Cloud security raises significant challenges for organizations, as more workloads and mission-critical applications move to the cloud. XDR is a new security category that can have a major impact on these challenges, by combining security data from the cloud, corporate networks and endpoints, and visualizing threats present in all three environments.
In this article I’ll introduce the modern cloud security architecture, and explain how XDR can change it for the better.
What is Cloud Security?
Cloud security is a set of practices and technologies that can help organizations secure information, applications and infrastructure, and meet compliance requirements, as they move systems to the cloud. Cloud security is a shared responsibility—typically, cloud providers are responsible for securing their own infrastructure, and organizations are responsible for securing specific workloads, data and applications, and correctly configuring cloud security controls.
Identity management, privacy and access control are especially important due to the nature of the cloud, which is a shared resource. As more and more organizations use cloud computing for sensitive data and applications, organizations are prioritizing cloud security. Critical activities are understanding security measures offered by cloud providers, taking the necessary steps to secure data and applications, and setting up robust backup and business continuity plans.
Cloud Security Architecture Patterns
A cloud security architecture, like a traditional information security architecture, is aimed at protecting confidentiality, integrity and availability (CIA). The main goal of a cloud security architecture is to enable faster, safer migration to the cloud, and reduce the risk of existing cloud deployments.
Security controls and technologies may be built into the public cloud (such as AWS or Azure), or provided by third parties. Third-party solutions can be consumed as a SaaS offering, a software component installed on cloud systems, or a cloud-based appliance.
The cloud security architecture should address the following concerns:
- Define trust boundaries between cloud-based services and integrated systems and coupling methods (loose or tight coupling).
- Define secure protocols to be used in all cloud communication, encryption methods, algorithms and policies.
- Define authentication and authorization mechanisms, management of authentication tokens and secrets, security logging and monitoring.
- Define security checklists for each category of cloud systems, which should be automatically implemented using configuration management or infrastructure as code (IaC) methods.
In the details of a cloud security architecture, each security tool or service used to secure the cloud should be defined as follows:
- Location—is the service native to a public cloud, self-managed on the cloud, or on-premises? If on the cloud, in which geographical region? This can have an impact on governance, performance, and access policies.
- Protocol—how do clients or integrated systems access the service? For example, REST API, HTTPS.
- Function—what is the security purpose of the service? For example, logging, authentication, security monitoring.
- Input and output—what is the nature, data type and format of the inputs the service receives, and what does it return?
- Users—who will operate and own this service in the organization?
What is XDR?
eXtended Detection and Response (XDR) solutions are used to automatically detect and recover from security issues in hybrid systems. They collect data from across the IT environment, including cloud resources, networks, endpoints, email servers and applications.
This is in contrast to traditional security tools, like firewalls, IPS/IDS and endpoint detection and response (EDR), which were limited to one security layer. In particular, network detection and response (NDR) solutions, which are similar to XDR, only support on-premise security and cannot be used for the cloud or remote endpoints.
XDR provides one system for managing all security incidents, regardless of their source. It simplifies detection and remediation for security teams by allowing them to view the complete attack story in one place, automatically providing the most relevant information to enable fast forensic investigation.
XDR does not replace the existing security stack. Rather, it leverages existing tools, extending security coverage to the interface between networks, endpoints, cloud services and applications.
According to Gartner, a solution must have the following capabilities to be included in the XDR category:
- Ongoing analysis of network, cloud and endpoint activity.
- Ability to establish behavioral baselines using artificial intelligence and machine learning (AI/ML).
- Automated threat and anomaly detection in a hybrid environment.
- Enables forensic investigation immediately on detection of security incidents.
XDR for Cloud Security
Cloud security is no longer an isolated field. In most organizations, the cloud is tightly integrated with on-premise systems, and security incidents in one environment can quickly spread to other environments. It is no longer effective to have separate security controls and monitoring for each environment, and have separate teams analyzing and responding to on-premise and cloud incidents, when many of these will be interconnected.
Another shift is that cloud security is shifting left. Security teams are involved in development sprints, and CIOs are creating “cloud excellence centers”, which include both technical cloud experts and security experts. But this transformation won’t work without a security tool that can provide complete visibility and control over the entire hybrid environment, which is where XDR comes in.
There are three key ways in which XDR will contribute to cloud security: identity management, logging, and network traffic analysis.
Cloud Identity Management
Cloud services are accessed by both human and non-human identities (such as service roles). Telemetry must be collected about access to consoles, usage of service accounts, access control lists (ACL), user accounts and privileges on SaaS services, and API access. However, the cloud is not centralized, and the SOC typically does not have visibility over these systems, in particular, which accounts have access to which resources.
This telemetry is critical both for cloud services and SaaS applications, and must be correlated with the type and volume of data being accessed. A user accessing a SaaS application to retrieve one customer record is different from the same user downloading a million customer accounts. Privileged users on public cloud systems are the “holy grail” for attackers and must be watched closely.
XDR can help by correlating all this information—which identities are accessing which services and which data, and what other security-related events occurred in the environment before or after any suspicious activity.
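The correlation described above can be sketched as follows. This is an added example, not code from any XDR product: the event tuples, the 20x-median threshold and the 30-minute window are constructed assumptions. It flags an access whose data volume far exceeds that identity's own baseline, then attaches events from other layers that occurred shortly before or after.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample telemetry: (timestamp, identity, service, records_read)
ACCESS = [
    ("2024-05-01T09:00:00", "alice", "crm", 1),
    ("2024-05-01T09:30:00", "alice", "crm", 3),
    ("2024-05-02T10:00:00", "alice", "crm", 2),
    ("2024-05-02T11:00:00", "svc-report", "crm", 5000),
    ("2024-05-03T11:00:00", "svc-report", "crm", 5200),
    ("2024-05-03T11:30:00", "svc-report", "crm", 4900),
    ("2024-05-03T02:14:00", "alice", "crm", 1_000_000),
]
# Constructed events from other layers: (timestamp, identity, source, description)
OTHER = [
    ("2024-05-03T02:05:00", "alice", "endpoint", "login from new device"),
    ("2024-05-03T02:20:00", "alice", "network", "large outbound transfer"),
    ("2024-05-01T12:00:00", "bob", "cloud", "console login"),
]

def ts(s):
    return datetime.fromisoformat(s)

def volume_anomalies(access, factor=20, min_history=2):
    """Flag accesses exceeding factor x the identity's median of earlier accesses."""
    history, flagged = defaultdict(list), []
    for when, ident, service, n in sorted(access, key=lambda e: ts(e[0])):
        prior = history[(ident, service)]
        if len(prior) >= min_history and n > factor * max(median(prior), 1):
            flagged.append((when, ident, service, n))  # kept out of the baseline
        else:
            prior.append(n)
    return flagged

def correlate(flagged, other, window=timedelta(minutes=30)):
    """Attach same-identity events within `window` before or after each flagged access."""
    out = []
    for when, ident, service, n in flagged:
        near = sorted(e for e in other
                      if e[1] == ident and abs(ts(e[0]) - ts(when)) <= window)
        out.append({"identity": ident, "service": service,
                    "records": n, "when": when, "context": near})
    return out

INCIDENTS = correlate(volume_anomalies(ACCESS), OTHER)
```

The service account reading about 5,000 records per run is not flagged, because that volume is its own baseline; only the human identity's jump from a few records to a million is.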
Cloud Security Log Analysis
All cloud service providers provide logging and auditing capabilities. This is a basic feature for organizations operating cloud services in a regulated environment. However, due to the dynamic nature of cloud services, so many events are recorded in these logs that it is difficult to link events to actionable alerts.
XDR can help by removing noise, and using AI/ML algorithms to correlate cloud audit trails with other signals suggesting malicious activity. It can be especially helpful in collecting telemetry from multiple clouds and showing security incidents on one pane of glass.
Network Traffic Flows
In addition to watching NetFlow data on specific cloud instances, the SOC team needs to collect network telemetry for traffic to cloud systems, from cloud systems, and between clouds in a multi-cloud environment. Network monitoring can focus on the virtual private cloud (VPC) level on specific subnets.
In a multi-cloud environment, NetFlow monitoring must include both east-west and north-south traffic—in other words, traffic flowing inside the cloud environment, and between the cloud and other environments. XDR can help collect and analyze this data, but it can go beyond monitoring. By integrating XDR with cloud networking automation, it can automatically create network segmentation to isolate infected systems and block lateral movement.
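To make the east-west and north-south distinction concrete, here is an added example (not from any vendor's tooling) that classifies flow records by direction and lists the internal peers of a host under investigation, which are the candidates for segmentation review. The address plan, the flow tuples and the separate "inter-cloud" label are constructed assumptions.

```python
import ipaddress

# Assumed (constructed) address plan: two cloud networks and one on-premise range.
ENVIRONMENTS = {
    "aws-vpc": ipaddress.ip_network("10.10.0.0/16"),
    "azure-vnet": ipaddress.ip_network("10.20.0.0/16"),
    "on-prem": ipaddress.ip_network("192.168.0.0/16"),
}
CLOUD = {"aws-vpc", "azure-vnet"}

# Constructed flow records: (src, dst, dst_port, bytes)
FLOWS = [
    ("10.10.1.5", "10.10.2.9", 445, 1200),
    ("10.10.1.5", "10.20.3.4", 22, 800),
    ("192.168.1.10", "10.10.1.5", 443, 5000),
    ("10.10.2.9", "203.0.113.7", 443, 90000),
    ("10.20.3.4", "10.20.3.8", 5432, 300),
]

def env_of(ip):
    """Map an address to its environment name, or 'internet' if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in ENVIRONMENTS.items():
        if addr in net:
            return name
    return "internet"

def classify(flow):
    """east-west: inside one cloud; inter-cloud: cloud to cloud; else north-south."""
    src, dst = env_of(flow[0]), env_of(flow[1])
    if src == dst and src in CLOUD:
        return "east-west"
    if src in CLOUD and dst in CLOUD:
        return "inter-cloud"
    return "north-south"

def lateral_peers(flows, host):
    """Cloud hosts that exchanged east-west or inter-cloud traffic with `host`."""
    peers = set()
    for f in flows:
        if classify(f) == "north-south" or host not in f[:2]:
            continue
        peers.add(f[1] if f[0] == host else f[0])
    return sorted(peers)

DIRECTIONS = [classify(f) for f in FLOWS]
PEERS = lateral_peers(FLOWS, "10.10.1.5")
```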
In this article I discussed the challenges of modern cloud security, and a new security system called XDR, which provides a holistic security approach for hybrid environments. I covered three ways XDR can enhance cloud security:
- Analyzing telemetry about cloud identities and access to cloud systems.
- Assisting with analysis of cloud security logs and audit trails.
- Simplifying analysis of network traffic flows to, from, and between clouds.
I hope this will be helpful as you evaluate new security tools to improve security in the new, cloud native world.