How one multicloud-based business manages security controls

Among the biggest cybersecurity challenges CISOs are facing is how to maintain data protection and privacy when their organizations shift workloads to the cloud. In particular, how can they manage security controls in a cloud-only environment?

This has become more important as organizations migrate to cloud services because of the COVID-19 pandemic and the resulting shift to a work-from-home model. As research firm International Data Corp. (IDC) notes in an October 2020 report, the pandemic “has largely proven to be an accelerator of cloud adoption and extension and will continue to drive a faster conversion to cloud-centric IT.”

IDC forecasts that worldwide spending on cloud services, the hardware and software components underpinning cloud services, and the professional and managed services opportunities around cloud services will surpass $1 trillion in 2024, while sustaining a double-digit compound annual growth rate of 16%.

The cloud in all its permutations will play ever greater, and even dominant, roles across the IT industry for the foreseeable future, says Richard Villars, group vice president, worldwide research at IDC. By the end of 2021, most enterprises will put a mechanism in place to accelerate their shift to cloud-centric digital infrastructure and application services, he says.

Given the cloud’s growing importance, companies need to figure out how to effectively maintain a high level of security in this changing environment.

AppsFlyer, a mobile marketing analytics and attribution platform provider, offers a good example of how this can be done.

Scaling security in a large multicloud environment

The company’s IT environment is 100% cloud native with no on-premises servers. Its platform uses multiple cloud services from providers including Amazon Web Services (AWS), Google Cloud, Microsoft Azure and Alibaba Cloud. The cloud environment extends across five countries and has more than 15,000 servers that process more than 80 terabytes of data per day. AppsFlyer operates one of the largest AWS deployments outside the US with tens of thousands of resources.

“Since AppsFlyer is a cloud-based company, the biggest threat and concerns we have is how to scale security to manage and validate all the different components that we have inside our environment, including identities, the infrastructure, and the networking and everything around it,” says Guy Flechter, who served as CISO at the company until he recently left to work for a startup.

“This is important, since we need to be able to support all the security needs within the organization, which span engineering and DevOps teams, and more,” Flechter says. “If we are unable to scale our security, we will eventually be forced to tell some of the teams within our organization that we can’t support certain initiatives.”

Identity governance, access entitlement are priorities

The AppsFlyer security team made identity governance and access entitlement management a priority for 2020. For developers, DevOps, and data scientists, the goal was to make sure that least-privilege access was enforced and that policies were appropriate for each user profile.

However, it was difficult to govern the use of access entitlements within the large cloud environment. In addition, AppsFlyer wanted to audit all access entitlements granted to the infrastructure to limit high-risk access to vital resources, harden the environment, and remove unused users, roles, and permissions.

One of the big challenges was providing visibility, since so many moving parts are in the cloud and it’s easy to spin up more resources and infrastructure, Flechter says. “For example, developers can add new instances and buckets, [and] assign different access permissions and entitlements,” he says.

To address the various challenges, AppsFlyer deployed an entitlement management system from Ermetic. “Before we selected Ermetic we conducted a very comprehensive evaluation of cloud infrastructure entitlement management products based on security needs,” Flechter says. “The product needed to support multiple cloud providers. We wanted the solution to support operations and not just provide visibility. It needed to help us fix security gaps. Finally, we wanted the ability to remediate problems from inside the tool and integrate with our other automation tools.”

“I consider a security tool effective only if it can support operational processes as well,” Flechter says. “If it only provides good visibility, then it’s a nice dashboard. [The platform] provides the operational capabilities needed to support the activities that need to be performed based on the visibility it gives us.”

AppsFlyer began with a gradual roll-out of the platform to each of its different cloud environments, one at a time. It was easy to connect to each cloud platform, since they all support application programming interface (API) integration for reading permissions, Flechter says. Each connection took less than 15 minutes.

“Once we began generating outputs from Ermetic we immediately started to see the security gaps in our environment and began addressing them,” Flechter says. The platform did not require any fine tuning to start uncovering risks, he says.

The system prioritizes issues that need to be addressed first, based on the sensitivity and the risk of the asset. An example would be access to an AWS S3 bucket that is open to the outside world. The buckets are public cloud storage resources available in AWS’s Simple Storage Service offering. “This would be flagged as a higher priority excessive permission, even if the permission itself is not a privileged, administrative permission,” Flechter says.

The AppsFlyer security team used the platform to audit all third-party access to its environment and removed all software-as-a-service (SaaS) applications, including some security and optimization tools, that were no longer in use. The team also reviewed the applications that had privileged access to sensitive data and removed unnecessary permissions.

Building a complete cloud security portfolio

The entitlement management system is only one of the components of AppsFlyer’s security program. The company is also using Symantec Secure Access Cloud from Broadcom for authentication and authorization to resources in AWS. “It enables us to maintain secure and granular access management, using a software-defined perimeter to enforce zero-trust principles,” Flechter says. AppsFlyer also uses a cloud workload protection tool from Rezilion that enables the company to shrink its attack surface and protect against malicious activity; the Salt Security API Protection Platform to secure APIs that connect to AppsFlyer’s cloud resources, and stop attacks that attempt to manipulate the company’s cloud service APIs; and Amazon’s GuardDuty for threat detection. GuardDuty continuously monitors for malicious activity and unauthorized behavior to protect accounts, workloads, and data stored in AWS.

With its portfolio of security technologies in place, AppsFlyer now has full visibility of its cloud environment, across different accounts and different cloud providers, which it did not have before. “We also have the ability to automate the remediation of security gaps and continue to expand into other areas like incident response,” Flechter says.

Fixing cloud security blind spots

The company can more cost effectively identify and fix cloud security blind spots, Flechter says. “We know with confidence exactly where our risks are in each cloud environment, what needs to be addressed, and we have the automation needed to fix them,” he says. “We can drill down to a specific environment, but the fact that we have a global view of all four cloud environments in a single place is invaluable for us.”

One of the biggest benefits is that AppsFlyer now has a greater understanding of identities and their permissions. “We can immediately pinpoint unused permissions and eliminate them,” Flechter says. “This allows us to enforce zero-trust access on a continuous basis and in an automated way. We have much better security posture management than we did before.”