Cloud Security Principles

1.Cloud Security Overview

---

What is cloud security?

Cloud security is a cybersecurity discipline and includes all of the tools, resources, processes, and policies used to protect your cloud infrastructure including data, systems, applications, and resources stored in the cloud. You can also apply cloud security practices to elements of a hybrid environment where you have a mix of both on-prem and cloud-based systems.

With a cloud security program, you can assess all of the assets within your cloud infrastructure so you can discover, mitigate and remediate all vulnerabilities, weaknesses, misconfigurations, and other security issues to keep your cloud infrastructure safe.

Cloud security is also known as cloud computing security. The goal is to protect all of your data in the cloud and help you meet your regulatory, legal, compliance and other standards.

You can use cloud security to limit and control who has access to your cloud systems and manage other security and configuration rules for your cloud environment.

Cloud security responsibility, which we’ll talk about more in depth later, varies depending on your chosen infrastructure, but in general, both your organization and your cloud security solution provider should work together to protect your cloud environment.

How does cloud security work?

Cloud security works by applying various controls, processes, and policies to protect your cloud environment and prevent unauthorized access to all of your systems, data and applications that reside there.

For effective cybersecurity, you need complete visibility into your entire cloud infrastructure including serverless computing, containers, and microservices, and you should have a cloud security solution that enables you to continuously monitor and analyze all of your cloud assets.

You can personalize your cloud security approach based on a number of factors specifically related to your organization’s unique characteristics and needs. While not exhaustive, here are some strategies you might choose to deploy for cloud security:

• Network monitoring and next-generation firewalls to control the flow of data into and out of your cloud environment. The goal is to create a defense that prevents unauthorized users on an external network from accessing your data.
• Continuous asset discovery, assessment, and threat intelligence to uncover vulnerabilities, weaknesses and other security issues. The goal is to discover vulnerabilities so you can prioritize them and make plans to fix them.
• Identity and access management to ensure that only authorized users can access data in the cloud.
• Encryption to encode your data while it’s moving and at rest.
• Segmentation to isolate specific data sets or systems to help decrease what attackers might be able to access in a successful attack.
• Penetration testing to determine if you can get unauthorized access into your cloud environment so you can remediate those issues and prevent a breach.
• Logging and reporting of all activities
• Data loss prevention to prohibit access when you detect suspicious data activity
• Configuration reviews and configuration hardening
• Antivirus programs to prevent malware infection and spread

How is cloud security different from traditional IT cybersecurity?

While cloud security and traditional IT cybersecurity share some common goals, like keeping your data, systems, and applications safe, the two practices have many differences.

Traditional IT security practices don’t work well within cloud environments, leaving you with blind spots that can put your organization at risk. Por quê? Because unlike many traditional IT environments (think servers and computers within a controlled environment) that you can more easily protect with a security perimeter, the cloud is dynamic and frequently changes. In general, it’s easier to protect access points within a controlled on-premises environment than it is in a dynamic cloud.

The cloud is also increasingly interconnected meaning security issues that originate in the cloud could traverse into your on-prem environment and vice versa. Additionally, if not well-protected, security issues that originate in a shared or public cloud space could traverse into your systems and data without your knowledge. If a bad actor gets access to a component within shared space, you could be at risk.

While there are many benefits for cloud security, the same things that make it affordable, scalable and accessible can contribute to security issues. The cloud is at risk from a variety of issues from weak identity and access management, to the use of default passwords, lateral movement from breach, weaknesses in application code, vulnerabilities, and other risks.

Also, because attackers know many cloud environments host a vast amount of data, they’re prime targets for attackers.

And while there are a number of differences between cloud security and traditional information security as it relates to risks, there are also a number of differences with benefits of cloud security compared to traditional cybersecurity.

