How Does Endpoint Security Work in the Cloud?
Endpoint security and cloud security were once separate domains, but as these technologies converge, the requirements and solutions for securing endpoints in the cloud have changed. Traditional endpoint security solutions worked well when all employees worked on company workstations at specific times.
However, today employees access cloud systems anytime, anywhere, often from unmanaged personal devices. There are also new types of endpoints to secure within the cloud environment itself, including virtual machines, containers, serverless functions, and storage volumes or buckets.
As organizations migrate to the public cloud, administrators must handle endpoint security assuming that all endpoint devices are accessible to external parties. It is also important to consider how cloud services create new attack surfaces.
Cloud Endpoint Security Challenges
Endpoint Security in the Public Cloud
Public clouds are largely invisible to in-house IT and security staff and accessible to attackers over public networks. This alone creates multiple new attack surfaces that did not exist in an on-premises environment.
In addition, cloud security is based on a shared responsibility model, where cloud providers are responsible for securing cloud infrastructure, while cloud users are responsible for securing their workloads and configuring access in a secure way. This creates additional security weaknesses:
- The organization is dependent on the security practices of the cloud provider, which are outside its control.
- Cloud resources must be properly configured and secured by the organization, creating the risk of misconfigurations that leave doors wide open to attackers.
Another dimension of complexity is that organizations use several operating models in the cloud:
- Infrastructure as a service (IaaS) like Amazon EC2
- Platform as a service (PaaS) like Amazon Relational Database Service (RDS)
- Software as a service (SaaS) like Microsoft Office 365
An organization and its IT staff must understand these platforms and the access controls for each cloud provider and workload. It becomes very challenging to discover all endpoints and ensure that they are configured correctly. Without specialized tools, public cloud endpoints cannot be centrally monitored and controlled.
Endpoint Security in the Private Cloud
Since the private cloud is completely under the control of the organization, it may appear to be inherently more secure. However, private cloud endpoints are still vulnerable to:
- Insider Threats—a malicious employee or compromised account can launch a cyberattack within a private cloud. Endpoints are often connected to other endpoints and sensitive control systems, and threats can spread to more sensitive resources through lateral movement and privilege escalation.
- Social Engineering—for example, spear phishing is a common way to compromise endpoints. Attackers investigate victim behavior in organizations, send crafted emails that appear to come from trusted parties, and trick employees into divulging credentials or clicking unsafe links.
- Compliance Risks—organizations must ensure that endpoint controls are properly configured and sensitive data is adequately protected. Organizations risk losing certifications or being subject to fines if required controls are not implemented.
- Data Leakage—this can occur when intellectual property or sensitive data are leaked to unauthorized third parties. This is commonly caused by the compromise of an insecure endpoint. Data can be stolen by malware installed on systems by attackers, tunneled through traditional communication protocols such as DNS, and transmitted by malicious users using cloud storage, FTP, Tor, or other methods.
Organizations must determine how private cloud security will interoperate with security strategies for non-cloud resources and external public cloud resources. As in any hybrid cloud architecture, when data is shared or exchanged, additional measures must be implemented, such as integrating endpoint security management with the security tools used elsewhere in the organization or in the public cloud.
Endpoint Security Solutions
Here are several types of endpoint security solutions that are being used successfully to address endpoint security challenges in the cloud.
Endpoint Detection and Response (EDR) Tools
Endpoint detection and response (EDR) tools collect and analyze threat information from identified endpoints, look for anomalous behavior indicative of security breaches, improve response times, and help security teams mitigate and eradicate threats. All major EDR vendors offer agents that can be deployed on a range of cloud endpoints.
However, EDR tools have some drawbacks. They require an in-house security team with time and specialized expertise, both of which are often in short supply.
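The data leakage bullet above names DNS as a channel through which stolen data is tunneled, and EDR tools are described as looking for anomalous behavior indicative of a breach. The following is an added example, not code from the article, of the kind of anomaly check a detection engineer would run over DNS query logs: it flags a client that sends many long, high-entropy labels under a single domain. The log format, thresholds and domain names are all constructed for the example.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not from the page): "<timestamp> <client-ip> <query-name>".
# Client 10.0.1.22 sends long, high-entropy leftmost labels under one domain, the shape
# DNS-tunnelled exfiltration takes; the other clients show ordinary lookups.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.1.15 www.example.com
2024-05-01T10:00:02Z 10.0.1.15 mail.example.com
2024-05-01T10:00:04Z 10.0.1.15 login.example.com
2024-05-01T10:00:05Z 10.0.1.30 static-content-delivery-node.example.net
2024-05-01T10:00:03Z 10.0.1.22 q7w3e9r1t5y2u8i4o6p0a1s3d5f7g9h2.exfil-test.invalid
2024-05-01T10:00:03Z 10.0.1.22 z2x4c6v8b0n1m3l5k7j9h1g3f5d7s9a2.exfil-test.invalid
2024-05-01T10:00:04Z 10.0.1.22 p1o3i5u7y9t2r4e6w8q0a1s3d5f7g9h2.exfil-test.invalid
"""


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; encoded payload labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def suspicious(log_text: str, min_queries: int = 3, min_label_len: int = 20,
               min_entropy: float = 3.5) -> list[tuple[str, str]]:
    """Return (client, domain) pairs whose query pattern looks like DNS tunnelling.
    Flagged only when volume, average label length and average entropy all exceed
    the thresholds: one long but readable hostname (10.0.1.30) is not enough."""
    stats = {}  # (client, domain) -> [query count, label length sum, entropy sum]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _ts, client, qname = parts
        labels = qname.rstrip(".").split(".")
        domain = ".".join(labels[-2:])  # crude: last two labels, no public-suffix list
        s = stats.setdefault((client, domain), [0, 0, 0.0])
        s[0] += 1
        s[1] += len(labels[0])
        s[2] += label_entropy(labels[0])
    return sorted(key for key, (n, len_sum, ent_sum) in stats.items()
                  if n >= min_queries and len_sum / n >= min_label_len
                  and ent_sum / n >= min_entropy)


if __name__ == "__main__":
    for client, domain in suspicious(SAMPLE_LOG):
        print(f"possible DNS tunnelling: {client} -> {domain}")
```

In production the same three signals would be computed per client over a sliding time window and tuned against the organization's own baseline, since legitimate CDN and telemetry names can be long.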
Managed Detection and Response (MDR) Services
Managed detection and response (MDR) services are a collection of network-based, host-based, and endpoint-based security technologies managed by third-party providers for client organizations. MDR solutions are inherently cloud-based because they need to be managed by a third-party provider, and so they are highly suited to securing cloud endpoints.
MDR services are primarily focused on detecting and responding to threats. They can also complement in-house security capabilities by providing access to outsourced security experts. This makes MDR ideal for companies that do not have a designated incident response team within the company.
For many organizations, MDR bridges the ongoing cybersecurity skills gap while providing the endpoint security technology needed to protect the network.
Extended Detection and Response (XDR) Platforms
An extended detection and response (XDR) platform provides integrated security on a single platform to detect and respond to threats across endpoints and networks. It eliminates data silos, detecting sophisticated attacks by automatically collecting and correlating data from all connected security layers.
XDR enhances endpoint security by combining endpoint monitoring with network monitoring and additional data from cloud environments. It goes far beyond actively managed endpoints to provide more robust security capabilities. When a threat is detected, an automated process can respond immediately and alert the security team to enable further investigation.
XDR platforms capture data from the entire IT environment, both on-premises and in the cloud, enabling holistic protection for endpoints wherever they are deployed.
In this article, I explained the basics of endpoint security in the public cloud and private cloud, and showed how modern endpoint security solutions can help secure cloud resources:
- Endpoint Detection and Response (EDR) Tools – deployed on cloud resources, enabling rapid investigation and response to breaches as they happen.
- Managed Detection and Response (MDR) Services – supporting in-house security teams with threat hunting and incident response services.
- Extended Detection and Response (XDR) Platforms – collecting and analyzing data from across a cloud environment to identify evasive threats affecting endpoints and other systems.
I hope this will be useful as you improve the security posture of your cloud-based and cloud-connected endpoints.