Making Cloud Security Best Practices Work for You
As we mentioned in our last blog, Effectively Managing Security Challenges in Multi-Cloud Deployments, developing a standard or set of cloud best practices from scratch is a Herculean task and the last distraction most cloud-hungry organisations want. Luckily, for the good of the cloud security practitioner’s health, sanity and personal relationships, there is a growing range of security standards and best practices freely available off the shelf.
Currently, the best of these are made available by the Center for Internet Security (CIS), who not only publish Benchmarks for AWS, Azure and Google Cloud but also hardening guides for some deployed services (e.g. Linux servers hosted in AWS).
Such cloud-specific tools offer invaluable guidance for configuring cloud environments to achieve an optimum security posture, though it is also important not to lose sight of the other standards and legislative compliance that your organisation is bound to. For example, if your organisation processes card payment data, PCI DSS 3.2 compliance is a must. If your organisation is ISO 27001 accredited, you are required to ensure that compliance extends to the cloud. Finally, if your organisation holds or processes personally identifiable data on European citizens, you will definitely have to consider how to meet the data privacy requirements of GDPR (or the Data Protection Act 2018 in the UK).
Hmmmm…seems like a lot of reading!
You would be forgiven for grimacing at the sheer volume of understanding required to secure your cloud environments, and at the context required to ensure compliance with applicable legislation and best practices! Furthermore, once the best practices are understood, the exercise of configuring many cloud environments in accordance with these practices and legislation begins. For the sake of argument, let’s say a cloud platform offers users 500 configurable options, each of which carries a security implication: understanding the effect of every configuration choice on the final security posture is a considerable challenge. Now consider that some cloud platforms have upwards of 3000 configuration options. Sore head?
Just give me the facts!
OK, so in case you don’t have time to look at these documents in depth and map them to the configurable options in your cloud environment(s) before that important “How on Earth are we going to secure our cloud environment?” meeting with your management in 30 mins, we have teased out a few of the most significant best practices to get you started.
As with the more highly developed standards and practices, these are born out of addressing the most common cloud security risks, which include:
- Violation of regulatory controls
- Account hijacking
- Insider threats
Here are 9 steps you can take to begin securing your business from threats and start to successfully enjoy all of the benefits that public cloud computing provides.
- Educate your employees. Security training is a massive concern among IT professionals when dealing with security management. Ensure employees understand how to spot cyber threats and what to do when they come across them.
- Encrypt your data. Just as we use combination locks on our gym lockers, it’s extremely smart to protect all data using encryption.
- Implement multi-factor authentication. Passwords are not enough to keep information safe. When you implement multi-factor authentication, you add an extra layer of protection, so a stolen password alone is not enough to access your information.
- Limit access. Identity and access management (IAM) technologies allow IT managers to control user access to important information. Implementing IAM is a powerful way to limit access and offer increased protection for critical information.
- Test security measures. Ethical hackers help organizations by attempting to hack into company systems to test their security. Work with ethical hackers to detect vulnerabilities in your system before a malicious hacker does.
- Monitor and remediate resource misconfigurations on a 24 x 7 x 365 basis. Use a robust, ‘always-on’ cloud security solution that seamlessly remediates misconfigurations and reduces the window of opportunity for malicious actors.
- Detect and remediate anomalous user activities, e.g. with a cloud security platform that uses AI to detect abnormal behaviour and sensitive user actions.
- Detect and remediate suspicious network traffic. It is crucial to monitor your cloud environments for suspicious network traffic across all resources to detect threats such as network intrusions and cryptojacking.
- Identify vulnerable hosts. Since IP addresses are constantly changing and cloud resources are continually being created and destroyed, make sure your vulnerability data is correlated with configuration data to accurately identify vulnerable hosts in your public cloud environment.
It is worth noting that a large percentage of cloud-related breaches are due to environment misconfiguration: poor key rotation, little or no access control on cloud storage (leaky S3 buckets are a major issue), weak administrator passwords and poor security group configurations can all cause massive problems. This is compounded by two further issues:
- Malicious actors are using automated tools to scan for configuration vulnerabilities in the cloud and launching attacks against cloud infrastructure all the time. The native tooling in most cloud platforms simply doesn’t do enough to detect and block or remediate cyber attacks against your cloud-based infrastructures.
- It is not enough to define a security standard, publish it to everyone in the DevOps team and expect the security posture to be upheld. DevOps allows new applications and services to be deployed in a fraction of the time previously possible and, as a result, cloud environments are being spun up and down all the time. Once these environments are in place, you need to be able to monitor and manage their configurations and the threats against them 24 x 7 x 365.
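As an added illustration (not code from the Gyrocom post or from any product it describes), the Python below runs a small benchmark-style check over a constructed inventory snapshot for four of the misconfigurations named above: missing MFA, stale access keys, publicly readable storage buckets and security groups exposing admin ports to the whole internet. The snapshot, its field names and the 90-day rotation interval are assumptions; a real checker would populate the same structure from the cloud provider's API and run on a schedule.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory snapshot (sample data, not a real account); a real
# checker would build this from the provider's API rather than a literal.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SNAPSHOT = {
    "users": [
        {"name": "alice", "mfa": True, "key_created": NOW - timedelta(days=30)},
        {"name": "svc-deploy", "mfa": False, "key_created": NOW - timedelta(days=400)},
    ],
    "buckets": [
        {"name": "customer-exports", "public_read": True},   # the "leaky" bucket
        {"name": "internal-logs", "public_read": False},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
        {"id": "sg-bastion", "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
        {"id": "sg-db", "ingress": [{"cidr": "10.0.0.0/8", "port": 5432}]},
    ],
}

KEY_MAX_AGE_DAYS = 90        # assumed rotation interval (CIS AWS Benchmark uses 90 days)
ADMIN_PORTS = {22, 3389}     # SSH and RDP must not be reachable from the whole internet
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

def check_mfa(snapshot):
    return [f"user {u['name']} has no MFA" for u in snapshot["users"] if not u["mfa"]]

def check_key_rotation(snapshot, now=NOW):
    return [f"user {u['name']} access key is {(now - u['key_created']).days} days old"
            for u in snapshot["users"]
            if (now - u["key_created"]).days > KEY_MAX_AGE_DAYS]

def check_public_buckets(snapshot):
    return [f"bucket {b['name']} allows public read" for b in snapshot["buckets"] if b["public_read"]]

def check_security_groups(snapshot):
    # Only flag admin ports open to everyone; 443 on a web tier is expected.
    return [f"{sg['id']} exposes port {r['port']} to {r['cidr']}"
            for sg in snapshot["security_groups"]
            for r in sg["ingress"]
            if r["cidr"] in ANY_ADDRESS and r["port"] in ADMIN_PORTS]

def run_benchmark(snapshot, now=NOW):
    """Return {check_name: [finding, ...]}; an empty list means the check passed."""
    return {
        "mfa_enabled": check_mfa(snapshot),
        "key_rotation": check_key_rotation(snapshot, now),
        "no_public_buckets": check_public_buckets(snapshot),
        "no_admin_ports_open": check_security_groups(snapshot),
    }
```

Each finding here maps to one remediation action (enable MFA, rotate the key, block public access, tighten the rule), which is the loop an always-on monitoring tool automates.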
When it comes to cloud computing, it’s better to be safe than sorry. Having standards to aim for is a great place to be, as it defines what you need to achieve and makes it easy to get everyone pointing in the same direction. Implementing the proper security measures across people, process and technology to consistently monitor and uphold these desired security standards (there will definitely be more than one!) will allow you to mitigate the biggest business-risking factors that cloud introduces. Unfortunately, people don’t scale very well when it comes to monitoring cloud configurations. In multi-cloud environments, knowing how everything should be configured, scanning for threats and remediating issues requires significant manpower. Couple this with a widely recognised shortage of skilled and experienced personnel in the field of cloud security, and the only feasible solution is automation!
Automated configuration monitoring, standards/best-practice benchmarking and threat defence tools are here today. Such tools use machine learning to detect even the stealthiest malicious activities and ensure continuous security and compliance across all your cloud deployments. Just like a terminator, the right automated tooling is fast, smart, focused on the job in hand and simply will not stop… all the qualities you need to meet the challenges of cloud security head on! Contact us today to find out more about using automation to make cloud best practices fully work to your advantage.
Gyrocom is a network and security company. We support your digital transformation with secure, automated and simple to manage solutions for the data centre, branch office and cloud.