Eis alguns exemplos:

• Cloud security is easier and faster to deploy. With a software as a service (SaaS) model, you don’t need to purchase additional hardware or other appliances to protect your cloud infrastructure. Conversely, on-site IT often requires the expensive and time-consuming process of evaluating hardware and software, purchasing it, waiting for it to arrive, set up, configure and training. 
• Cloud security solutions are more cost-friendly than complex on-premises solutions, which in addition to purchase prices, often include additional costs such as maintenance and upgrade fees, plus the time and resources expended by your IT and security team to implement and manage. With a subscription model for cloud security, for example, these costs can be considerably reduced and can easily be adjusted as your organization scales.
• Traditional IT cybersecurity is taxing on internal resources, which today is complicated further by a lack of available skilled professionals to fill critical roles. With cloud security, depending on if you’re using a public, private or hybrid cloud model, security responsibilities can be shared between your IT team and the cloud provider, or shifted to management by an outside provider.
• We mentioned this earlier, but it’s important to point out again, that cloud security solutions are better for comprehensive visibility into your cloud infrastructure and on-premises environments. Traditional IT cybersecurity is limited to monitoring on-site and across your network.

Why is cloud security important?

As more organizations adopt more cloud computing solutions, cloud security becomes increasingly important. That’s because many of the traditional security practices employed for on-premises infrastructure don’t provide the comprehensive insight you need for rapidly changing cloud environments.

Because of the volume of data stored there, cloud environments are in the crosshairs for cyber attackers, and as a result, security threats constantly evolve. That’s why, if you’re using a public, private or hybrid cloud model, you need cloud security.

Here are some of the many reasons why cloud security is important:

• Security threats are increasing and constantly changing
• You can more easily manage your integrated security practices in a centralized location
• Cloud security gives you insight you wouldn’t have with traditional IT security, including visibility into short-lived and transient assets such as serverless computing, containers and microservices
• Cloud security can scale and change as your organization evolves and changes
• Cloud security can help you reduce costs and decrease the strain on your already busy IT staff
• You can automate many of your common security practices and eliminate time-consuming, repetitive, manual tasks
• You can ensure your data is safe and you can access it from a variety of authorized devices and users from any location
• You can have the same level of security and experience for all users accessing your cloud—wherever they are—unlike traditional IT that often requires security stacks for remote sites and other locations

What’s the difference between public cloud and private cloud?

Public and private clouds have some similarities, but are different. The core difference is that a public cloud is shared by more than one organization via the internet, whereas a private cloud is dedicated to one organization and shared through a private network.

Some organizations choose to adopt a hybrid cloud model with both public and private cloud services, often choosing to put the operation’s most critical data and applications in a private cloud and the rest in a public cloud.

Here are some of the other ways public and private clouds are different:

• Private clouds are dedicated and secure and often have maintenance costs directly related to that
• Public clouds, because they’re shared, generally do not have additional maintenance costs
• Public cloud models come with a variety of pricing options for expense flexibility
• Private clouds can be customized to meet your organization’s specific needs, which can bring additional benefits relating to compliance and regulatory requirements
• Public cloud is good for software development, application usage, and communications services, whereas a private cloud may be better suited for sensitive data like personally identifiable information (PII) and protected health information (PHI)
• You can employ customized security solutions for a private cloud, which may be better for compliance, but you may have less security options in a private cloud

What’s a hybrid cloud?

Hybrid cloud computing offers organizations flexibility when deploying solutions off-premises. Some hybrid cloud models use a mix of public and private cloud, while some may also include some on-prem resources.

There are a variety of reasons your organization may choose a hybrid cloud model. Often, it’s a decision driven by regulatory and compliance requirements, where some data may need to have specific security protocols that are executable in a private cloud but not in a public one. Other data and applications may have more security flexibility and they’re well-suited for a public cloud. A hybrid cloud solution is a good option to help you mitigate risks. You can put your most sensitive data in a controlled environment, and then use the public cloud for workloads that don’t need as stringent security measures.

Here are some of the many benefits of choosing a hybrid cloud option:

• You remain in control of the security you want, helping to ensure regulatory compliance
• May be more cost effective than putting all your data in a private cloud
• Flexible and scalable alternative that you can adapt as your organization changes and evolves
• Enables planned, scaled migration to the cloud without having to move everything all at once

Are public clouds secure?

Yes, public clouds are secure. The nuance here is what type of security you need to deploy, especially for compliance and regulatory standards, which may be more difficult to do in a public cloud environment compared to a private cloud. Public clouds are not for every organization or every data type, but they do offer secure alternatives to on-site hosting.

Just like your on-premises environment, no environment is 100 percent secure. There are always risks. However, most public cloud providers are continuously improving their security practices and learning from exploits that put data at risk.

