Your choices for security monitoring and/or threat detection technology across the cloud models (SaaS, PaaS, IaaS) boil down to, essentially:
- Use the security controls that your cloud service provider (CSP) offers … but for many CSPs these are really shitty [or worse!], and even if they are great – they only work for this one provider. Does anybody who uses cloud use just ONE provider?
- Use legacy controls that you have deployed on-premise (SIEM, DLP, NIPS, EDR, UEBA, etc)… but prepare to fight many technology and process hurdles and incompatibilities. Even if you think vendors will adapt to cloud technology peculiarities, do you think they won’t trip over devops and cloud-style operational processes?
- Use native “built for the cloud” security tools (CASB, CWPP, cloud log management, etc)… but accept that you will lose the single view across old and new environments. Would you like to check 2 consoles for every task and have little visibility across both?
Naturally, in reality, combinations of these are very likely. Just as naturally, what fits each organization depends on its approach to cloud adoption and usage (e.g. “fork-lifters” tend to like the second option, legacy controls, while some “cloud-firsters” gravitate to the third, cloud-native tools).
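To make the “only works for this one provider” and “2 consoles” problems concrete, here is an added example (mine, not part of the original post or any vendor's product): AWS CloudTrail and Azure Activity Log records are normalized into one small common schema, and two detections are run over the union, one that a single provider's console could express on its own (a privileged role grant) and one that it cannot (the same source IP active in two providers within minutes). The sample events are constructed, not real captures; their field names follow the published CloudTrail and Activity Log schemas, but the IDs, IPs and ARNs are placeholders, and the common schema and the PRIVILEGE_GRANTS mapping are my own choices, not a standard.

```python
"""Normalizing AWS CloudTrail and Azure Activity Log records into one schema
and running two detections over the union.  Added example for this post, not
the author's code; sample events below are constructed, not real captures."""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

# Constructed sample events. Field names follow the published CloudTrail and
# Azure Activity Log schemas; values (IPs, ARNs, IDs, callers) are placeholders.
CLOUDTRAIL_SAMPLE: List[Dict[str, Any]] = [
    {   # successful privilege grant from 203.0.113.10
        "eventTime": "2024-03-01T10:15:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"userName": "bob",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
        "recipientAccountId": "123456789012",
    },
    {   # an unrelated denied call, to show the outcome mapping
        "eventTime": "2024-03-01T11:40:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"},
        "recipientAccountId": "123456789012",
        "errorCode": "AccessDenied",
    },
]
AZURE_SAMPLE: List[Dict[str, Any]] = [
    {   # role assignment written six minutes later from the same IP
        "eventTimestamp": "2024-03-01T10:21:05.1234567Z",
        "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
        "caller": "alice@example.com",
        "status": {"value": "Succeeded"},
        "subscriptionId": "00000000-0000-0000-0000-000000000001",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000001"
                      "/providers/Microsoft.Authorization/roleAssignments/abc",
        "httpRequest": {"clientIpAddress": "203.0.113.10"},
    },
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp. Azure emits 7 fractional digits, which
    older datetime.fromisoformat() rejects, so the fraction is cut to microseconds."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    micros = int(frac[:6].ljust(6, "0")) if frac else 0
    return dt.replace(microsecond=micros, tzinfo=timezone.utc)


def from_cloudtrail(ev: Dict[str, Any]) -> Dict[str, Any]:
    """CloudTrail record -> common schema (my schema, not a standard one)."""
    service = ev["eventSource"].split(".")[0]          # "iam.amazonaws.com" -> "iam"
    return {
        "provider": "aws",
        "time": parse_ts(ev["eventTime"]),
        "actor": ev.get("userIdentity", {}).get("arn"),
        "action": f"{service}:{ev['eventName']}",
        "src_ip": ev.get("sourceIPAddress"),
        "scope": ev.get("recipientAccountId"),
        "outcome": "failure" if ev.get("errorCode") else "success",
    }


def from_azure_activity(ev: Dict[str, Any]) -> Dict[str, Any]:
    """Azure Activity Log record -> the same common schema."""
    return {
        "provider": "azure",
        "time": parse_ts(ev["eventTimestamp"]),
        "actor": ev.get("caller"),
        "action": ev["operationName"]["value"],
        "src_ip": ev.get("httpRequest", {}).get("clientIpAddress"),
        "scope": ev.get("subscriptionId"),
        "outcome": "success" if ev.get("status", {}).get("value") == "Succeeded" else "failure",
    }


# Provider-specific names for one thing: handing someone a privileged role.
PRIVILEGE_GRANTS = {
    ("aws", "iam:AttachUserPolicy"),
    ("aws", "iam:AttachRolePolicy"),
    ("aws", "iam:PutUserPolicy"),
    ("azure", "Microsoft.Authorization/roleAssignments/write"),
}


def normalize_all(cloudtrail: List[Dict[str, Any]], azure: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    events = [from_cloudtrail(e) for e in cloudtrail] + [from_azure_activity(e) for e in azure]
    return sorted(events, key=lambda e: e["time"])


def detect_privilege_grants(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One rule, written once, evaluated over every provider."""
    return [e for e in events
            if (e["provider"], e["action"]) in PRIVILEGE_GRANTS and e["outcome"] == "success"]


def detect_cross_provider_ips(events: List[Dict[str, Any]],
                              window: timedelta = timedelta(minutes=30)) -> Dict[str, List[str]]:
    """Source IPs active in more than one provider within `window`: a signal
    that no single provider's own console can show, because it never sees
    the other provider's logs."""
    by_ip: Dict[str, List[Dict[str, Any]]] = {}
    for e in events:
        if e["src_ip"]:
            by_ip.setdefault(e["src_ip"], []).append(e)
    hits: Dict[str, set] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["time"] - a["time"] > window:
                    break
                if a["provider"] != b["provider"]:
                    hits.setdefault(ip, set()).update({a["provider"], b["provider"]})
    return {ip: sorted(p) for ip, p in hits.items()}


if __name__ == "__main__":
    evs = normalize_all(CLOUDTRAIL_SAMPLE, AZURE_SAMPLE)
    for hit in detect_privilege_grants(evs):
        print(f"[{hit['provider']}] privilege grant by {hit['actor']} "
              f"from {hit['src_ip']}: {hit['action']}")
    for ip, providers in detect_cross_provider_ips(evs).items():
        print(f"{ip} active in {', '.join(providers)} within 30 minutes")
```

The first detection is what a CSP-native tool gives you for its own cloud; the second is the part each such tool structurally cannot do, and the per-provider `from_*` adapters are the “technology hurdles” a legacy SIEM has to absorb before either rule can be written once.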
But, overall, are we thinking about this the right / useful way? What do you think? Vendors, you are also welcome to argue your position here in the comments.
Related blog posts on cloud security:
- Cloud Threat Detection Research (2017)
- Cloud Security Monitoring … Revisited (aka It Is Not 2012 Anymore!) (2015)
- My Cloud Security Monitoring Paper Publishes! (2012 – as are all the posts below)
- Cloud Security Monitoring: The “Who” Question
- Is Cloud Secure? WTFC!
- Cloud Security Monitoring: IaaS Conundrum
- Cloud Security Monitoring for IaaS, PaaS, SaaS
- More On Security Monitoring of Public Cloud Assets
- Cloud Security Monitoring!
- Cloud IS Different: So Monitoring Must Be Different?
- Many Faces of Application Security Monitoring