Understand CNAPPs with Our Guide
Understand CNAPPs with Our Guide
What is cloud computing?
Cloud computing, commonly referred to as “the cloud", provides easy online access to a shared pool of configurable computing resources such as servers, storage, applications, and services. Almost anything you can imagine doing with on-premises IT you can duplicate in the cloud — with a number of significant added benefits that we’ll explore in a moment.
The Complete Guide to CNAPPs
Download CrowdStrike's Complete Guide to CNAPPs to understand why Cloud-Native Application Protection Platforms are a critical component of modern cloud security strategies and how to best integrate them to development lifecycles.
Download NowThe importance of cloud-based architecture
It’s easy to see the appeal of the cloud: You gain the ability to innovate fast; flexible, near-infinite computing resources; and economies of scale. In other words, it lets you access all your data whenever and from wherever.
Also, the payment structure for cloud services is typically based only on actual use, which can help lower operating costs and lead to efficiencies when it comes to running your infrastructure and scaling as your business needs change.
Some capabilities that make this possible include:
1. Single, lightweight agent
Endpoint protection is complicated, but the solution should not be. A single lightweight agent that can be deployed immediately and scaled quickly with little effect on endpoint performance is the best approach.
2. Machine learning
The solution should incorporate machine learning that provides the ability to record and learn from new attacks. This ability makes it possible to crowdsource intelligence about attack techniques on a massive scale and in real-time. Using machine learning on the local host, the agent can protect against known and unknown malware, zero-day exploits, and hash blocking.
3. Enhanced manageability
Cloud-based endpoint security reduces management overhead in a number of ways. For example, the upgrade process for a traditional solution depends on the vendor’s schedule, which can occur over a timeframe as long as a year.
Over that year, attackers are continuing to evolve their techniques, so by the time the upgrade is implemented on customer systems, it is already out of date. Cloud-based platforms are updated in real time and their algorithms are adjusted constantly. The version in use is always the latest version.
4. Protection on or off network
With remote workers, virtualization, and the cloud, assets are not always connected directly to the corporate network. That’s why it’s more important than ever for a complete endpoint solution to be capable of detecting threats even when the device is off-network or offline. Without full visibility across on- and off-network devices, your defense will be riddled with blind spots and numerous opportunities for adversaries to fly under the radar.
5. Keep tabs on adversaries
Today’s attackers are well-funded and business-like. They buy traditional endpoint security solutions and install them in mock environments so they can figure out how to bypass their defenses.
But they can’t do the same with a solution built on a cloud-based architecture because, even if the attackers acquire and install the solution’s endpoint sensors, their attempts to break the system will be observed by the solution provider. The tables are turned – instead of the attackers figuring out how the solution works, the defenders are learning how the attackers think.
Customer Story: CoreWeave
Watch this case study to learn how CoreWeave, a high-performance cloud provider, relies on CrowdStrike for endpoint-to-cloud visibility and protection at scale.
Watch NowCloud computing benefits
Cloud computing lets you improve your IT infrastructure and save money while also creating other benefits for your organization.
Agility
One of the most important reasons for adopting cloud is that it enables organizations to become more agile. At all stages — from development through deployment and production — cloud computing generally makes it easier to release and iterate new and existing applications and services. With the speed of today’s development cycles, it’s become almost impossible to keep up without utilizing the cloud.
Cost savings
This is another reason for most companies moving some or all of their computing operations into the cloud. Cloud lets you save money on hardware, software, and IT staff. These savings come about through reduced capital expenditures (“CapEx”), since there’s no need for organizations to purchase and maintain their own hardware and software.
Obviously, cost savings will vary, but are generally greater for larger organizations. Having said that, because cloud’s benefits include elasticity and near-infinite expandability, organizations need to keep an eye on cloud spending to ensure that their cloud resources are being optimized and not going to waste; this is especially true given that cloud spend can quickly add up.
Collaboration
Cloud computing can greatly simplify collaboration by making it easier for employees and third parties, such as vendors, to share files and work on projects. In fact, cloud-based collaboration tools, such as Google Docs and Microsoft Teams, are often among organizations’ first forays into the realm of cloud. These ready-to-go applications are known as software-as-a-service (SaaS) tools; the importance of SaaS and other models will be discussed below.
Scalability
Cloud computing can help organizations scale their IT resources up or down on demand. This helps you save money and improve efficiency while eliminating wasted resources.
Although cloud environments can be scaled, organizations need to be very meticulous about how they scale it to avoid cloud sprawl, which usually happens when cloud environments are mismanaged or misconfigured.
Security
While there is a big appeal to the cloud, there are still a few important cloud security considerations you need to be aware of to make sure your data and private information is not exposed or stolen, and nothing falls through the cracks.