When you establish your relationship with a public cloud provider, it’s likely you’ll sign a service level agreement (SLA) or other contract, which should outline who is responsible for which security components. Make sure both parties have a clear understanding of expectations and be sure to routinely follow-up throughout the course of your relationship and any time you have a contract or other similar renewal. If you’re using a public cloud provider that is compliant with your organization’s regulatory requirements, ask to see compliance audit documentation.

Is the cloud more secure than on-premises?

In one study, almost 90% of respondents said their organization uses some type of public cloud infrastructure. About 40% believe public clouds are more secure than security they can deliver in their on-prem environments, with an additional 35% saying public cloud is somewhat more secure than on-prem.

With that confidence and reliability, an increasing number of organizations are moving business critical applications to the cloud, with nine out of 10 adopting software as a service (SaaS). Another 76% of respondents use infrastructure as a service (IaaS) and 70% use platform as a service (PaaS).

Aligning cloud security with the cybersecurity lifecycle

Your cloud security program can reap many benefits from alignment with the cybersecurity lifecycle.

According to Ponemon’s “The Economic Value of Prevention in the Cybersecurity Lifecycle” survey, when attacks are prevented from entering your environment and can’t cause damage, you can save costs, resources, damage, time, and reputation.

Although prevention is one of the most difficult components of the cybersecurity lifecycle, it’s imperative. Preventing a zero-day attack, for example, can save organizations nearly $1 million (an average of $775,000). And having an insecure cloud platform, according to almost 20% of respondents, is among top security concerns.

NIST’s cybersecurity framework identifies five core functions of the cybersecurity lifecycle: identify, protect, detect, respond, and recover. Each function consists of categories and subcategories that align to these functions to activities you can use to build and improve your cloud security processes.

Let’s take a closer look at each function and what’s included:

• Identify: Asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management
• Protect: Identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance and protective technology
• Detect: Anomalies and events, security continuous monitoring and detection processes
• Respond: Response planning, communications, analysis, mitigation and improvements
• Recover: Recovery planning, improvements, communications

So how can you effectively apply components of the lifecycle to your cloud security approach? See. Predict. Act.

Tenable’s Cyber Exposure Management platform, which includes a number of solutions and resources for cloud-based security, can give you increased visibility into your cloud assets, including exposures, so you can prioritize cyber risk and make plans to remediate security issues within your cloud environment. It’s rooted in Tenable’s unique approach that enables you to see everything, predict what matters, and act to address risks.

For example, in AWS Tenable’s Frictionless Assessment can help you continuously assess all of your cloud instances, and you can do it without having to deploy agents, scanners or other software. With Frictionless Assessment, you can quickly uncover newly discovered vulnerabilities, even in a fluid and ever-changing cloud environment. Learn more about how Tenable can help you protect your cloud infrastructure at https://www.tenable.com/exposure-management.

2.Cloud Attacks and Related Risks

---

What security risks and challenges exist for cloud computing?

While cloud computing brings a lot of flexibility and scalability to your organization, there are a number of security risks. Any time you move your data and workloads off on-premises, you lose some control.

For example, Amazon Web Services (AWS) has a shared responsibility model that means AWS is responsible for physical security of the cloud, but you are responsible for your data and workloads.

Also, most cloud providers aggregate data and services into their systems, meaning attackers can often access more data with less work. That means cloud environments can increase the value of a hacking target.

Other potential risks include blind spots in your cloud environment, not meeting legal requirements or compliance obligations, losing service if your cloud provider goes down or you lose connectivity to your cloud, unauthorized access to your data by your cloud provider’s employees, or the potential your data stored in the cloud and could be lost.

Here are some common security risks and challenges associated with cloud computing environments:

