Today’s security landscape
The rapidly evolving threat landscape has created significant security implications for consumers and businesses. Cloud development has reached the inevitable point where a new, unified approach becomes necessary to face a dynamic set of security challenges. Within a cloud hyperscaler ecosystem, security methods are evolving toward developments intended to centralize several distinct security domains that apply to specific software products or applications.
Recent attacks by the Sandworm group on Ukraine’s infrastructure (first reported by CERT-UA and ESET in April 2022) have used malware vectors like the IndustroyerV2 framework. This framework is compatible with ICS technologies like IEC-104, and enables the outputs of compromised industrial devices to be modified. The attacks also used CaddyWiper and AwfulShred to corrupt industrial machine files, overwriting them with null byte characters and destroying data irreversibly.
Mitigating this particular threat requires minimizing the external attack surface — for example by separating and categorizing specific networks — and increasingly isolating functionality and network services, disabling them entirely wherever possible.
The multitude of attack vectors (malware, web pages, text messages), together with the multitude of attack types (ARP cache poisoning, Man-in-the-Browser, etc.), calls for complex, intelligent, dynamic security solutions that also account for deep and dark web security awareness, such as threat detection for Tor nodes.
Here are a few features that these types of security solutions have in common:
Distinct security domains
Ad hoc security domains and modules should be centralized and managed in an abstract manner to address separate security concerns — as they apply to SDN/NFVs, APIs, containers and other individual attack surface groups and categories. Each security management domain is part of an automated security management framework (ASMF), depicted below. The domains integrate with intelligent security automation for their respective infrastructure, network or service, as well as for the related virtualized resources provisioned in the cloud. The ASMF is responsible for automated secure data collection, analytics and decision-making, security orchestration, and the management of trust and other policies. Based on this architecture, security modules scale easily and security can be applied consistently throughout the network, providing a holistic and completely new approach.
Emerging technologies (SDSec, DevSecOps, SaC)
Software-defined security (SDSec) enables the creation of dynamic security measures or policies that adapt easily to changes in the security landscape. Complex software-defined controllers — with integrated security implementations — are part of evolving software-defined networking (SDN) architectures. SDSec controllers are aware of the relevant network topology and infrastructure while integrating security policies for routing and firewalling. They enable complex network function deployment and service chaining capabilities for virtual network traffic flow automation — to dynamically compute decisions (about security relevance, requirements, etc.) on traffic flows and direct them only to their previously designated network elements.
Evolved cloud security solutions such as DevSecOps-based hyperautomation — with absolutely no manual intervention — make use of infrastructure configuration files for dynamic orchestration instead of manual resource provisioning. These configuration files, together with configuration scripts for related tools and application runtime, are components of the Infrastructure-as-Code (IaC) virtualization technology.
Security-as-code (SaC) applies the same approach, codifying security policies and auditing modules directly into the configuration code, including build artifact integrity validation, security service level agreements (SSLAs) and other regulatory elements. Centralized DevSecOps approaches will evolve to enable secure software production automation as part of an enterprise software factory model or architecture — benefiting from integrated security process orchestration. Within such a complex and automated ecosystem, security architects must also.
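As an added illustration of the security-as-code idea above (not code from the article or from any Atos product), the following Python module codifies a few security policies as auditing rules over a constructed infrastructure configuration, validates build artifact integrity with SHA-256, and combines both into a single deployment gate; the service name, settings, rule ids and artifact bytes are all constructed sample values.

```python
import hashlib
import json

# Constructed sample: a minimal IaC manifest for one service, as a Python dict
# (stands in for a Terraform/Kubernetes/YAML file; not any real project's config).
SAMPLE_CONFIG = {
    "service": "billing-api",
    "artifact": {"path": "billing-api.tar", "sha256": None},  # filled in below
    "network": {"public_ingress": True, "allowed_ports": [22, 443]},
    "runtime": {"run_as_root": True, "tls_min_version": "1.0"},
}

# Constructed artifact bytes standing in for the build output to be deployed;
# the expected digest would normally come from a signed build manifest.
SAMPLE_ARTIFACT = b"constructed build artifact bytes for billing-api v1.2.3\n"
SAMPLE_CONFIG["artifact"]["sha256"] = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()

# Security policies codified as (rule id, predicate that is True when compliant).
# The predicates only read the config; they are the SaC "auditing modules".
POLICIES = [
    ("NET-001 no public ingress", lambda c: not c["network"]["public_ingress"]),
    ("NET-002 no SSH exposed", lambda c: 22 not in c["network"]["allowed_ports"]),
    ("RUN-001 non-root runtime", lambda c: not c["runtime"]["run_as_root"]),
    ("RUN-002 TLS >= 1.2", lambda c: float(c["runtime"]["tls_min_version"]) >= 1.2),
]

def audit_config(config):
    """Return the ids of the policies the config violates (empty = compliant)."""
    return [rule_id for rule_id, check in POLICIES if not check(config)]

def verify_artifact(artifact_bytes, expected_sha256):
    """Build artifact integrity validation: recompute SHA-256 and compare."""
    return hashlib.sha256(artifact_bytes).hexdigest() == expected_sha256

def gate_deployment(config, artifact_bytes):
    """Pipeline gate: deploy only if the artifact is intact AND no policy fails."""
    integrity_ok = verify_artifact(artifact_bytes, config["artifact"]["sha256"])
    violations = audit_config(config)
    return {"integrity_ok": integrity_ok, "violations": violations,
            "allowed": integrity_ok and not violations}

def harden(config):
    """Corrected configuration: the same service with the weak settings fixed."""
    fixed = json.loads(json.dumps(config))  # deep copy, original left untouched
    fixed["network"]["public_ingress"] = False
    fixed["network"]["allowed_ports"] = [443]
    fixed["runtime"]["run_as_root"] = False
    fixed["runtime"]["tls_min_version"] = "1.2"
    return fixed

if __name__ == "__main__":
    print(gate_deployment(SAMPLE_CONFIG, SAMPLE_ARTIFACT))             # blocked by policy
    print(gate_deployment(harden(SAMPLE_CONFIG), SAMPLE_ARTIFACT))     # allowed
    print(gate_deployment(harden(SAMPLE_CONFIG), SAMPLE_ARTIFACT + b"x"))  # blocked: tampered
```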
Evolved security platform centralization
Rather than categorizing by security domain, cloud security centralization will eventually evolve towards platforms that instead categorize attack types at a high level, using AI/ML to identify and recognize each attack type and respond with hyper-automated risk mitigation.
Many different types of attacks (see the sidebar for a few examples) can be individually categorized and managed in an attack-centralized, AI-driven SDSec engine with automated attack-specific mitigations.
Thus, we can secure the cloud ecosystem from all known types of attack, as well as zero-day attacks, creating the most comprehensively secure approach. If all known types of attack are accounted for and mitigated, then the ecosystem will be 100% protected.
Security platform centralization is desirable and recommended for all complex ecosystems and architectures, including 5G mobile networks, Industrial Control Systems and robotic vehicle systems, with security implementations integrated into the fabric and addressing each phase of the SSDLC, while facilitating easy monitoring, automated risk characterization and risk mitigation across the whole cloud system.
If you are considering implementing a platform like this, check the next part of the article on how to take the first step.
About the author
Mihai Lucian Belu
Lead Cybersecurity Products and Services Architect, Atos