The benefits of cloud computing are undeniable. Compared to on-premises servers and data centers, cloud assets offer incredible flexibility and scalability, plus greater reliability. The cost of cloud computing is a predictable operating expense that doesn't require the large capital expenditures associated with acquiring and building out network hardware.
An April 2024 CyberRisk Alliance (CRA) Business Intelligence survey of 202 security and IT managers, executives and practitioners found that in the previous 12 months, 93% of respondents migrated some share of their workloads to the cloud. Forty-two percent said more than half their workloads were cloud-based, while 16% said more than three-quarters were.
Likewise, in Check Point's 2022 Cloud Security Report, 98% of respondents said their organizations used "some form of cloud-based infrastructure," and 76% used more than one cloud service provider (CSP), including private cloud deployments.
"The cloud gives us scalability," said one CRA survey respondent. "If we need a new server, we can spin that up in minutes rather than waiting on equipment purchase for on-prem. It lets us focus more on application support ... rather than focusing on worrying about infrastructure."
Risks of adapting to cloud and hybrid networks
But securing a cloud-based network, or more commonly a hybrid network with both cloud and on-premises elements, is vastly different from securing a strictly on-prem network. Assets, application servers, and databases are often scattered among different cloud instances, or between cloud and on-prem servers, sometimes even with the same asset sharing space in multiple environments.
Network-security practitioners can no longer draw a ring around a core group of assets and declare that they are protected. Instead, security tools and personnel have to follow each asset, each set of data and each user and create protections around them individually.
This leads to a radically different concept of network topology and security and requires drastic retraining of security personnel. It also may require that security and application-development teams become more tightly integrated, as cloud logical infrastructure is mainly software that is often developed in-house.
Often, the biggest risks are human ones, stemming from failures to fully comprehend how to properly configure a cloud asset, or from misunderstanding the shared-responsibility model that dictates where a CSP's responsibility ends and the client's begins. It doesn't help matters that configuration tools and shared-responsibility models differ from one CSP to the next.
Misconfigurations are among the top risks facing cloud users. Check Point's 2022 Cloud Security Report found that, "for 33% of organizations, the complexity of their cloud environments makes it challenging to rapidly identify and correct misconfigurations before they can be exploited by an attacker."
Likewise, CRA's 2024 report put misconfiguration vulnerabilities at the top of the list of common cloud security-related incidents, with 35% of respondents citing such an incident in the past year.
"The thing that really makes me lose sleep at night is the misconfiguration," said one CRA respondent. "We're not mature enough to be able to easily see what's not set up properly."
Slow uptake of cloud-native security tools
Mature cloud-using organizations often purchase or license "cloud-native" security tools and services such as zero-trust network access (ZTNA), cloud security-posture management (CSPM), a cloud access security broker (CASB), a cloud workload protection platform (CWPP) or a more encompassing cloud-native application protection platform (CNAPP).
Organizations that have many remote workers often completely abandon the on-premises security model and migrate to a zero-trust model, often using secure access service edge (SASE) or security service edge (SSE) deployments.
Yet in the April 2024 CRA report, fewer than half (46%) of respondents said they used cloud-native security monitoring tools. One-third (33%) said they used ZTNA. One-quarter (24%) used secure application development. And only one-fifth (20%) said they used SASE or SSE.
"I have a dedicated team for cloud deployments, but I don't have a dedicated team for cloud monitoring and cloud security," said one CRA survey respondent. "There's a big gap there. They wear a security hat and operate in a security-minded way, but I don't feel we're as mature as we can be given the complexity and growth and the speed of that growth."
The fundamental differences between on-prem and cloud networks
Many of the differences between on-premises and cloud networks are obvious, but they bear repeating. First, on-prem networks are a combination of hardware and software, with servers and data centers in physical locations. The organization using the network usually owns or leases the hardware and the locations.
The network topology roughly corresponds to the physical infrastructure of high-speed connections among the various servers, routers and other networking gear. Managing workloads involves load balancing among servers. Enforcing security rules often means routing traffic through monitored choke points.