• Lack of visibility: Organizations that apply traditional IT cybersecurity practices to their cloud environments often suffer from lack of visibility, which creates blind spots and increases cyber risk.
• Lack of alignment: Whether it’s a disparate approach between assets or environments, or a lack of understanding of how business and cybersecurity goals should work together, a lack of alignment across your organization and throughout your processes can leave you vulnerable to cloud risks.
• Broadening attack surfaces: A growing number of organizations are adopting cloud solutions such as SaaS and PaaS without fully understanding the shared security responsibility model used by cloud resources. A lack of understanding of who is responsible for what—and which risks should be addressed first and how—creates risks for cloud environments.
• Environmental complexities: Cloud environments are complex—whether it’s a public, private, community or hybrid cloud solution. While the cloud is a great alternative for enterprises that need seamless integration and operations for a variety of services and applications, these complexities require cloud-specific security measures.
• Increased attacker interest: Most hackers have a common goal—to reap as much money as possible from an attack. Because shared public clouds often house more data and critical systems than an on-prem server, attackers increasingly focus their attention on attacking cloud environments.
• Increased chance of lateral attack movement: Traditional IT security works by creating a perimeter around your data and assets. If you successfully protect your network, you decrease a chance of attack. However, because there are shared components within public clouds, a weakness or vulnerability exploit for an organization in that shared space could increase risk for your organization.
• DevOps and DevSecOps risks: One of the benefits of the cloud is the ability for organizations to automate and quickly spin up DevOps and DevSecOps workloads; however, if you don’t implement proper security controls during the early phases of the development lifecycle, it can increase security risks once it migrates into production.
• Shifting responsibility confusion: Because of the shared security responsibility model created by cloud environments, there can sometimes be confusion about who is responsible for which security role. This is a critical issue when it comes to compliance and regulatory standards, where your organization cannot shift compliance responsibility to your third-party partners.
• Challenges for access control: Whenever you move your data and applications off-site, you increase your risks related to who can access your data. In a cloud environment, in addition to hacking risks, there may also be risks associated with the CSP employees getting unauthorized access to your information.

What are cloud attacks?

A cloud attack is a way an attacker attempts to exploit vulnerabilities or other security weaknesses within your cloud environment.

There are a number of ways attackers can attempt to exploit your cloud environment. For example, an attacker can inject malware to access information stored in the cloud. Once inside your cloud environment, the attacker can move laterally through other components and affect other systems.

Here are some other types of cloud attacks and vectors:

• Negação de serviço (DoS)
• Brute force attacks
• Wrapping attacks
• Service hijacking
• No encryption or weak encryption
• Man-in-the-middle attacks
• Advanced persistent threats (APTs)
• Malicious insider threats
• Malicious scripts
• Phishing, malware, ransomware
• Unauthorized access or credential stealing
• Configurações incorretas
• Malware injection

Who is responsible for cloud security?

Who is responsible for cloud security depends on which model you adopt, but in general, all cloud service providers (CSP) attempt to provide secure cloud environments for their customers. In all cloud environments, however, you are responsible for securing your data and managing who has access to your cloud assets.

Depending on which service or model you select, you should anticipate a shared responsibility for your cloud security. For example, if you’re relying on a CSP for IaaS, then the CSP is responsible for protecting the facilities, hardware, software, infrastructure and access, while you are responsible for ensuring your data and applications are secure, as well as controlling who has access and which operating systems you use. If you’re a PaaS customer, then you have the responsibility of ensuring your data, systems and applications are secure, as well as controlling user access. In a SaaS model, the responsibility for controlling user access and securing data falls to you.

3.Cloud Security Layers and Tools

---

What are the layers of cloud computing?

There are several layers of cloud computing, which contribute to the complexity of cloud security. Understanding these layers and selecting the appropriate controls to secure them can help keep your cloud environment safe. Here’s a quick look at some of these layers:

• Policies and procedures: Policies and procedures are at the core of your cloud security program. You may find it helpful to use a cloud security compliance framework, for example, the Cloud Security Alliance Cloud Controls Matrix (CCM), to help establish your policies and build your controls.
• Physical security: This includes physical access controls that prevent unauthorized access into your facilities, for example keys, multi-factor authentication, or other security measures
• Network security: You can approach network security from two levels: perimeter security and internal security. Perimeter security ensures all network traffic traverses specific monitored points into your environment, whereas your internal security measures focus on data transmitted into and out of your cloud environment.
• Segurança de aplicações:As we mentioned earlier, even if you use SaaS, you have a responsibility to ensure your data is secure and limit unauthorized access. This can happen at the application level, where you can use controls like firewalls, encryption, and other intrusion detection methods to protect your applications and data.
• Virtualization: At this layer are the virtual machines and software you use to run virtual machines in the cloud. It’s imperative to secure this layer throughout the entire lifecycle, including access controls and continuous monitoring of your cloud attack vectors.
• Orchestration: This is the layer where you automate your workflows and processes, generally ensuring effective and safe interactions between disparate systems that live in or flow through your cloud.