Cloud providers, such as Amazon AWS, Microsoft Azure, and Google Cloud Platform, usually bundle a range of security features to help businesses protect cloud infrastructure and data from attack. As we will see below, however, while cloud providers’ security features are designed to simplify the task of keeping your entire organization secure, there are a few ways your applications, workloads, and critical information can be susceptible to a breach, such as misconfigurations, overly permissive access, and supply chain attacks.
According to the shared responsibility model, while cloud providers are responsible to secure the infrastructure, it’s the customer's responsibility to secure critical data and address misconfigurations or any issue running an application in the cloud. So at every stage, you need to ensure you have a comprehensive cloud security strategy in place. There are cyber security offerings, like CrowdStrike Falcon® Cloud Security, that remove the “burn” from organizations, securing their entire application lifecycle, workloads, and critical data, stopping breaches, and addressing vulnerabilities and misconfigurations in public and multi-cloud environments.
Insider's Guide to Defending the Cloud
Download this guide to learn the top 5 best practices for defending the cloud to safeguard your organization’s most valuable assets with confidence.
Download NowHow exactly does cloud computing work?
Cloud computing uses the internet to deliver computing services to users. The types of services available range from storage and processing (“compute”) to software and applications. Essentially, everything you’d find in a physical data center and network, including servers, networking, storage, and software, are all available in cloud-based versions.
Cloud service providers (CSPs) are the organizations that own and maintain the physical hardware and software that make cloud operations possible. CSPs make these resources available to users, usually on a pay-as-you-go basis.
Because you’re not paying upfront, meaning you don’t have to invest in racks and racks of servers for sites, applications, databases, and more, you will probably save money initially. But as mentioned, cloud costs can quickly start climbing, so it’s a good idea to keep track of your cloud presence to ensure that costs stay under control. (Cloud infrastructure optimization and cost control is sometimes referred to as financial operations, or FinOps.)
Cloud computing deployment models
When you’re looking at moving into the cloud, you’ll discover three primary deployment models: public, private, and hybrid. The choice for each organization depends on a few factors including price and the need to control data. For example, some highly regulated industries such as banking or healthcare have traditionally opted for private cloud to ensure that their data stays safe.
However, this is changing quickly as more and more businesses, including those in regulated industries such as finance, have started moving to the public cloud. That’s because public cloud providers are also offering more options, including ones that provide greater security, for those who would traditionally have chosen hybrid or private cloud.
Here are a few things you need to know about each cloud computing deployment model:
- Public Cloud: The CSP provides services over the internet to the general public. Examples of public cloud providers include Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
- Private Cloud: The CSP uses a private network to deliver services to one particular organization. Private cloud is typically more expensive than public cloud, but it offers a greater degree of control and security.
- Hybrid Cloud: This combines the public cloud and private cloud models. It allows organizations to enjoy the best of both worlds: the lower cost of public cloud along with the security and privacy benefits of private cloud.
The following table displays cloud computing deployment models listed by cost, security, and control factors.
Factor | Public | Private | Hybrid |
---|---|---|---|
Cost | Least Expensive | Most Expensive | Varies |
Security | Less Secure | Most Secure | Varies |
Control | Less Control | Most Control | Varies |
Types of Cloud Computing Services
It goes without saying that not all organizations have the same cloud needs. That’s why cloud service providers (CSPs) offer a range of cloud computing services. Cloud computing services are identified by the term “as a Service,” abbreviated as “aaS.”
All these services provide different levels of abstraction and control over the underlying infrastructure, and they can be used to deliver a variety of applications and services.
For example, one organization may want a simple turnkey cloud solution; in this case, they might choose a SaaS solution that lets their users get up and running fast. Another might choose an IaaS solution that requires extensive training and tweaking by their team but provides a great deal of control and granularity.
The following table displays cloud computing services listed by cost, use case, and other important factors.
SaaS | FaaS | PaaS | IaaS | |
---|---|---|---|---|
Cost | Lower | Lower | Midrange | High |
Business Size | Small to enterprise | Medium to enterprise | Large to enterprise | Large to enterprise |
Primary Use | Business applications | Event-driven computing | App development | Infrastructure |
Control | Low | Low | Medium | High |
Degree of Action | High | High | Less | Least |
Here is a more detailed description of each cloud computing service.
Software as a service (SaaS)
Software vendors host, manage, and maintain SaaS applications; users within customer organizations have direct access to these apps. The customer organization typically pays a subscription fee to access the vendor’s platform. We’ve already mentioned Google Docs and Microsoft Teams as examples here. SaaS is ideal for day-to-day productivity apps, along with ERP or CRM apps that are used by your entire team, like Salesforce, SAP, and more.