Security tools can be hardware devices such as firewalls, but also software such as identity-and-access-management (IAM) or endpoint-protection programs. Adding new servers, bandwidth and appliances takes time and money, but so does removing or idling hardware. Reconfiguring the infrastructure or changing the network topology can be expensive and time-consuming.
By contrast, cloud networks are mostly software. While they do require physical servers, which can be anywhere in the world, the infrastructure and topology of cloud networks are mostly logical and can be changed quickly and cheaply. Bandwidth and computing power can be rapidly added to heavy workloads; scaling them back when demand lessens is quick and provides instant cost benefits.
The biggest difference between cloud and on-prem networking is that in many instances, cloud-using organizations don't own the servers or the hardware on which their programs and assets are running or stored. As the adage goes, "cloud" means "your data on someone else's computer."
Many organizations do develop their own "private" clouds and own or lease the physical infrastructure. But even huge companies avail themselves of public cloud service providers like Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform, the "big three" of public CSPs.
The benefits of using large public CSPs are that they're very well protected, seem to never go offline, and are cheap and flexible. But your assets may very well be running in a logical container alongside another company's assets in a different container on the same machine.
In reality, most organizations are neither all cloud nor all on-prem, but "hybrids" in that they have some digital assets in their physical locations and others in a public or private cloud. They've got the best, or perhaps the worst, of both worlds.
"Everyone is using a hybrid model," explained Aviv Abramovich, head of security services product management at Check Point, in a recent conversation with SC Media. "Ninety-nine-point-nine percent of the organizations out there were not born yesterday. They already have an on-prem, they have data centers, these are not going away."
Network-security tools are also mostly software. Physical firewalls can be replaced by virtual firewalls or cloud-based firewalls as a service (FWaaS). The network perimeter is replaced by the aforementioned cloud-native security tools that protect workloads and other cloud assets and control user access to cloud resources.
"You can now have the same physical security as you have with a firewall," Abramovich told us. "You can have a virtual firewall, and you can put it in a cloud service. ... You can have other form factors of security, like having firewall as a service. So that's a way of using the cloud to also deliver security and not just protecting the cloud."
Because access to cloud applications and services is based upon identity rather than location, among the most important security tools are IAM systems that authenticate, monitor and track users across an organization's cloud and on-prem assets.
The challenges and solutions of cloud-based network security
We have several guides on how to secure cloud migrations and protect resources during the process, so let's focus here on the ongoing challenges and risks of protecting cloud assets, as well as several solutions.
Challenge: Network-security staffers trained for and comfortable with on-premises networks may not understand cloud/hybrid security.
Solution: Security retraining so that staff can understand how cloud networking operates, how shared-responsibility models work and how to properly configure cloud assets.
Challenge: Lack of visibility into cloud assets, especially those that were spun up without proper documentation or procedures. Also, CSPs may not give you visibility beyond your area of responsibility.
Solution: Make sure network-security and IT staff understand which cloud assets are in platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS) models, as the responsibilities, visibility and tools are different for each.
Challenge: Rapid speed and ease of deployment of cloud assets, especially by non-IT or non-security staffers, greatly increases risk of misconfiguration and of losing track of assets.
Solution: Use the cloud to secure the cloud. Implement cloud-native security tools such as cloud security-posture management (CSPM) to monitor the creation and management of cloud assets. Limit who can spin up cloud assets. Research and implement automated tools such as security orchestration, automation and response (SOAR) platforms.
Challenge: Loss of control by network-security team due to shared-responsibility model.
Solution: Avail yourselves of your CSPs' built-in security tools. Also implement a multi-layered defense strategy that protects everything from on-prem hardware to cloud workloads and applications.
Challenge: Risk of not having a strong enough identity and access management (IAM) system, which is even more important in the cloud than it is on-prem.
Solution: Consider replacing your existing or in-house IAM system with a cloud-native IAM platform.
For more on how Check Point can protect cloud assets, check out CloudGuard Network Security and Hybrid Data Center Security, and take Check Point's Data Center & Cloud Assessment.