What are cloud connectors?

Cloud connectors link the cloud, other applications and on-prem assets. Tenable uses cloud connectors to import information from assets into Tenable solutions. In Tenable.io, for example, you can use cloud connectors for asset scanning. It’s easy to do. First, configure the platform for connector integration, create the connector, and then manage it. Tenable.io uses connectors for container security and vulnerability management.

Tenable.io has vulnerability management connectors for AWS, GCP and Azure.

Tenable for AWS

Amazon Web Services has a shared responsibility model for cloud security. To keep your AWS environment secure, you’ll need clear visibility into all of your assets and vulnerabilities. This can be challenging to do because cloud instances and workflows are often fast moving in the cloud and they can spin up and go away quickly. If you’re using only periodic active scans and not continuous monitoring, you’ll miss short-lived assets and have blind spots within your environment.

You can use Tenable.io in your AWS environment to discover and inventory all of your cloud and on-prem assets and then centrally manage them in a single platform so you can get better insight into actual cyber threats and prioritize how to remediate them.

Here are some of the vulnerability management tasks you can tackle with the support of Tenable.io and the AWS connector:

• Automatically discover all of your assets within AWS
• Import and manage those assets within Tenable.io
• Assess your AWS environment to uncover vulnerabilities, compliance issues, malware or other malicious activities
• Use Nessus agent for assessments
• Harden configurations and identify misconfigurations

You can also use Nessus Professional within AWS to scan all of your Amazon Elastic Compute Cloud (Amazon EC2) instances.

Frictionless Assessment para AWS

In addition to using Nessus Pro to scan your EC2 instances, Tenable recently launched Frictionless Assessment. Tenable Frictionless Assessment uses the AWS Systems Manager (SSM) agent to continuously discover the state of all of your EC2 instances so you can assess them. It’s easy to set up and you can see your assessment information within minutes so you can prioritize and discover issues for remediation.

Tenable for Azure

Tenable also has connectors for Microsoft Azure. You can use Tenable Azure connectors for continuous monitoring into your Azure environment to keep your attack surface safe.

Here are some of the benefits of using the Tenable.io connector for Azure:

• Continuous visibility and monitoring
• System and configuration hardening
• Elimination of manual verifications for misconfigurations for virtual machines
• Increased vulnerability prioritization and reduced cyber risk exposures

Tenable for Google Cloud Platform (GCP)

Tenable.io also has connectors for Google Cloud Platform (GCP). This connector can help you with vulnerability management within Google Cloud Security Command Center (Cloud SCC).

Here are some benefits of Tenable’s cloud connector for GCP:

• Enhanced visibility into all of your GCP assets
• Insight into your public, private and hybrid environments within a single dashboard
• Manage Cyber Exposure across your entire attack surface—both on-prem and cloud
• Reduza o risco cibernético
• Control your cloud resources
• Insight into vulnerabilities and threats
• Unified view of all your assets

Google GCP does not do vulnerability scanning or assessments. It’s exclusively a tool for asset discovery, where asset information can be imported directly into Tenable.io.

Here are some of the asset information you can discover with Tenable’s GCP connector:

• Instance ID
• Project ID
• Zone
• DNS entry
• IP address
• Sistema operacional
• Details

What is a container?

A container is similar to a virtual machine. Within the cloud, you can use a container to create an isolated environment to package and run your application along with its libraries and dependencies. In simple terms, containers are self-contained packages that have everything you need to run an application.

Containers are lightweight and easy to deploy. They are often used because they help developers speed up software deployment. You can use containers to silo your applications from others within a dedicated environment. It’s a great working environment for developers because it eliminates that chance for dependency or resource issues.

The average container lasts about two-and-a-half days, a time period that is constantly decreasing. Because containers are short-lived, traditional IT cybersecurity processes, for example, periodic scans instead of continuous monitoring, may miss containers and leave you with exposures within your cloud environment.

When it comes to cloud security, you can use Tenable.io to assess your containers and discover vulnerabilities while your application is in development.

Containers virtualize at the OS level and separate applications, so there aren’t conflicting dependencies or resource issues, unless you set it up that way.

What is container security?

