Cloud Security Best Practices
January 11th, 2018
Protecting Your Cloud Computing Environment
Cloud security is the discipline and practice of safeguarding cloud computing environments, applications, data, and information. Cloud security—also referred to as cloud computing security—is designed to protect cloud environments from unauthorized use/access, distributed denial of service (DDoS) attacks, hackers, malware, and other risks. To accomplish this, cloud security uses strategy, policies, processes, best practices, and technology.
Cloud security, in the context of the above definition, is related to, but distinct from, “cloud-based security,” or security as a service. Cloud-based security refers to the software as a service (SaaS) delivery model of security services, which are hosted in the cloud rather than deployed via on-premise hardware or software.
Detailed Description of Cloud Security
Cloud computing is designed as an on-demand resource that organizations can leverage to run applications, databases, virtual machines, servers, and other IT infrastructure as needed.
There are three primary types of cloud environment, each presenting unique security challenges:
- Public cloud services are hosted by third-party cloud service providers and are generally accessible through web browsers, so identity management, authentication, and access control are essential. Examples of public clouds include Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.
- Private clouds are usually dedicated and accessible to only a single organization. However, they are still vulnerable to access breaches, social engineering, and other exploits. Private cloud environments are provided by HP Enterprise, VMware, IBM, and others.
- Hybrid clouds combine various aspects of public and private clouds, allowing organizations to wield more control over their data and resources than in a public cloud environment, yet still be able to tap into the scalability and other benefits of the public cloud when needed (such as by cloud bursting). With hybrid clouds, workloads can be run in their optimal environment.
Cloud service models generally fall into three main categories: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), each with its own security implications.
- IaaS is a cloud layer offering that enables a self-service model for managing virtualized data center infrastructure. Customers pay for on-demand access to pre-configured computing resources, such as network, storage, and operating systems. This can involve automating the creation of virtual machines at scale, so it’s critical to consider how virtual machines are provisioned, managed, and spun down.
- PaaS is a cloud layer offering that provides tools and other computing infrastructure, enabling organizations to focus on building and running web applications and services. PaaS environments primarily support developers, operations, and DevOps teams. Here, management and configuration of self-service entitlements and privileges is key to controlling risk.
- SaaS consists of applications hosted by a third party and usually delivered as software services over a web browser that is accessed on the client’s side. While SaaS eliminates the need to deploy and manage applications on end-user devices, potentially any employee can access web services and download content. Therefore, it’s important to have proper visibility and access controls in place to monitor types of SaaS applications accessed, usage, and cost.
Common Cloud Security Challenges & Considerations
Incompatibilities create management and security shortfalls: IT tools architected for on-premise environments are frequently incompatible with cloud environments and virtualization. These incompatibilities translate into visibility and control gaps that expose organizations to risk from misconfigurations, vulnerabilities, data leaks, excessive privileged access, and compliance issues. Cloud platforms themselves may lack adequate native security capabilities (such as session monitoring) to audit users. Additionally, different cloud environments may be composed of different building blocks, such as hypervisors, OSs, storage, etc., so a security process or technology suitable for one cloud may not be portable across a heterogeneous, multi-cloud environment.
Multitenancy muddies traditional boundaries: While the multitenancy of cloud environments is the backbone for many of the benefits of shared resources (e.g., lower cost, flexibility, etc.), it also introduces concerns about data isolation and data privacy.
Simple errors can cause massive damage: Rapid scalability is a prime benefit of cloud computing, but the flip side is that vulnerabilities, misconfigurations, and other security issues can also proliferate at rapid speed and scale, potentially resulting in a wide-scale service outage or breach. Take, for example, cloud administrator consoles (such as with AWS and Office 365), which provide superuser capabilities. These consoles enable users to efficiently provision, configure, manage, and delete servers at the scale of hundreds to thousands. However, each of these virtual machines is born with its own set of privileges and privileged accounts, which need to be onboarded and managed (such as with an automated privilege management solution).
DevOps pushes the limits of cloud: The ascension of the DevOps movement, which relies heavily on cloud deployments and automation, also presents cloud security considerations. DevOps teams often leverage new, open source or immature tools in managing across hundreds of security groups and thousands of server instances. In the fast-moving DevOps world, a simple misconfiguration error or security malpractice such as sharing of secrets (APIs, privileged credentials, SSH keys, etc.) can be broadly propagated, causing widespread operational dysfunction or numerous exploitable security and/or compliance issues.
Credential/access management poses issues on multiple fronts: Finally, many cloud applications contain embedded/default credentials. Organizations need to be able to manage these credentials (such as with an automated privileged password management solution) as they would other types of privileged credentials.
This is a representative (but by no means exhaustive) list of security considerations for cloud environments.
Cloud Security Strategy
To enable cloud resources for their best use cases, while effectively managing risk, an organization should have a comprehensive cloud security strategy that accounts for:
- The organization’s current and future cloud computing needs
- Potential security risks
- Overall accountability for cloud computing security
- Security already provided by the cloud environment provider or vendor (what is covered in the SLAs)
- Existing IT security practices
- Gaps between current cloud security and the desired end state
- Possible technology solutions for bridging any gaps in visibility or control, to improve security and compliance
Cloud Security Policies
Your overall cloud computing security strategy will, in turn, be supported by policies, which should clearly explain the necessary compliance and regulatory needs to keep the online cloud environment safe. These policies will document every aspect of cloud security including:
- Scope — the specific cloud environments and services that are covered
- Compliance — the expectations of cloud security in meeting federal, end user, business, and other regulatory requirements
- Accountability — the areas and people responsible for ensuring a safe cloud computing environment
- Deployment — a high-level view of how cloud security will be maintained
- Identity and access management — who has access to specific information and how identity is authenticated and authorized
- Confidentiality and sensitivity — an objective analysis of the confidentiality of specific data sets, applications, and other cloud elements
- Acceptable use — the standards that you expect end users, developers, and other authorized users to abide by
- Breach — what happens in the event of a breach of security or policy
The Principal Risks that Cloud Security Protects Against
Lack of Control: Using a public cloud service means that an organization is effectively “renting” IT assets. They no longer have ownership of the hardware, applications, or software on which the cloud services run — instead they are leasing IT services. A holistic cloud security approach will ensure that there are appropriate steps in place to understand the cloud vendor’s approach to these assets.
Lack of Visibility: Cloud computing makes it very easy for anyone to subscribe to a SaaS application or even to spin up new instances and environments. These types of shadow IT may occur outside the view and control of your security policy. You need a strong acceptable use policy that ensures that users follow best practices in obtaining authorization for, and for subscribing to, new services or creating new instances.
Transmitting and Receiving Data: Cloud applications often integrate and interface with other services, databases, and applications. This is typically achieved through an application programming interface (API). It’s vital to understand the applications and people who have access to API data and to encrypt any sensitive information.
Identity Management and Access Control: Only authorized users should have access to the cloud environment, applications, and data. This means your organization needs robust identity management and authentication processes, which could include multi-factor authentication, single sign-on, and/or other technologies. Additionally, users should only have access to the data and applications they require to fulfil their role, and nothing more.
Malware: Cloud environments typically have strong anti-malware protections and other security measures, but that doesn’t mean they satisfy the acceptable risk profile criteria for your organization. Identify any gaps and ensure you have the proper cybersecurity solutions in place.
External Attackers: Hackers and other bad actors pose a constant threat to organizations. Vigilance, early detection, and a multi-layered security approach (firewalls, data encryption, vulnerability management, threat analytics, etc.) help keep hackers out of your environment, and enable you to swiftly react with precision if a breach event should occur.
Insider Threats – privileges: Whether it’s through malevolence or simple negligence—such as inadvertently creating a security hole through a misconfiguration or the careless sharing or reusing of credentials—insider-related threats generally take the longest to detect and resolve, and have the potential to result in the most catastrophic damage. Again, having a strong IAM framework and the right privilege management tools in place to enforce least privilege and best practice privileged credential management is essential to limiting the damage from these threats and helping to prevent them from gaining a foothold in the first place.
Best Practices for Implementing Strong Cloud Security
Here are some high-level recommendations for introducing strong cloud security to your IT environment.
- Network segmentation: in multitenant environments, assess what segmentation is in place between your resources and those of other customers, as well as between your own instances. Leverage a zone approach to isolate instances, containers, applications, and full systems from each other when possible.
- Identity and access management and privileged access management: implement robust access management policies. Enforce least privilege to restrict access and to harden cloud resources (for instance, only expose resources to the Internet as is necessary, and de-activate unneeded capabilities/features). All facets of computing in the cloud should use access control lists (ACLs). Ensure privileges are role-based, and that privileged access is audited and recorded via session monitoring.
- Discover and onboard cloud instances and assets: Once cloud instances and services are discovered and grouped, bring them under management (i.e. managing and cycling passwords, etc.). Discovery and onboarding should be automated as much as possible so that shadow IT cloud resources and accounts aren’t able to arise and proliferate.
- User activity monitoring: Track how your users are using your cloud environment.
- Password control (privileged and non-privileged passwords): Never allow the use of shared passwords. Combine passwords with other authentication systems for sensitive areas. Ensure password management best practices.
- Vulnerability management: Regularly scan for vulnerability and privilege-related risks. Perform penetration testing to determine real-world security resilience. Also carry out security audits and testing to identify vulnerabilities.
- Patching and maintenance: Ensure your cloud vendor has a reliable approach to patch known vulnerabilities. Also, be proactive in scanning for and patching known vulnerabilities across your own infrastructure.
- Encryption: Ensure your cloud data is encrypted, both at rest and in transit.
- Alerts and reporting: See what reporting is available through your cloud vendor(s) and use a SIEM or other tool to integrate and centralize it with data from in-house and other vendor solutions as much as possible, so you have a holistic picture of what is happening in your environment.
- Disaster recovery: Be aware of the data backup, retention, and recovery policies and processes for your cloud vendor(s). Do they meet your internal standards? Do you have break-glass strategies and solutions in place?
- Monitoring: Ensure you have continual security monitoring in place across all environments and instances.
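As an added illustration of the least-privilege item above (example code written for this page, not from any vendor or product), the following check flags wildcard grants in an AWS-style IAM policy and security-group ingress rules that are open to the whole Internet. The sample policy, the rules, the PUBLIC_OK allowlist and the function names are all constructed assumptions.

```python
import json
# Constructed sample data in the shape of an AWS IAM policy document and
# EC2 security-group ingress rules; not taken from any real account.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-logs/*"},
  {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Sid": "AllIam", "Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
  {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
]}""")
INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
PUBLIC_OK = frozenset({80, 443})  # assumption: only these ports should face the Internet

def as_list(value):  # IAM accepts a single value or a list for these fields
    return value if isinstance(value, list) else [value]

def overbroad_statements(policy):
    """Sids of Allow statements granting wildcard actions on all resources."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        # Allow + NotAction/NotResource grants everything except what is listed.
        wild_action = "NotAction" in stmt or any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "NotResource" in stmt or "*" in as_list(stmt.get("Resource", []))
        if wild_action and wild_resource:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

def internet_exposed(rules, allowed=PUBLIC_OK):
    """(from_port, to_port) of ingress rules open to any address outside `allowed`."""
    findings = []
    for rule in rules:
        cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
        if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            continue
        # Protocol "-1" means all traffic and carries no port fields.
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if rule.get("IpProtocol") == "-1" or any(p not in allowed for p in range(lo, hi + 1)):
            findings.append((lo, hi))
    return findings

print(overbroad_statements(POLICY), internet_exposed(INGRESS))
```

Findings from a check like this are a starting point for review: a flagged statement or rule may be intentional, but it should have a documented owner and reason.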
With a soundly crafted cloud security strategy and discipline, you can enable your employees to enhance organizational innovation and support workforce productivity, while keeping your applications safe and your data secure.