We’re in the middle of a shift from on-premises server workloads to cloud workloads. The shift started around 10 years ago and will likely continue for the next two decades. After the past decade of cloud adoption, according to 451 Research, 90 percent of all organizations use cloud technology and 60 percent of all IT workloads run in the cloud.
These cloud workloads need to be secured. In many cases, organizations are using client-grade security solutions, such as signature- and machine learning-based antivirus (AV) and endpoint detection and response (EDR), to secure their cloud infrastructure. This isn’t a feasible strategy, even in the short term: servers have different constraints and vulnerabilities than the workstations that AV and EDR were designed for, so those tools leave critical server assets exposed to attack.
Cloud Workloads are More Attractive to Attackers
The desktops and laptops that are typically secured with EDR and AV have a different risk profile than cloud workloads. The servers that underpin cloud workloads often hold the most critical assets in the company. If ransomware such as GandCrab locks up a desktop or laptop, for example, the attacker gets a small handful of one user’s files. If the same ransomware reaches a server, it can feasibly cost a company thousands or even millions of dollars by locking up business-critical data.
As a result, a cloud workload needs different kinds of protection, for two reasons: the business risk of a server being attacked is higher, and the agents that come with client-grade antivirus are too heavy for cloud workloads that are often already resource-constrained. Signature-based antivirus also needs frequent updates to keep up with the latest malware, and cloud workloads are not always available for updates, so it quickly becomes unwieldy for a newly launched cloud instance to wait until its signature database has been brought up to date.
It is also worth noting that half of all companies use between two and six distinct cloud providers, according to the 2019 SANS Cloud Security survey. With that many cloud platforms deployed within the average organization, the attack surface, and with it the risk of an attack, grows further. IT professionals largely understand this risk: 55 percent of respondents to the SANS survey are concerned about unauthorized outsiders accessing their cloud infrastructure.
The Key Features of Cloud Workload Protection
Effective cloud workload protection has a few major requirements. According to Gartner in their recent Market Guide for Cloud Workload Protection Platforms*, “Security and risk management leaders responsible for cloud workload security should replace antivirus (AV)-centric strategies with a “zero-trust execution”/default deny/application control approach to workload protection where possible, even if used only in detection mode.” What we believe this means in practice is that no configuration changes are allowed on production systems: there is a base image and layer that is patched and updated, production systems are copied from that base layer, and application control and whitelisting on the servers block anything that is not part of that known-good image.
The good news is that many organizations are heading in this direction already. According to the Gartner Market Guide for Cloud Workload Protection Platforms, “By 2022, 60% of server workloads will use application control in lieu of antivirus, which is an increase from 35% at YE18”. We believe that application control and whitelisting are foundational to securing servers, especially when taking a zero trust/default deny approach.
Further, we believe that two core cloud workload protection layers that enterprises often miss are exploit prevention and memory protection. IT and security teams in charge of protecting cloud workloads often already emphasize hardening, network protections, and application control as part of their security practices. Memory protection and exploit prevention are often missed, however, because of a belief that application control and whitelisting are sufficient to guard cloud workloads against both traditional and fileless malware. If organizations do go beyond application control, it is often only with a stripped-down version of a client-grade antivirus solution.
Neil MacDonald writes in the Gartner Market Guide for Cloud Workload Protection Platforms, “Application control solutions are fallible and must be combined with exploit prevention and memory protection capabilities either from the OS — for example, address space layout randomization (ASLR) and seccomp — or with supplemental capabilities from the CWPP vendor. We consider this a mandatory capability to protect from the scenario in which a vulnerability in a whitelisted application is attacked. The injected code runs entirely from memory and doesn’t manifest itself as a separately executed and controllable file (referred to as “fileless malware”). In addition, exploit prevention and memory protection solutions can provide broad protection against attacks, without the overhead of traditional, signature-based antivirus solutions. They can also be used as mitigating controls when patches are not available. Another powerful memory protection approach used by some CWPP offerings is referred to as moving target defense — randomizing the OS kernel, libraries and applications so that each system differs in its memory layout to prevent memory-based attacks.”
Exploit prevention and memory protection help secure your most critical assets against zero days and fileless malware. The consequences of a new zero day reaching your server, whether through lateral movement or by infecting the server directly, are more damaging than the same zero day infecting a desktop or laptop. Because the consequences are so much higher, exploit prevention, which often doesn’t come packaged with client-grade technology, is crucial for the servers that underpin cloud workloads.
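Before buying supplemental memory protection, it is worth verifying that the OS-level mitigations the Gartner guide names (ASLR and seccomp) are actually in effect on a workload, because they are easy to assume and easy to lose: ASLR only randomizes the main image of an executable built as PIE, and a seccomp filter only exists if the service or its supervisor installed one. The following script is an added example written for this article, not the vendor’s product or code. It assumes a Linux host with /proc mounted; the status text and ELF headers at the bottom are constructed sample inputs so the checks can be exercised offline.

```python
"""Audit a Linux workload for OS-level exploit mitigations: system-wide ASLR,
per-process seccomp mode, no_new_privs, and whether the executable is PIE.

Added example for this article, not vendor code. Assumes a Linux /proc; the
sample inputs at the bottom are constructed, not captured from a real host.
"""
import os
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2  # fixed-address executable: main image is NOT randomized by ASLR
ET_DYN = 3   # PIE (or shared object): main image is randomized by ASLR

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}


def parse_proc_status(text):
    """Extract the mitigation-relevant fields from a /proc/<pid>/status blob."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "name": fields.get("Name", "?"),
        "seccomp": SECCOMP_MODES.get(int(fields.get("Seccomp", "0")), "unknown"),
        "no_new_privs": fields.get("NoNewPrivs", "0") == "1",
    }


def elf_is_pie(header):
    """True if the ELF header describes a PIE (ET_DYN), False for ET_EXEC.
    Raises ValueError for non-ELF input (scripts, kernel threads, etc.)."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    little_endian = header[5] == 1  # EI_DATA: 1 = LSB, 2 = MSB
    fmt = "<H" if little_endian else ">H"
    (e_type,) = struct.unpack_from(fmt, header, 16)  # e_type sits at offset 16
    return e_type == ET_DYN


def aslr_level(setting):
    """Describe /proc/sys/kernel/randomize_va_space."""
    return {
        "0": "off",
        "1": "stack/mmap/vdso only (brk not randomized)",
        "2": "full",
    }.get(setting.strip(), "unknown")


def assess(status_text, elf_header, aslr_setting):
    """Run all checks for one process; returns (process name, list of findings)."""
    info = parse_proc_status(status_text)
    findings = []
    if aslr_level(aslr_setting) != "full":
        findings.append("ASLR not fully enabled system-wide")
    if not elf_is_pie(elf_header):
        findings.append("executable is not PIE: main image at a fixed address despite ASLR")
    if info["seccomp"] != "filter":
        findings.append("no seccomp filter: every syscall is reachable from injected code")
    if not info["no_new_privs"]:
        findings.append("no_new_privs unset: a compromised process can still gain privilege via setuid")
    return info["name"], findings


def audit_host(proc="/proc"):
    """Live scan over every readable process; returns [(pid, name, findings)]."""
    with open(os.path.join(proc, "sys/kernel/randomize_va_space")) as f:
        aslr = f.read()
    results = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "status")) as f:
                status = f.read()
            with open(os.path.join(proc, pid, "exe"), "rb") as f:
                header = f.read(64)
            results.append((pid,) + assess(status, header, aslr))
        except (OSError, ValueError):
            continue  # kernel threads, exited processes, or no permission
    return results


# Constructed sample inputs (hypothetical processes, not real captures).
SAMPLE_STATUS = "Name:\tlegacy-app\nPid:\t4242\nNoNewPrivs:\t0\nSeccomp:\t0\n"
HARDENED_STATUS = "Name:\tapi-server\nPid:\t4243\nNoNewPrivs:\t1\nSeccomp:\t2\n"
# Minimal 64-bit little-endian ELF headers; only magic, EI_DATA and e_type matter here.
NON_PIE_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", ET_EXEC, 62) + b"\x00" * 44
PIE_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", ET_DYN, 62) + b"\x00" * 44

if __name__ == "__main__":
    for pid, name, findings in audit_host():
        if findings:
            print(pid, name, "; ".join(findings))
```

Run as root to see every process; unprivileged, it reports only processes you own. A process that appears with no seccomp filter and a non-PIE binary is exactly the whitelisted-but-exploitable case the guide describes: application control will happily let it run, and nothing in the OS stands in the way of code injected into it.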
Final Thoughts
According to data from Cisco Systems, cloud data centers will process 94 percent of workloads by 2021. With that wholesale shift to the cloud, it’s imperative that organizations protect their servers with security technologies architected for server workloads and the critical assets they hold. Client-grade solutions can’t provide the level of protection that servers and cloud workloads require to stand up to advanced persistent threats. That requires deploying one or more solutions that combine application control, exploit prevention, and memory protection. Only then can organizations be confident that their servers are secure.
*Gartner, Market Guide for Cloud Workload Protection Platforms, Neil MacDonald, 8 April 2019