Many companies today are turning to cloud security solutions — from security monitoring platforms to orchestration tools to alerting systems — in order to manage both strategic and tactical security initiatives. Purpose-built technological solutions — especially if you’re a company with limited in-house expertise and resources — can help you stay on top of security without having to hire more people or add to your already long list of things to do.
Before choosing a cloud security solution, however, you need to take many considerations into account — some that focus on the solution itself, and others that focus more squarely on the provider of the solution (because, ultimately, you can’t separate the solution from the provider). In this post, we’ll cover some of the most important considerations.
Note: Although we are a cloud security provider ourselves, the advice in this post is based on our team’s own experiences purchasing security solutions. As such, we believe the considerations we present are best practices that every cloud security company should be adhering to, and that you as a buyer should be looking for.
Without further ado, here are the top criteria to keep in mind when evaluating and choosing a cloud security solution.
1. They adhere to the shared responsibility model
Most cloud security solutions run in the cloud themselves. It would be hard not to. So you want to be sure they adhere to the shared security responsibility model. This means they should be following best practices to keep data, systems, and applications that are running in the cloud secure, even if they are using a cloud service provider (or CSP) like AWS that itself touts high levels of security.
Of course, you would expect that a security company would sell you a secure product, but as the saying goes: trust, but verify. Verify that they have all the best practices in place, from encryption to strict user access policies, to firewalls, to monitoring and alerting.
At Threat Stack, for example, we eat our own dogfood. We use the Threat Stack Cloud Security Platform® to monitor our own cloud environment. This way, we can be sure that our configurations are always in compliance, that we have real-time visibility into what’s going on anywhere across our environment, and that we always have all the threat intelligence we need at our fingertips in case of an incident. This is how we uphold our part of the shared security responsibility bargain.
Using our own Configuration Auditing and Monitoring features ensures that we follow best practices, implement the latest updates and patches, and keep an eye on what’s going on everywhere within our cloud. We take the shared security responsibility model to heart, because it’s a key component of ensuring a strong security posture.
2. They have security experts you can learn from
Working with a cloud security company that keeps current on the latest cloud security best practices, develops their own best practices, and openly shares that information can benefit you in a number of ways. This is especially true if you have little or no time to study up on or keep abreast of new developments in the ever-changing world of security.
Not only do you know that the solution you’re using is built on a foundation of expertise and practical know-how, but you can also learn from some of the best in the industry by working with that company. So how do you find out if a company has bolstered their team with security experts you can learn from?
For starters, take a look at their blog. Do they regularly write about security? Next, check whether they have a resources section on their website where they have in-depth tutorials, webinars, or guidebooks that let you dive into specific subjects. This can be especially helpful when your team is first getting ramped up on the product. When you’re speaking with their sales team, find out what other levels of education they can offer you as a customer, whether it be access to additional training, setup, and support from a security expert on the team, or customer-only events or workshops.
All of these are signs that they’re open about their knowledge and are willing and eager to share it.
Companies like FireEye, SANS, and, of course, Threat Stack, all offer resources from in-house security experts to support your cloud security journey.
3. They’re experienced in your industry
Each industry faces different threats, customer requirements, and compliance regulations. If you’re in a highly regulated industry, it’s likely that you not only need to meet compliance mandates like HIPAA and PCI-DSS, but would benefit from going above and beyond those requirements to ensure complete security of your data.
To that end, you need to know whether the cloud security solution you’re evaluating is appropriate for your industry and has worked with other customers in your space to successfully meet compliance and security needs. Look on their website for a list of customers to see who they already work with and whether there are any testimonials or use cases you can reference. You can also ask the company directly for more information about their customer base and use cases. Don’t be afraid to ask for references, and do your due diligence to ensure that they understand your industry and will be a strong partner for you on your security journey.
4. They have an API and offer integrations
There are thousands of security products on the market today. But not all of them play well together. You don’t want to end up in a situation where you have ten security tools in place and none of them integrate or share information with each other. Ideally, you want your security toolset to be open, meaning that each piece of software has APIs and/or offers integrations with other common tools and applications.
For example, we have a REST-based API. We also offer a webhook API, which allows Threat Stack customers to configure their own integrations and subscribe to specific, prioritized events. We have also developed a number of integrations with applications that many of our customers use on a daily basis, including Slack, PagerDuty, Docker, VictorOps, Chef, and more. Many of these integrations pipe Threat Stack alerts into a communication or incident management tool that your team can use regularly to increase visibility and prioritization of alerts.
So before deciding on a cloud security solution, think about the tools your team uses on a daily basis for communications, ticketing, incident management, and more. Then, see which providers offer integrations that will make security a seamless part of your daily workflows.
5. They can help you bridge the gap from on-premise to the cloud, supporting a migration process
These days, many organizations are in the process of moving to the cloud. However, security can be a big unknown if you’re not sure how your on-premise controls will translate to the cloud. As we explain in this post, it’s not necessarily the approach to security that changes when you move to the cloud; it’s the tooling. That means that the way in which data is collected and endpoints are monitored may be different from on-premise, but you can still maintain the same level of security — often even higher.
While the cloud security providers you’re evaluating are likely to be well versed in cloud security, don’t be afraid to ask them how they handle on-premise security if that is a concern for your organization. We are at a moment now when many organizations are making the transition, and it’s key for security providers to help manage that process. Ideally, the cloud security solution you choose should be able to translate your on-premise controls, processes, and insights to the unique requirements of the cloud so that your transition is seamless.
At Threat Stack, we work with both companies that are transitioning some or all of their operations to the cloud (a hybrid setup) and companies that are all-in on the cloud. As companies make the move to the cloud, they can be sure that both environments are fully protected at all times, and in a manner suited to both types of infrastructure.
Choose the Right Provider for You
Armed with the above considerations, you can begin having useful conversations with cloud security solution providers to determine which product and provider is the best match for you and your unique cloud security goals. It’s vital to be well-informed and approach your entire security program strategically and holistically, from your own environment to the security tools you choose.