The 7 Pillars of Robust Cloud Security
February 16, 2023

Omer Dembinsky
Check Point Software Technologies

While cloud providers offer many cloud-native security features and services, supplementary third-party solutions are essential to achieve enterprise-grade protection of cloud workloads against breaches, data leaks, and targeted attacks in the cloud environment. The following are some recommended industry best practices:

1. Zero-trust cloud network security controls across logically isolated networks and micro-segments

Deploy business-critical resources and apps in logically isolated sections of the provider's cloud network, such as Virtual Private Clouds (AWS and Google) or vNET (Azure). Use subnets to micro-segment workloads from each other, with granular security policies at subnet gateways. Use dedicated WAN links in hybrid architectures and use static user-defined routing configurations to customize access to virtual devices, virtual networks and their gateways, and public IP addresses.

2. Shift your security left

Incorporate security and compliance protection early in the development lifecycle. With security checks integrated continuously into the deployment pipeline, rather than bolted on at the end, DevSecOps teams are able to find and fix security vulnerabilities early, which also accelerates an organization's time-to-market.

3. Keep code securely hygienic with vulnerability management

Set guardrail policies that ensure your deployments meet the corporate code hygiene policies. These policies alert on deviations and can block deployments of non-compliant artifacts. Build remediation processes around them by alerting the development team about non-compliant artifacts together with the appropriate remediation steps.

Incorporate tools that let you explore vulnerabilities alongside the SBOM (Software Bill of Materials), so that resources carrying critical vulnerabilities can be identified quickly.
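The guardrail described above, as an added example rather than Check Point's or any vendor's code: a constructed CycloneDX-style SBOM is cross-referenced with constructed vulnerability findings (placeholder IDs, not real CVEs), and a hygiene policy decides whether the pipeline stage blocks, alerts, or allows the deployment. The component names, purls and policy thresholds are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field

# Constructed SBOM in a CycloneDX-like shape; component names and purls are made up.
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2"},
        {"name": "logkit", "version": "2.14.0", "purl": "pkg:maven/example/logkit@2.14.0"},
        {"name": "httpkit", "version": "3.1.0", "purl": "pkg:pypi/httpkit@3.1.0"},
    ],
}

# Constructed scanner output keyed by purl; IDs are placeholders, not real CVE numbers.
FINDINGS = {
    "pkg:generic/libfoo@1.4.2": [{"id": "VULN-PLACEHOLDER-1", "severity": "HIGH"}],
    "pkg:maven/example/logkit@2.14.0": [{"id": "VULN-PLACEHOLDER-2", "severity": "CRITICAL"}],
}

# Corporate hygiene policy (assumed): CRITICAL blocks the deploy, HIGH alerts the owning team.
POLICY = {"block_on": {"CRITICAL"}, "alert_on": {"HIGH"}}


@dataclass
class Decision:
    action: str                       # "ALLOW", "ALERT" or "BLOCK"
    blocking: list = field(default_factory=list)
    alerting: list = field(default_factory=list)


def evaluate(sbom: dict, findings: dict, policy: dict = POLICY) -> Decision:
    """Cross-reference each SBOM component with findings and apply the policy."""
    decision = Decision(action="ALLOW")
    for comp in sbom.get("components", []):
        for vuln in findings.get(comp.get("purl", ""), []):
            entry = (comp["name"], comp["version"], vuln["id"], vuln["severity"])
            if vuln["severity"] in policy["block_on"]:
                decision.blocking.append(entry)
            elif vuln["severity"] in policy["alert_on"]:
                decision.alerting.append(entry)
    if decision.blocking:
        decision.action = "BLOCK"     # fail the pipeline stage, artifact is non-compliant
    elif decision.alerting:
        decision.action = "ALERT"     # allow the deploy but notify the development team
    return decision


if __name__ == "__main__":
    d = evaluate(SBOM, FINDINGS)
    print(d.action, "blocking:", d.blocking, "alerting:", d.alerting)
```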

4. Avoid misconfiguration with continuous posture scanning

Cloud security vendors provide robust Cloud Security Posture Management (CSPM), consistently applying governance and compliance rules to virtual servers and other cloud resources. This helps ensure they are configured according to best practices and properly segregated by access control rules.

5. Safeguarding all applications (and especially cloud-native distributed apps) with active prevention via IPS (Intrusion Prevention System) and next-generation web application firewall

Stop malicious traffic before it reaches your web application servers. A next-generation WAF automatically updates its rules in response to changes in traffic behavior and is deployed close to the microservices that run the workloads.

6. Enhanced data protection with multi-layers

Enhanced data protection, meaning encryption at all transport layers, secured file shares and communications, continuous compliance risk management, and good data storage hygiene such as detecting misconfigured buckets and terminating orphan resources, provides an additional security layer for an organization's cloud landscape.
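The posture checks of pillar 4 and the storage hygiene of pillar 6, as an added example that is not Check Point's code: a constructed, provider-neutral bucket inventory (the field names `public_acl`, `encryption`, `tls_only`, `owner_tag`, `object_count`, `last_access` are assumptions, not any provider's API) is evaluated against a small rule set covering public exposure, encryption at rest, plaintext transport, and orphan resources.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed bucket inventory; names and attributes are made up for the illustration.
BUCKETS = [
    {"name": "prod-invoices", "public_acl": False, "encryption": "KMS", "tls_only": True,
     "owner_tag": "finance", "object_count": 1200, "last_access": date(2023, 2, 10)},
    {"name": "legacy-export", "public_acl": True, "encryption": None, "tls_only": False,
     "owner_tag": None, "object_count": 0, "last_access": date(2021, 6, 1)},
    {"name": "ml-datasets", "public_acl": False, "encryption": "SSE", "tls_only": False,
     "owner_tag": "data-sci", "object_count": 40, "last_access": date(2023, 2, 1)},
]

TODAY = date(2023, 2, 16)   # fixed reference date so the scan is reproducible offline
ORPHAN_DAYS = 180           # assumed threshold: untagged and idle this long => orphan


@dataclass(frozen=True)
class Finding:
    bucket: str
    rule: str
    severity: str


def check_bucket(b: dict, today: date = TODAY) -> list[Finding]:
    """Apply the posture rules to one bucket and return its findings."""
    f = []
    if b["public_acl"]:
        f.append(Finding(b["name"], "public-acl", "CRITICAL"))
    if not b["encryption"]:
        f.append(Finding(b["name"], "no-encryption-at-rest", "HIGH"))
    if not b["tls_only"]:
        f.append(Finding(b["name"], "plaintext-transport-allowed", "MEDIUM"))
    idle_days = (today - b["last_access"]).days
    # Orphan candidate: nobody owns it and it is either empty or long unused.
    if b["owner_tag"] is None and (b["object_count"] == 0 or idle_days > ORPHAN_DAYS):
        f.append(Finding(b["name"], "orphan-resource", "LOW"))
    return f


def scan(buckets: list[dict], today: date = TODAY) -> dict[str, list[Finding]]:
    """Run the checks across the inventory; compliant buckets are omitted from the report."""
    report = {}
    for b in buckets:
        findings = check_bucket(b, today)
        if findings:
            report[b["name"]] = findings
    return report
```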

7. Threat intelligence that detects and remediates known and unknown threats in real-time

Third-party cloud security vendors add context to the large and diverse streams of cloud-native logs by intelligently cross-referencing aggregated log data with internal data (asset and configuration management systems, vulnerability scanners, and so on) and external data (public threat intelligence feeds, geolocation databases, and so on). They also provide tools that help visualize and query the threat landscape and promote quicker incident response. AI-based anomaly detection algorithms are applied to catch unknown threats, which then undergo forensic analysis to determine their risk profile. Real-time alerts on intrusions and policy violations shorten time to remediation, sometimes even triggering auto-remediation workflows.
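The enrichment pipeline described above, as an added example rather than Check Point's code: constructed cloud audit records (hypothetical schema, documentation-range IPs) are cross-referenced with a constructed asset inventory, vulnerability scanner counts, a constructed threat-intel IP list, and a per-user geolocation baseline, then scored so that only the events worth an analyst's time surface. The baseline comparison is a simple stand-in for the anomaly detection the text describes; the scoring weights are assumptions.

```python
# Constructed audit-log records; the schema is hypothetical, IPs are documentation ranges.
LOGS = [
    {"ts": "2023-02-16T08:01:10Z", "user": "alice", "src_ip": "198.51.100.7", "geo": "DE",
     "resource": "i-prod-db-01", "action": "ConsoleLogin"},
    {"ts": "2023-02-16T08:03:42Z", "user": "alice", "src_ip": "198.51.100.7", "geo": "DE",
     "resource": "i-prod-db-01", "action": "DescribeInstances"},
    {"ts": "2023-02-16T08:05:00Z", "user": "bob", "src_ip": "203.0.113.9", "geo": "DE",
     "resource": "bkt-logs", "action": "GetObject"},
    {"ts": "2023-02-16T11:47:19Z", "user": "alice", "src_ip": "192.0.2.44", "geo": "BR",
     "resource": "i-prod-db-01", "action": "ModifyDBInstance"},
]

# Internal context (constructed): asset inventory joined with vulnerability scanner output.
ASSETS = {"i-prod-db-01": {"criticality": "high", "open_critical_vulns": 2},
          "bkt-logs": {"criticality": "low", "open_critical_vulns": 0}}
# External context (constructed placeholder for a threat-intel feed of known-bad IPs).
BAD_IPS = {"192.0.2.44"}
# Per-user baseline of usual login geolocations (constructed), standing in for a learned model.
BASELINE_GEO = {"alice": {"DE"}, "bob": {"DE"}}


def enrich(event, assets=ASSETS, bad_ips=BAD_IPS, baseline=BASELINE_GEO):
    """Attach asset, vulnerability, reputation and geo-anomaly context to one record."""
    asset = assets.get(event["resource"], {"criticality": "unknown", "open_critical_vulns": 0})
    e = dict(event)
    e["asset_criticality"] = asset["criticality"]
    e["asset_critical_vulns"] = asset["open_critical_vulns"]
    e["ip_reputation"] = "malicious" if event["src_ip"] in bad_ips else "unknown"
    e["geo_anomaly"] = event["geo"] not in baseline.get(event["user"], set())
    return e


def score(e):
    """Assumed weights: bad reputation and unusual geo dominate, asset context adds priority."""
    s = 50 if e["ip_reputation"] == "malicious" else 0
    s += 30 if e["geo_anomaly"] else 0
    s += 15 if e["asset_criticality"] == "high" else 0
    return s + 5 * e["asset_critical_vulns"]


def triage(logs, threshold=40):
    """Enrich and score every record; return alerts above the threshold, highest risk first."""
    alerts = []
    for ev in logs:
        e = enrich(ev)
        e["risk"] = score(e)
        if e["risk"] >= threshold:
            alerts.append(e)
    return sorted(alerts, key=lambda a: -a["risk"])
```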

Omer Dembinsky, Data Group Manager at Check Point Software Technologies