Container security encompasses all of the processes, tools, policies, and resources you employ to ensure that your container operates securely as intended. With container security, you get seamless and secure access into container images, including visibility into if there are any malware, configuration, vulnerability or security issues.

Because containers are generally short-lived, traditional IT security processes, like periodic scanning, often miss container discovery, leaving you with blind spots in your attack surface. Containers create other security challenges such as lack of credentialed scanning, issues remediating vulnerabilities during production and a lack of IP addresses.

Effective container security should include the ability to:

• Discover and remediate vulnerabilities before app deployment
• Complete insight into container security
• Empower DevOps with security tests that run in less than 30 seconds
• Give developers confidence their code is high-quality
• Enable developers to discover security issues and fix them before deployment
• Increased productivity with time and cost-savings

What is cloud encryption?

Cloud encryption is a process you can use to encode data before it’s transmitted into and out of the cloud. You can also use cloud encryption to encrypt your data at rest, while it’s stored on the cloud.

Cloud encryption is a good security practice because it prevents unauthorized users from accessing your data without a decryption key. It ensures end-point protection, meaning your data is secure as it moves in and out of the cloud.

If you’re in a public or community cloud, cloud encryption can also be used to ensure that other tenants within that shared space cannot access your data.

Many compliance and regulatory requirements include a level of cloud encryption for data security (for example, HIPAA and PCI DSS), which can help prevent data exfiltration and theft and also minimize the likelihood a bad actor can alter or corrupt your data.

Most well-known CSPs offer cloud encryption as a layer of security, but you can also add your own encryption protocols for extra security.

What is a cloud security gateway?

A cloud security gateway is a cloud-hosted solution that lives between your cloud applications and your users.

You can configure a cloud security gateway to enforce policies between your cloud applications and your enterprise, ensuring your security team has insight into how you’re using the cloud, which cloud security practices you have in place, and how those practices align with your on-premises controls. Cloud security gateways are also referred to as cloud access security brokers.

You can employ cloud security gateways to filter traffic so that breaches, for example, malware, can’t move through your systems and infect other assets.

Cloud security gateways enforce all of your policies, and because everything from filtering to enforcement can happen within the cloud, you don’t need additional on-premises appliances for this security layer.

Identify and Access Management (IAM) in the cloud

As we’ve discussed cloud security, we’ve focused many times on the shared responsibility security model created by cloud environments, and if you remember, protecting your data and controlling access to that data and cloud environments is among the many responsibilities for your organization.

Cloud identity and access management (IAM) is similar to on-prem IAM, except that it focuses specifically on controls related to your cloud environments. With cloud IAM, you can get unified visibility into your cloud security policies to control who can access your cloud, what they can access, and how you terminate that access as needed.

Cloud IAM is all about establishing and managing roles and accessibility. You want to ensure you’re giving the right users the right access to only the information they need to carry out their roles.

When choosing a cloud security solution, look for a provider that enables you to see into and manage IAM within the platform. And look for a solution that enables this at a granular level so you can go deep into your access controls, for example, insight into resource types and IP addresses, as well as device security information and more. The solution should enable you to create new user roles, change roles, track everything a user does and then review reports about those actions.

4. Cloud Security Solutions

---

Choosing a cloud security solution

Adopting a new software or security solution has long been a drawn-out, tedious process—one that without proper research and planning, can result in a number of obstacles that inhibit implementation and decrease adoption and usage rates. But, choosing a cloud security solution doesn’t have to be so frustrating.

With forethought and planning, you can quickly get on the right path for choosing the best cloud security solution for your organization.

Here are a few tips:

• Set a goal: What do you want your solution to do? How does that goal align with your business goals and objectives?
• Know your “must-haves:” What does the solution have to do to ensure you meet all your goals?
• Dig into product capabilities: How does the solution improve security and reduce risk?
• Understand your compliance and other regulatory requirements: Can the solution give you visibility into how you’re meeting requirements, where you have gaps, identify weaknesses and help you prioritize plans for remediation?
• Inquire about scalability and research: Can the solution scale with your organization and how does it ensure it continuously delivers accurate, timely risk data as your needs change over time?

