Aqua Blog

Protecting Cloud VMs for Full-Stack Cloud Native Security

The management of Virtual Machines (VMs) in the cloud is not like anything else in your cloud native environment. Traditional host-based security methods used for VMs running on physical servers relied on agents to perform functions that simply do not exist in cloud native environments. In addition, cloud instances frequently have OS-level vulnerabilities, configuration violations, and may not provide enough visibility — creating security blind spots. Compounding this, VMs also have a longer life span than containers/functions and frequently use standardized (i.e., easier to hack) default settings, which makes them attractive to attackers.

These VMs require periodic compliance checks, monitoring, and detection controls as a multi-layered defense against sophisticated hackers.

Similarly, in an orchestrated environment, Kubernetes nodes (which are highly automated cloud VMs) often require a comparable set of security policies, or posture, for assessing compliance, preventing malware, and monitoring suspicious file, process, and network activity. To help in this effort, more mature organizations often leverage automation by instrumenting monitoring and protection agents into their automation scripts for the entire lifecycle of a VM workload. The ability of these controls to integrate into the entire lifecycle is paramount to securing VM workloads.

Multi-faceted attack vectors

Virtual machines (also referred to as cloud instances) come in many different shapes and sizes. They might be Windows, RHEL, Ubuntu, CentOS, or any other variant of Linux, and could be single- or multi-core with diverse memory configurations. These VMs can also be used for hosting various server-grade or custom applications and databases. All VMs, containers, and functions offer compute capabilities, and are therefore susceptible to attack — a sobering fact when considering that just a single compromised container could also be used to move laterally on Kubernetes nodes and virtual machines. These complex compute stacks are vulnerable to workload exploitation or compromised file or system integrity, cryptographic attacks, malware and ransomware attacks at various layers of the stack. So, using a single, unified solution is simply the best way to discover modern threats in VMs and protect against these evolving attack vectors.

CWPPs should provide consistent visibility and control for physical machines, virtual machines (VMs), containers and serverless workloads, regardless of location.

Gartner, Market Guide for Cloud Workload Protection Platforms, Published 14 April 2020

Cloud VM security integrated into a cloud workload protection platform (CWPP) is your best protection, as it offers security controls across the entire stack of compute elements. These security controls should offer layered defense mechanisms to thwart multi-faceted attacks meant to compromise user credentials, scan for open ports, drop malware, or establish reverse shells by exploiting vulnerable applications, open source libraries, or operating systems. Your security solution should also support the auditing of suspicious events and log sufficient details to trace user/application activities to aid forensic analysis and create security insights and alerts.

Figure 1 – Sample hybrid multi-cloud setup

Cloud security is a shared responsibility

We have established why identifying threats before the worst happens is a critical need when protecting and securing cloud VMs. So, to help accomplish this, most public cloud vendors offer out-of-the-box security features for managing the underlying hypervisor layer that orchestrates cloud instances. All cloud vendors provide some level of granular information and accountability regarding the usage of VMs, as they use those details for invoicing their customers. So, it is possible to identify any misuse of Virtual Machines (e.g., cryptocurrency mining, command and control server) for smaller setups that have predictable usage patterns.

But what cloud providers offer is a “Shared Responsibility” security model. This model divides security tasks and responsibilities between the cloud provider and the customer. It can help relieve customers’ operational burden, as the cloud provider (e.g., AWS, GCP, Azure) operates, manages, and controls various components from the host operating system and virtualization layer, down to the physical security of the facilities in which the service operates. But when looking specifically at VMs, if you use the OS provided by the cloud provider, it’s their responsibility to keep it patched and updated. However, if you deploy any other OS, it’s your responsibility.

As businesses grow and expand, they often use disparate tools and clouds to support their respective businesses. Due to this autonomy, they may use compute and storage solutions from different public clouds and various tools to manage those cloud instances. Unfortunately, there often aren’t enough security professionals in an organization to find and fix every security blind spot, or they might have limited access to the systems needed to apply uniform security. Moreover, ITOps’ transformation into DevOps — and SecOps’ transformation into DevSecOps — has resulted in sophisticated usage of cloud metadata attributes for the definition of workload types. Security on workloads needs to match the “speed of cloud” in modern DevOps to meet rapid development and deployment cycles. Software solutions still using static policies and segments will never be able to provide context-sensitive security, which helps businesses make security decisions based on their total risk profile by using multiple security inputs. And businesses using disparate security tools and policies may never be able to free themselves from the burden of having to manage them all.

Figure 2 – Security Blind Spots

Choosing the right Cloud Workload Protection Platform

The most fundamental VM platform characteristic is the Operating System boundary. It allows security technologies to identify, segment, monitor, and uniformly enforce security. Regardless of what public cloud service a business is using, the vulnerabilities impacting a Microsoft Windows® 2012 or 2016 server or an Ubuntu 19.04 or RHEL 8.0 VM will be similar across AWS, Azure, GCP, OCI, etc. Similarly, a malware attack on a Windows 2019 server would be equally effective for a VM on any other cloud.

A CWPP solution that applies a comprehensive compliance and runtime policy to monitor and protect against adversaries is exactly what cloud security architects recommend. They benefit greatly from deploying security platforms offering a single-pane-of-glass view of their entire compute stack, regardless of where their hybrid, multi-cloud infrastructure is hosted. A solution offering broad platform and cloud vendor support creates more flexibility to avoid vendor lock-in while providing consistency and centralized management. The ability to quickly track suspicious or malicious activity across a stack of VMs, containers, Kubernetes clusters, pods, etc., to form a holistic view of wide-scale, multi-vector attacks can help immensely in defending against attackers.

In our research with several customers, we determined that most cloud VMs will experience brute force login attempts within just the first couple of hours after launching a VM. Recognizing and being informed earlier about detections not only provides insight into possible adversaries and their attacks but likewise reveals source details that can be used for updating firewall policies. Early detections can also provide opportunities to correlate those details with other possibly compromised assets within the customer’s infrastructure. This enables them to zero in on ongoing, slow-moving cyberattacks that look for anything from low-prized to high-prized assets, credentials, and data – including sensitive data found on container workloads and Kubernetes infrastructure.
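The detection described above can be sketched over authentication logs. This is an added example, not code from Aqua or its platform: it assumes the brute force attempts arrive as SSH password logins, that logs from several VMs are collected in one place with RFC 3339 timestamps, and the names `analyze` and `blocklist`, the threshold and the window are hypothetical choices. It flags sources that exceed the failure threshold across all hosts, lists which VMs each source touched, and surfaces any successful login that followed the failures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd messages with RFC 3339 timestamps, collected from
# two VMs. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01 vm-a sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
2024-05-01T10:00:04 vm-a sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
2024-05-01T10:00:09 vm-a sshd[812]: Failed password for root from 203.0.113.7 port 40125 ssh2
2024-05-01T10:00:15 vm-b sshd[377]: Failed password for deploy from 203.0.113.7 port 51200 ssh2
2024-05-01T10:00:21 vm-b sshd[377]: Failed password for deploy from 203.0.113.7 port 51204 ssh2
2024-05-01T10:00:30 vm-b sshd[378]: Accepted password for deploy from 203.0.113.7 port 51210 ssh2
2024-05-01T10:05:00 vm-a sshd[820]: Failed password for alice from 198.51.100.20 port 33001 ssh2
2024-05-01T10:05:12 vm-a sshd[820]: Accepted password for alice from 198.51.100.20 port 33001 ssh2
""".splitlines()

LINE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for "
                  r"(?:invalid user )?(\S+) from (\S+) port \d+")

def analyze(lines, threshold=5, window=timedelta(minutes=2)):
    """Report sources with `threshold` failures inside `window`, across all hosts."""
    failures, accepted = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an sshd password event
        ts, host, result, user, src = m.groups()
        event = (datetime.fromisoformat(ts), host, user)
        (failures if result == "Failed" else accepted)[src].append(event)
    report = {}
    for src, events in failures.items():
        events.sort()
        # Sliding window: compare each failure with the one threshold-1 later.
        burst = any(events[i + threshold - 1][0] - events[i][0] <= window
                    for i in range(len(events) - threshold + 1))
        if not burst:
            continue
        first = events[0][0]
        report[src] = {
            "failures": len(events),
            "hosts": sorted({h for _, h, _ in events}),
            # A success after the failures began is the finding to triage first.
            "logins_after_failures": [(h, u) for t, h, u in accepted[src] if t > first],
        }
    return report

def blocklist(report):
    """Source addresses to propose for a deny rule in the firewall policy."""
    return sorted(report)
```

Counting failures per source across hosts rather than per host is what catches a source that stays under the threshold on each individual VM.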

Figure 3 – Infrastructure Host View

Of course, a degree of security can be achieved simply by following configuration best practices to close gaps created by overly-open permissions, reducing reliance on default settings, or employing least privilege policies (for purpose-built OSs and containers), etc. But the reality is that several attack vectors would outsmart or bypass these measures, which are never foolproof, and require much better visibility and response capabilities in runtime. These attacks could be zero-day exploits, code using privilege escalation, and remote execution models.

As mentioned earlier, VMs have a system boundary that offers a certain level of segregation and protection, and it also allows additional security controls that can be applied for monitoring and protection. These controls could range from system integrity protection, trusted applications, blocked applications, memory and exploit protection controls, server monitoring, and detection controls, malware protection controls, as well as modern heuristics and threat mitigation controls.

Figure 4 – Aqua platform – Full-stack compute Security

Security controls for compliance

Most compliance and security standards, such as PCI-DSS, NIST-53, NIST 800-190, and ISO 27002, require businesses to implement best-possible security controls to prevent intrusions and safeguard environments. These controls range from system integrity monitoring, including file integrity, to malware protection, firewalling, authentication & authorization controls, and encryption. It’s very common for organizations to implement disparate tools during their cloud migration journey, but it doesn’t take long before they realize the pitfalls of maintaining multiple tools. Management of policies, security events, and analysis across a collection of tools can soon become a nightmare. Newer analytical tools like Splunk offer quick, band-aid solutions requiring security teams to push security events from disparate security tools while trying to correlate events to determine suspicious behavior. However, even if they can derive some analytical information, these analytical tools are not purpose-built for security and the insights offered are limited.

This is why a single CWPP platform or CWS service offering a consolidated view of the risks impacting a Kubernetes cluster or a node hosting multiple containers is invaluable. Without that view, it would be a challenge to manage these time-critical issues:

  • Compromised containers producing multiple file integrity events
  • Multiple alerts as attackers try to change the system time or create a new Windows® service
  • Hackers implementing changes to permissions to make a file executable
  • Dropping a malware payload
  • Bad actor egressing to a container running on the node hunting for high-valued assets

Similarly, you need visibility into vulnerable packages or applications and the ability to prioritize the most critical ones for remediation, patching, or investigation to make those insights actionable. Doing offline analysis using analytical tools isn’t as effective as a dedicated security platform that can correlate events from multi-faceted attacks on different Infrastructure elements.

In addition, auditors and forensic analysts look for evidence of best-possible security measures and any policies implemented by businesses to secure their customer’s cloud infrastructures. The use of a single system of truth negates questions around evidence tampering and sequencing across disparate tools while reconstructing the sequence of attack.


Virtual Machines are the longest-lived, heaviest, and slowest moving entities in the cloud native compute stack — outliving containers and functions. This combination of factors makes them perfect targets for hackers to drop malware, persist, create backdoors, attempt brute force logins, establish network command & control mechanisms, as well as using them for slow exfiltration of sensitive information and secrets. Development and Security teams should be able to focus on delivering business value. Security should be agile, context-sensitive, and should comprehensively cover the broadest stack of compute form factors, OS platforms, and cloud environments with multi-layered security controls.

For all these reasons, a hybrid or multi-cloud user will appreciate the value delivered by VM security as part of a single CWPP solution. Security that uses cloud native integrations to deliver visibility into the infrastructure for eliminating security blind spots and employing security best practices to prevent intrusions — as well as fast response to anomalous and suspicious events — will win the day. In the end, implementing a specialized, purpose-built, full-stack compute security solution is the only way to stay ahead of adversaries.

Aqua Team