Cloud workload security: Should you worry about it?

Cloud workload security: Should you worry about it?

Due to the increasing use of the cloud, organizations find themselves dealing with hybrid environments and nebulous workloads to secure. Containerization and cloud-stored data have provided the industry with a new challenge. And while you can try to make the provider of cloud data storage responsible for the security of the data, you will have a hard time trying to convince the provider that they are responsible for your cloud workload security.

What are you talking about?

Let us explain some of the less common terms for those that are unfamiliar with them.

The goal of containerization is to allow applications to run in an efficient and bug-free way across different computing environments, whether that is a desktop or virtual machine or Windows or Linux operating system. The demand for applications to run consistently among different systems and infrastructures has moved development of this technology along at a rapid pace. The use of different platforms within business organizations and the move to the cloud are undoubtedly huge contributors to this demand. Containerization is almost always conducted in a cloud environment, which contributes to its scalability.

While there are many providers of cloud data storage, providers that offer containerization services for the moment are almost exclusively the big players, like Amazon Web Services, Oracle, and Microsoft Azure.

Static, or even constantly changing, data are easier to protect than active processes. And a cloud workload can range from simple web applications to complex organization-specific workflow management systems.

Cloud workload security

From a security standpoint, the isolation between containers is a good thing. If one container is compromised, it is almost impossible for any malware to cross over to another container, as the top layer operating system has separate namespaces for each of the containers. But as you can imagine, this separation also makes it harder to devise a security solution for the whole complex of containers that are in use.

Traditionally, security software was designed to keep your IT environment protected from the outside world. Nowadays cutting the environment off from the outside world would mean cloud resources to become unavailable and remote workers to be disconnected from the company network. Because security was one of the major concerns holding organizations back from moving their data and workload to the cloud, a lot of attention has been given to cloud workload security.

The first step to expand your security perimeter to include the cloud workload is to make the cloud environment secure-by-design. Which means that attention has been given to security implications during every step of the design.

Your IT department and cloud resources

One common mistake is that organizations or teams within the organization start using cloud resources without involving their in-house IT/security department. While this may seem trivial or they may not even be thinking of the new “app” as a cloud resource, it does have an impact on the security perimeter and the responsible team should be aware of the change.

Organization of cloud security

The way cloud security is organized depends very much on where the responsibility for the security of the cloud resources lie. They vary from a completely in-house model to a fully external model where the cloud security provider takes full responsibility for all the resources and provides the necessary security layers.

Application layer

Web applications are secured in the application layer. This layer generally consists of a few elements designed to protect the applications from outside threats. The main element can be a customized firewall combined with end-to- end encryption. This will shield the applications from threats and protect the data-stream from being intercepted and read.

Hypervisor layer

Another important layer for cloud workload security is the hypervisor layer. The security setup in this layer will be designed to keep the cloud server’s virtualization environment safe. In this environment you will find the guest operating systems and virtual networks. This layers’ security will also take care of the containers that are running in virtual machines. The main component for the security in this layer will be application hardening. In-house apps need to be coded with security in mind and third-party software needs to be updated and patched in a timely manner.

Security orchestration

In such a layered and complex environment another important element is the security orchestration. Orchestration in this context implies:

  • Solutions working together without interrupting each other.
  • Streamlining workflow processes so that each component does what it does best.
  • Unification so that data is exported in a user-friendly and organized manner.

Security orchestration is ideally possible even when security software comes from different vendors. However, it often needs to be modified to get the most out of what the solutions have to offer, without one interfering with the effectivity of another.

In general, it’s easier to effectively orchestrate specialized applications from different vendors than it is to orchestrate overlapping applications from different vendors. The overlap between rivalling applications tends to be the field where the accidents happen. Either because features are disabled so they do not cause interference, or because one application is expected to catch something and the other doesn’t need to watch that area.

Rise in importance

As cloud applications continue to grow in absolute numbers and relative size for your organization it is imperative to look at the structure and organization of your security perimeter and into the way you want to secure that perimeter. Some points of attention as your organization grows in this direction:

  • Stay on top of the awareness of the security and IT teams of all cloud applications.
  • Scout the possibilities of security applications from different vendors and how you can best manage and orchestrate them.
  • Inform yourself about the different types of cloud-based applications you are using and whether they need a specific security approach.
  • Do not rely on your cloud provider to have security automatically arranged for you. If you do decide to rely on the cloud services provider for security arrangement as well, make sure you and your IT staff are aware of the boundaries and limitations of their coverage.

Stay safe everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.