Interview with a customer: Assessing your Infrastructure-as-a-Service (IaaS) Security

Cloud security is top of mind for CISOs and a discussion in many boardrooms, and every enterprise needs to plan for an effective cloud security program. When it comes to protecting not just your SaaS applications, but also your IaaS environment, while enabling your business to still be productive, what are the key elements?

Take a few minutes to read a short interview with a cybersecurity leader, responsible for technology planning at a global oil and gas company, on how organizations should assess IaaS security programs and plan for the future.

What’s your point of view on security within your IaaS environment?

Like many organizations, we’re looking at adopting Amazon Web Services (AWS) and Microsoft Azure.  However, we also understand our part in the shared responsibility model and the new set of security challenges it presents. In order to enable and accelerate our adoption of AWS and Microsoft Azure, we also need to explore security tools to build out visibility, control and security of our IaaS environment. Microsoft Azure security and AWS security is a priority.  

What concerns you?

As we grow globally we need to get more business done in the cloud. We started embracing the cloud and then realized it’s not going to be so simple. We need a single platform to enforce security policies across all cloud applications, including SaaS and IaaS. We need a simple view of what’s happening. If a user is running a new instance, we need to tap into this view. If a custom application hosted in AWS is storing sensitive data in an S3 bucket, we need to know about it and depending on the sensitivity level, put controls in place to protect against data loss.

What are your top 3 security considerations for IaaS?

• Access Control: We need visibility and control across our IaaS environment and the enforcement of granular policies with context is important. For example, admins need to create different policies for sanctioned vs. unsanctioned AWS instances. We need to create different policies for certain corporate AWS instances (i.e differentiate between development and production instances) vs. blocking access to personal AWS instances.
• Granular auditing capabilities are a priority: We need visibility in order to investigate audit trails for non-compliant activities, prevent configuration changes and to run real-time reports. Our admins need to be able to quickly query and look at events specific to all AWS instances, and investigate audit trails to determine unusual usage.This is critical for our business. We follow internal compliance mandates and industry best practices. If a rogue user is performing an unwarranted activity, we need the audit trail. A CASB can help with this.
• Securing users and application data in AWS: We need to secure our sensitive data and prevent it from leaking out of the organization, and prevent malware from proliferating in our cloud environment.  Alerts on DLP violations for files stored in S3 and the ability to find users or applications storing confidential or sensitive data like personally identifiable information (PII) is a requirement.

It’s imperative to manage multiple IaaS instances via a single interface. We use Netskope for our SaaS applications and can extend the capabilities to IaaS. Netskope can help us solve for the requirements we’re looking for.