allowing them to infiltrate and move laterally across the network.

This threat is particularly dangerous because these weak points are easily exploitable by cybercriminals. Adversaries target these unmanaged "DMZ" areas, exploiting the absence of clear ownership and accountability. Vulnerabilities may go unaddressed, allowing attackers to gain access and move undetected, leading to data breaches, loss of sensitive information, and other severe security incidents.

To counter this threat, we must ensure holistic visibility into network access controls across the entire organization. Integrating tools and processes that provide a comprehensive view of access controls in all areas, including the cloud, data centers, and edge computing, is crucial.

Beyond having specialized security teams for designated areas, it's vital to establish a dedicated team with global oversight of the cloud platform. This approach helps to effectively manage the attack surface and ensure that comprehensive security solutions are in place across the entire environment.

This team should monitor and manage the organization's security posture from a centralized platform to ensure consistent policies and rapid responses to any detected vulnerabilities or misconfigurations.

Conclusion

Cloud security challenges, new and old, will continue to present themselves, but by implementing a comprehensive security strategy, focusing on proper access management, and clearly defining teams' roles and responsibilities, especially at critical boundary points, we can better protect workloads from potential security breaches.

Additionally, leveraging automation in these processes will further fortify your attack surface against even the most pressing threats.

For more information on how Tufin elevates, secures, and optimizes network security, book a demo.
