Developing in the cloud introduces unique challenges for protecting applications, resources, and data. These challenges include but are not limited to detecting legitimate threats to your environment and managing complex cloud permissions and access controls. The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) address these hurdles in their list of cloud security strategies, which echo the recommendations of cloud providers, researchers, engineers, and security vendors.
At Datadog, our security researchers and advocates contribute to this effort by publishing timely insights, tools, and recommendations to help you mitigate cloud risk. Each year, we publish a State of Cloud Security report and share key findings to highlight the complexities of cloud security and explain why addressing them is vital.
To make these strategies actionable, we’ve compiled a roundup of our research, findings, and guides from 2024 and previous years, as well as insights into how we’ve integrated them with our products and day-to-day operations. These resources comprise research from Datadog Security Labs and guides published on our blog, The Monitor.
In this post, we’ll focus on the following categories:
- Cloud infrastructure and data security: Secure cloud-managed infrastructure, resources, and services
- Cloud identity and access management: Control and secure cloud access, including identity and key management practices
Read our other roundup post to see how we’ve contributed to strategies in the areas of:
- DevSecOps practices: Integrate security into existing DevOps workflows
- Threat detection and response: Proactively detect vulnerabilities in the cloud
- AI security: Understand how to monitor and secure LLMs
Cloud infrastructure and data
One of the first considerations for developing and hosting applications in the cloud is having a firm grasp on who is responsible for securing certain areas of your environment, which is referred to as the Cloud Shared Responsibility Model. Most cloud providers ensure the underlying infrastructure that runs their services is secure, but they are not responsible for securing every aspect of your environment. You are still responsible for securely configuring areas of your own infrastructure, including data storage, integrity, and transmission. Under the umbrella of shared responsibility, it’s important to consider the risks associated with using managed service providers to host your infrastructure and data.
Research
Our research has identified several ways an attacker can take advantage of cloud infrastructure and managed services, highlighting the need to understand the risks associated with using them and your responsibilities for securing them:
- A SaaS provider’s guide to securely integrating with customers’ AWS accounts
- Azure policy abuse for privilege escalation and persistence
- Deep dive into the new Amazon EKS Pod Identity feature
- Deep dive into the new Amazon EKS Cluster Access Management features
- Non-production endpoints as an attack surface in AWS
- How attackers use Amazon ECS for crypto mining
- Critical misconfigurations in metadata services and how to fix them
In addition to understanding the Cloud Shared Responsibility Model and the capabilities and caveats of managed service providers, there are other recommendations worth considering, such as securing your networks via segmentation and protecting your data. Our security researchers have identified some common challenges with managing these areas, such as detecting IP spoofing in cloud environments and handling vaults, buckets, and secrets. Though these examples focus on specific scenarios and cloud resources, they provide a glimpse into what attackers look for when attempting to access a cloud environment. To mitigate these issues, which often stem from simple misconfigurations, we’ve built a comprehensive list of cloud security controls that can help you strengthen your overall security posture.
Guides
We’ve also written several guides on securing cloud infrastructure and data, including recommendations for applying the Cloud Shared Responsibility Model and working with managed service providers:
- Key metrics for monitoring AWS WAFs
- Primary risks to API security
- Detect SSRF attacks in APIs
- Secure Kubernetes infrastructure in the cloud
- Secure cloud networks, endpoints, applications, and data
- Best practices for sensitive data management
- How financial services companies manage sensitive data
In addition to these guides, we’ve shared insights into how to use our products to improve security, including a few posts on how we do it at Datadog:
- How we use Datadog CSM
- How we detect and notify users of leaked Datadog credentials
- How we implement Secure by Design principles
While these guides and research focus on specific areas in the cloud, they also reiterate the breadth and depth of knowledge that’s needed to keep those environments secure. To stay up to date on our research and the latest security features, sign up for the Datadog Security Digest.
Cloud identities and access
Efficient IAM practices and key management, as identified by the NSA, are other primary areas of concern for maintaining secure cloud environments. Our State of Cloud Security and State of AWS Security reports look at the ways secrets and IAM play a role in cloud incidents. These challenges are often magnified in hybrid and multi-cloud environments, which introduce additional hurdles for granting access to both on-premises and cloud hosts.
Research
In addition to our recommendations for securing identities and their access, which focus on the most pressing issues for managing cloud environments, our research has looked at other access issues across Google, AWS, managed Kubernetes, and Azure environments:
- Google Cloud default service accounts
- How attackers abuse Entra ID Administrative Units
- Cloud identities in managed Kubernetes environments
- GitHub-to-AWS keyless authentication flaws
Guides
We’ve also written practical guides for applying some of these insights, including:
- Tracking lateral movement in hybrid Azure environments
- Detecting unauthorized third parties in your AWS account
- Creating least-privileged IAM policies
- Developing secure IAM workflows
- Identifying risky secrets in your cloud environment
- Key metrics for monitoring HashiCorp Vault
Managing cloud identities, getting visibility into their misconfigurations, and understanding how attackers take advantage of them are growing concerns for organizations. These strategies, research insights, and practical steps provide a starting point for securely configuring cloud secrets, permissions, and IAM policies.
Secure your cloud infrastructure and identities with Datadog
In this post, we shared our research, expertise, and insights for securing cloud infrastructure and identities, which can help you adhere to the commonly shared strategies from sources like the NSA. Check out Part 2 to see our roundup of research and guides for DevSecOps, threat detection, and AI. To dig into our cloud security research, check out Security Labs, or read our blog and documentation to learn how Datadog’s security platform can help you monitor and secure your cloud environment. If you don’t already have a Datadog account, you can sign up for a free 14-day trial.