Host Security 101

Understanding Requirements to Protect Cloud Workloads

Virtualization continues to play a key part in organizations’ move to the cloud

According to Cisco, 94 percent of workloads and compute instances will be processed by cloud data centers by 2021.* Organizations are pursuing public cloud, private cloud, and hybrid cloud configurations as they modernize legacy applications and infrastructure.

VM technologies, like VMware vSphere, Microsoft Hyper-V, and the instances provided by virtually every IaaS cloud provider, such as Amazon EC2, have allowed today’s enterprises to embrace the cloud better than ever before and are still a critical deployment model. As we look at the Continuum of Cloud Native Topologies, VMs are placed on the far left because they provide the greatest levels of isolation, compatibility, and control suitable for running nearly any type of workload.

What about Thin VMs and VM-Integrated Containers

Thin VMs differ from pure VMs in their intentional focus on data separation, automation, and disposability of any given instance. Additionally, they do not have a container runtime. Thin VMs have apps installed directly on their OS file system and executed directly by the host OS kernel without any intermediary runtime. Thin VMs represent an operating methodology, rather than a distinct technology. They allow infrastructure teams to deploy VMs in a more stateless manner, leverage automation without human involvement, and operate them as fleets rather than individual entities, while prioritizing separation of OS, app, and data.

For some organizations, especially large enterprises, containers provide an attractive app deployment and operational approach but lack sufficient isolation to mix workloads of varying sensitivity levels. VM-integrated containers are explicitly designed to solely run containers and tightly integrate VM provisioning with container runtime actions.

Defining requirements for Cloud Workload Protection Platforms (CWPPs)

Leading industry research groups like Gartner continue to define the core requirements for securing cloud workloads with tools they call Cloud Workload Protection Platforms. In the March 2018 Market Guide for Cloud Workload Protection Platforms, Gartner identifies trends in cloud security, recommendations for securing cloud workloads, and details about specific vendors addressing the needs around containers, cloud native applications, and serverless applications.

In the Market Guide for Cloud Workload Protection Platforms, Gartner states:

“Server workloads in hybrid data centers spanning private and public clouds require a protection strategy different from end-user-facing devices. Security and risk management leaders should evaluate and deploy offerings specifically designed for cloud workload protection.”*

Core security requirements to protect cloud workloads

Hardening the host OS: The OS that hosts your workloads is perhaps the most important layer of the stack because an attack that compromises the host environment could provide intruders with access to everything else in your stack — that’s why hosts need to be scanned for vulnerabilities, hardened based on specific CIS Benchmarks, and protected to prevent improper access control or file tampering.

Application control, whitelisting, and intrusion detection systems (IDS): Cloud workloads present incredible opportunities for automation and machine learning to model behavior across process, network, file system, and system call sensors. As development and devops teams race to deploy applications more quickly, behavioral whitelisting scales security by preventing anomalous behavior and next-generation attacks, a capability the industry refers to as intrusion detection / intrusion prevention systems (IDS/IPS). By incorporating additional runtime rule actions, security teams can specify the exact conditions to watch for and the exact actions to take when they are encountered.

Forensics: Security teams are responsible for protecting cloud workloads and working with incident responders to diagnose potential compromises. IR teams need to be able to gather attack telemetry to quickly diagnose and remediate modern threats by automating forensic collection and correlating host and application metrics.

File Integrity Monitoring (FIM): File integrity monitoring is a central control in many organizations’ security and compliance policy. FIM enables monitoring of host file systems for specific changes to directories and files by specific users.

For example, your security policy may require that only certain users are able to access /var/customer-data and that you will be alerted on any unauthorized access attempts. Organizations need to be able to set policies to monitor for any access to a path and get alerts any time an unauthorized user attempts to access it.
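The /var/customer-data policy above, worked through as an added example that is not part of the original page or Twistlock's product: a small checker that reads constructed file-access events (a simplified line format assumed for illustration, not a real auditd format), normalises the path so `..` cannot sidestep the rule, and alerts whenever a user outside the allowed set touches the monitored directory. The policy table, user names and event lines are all constructed.

```python
import posixpath
import re
from dataclasses import dataclass

# Hypothetical FIM policy: monitored directory -> users allowed to access it.
POLICY = {
    "/var/customer-data": {"app-svc", "backup"},
}

# Constructed sample events (simplified format, not real auditd output).
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z uid=app-svc op=open path=/var/customer-data/acct-1001.csv
2024-05-01T10:00:05Z uid=backup op=read path=/var/customer-data/acct-1001.csv
2024-05-01T10:01:12Z uid=mallory op=open path=/var/customer-data/../customer-data/acct-1002.csv
2024-05-01T10:02:30Z uid=mallory op=open path=/var/customer-database/schema.sql
2024-05-01T10:03:00Z uid=www-data op=write path=/var/customer-data/exports/all.tar
"""

# Only absolute paths are accepted; anything else is treated as malformed.
LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\S+) op=(?P<op>\S+) path=(?P<path>/\S*)$")

@dataclass(frozen=True)
class Alert:
    ts: str
    uid: str
    op: str
    path: str
    watched: str

def watched_dir(path, policy):
    """Return the monitored directory containing `path`, or None.
    The path is normalised first so '..' segments cannot dodge the rule, and
    commonpath is used so that '/var/customer-database' does not match
    '/var/customer-data' the way a naive startswith() check would."""
    norm = posixpath.normpath(path)
    for watched in policy:
        if posixpath.commonpath([norm, watched]) == watched:
            return watched
    return None

def evaluate(lines, policy):
    """Return one Alert per event where a non-allowed user touched a monitored path."""
    alerts = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed records are skipped, never silently trusted
        d = watched_dir(m["path"], policy)
        if d is not None and m["uid"] not in policy[d]:
            alerts.append(Alert(m["ts"], m["uid"], m["op"], posixpath.normpath(m["path"]), d))
    return alerts

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, POLICY):
        print(f"ALERT {a.ts} user={a.uid} {a.op} {a.path} (monitored: {a.watched})")
```

On the sample events this raises two alerts (the `..` access by mallory and the write by www-data) and correctly ignores the `/var/customer-database` access, which a prefix match would have flagged.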

Network protection: Infrastructure and security teams need to be able to visualize network connections, prevent unwanted network access, and block other modern network attacks — a significant challenge at scale. Border firewalls are part of the strategy but aren’t alone sufficient, particularly as organizations adopt more virtual and cloud networks.

Internal and external compliance: Emerging laws and compliance regulations like GDPR require organizations to audit how data is accessed across different regions and environments, with the ability to continuously monitor any changes and identify issues for remediation. Whether you are looking to stay compliant with external regimes like HIPAA and PCI-DSS or with internal requirements, cloud native workloads need to be monitored and audited based on each organization's requirements.

*Gartner, Inc., Market Guide for Cloud Workload Protection Platforms, Neil MacDonald, 26 March 2018.


Secure Your Hosts with Twistlock

Twistlock is the world’s first truly comprehensive cloud native security platform—providing holistic coverage across hosts, containers, and serverless in a single platform. Twistlock is cloud native and API-enabled itself, protecting all your workloads regardless of what underlying compute technology powers them.

  • Automation. Twistlock scales security through automatic learning of normal app behavior and communication with other cloud services, and automated creation of ‘allow list’ runtime models for every version of every application. Everything is API enabled, programmable, and easily integrated with existing tools and services for your automation pipelines.

  • Visibility. Twistlock provides dynamic displays of your environments with live, interactive, multilayered maps of every application component and real-time security health. Clear insights go beyond generic vulnerability ratings to rank risks based on your unique use cases. Flight data recorders for every host and container provide real-time event stream processing of activity across your clusters.

  • Prevention. Twistlock ensures complete runtime prevention with automatic, active blocking of anomalous activity and explicitly blocked processes, network traffic, and file activity. Allow only known-good applications from trusted sources that meet your compliance and vulnerability requirements, and enforce least-privilege networking and microsegmentation across your environments, preventing service account sprawl.