And finally, here are some other questions to consider as you create your short list of potential cloud security solution vendors:

• How does the solution perform assessments such as malware detection, web app scanning, vulnerability scans, configuration audits, etc.?
• How does the vendor handle licensing? Does the license fee include everything or does it require additional fees based on the modules you may need?
• What are the solution’s asset scanning capabilities? Which asset types can it scan?
• Can the solution prioritize vulnerabilities?
• Does the solution have an easy-to-understand dashboard with comprehensive visibility into your attack surface?
• Does the solution offer a variety of customizable reporting capabilities?
• How does the solution manage credentials?
• Does the solution rely primarily on CVSS for vulnerability prioritization or does it have additional tools to give you insight into which vulnerabilities pose an actual risk to your organization?
• What does the vendor’s vulnerability coverage look like? Can it discover new vulnerabilities and make appropriate updates as they are found?
• How does the vendor handle product updates and upgrades? Are they automatic? How frequently do they occur?
• How does the solution work in specific cloud-hosted environments such as AWS, Azure, or GCP?
• Does the vendor allow test periods or product trials to try the product before you buy it?
• What type of support does the vendor provide to help you meet your cloud security goals?

If you’d like to explore these questions and issues deeper, check out, “What to Look for in a Cloud Vulnerability Management Solution.”

5. Cloud Security Processes

---

Implementing a cloud security program

When implementing a cloud security program, there are five steps you can take to adopt a risk-based vulnerability management approach, which aligns directly with the Cyber Exposure lifecycle.

Etapa 1: Descobrir

• Get complete visibility into ephemeral assets with cloud connectors for cloud service providers such as AWS, Azure, and GCP. Cloud connectors ensure you can detect all short-lived assets in your cloud environments.
• Detect assets early in your software development lifecycle so you can discover vulnerabilities or other security issues before deployment.
• Scan your entire cloud infrastructure to build a comprehensive inventory of all of your assets and automatically reallocate asset licenses 24 hours after termination of a cloud instance.

Etapa 2: Avaliar

• Assess your cloud environment using cloud security best practices.
• Uncover vulnerabilities across your entire cloud stack.
• Use multiple sensor types to ensure complete visibility including active scanners, passive monitors, agents and image assessments.

Etapa 3: Priorizar

• Analyze your vulnerabilities using a risk-based approach that goes beyond traditional CVSS, for example Predictive Scoring and Predictive Prioritization, so you can more accurately pinpoint vulnerabilities that put your organization at risk and make plans to address them.
• Share vulnerability priority information directly with your DevOps team.
• Automatically send vulnerability and misconfiguration information to your SIEM.

Etapa 4: Corrigir

• Shift left to remediate vulnerabilities before they reach production.
• Create secure machine and container images before deployment.
• Integrate risk-based vulnerability management into your CI/CD systems.
• Assign and track vulnerabilities with bug-tracking and remediation tools.

Etapa 5: Calcular

• Share information about your cloud security program with your tech teams and key stakeholders, using a language they understand.
• Calculate and share information about your Cyber Exposure using advanced analysis and risk-based exposure scoring.
• Compare your Cyber Exposure Score with other units within your organization or against similar peer organizations.

To learn more about how to implement cloud security for your organization and how Tenable can help, visit our Cloud Security Posture Management Solution page.

Cloud security best practices

If you’re using a public, private, hybrid or community cloud solution, it’s imperative that you incorporate cloud security into your cybersecurity program. That’s because with today’s expanding and interconnected attack surfaces, a breach that begins in one can quickly spread through others.

On top of that, traditional vulnerability management, like processes you might use in your on-premises environment, don’t work well (or at all) in the cloud. Cloud assets are dynamic and they can exist in your environment for minutes, hours or days. If you’re using periodic asset scanning for vulnerability management, you’re likely to miss these short-lived assets.

Cloud security is further complicated by the shared security responsibilities between you and your cloud provider, depending on which services and models you employ.

So where do you begin? Here are five tips for some cloud security best practices you can adopt and implement today:

1. Leverage cloud connectors for continuous visibility into all of your cloud computing assets
2. Deploy multiple sensors for deeper assessments
3. Configure your cloud infrastructure using best practices
4. Predict critical vulnerabilities to remediate first
5. Drive process improvements and communicate cyber risk

Would you like to explore these five best practices in more detail? Check out this presentation from Nate Dyer, Tenable director of product marketing, to learn more.