Cloud Security – The 10 things every business must do when using cloud services


Below are the Top 10 things that every business must do when adopting cloud services. Simply put, if you don’t take your part of the shared responsibility model seriously and practice strong cloud security, it is a matter of when, not if, your cloud infrastructure will be breached.
Implement Strong Access Controls:
Limit access to sensitive data and resources by using strong authentication methods, such as multi-factor authentication (MFA), and role-based access control (RBAC) to ensure only authorized personnel can access specific resources.
MFA is a must-have for every account that will be accessing the management plane (cloud website). This is due to the broad network access of cloud services. Everybody in the world can access the login page. Assuming your email address and password are already compromised, MFA is the only thing that will protect your cloud services.
As for the type of MFA device, a YubiKey or other hardware-based device is generally considered the best approach, because an attacker would need physical possession of the device to use it. As such, it is highly resistant to social engineering attacks. Software approaches have been compromised in different ways (push fatigue, SIM swapping, etc.). That said, any MFA is better than no MFA.
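As an added example (not code from the original post), the check below reads an IAM credential report in the AWS layout and flags every identity that can reach the console login page without MFA; the report rows are constructed sample data, and the root row follows the report's convention of showing password_enabled as not_supported.

```python
import csv
import io

# Constructed sample laid out like an AWS IAM credential report (fetched in
# practice with `aws iam get-credential-report`); the values are illustrative.
# Only the columns this check reads are meaningful.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,false,false
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T00:00:00+00:00,true,2024-05-02T10:00:00+00:00,true,true
bob,arn:aws:iam::111122223333:user/bob,2022-06-07T00:00:00+00:00,true,2024-05-02T11:00:00+00:00,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2023-01-01T00:00:00+00:00,false,no_information,false,true
"""

ROOT = "<root_account>"


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Return identities that can sign in to the management console without MFA.

    The root account is included whenever mfa_active is false: its console
    password cannot be removed, so the report shows password_enabled as
    not_supported rather than true. API-only users (password_enabled false)
    cannot reach the login page and are skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console_enabled = row["user"] == ROOT or row["password_enabled"] == "true"
        if console_enabled and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


if __name__ == "__main__":
    for user in console_users_without_mfa(SAMPLE_REPORT):
        print(f"console access without MFA: {user}")
```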
Regularly Update and Patch:
Keep all software, including operating systems, applications, and cloud platforms, up to date with the latest security patches to protect against known vulnerabilities.
Your servers and workloads are yours. In IaaS and PaaS, the provider doesn’t maintain the operating system or the applications. This is core to the shared responsibility of cloud services. In SaaS, application and platform maintenance is the provider’s responsibility.
This may require faster patch deployment than you are used to. The servers and applications running in the cloud likely don’t have the same defenses as systems sitting behind a perimeter in a traditional data center.
An immutable approach, where you replace servers rather than patch them in place, should be a strong contender for how you update systems in IaaS and PaaS environments.
Encrypt Data at Rest and in Transit:
Use encryption to protect sensitive data, both when it is stored (at rest) and when it is being transmitted (in transit) between systems or users.
The good news here is that encryption of workloads can be as simple as ticking a box. This assumes you leverage your provider’s key management system and provider-managed keys (e.g. AWS managed keys in AWS KMS). More complex options are the “bring your own key” and “hold your own key” approaches.
Encryption of data in transit should be practiced for any system whose data traverses the hostile internet. As for system-to-system network encryption, ask your provider whether it is applied to internal network traffic automatically. Chances are it already is.
Implement Intrusion Detection and Prevention Systems (IDPS):
Deploy IDPS solutions to monitor and analyze network traffic for potential threats and to block or alert on suspicious activities.
Several third-party IDPS solutions are available in the AWS Marketplace. These solutions, such as Alert Logic, Trend Micro, and Palo Alto Networks, can be integrated with your AWS environment to provide additional IDPS capabilities. Setting these up will require network routes to be established to ensure all data flows through these virtual appliances as intended.
When leveraging a third-party virtual appliance, make sure you understand what features the virtual appliance supports. Don’t assume the virtual appliances are exactly like their physical counterparts.
Secure Application Development:
Incorporate security best practices into your software development lifecycle (SDLC), such as using secure coding standards, performing regular code reviews, and conducting penetration testing.
Just as in any environment, you should be practicing strong application development. Shifting left and incorporating security earlier in the design process may seem to prolong development time, but in reality addressing security earlier leads to efficiencies at the end, because developers won’t have to refactor the application to address security issues later on. CSSLP training from ISC2 is equally applicable to traditional and cloud computing environments.
Regular Security Assessments:
Conduct periodic security assessments, including vulnerability scanning and penetration testing, to identify potential weaknesses in your cloud infrastructure and applications.
Many providers have services that can assess infrastructure and applications in a continuous fashion. These services may not address the penetration testing portion of continuous assessment, so augment the automated services with manual penetration testing to ensure security of your applications and systems.
Data Backup and Disaster Recovery:
Implement a robust data backup and disaster recovery plan to ensure business continuity in the event of a security breach or other disaster.
Business Continuity and Disaster Recovery (BC/DR) needs to be addressed using a risk-based approach. Not all applications have the same value to a business. Depending on the BC/DR architecture, costs can be very high, so consideration of Recovery Time Objective (RTO) and Recovery Point Objective (RPO) is essential.
Employee Training and Awareness:
Train your staff on cloud security best practices and raise awareness about potential threats, such as phishing attacks, to help prevent security incidents.
Anyone working with a cloud environment needs to be trained on the fundamentals of cloud security in general. Courses for this include the Certificate of Cloud Security Knowledge (CCSK) by the Cloud Security Alliance and the Certified Cloud Security Professional (CCSP) by ISC2. We deliver in-person, instructor-led online training and on-demand training for both offerings. Platform-specific training is also required.
Monitor and Audit Activity:
Continuously monitor and log user and system activity within your cloud environment to detect and investigate any suspicious behavior, and perform regular audits to ensure compliance with security policies and regulatory requirements.
This logging must cover both the cloud environment itself and the systems running inside it. In a PaaS environment, additional application logging may be needed to compensate for the reduced visibility a PaaS offers compared to an IaaS environment.
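An added example, not part of the original post: a small detection pass over constructed CloudTrail-style records that flags any use of the root account and bursts of failed console logins from a single address. The record layout follows the fields CloudTrail uses for ConsoleLogin events; the failure threshold is an assumption.

```python
from collections import Counter

FAILURE_THRESHOLD = 3  # failed console logins from one IP before alerting (assumed)


def console_login(identity_type: str, name: str, ip: str, outcome: str) -> dict:
    """Build a constructed CloudTrail-style ConsoleLogin record (not real log data)."""
    return {
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": identity_type, "userName": name},
        "responseElements": {"ConsoleLogin": outcome},
    }


# Constructed sample: three failures from one address, a normal user login,
# a root sign-in, and an unrelated API call made through an assumed role.
SAMPLE_EVENTS = [
    console_login("IAMUser", "alice", "198.51.100.7", "Failure"),
    console_login("IAMUser", "bob", "198.51.100.7", "Failure"),
    console_login("IAMUser", "carol", "198.51.100.7", "Failure"),
    console_login("IAMUser", "alice", "203.0.113.9", "Failure"),
    console_login("IAMUser", "alice", "203.0.113.9", "Success"),
    console_login("Root", "root", "203.0.113.20", "Success"),
    {"eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole", "userName": "ops-role"}},
]


def analyse_events(events: list[dict]) -> list[str]:
    """Return alert strings for root account usage and console login failure bursts."""
    alerts = []
    failures = Counter()
    for event in events:
        identity = event.get("userIdentity", {})
        ip = event.get("sourceIPAddress", "?")
        # Root should be locked away after account setup, so any use is notable.
        if identity.get("type") == "Root":
            alerts.append(f"root account used: {event['eventName']} from {ip}")
        if event.get("eventName") != "ConsoleLogin":
            continue
        if event.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failures[ip] += 1
    for ip, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            alerts.append(f"{count} failed console logins from {ip}")
    return alerts
```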
Establish a Security Incident Response Plan:
Develop and maintain a comprehensive incident response plan to guide your organization’s actions in the event of a security breach. This plan should include clear roles and responsibilities, communication protocols, and procedures for containing and mitigating the impact of an incident.
The number one thing you must identify is the support package you have and what level of support it provides. During an incident is a terrible time to realize that you only have 9-5 support. Been there, done that. It isn’t fun.
After that is sorted, the next thing to address is the tooling your team has to support incident response in a virtual environment. Does your incident response team have the ability to capture running memory from an instance, for example? Do they know how to quarantine a server and launch a new instance to take over incoming requests in order to minimize downtime?
If your incident response will be performed via the vendor’s web management plane, is the team testing the plan on a regular basis? The web interface changes often, whereas the APIs change far less frequently.
I hope this top 10 list has helped you understand the importance of the shared responsibility that comes with cloud services. These items and more are discussed in our Certificate of Cloud Security Knowledge (CCSK), Certified Cloud Security Professional (CCSP) and our exclusive CCSK + Cloud GRC training offerings.