Securing Cloud Workloads

Posted on December 4, 2020
Author: RunSafe Security

How to Spend Less on Remediation Resources and More on New Features for Cloud Deployment

The migration to the cloud continues to accelerate, as public cloud spending will grow by 18% to over $300B in 2021. The COVID-19 pandemic in 2020 did not slow this migration, and 2021 will see an even more rapid move to the cloud. Beyond this, the proliferation of cloud computing at the edge will also see significant growth, representing nearly 5% of the overall growth. This will bring forth new levels of complexity in both the number of players and the services they offer.

Addressing the Vulnerabilities of Distributed Assets

With the increase of edge computing options, deployments will become more fragmented and distributed across multiple cloud providers in multiple geographies. This will inevitably make it much more difficult for enterprises to maintain visibility and control over a multitude of workloads. It will also make it more challenging to properly secure these workloads. Even more modern cloud security solutions like Web Application Firewalls, Cloud Access Security Brokers, and Threat Detection solutions will struggle to cover these patchwork architectures. The traditional approaches of scanning and patching for vulnerabilities after deployment will consume increasingly scarce resources, leaving security teams overwhelmed and at much higher risk to attack.

The move to cloud itself brings its own set of security concerns. While the shared security model of cloud has its benefits, given the ability to rely on the public cloud provider’s robust security tools and best-in-class practices, it also brings: 

  • Increased risk with workloads being more exposed than they would be in a fully-controlled environment. 
  • A need for security teams to rethink their security architecture and the solutions required to reduce their increasing cyber risk, especially when enterprises have multi-cloud or hybrid-cloud environments

Securing the perimeter is now reliant on a third-party service provider and identity, and access management is a shared responsibility. Securing data at rest and in transit must be fastidiously managed. 

The list goes on. 

Knowing that regardless of how meticulously these requirements are met and managed, there will inevitably be weaknesses that attackers will leverage to go after the workload itself. Companies will need to start thinking about how they want to secure the actual code that comprises their various workloads. If they can move upstream and harden the actual application code itself, it becomes less of a risk when deployed to cloud environments.

Navigating Code Security

So, which code should be secured first? Given that most of the code that finds its way into cloud based applications is open source, that’s a logical place to start. Scanning and patching open-source packages is the typical approach, but this is far from comprehensive. It will only scan what it can see, and only alert on known vulnerabilities and misconfigurations. Unknown vulnerabilities are left unaddressed, leaving users and their infrastructure exposed. 

In some cases, patching may not even be an option given the reliance on a specific version of an open source component. A deeper and more advanced approach is warranted.

Modern code security solutions seek to do more than just identify open source vulnerabilities and alert their presence. Instead, they will take a proactive approach and eliminate the underlying risk of being attacked altogether. RunSafe Security is squarely focused in this arena.  

Rather than force the developer or administrator to manually remediate each and every weakness in the system (a losing proposition), RunSafe offers an alternative to release open source software impervious to an entire class of deployment vulnerabilities, reducing the attack surface by approximately 40%. Gartner has called memory protections for Cloud Workloads a foundational strategy and recognized RunSafe Security as a leader in this area.

Alkemist:Repo

RunSafe’s Alkemist:Repo offering is a library of common open source application components and tools that are pre-hardened from memory-based attacks. This attack method represents approximately 40% of all open source vulnerabilities and is found in web servers, database servers and other open source tools and components. Rather than continuously patching Apache for example, enterprises can simply deploy a hardened version of Apache from Alkemist:Repo. Available as both Docker Images and Virtual Machines, Alkemist:Repo will support most Cloud architectures.  

With Alkemist:Repo hardened images as a core component of the Cloud Workload architecture, enterprises will be able to worry less about the inevitable cracks in their existing security architecture. They’ll enjoy a layer of protection within their open source code that proactively and passively protects against both known and unknown vulnerabilities, thus allowing the enterprise to realize the true flexibility and agility of cloud by spending fewer resources on remediation and more resources on new products and features for their customers.

To learn more about RunSafe Security’s Alkemist Family of solutions, please email us at sales@runsfesecurity.com.