Function as a service (FaaS)
FaaS can be viewed as a subset of serverless cloud computing, which lets users deploy code quickly and easily without having to provision or manage servers. (In large organizations, these requests can take a long time and create bottlenecks in the development cycle). FaaS enables developers to focus on writing code, while the cloud provider handles all the rest. FaaS is sometimes used for processing fluctuating, unpredictable data streams, such as from IoT, or connecting APIs with web or mobile apps.
Platform as a service (PaaS)
With PaaS, the CSP provides the hardware and software you need to develop, run, test, deliver, and manage applications. That way, users can focus on developing applications without worrying about the underlying infrastructure, again, saving time and eliminating bottlenecks. This makes it ideal for application development, where developers can take advantage of more affordable public cloud PaaS offerings.
Infrastructure as a service (IaaS)
IaaS enables developers to access virtualized computing resources. Here, the CSP provides the hardware infrastructure, such as servers, storage, and networking, needed to run applications. Users must install and manage their own operating systems and apps, which is ideal for those with custom configurations or specific configuration requirements. IaaS is often used for hosting web applications or databases, especially when an organization wants a simple “lift and shift” cloud migration path.
Cloud computing security concerns
Modernizing security is one reason organizations make the move to cloud, and CSPs provide a number of tools to help make security management simpler. Still, headlines like “A massive ransomware attack hit hundreds of businesses” prove that cloud computing comes with many security risks:
- Data Breaches: Cloud providers are constantly under attack from hackers who are trying to steal data.
- Account Hijacking: Hackers are developing ever more sophisticated methods to gain access to cloud accounts by stealing user credentials.
- Data Loss: A hardware failure in the CSP’s data center, software bugs, or even human error, such as misconfigurations, could lead to the loss of essential data and valuable intellectual property.
- Compliance Issues: Cloud providers must ensure they're in compliance with a growing number of local and international regulations, such as the General Data Protection Regulation (GDPR).
- Security Gaps: Under the shared responsibility model, sometimes it’s not clear which aspects of the cloud environment the CSP, the vendor, or the organization itself is responsible for securing.
- Misconfigurations: Probably the biggest security issue with the cloud is misconfigurations; for instance, excessive permissions, which then provide access to unauthorized parties or simply configuration errors.
How is the cloud kept safe? Top cloud best practices include implementing strong identity control, not only for your own users but for third parties along with nonhuman entities (known as “service accounts”) like applications, APIs, and other automated processes.
Data protection is also critical, including encryption of data both at rest (in cloud storage) and in transit, when it’s being moved around and vulnerable to interception.
Finally, you need a security vendor that offers unified and automated security that includes threat detection and response, workload protection, compliance and security posture management, along with a well-defined incident response and disaster recovery plan, including real-time monitoring and alerts, so you’re aware the second an attempt is made to breach your cloud security.
As your organization weighs the benefits of cloud, including scalability, cost savings, and flexibility, it’s never too early or too late to start planning security measures and ensure that the benefits aren’t outweighed by data breaches, downtime, and regulatory violations. Effective cloud security ensures that you can reap all the benefits while minimizing risk and maintaining the trust of customers and stakeholders.
CrowdStrike’s Approach to Cloud Security
CrowdStrike delivers the world’s most comprehensive cloud detection and response that:
- Stops active cloud breaches with the world’s most deployed CWPP: We started with the hardest problem first, and the one most cloud security companies fail at: building an agent that is easy to deploy, easy to manage, doesn’t bring down critical workloads with every update, and doesn't require a reboot. We extended 10+ years of pioneering innovation building an elegant agent that just works to workloads, containers, and serverless applications — with the same unified agent. Without these foundational capabilities, you can’t build the agent into your DevOps/DevSecOps processes. And, our customers can easily extend their existing endpoint estate into the cloud: one agent, one platform, one console — stopping adversaries with consistent protection whether they start in the endpoint or the cloud.
- Shuts down misconfigurations, accidental exposure, and human error with natively integrated agentless capabilities: As an extension of our unified agent and agentless platform, we proactively reduce the cloud attack surface with frictionless CSPM and CIEM to stop so if they adversaries earlier in their malicious lifecycle, before they land on a workload. As every vendor has access to the same cloud APIs, we believe the difference maker provides a unified platform for visibility, protection and response across runtime and agentless capabilities. It’s only through this unification that you can find, stop, and respond to an adversary across the entire cloud attack lifecycle.
- Powered by industry-leading threat intelligence: With the 75% increase in cloud environment intrusions, complete understanding of adversary tactics, tools and procedures is required for effective automated prevention, staying ahead of emerging techniques, and deep context for accurate, rapid investigation and response. Only CrowdStrike provides the world’s highest fidelity threat intelligence on cloud adversaries to inform protection and accelerate security analysts operations with the right content, at the right time, natively within the platform.