It is undisputed that more and more organizations are moving computing power to the cloud. In fact, some IT organizations have adopted a “cloud first” strategy for all new deployments and will only consider new on-premise deployments when the technology, cost, or sensitivity warrants a deviation from a cloud deployment.
With this in mind, there are operational challenges – from automation (DevOps) to security – that every organization should consider as it moves to the cloud. The security services we rely on today for on-premise implementations do not necessarily translate to the cloud, and there are other (new) risks to consider. This is true for public, hybrid, and private cloud environments, and key decisions should involve more than just the security team. The outcome will generally affect more of the implementation and its services than was ever scoped for an on-premise equivalent.
The simple reason why is rather obvious but often overlooked – you do not own, typically cannot access, and do not control any of the physical aspects of a cloud environment. It is, after all, someone else’s computer.
Managing Cloud Security
So how do you quantify and manage cloud security? Here are five basic premises to get you started.
1) Network Segmentation
Consider a strong zone approach that keeps instances, containers, applications, and full systems isolated from each other wherever possible. Segmentation limits lateral movement during an attack and blocks inappropriate access between systems by any threat actor.
2) Cloud-based Access Controls
All aspects of computing in the cloud should have access control lists. Since services like a database can be instantiated separately, it is even more important than on premise to define and implement proper access controls. This includes any virtual infrastructure, operating systems, applications, and even the tools used to monitor the environment. A least-privilege, or fully closed, security model is the preferred approach. In addition, just because something is in the cloud does not mean it should be publicly addressable. Only expose the resources you need to the Internet (if any) and secure the rest.
3) Multi-tenancy in Cloud Computing
While multi-tenancy provides scalability and segmentation benefits by design, there is also a risk of data bleed and of irregular boundaries (like reporting or data export) that might not be controllable in the cloud. Consider access controls in a multi-tenant environment and policy boundaries for any account that may have access across tenants.
4) Cloud Access Management
Remember, these are not your computers. Concepts like a crash cart do not necessarily apply. So you need to manage privileged access to all cloud resources, and also consider disaster recovery and any failures within your privileged access scope. On premise today we manage privileges with password management solutions and administrator accounts. We need the same concepts in the cloud, but we do not want cloud administrator rights to be everywhere; that would negate the previous concepts of zones and access control lists. Privileges need to be role based, appropriately delegated, and monitored for usage to ensure the access is appropriate.
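The two controls above (only expose to the Internet what you need, and do not let cloud administrator rights be everywhere) can both be checked mechanically from an inventory export. The following is an added example, not code from BeyondTrust or from the original post: it runs over a constructed inventory in an assumed, generic record shape (no real provider API), with an assumed list of approved public ports and internal address ranges.

```python
"""Audit a constructed cloud inventory for unapproved Internet exposure
(firewall/ACL rules) and for wildcard administrator policies.
Assumed generic record shapes, not any provider's real API:
  firewall rule: {"name", "source_cidr", "port", "zone"}
  policy:        {"principal", "actions": [...], "resources": [...]}
"""
from ipaddress import ip_network

# Ports the organization has explicitly approved for Internet exposure (assumption).
APPROVED_PUBLIC_PORTS = {443}

# Source ranges treated as internal; any other source counts as public (assumption).
INTERNAL_RANGES = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory for illustration only.
FIREWALL_RULES = [
    {"name": "web-https", "source_cidr": "0.0.0.0/0", "port": 443, "zone": "web"},
    {"name": "db-admin", "source_cidr": "0.0.0.0/0", "port": 5432, "zone": "db"},
    {"name": "db-from-app", "source_cidr": "10.20.0.0/16", "port": 5432, "zone": "db"},
]
POLICIES = [
    {"principal": "role/ci-deployer", "actions": ["compute:StartInstance"], "resources": ["zone:app/*"]},
    {"principal": "user/alice", "actions": ["*"], "resources": ["*"]},
]


def is_public(cidr: str) -> bool:
    """True unless the whole source range sits inside one of the internal ranges."""
    net = ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_RANGES)


def public_exposure_findings(rules):
    """Names of rules that expose a port to the Internet without approval."""
    return [r["name"] for r in rules
            if is_public(r["source_cidr"]) and r["port"] not in APPROVED_PUBLIC_PORTS]


def wildcard_admin_findings(policies):
    """Principals whose policy grants every action on every resource."""
    return [p["principal"] for p in policies
            if "*" in p["actions"] and "*" in p["resources"]]


if __name__ == "__main__":
    print("unapproved public exposure:", public_exposure_findings(FIREWALL_RULES))
    print("wildcard admin principals:", wildcard_admin_findings(POLICIES))
```

The database rule open to the whole Internet and the account holding unrestricted rights are the findings a zone-and-ACL review should surface; the approved HTTPS rule and the scoped deployer role pass.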
5) Cloud Computing Threats and Vulnerabilities
This concept translates one for one from on-premise implementations, but may use agents and other integration technologies to determine the presence of vulnerabilities. Once identified, they need to be prioritized using threat intelligence and remediated in a timely fashion. This is old-school, low-hanging fruit that, regardless of the computing environment, must be done like clockwork to ensure good cybersecurity hygiene.
Other Cloud Computing Security Considerations
Now that the basics are covered – and arguably there are more – what else do you need to consider? Cloud environments have components like hypervisors that are also present on premise if you run your own virtual environment (and you probably do), but in the cloud you have no access to manage them. Consider the security tips above for the following disciplines:
- Securing any and all access to virtualization technology and any access to the hypervisor your organization may have.
- The data you store in the cloud, at rest and in motion, is just as valuable to a threat actor as on premise. Just because it is in the cloud does not degrade its potential value or risk. Consider how you safeguard it and how you monitor appropriate access.
- Application Programming Interfaces (APIs) are very common in cloud environments and are used for everything from DevOps to monitoring solutions. Consider how these are accessed, locked down, and monitored for inappropriate access.
These resources cover everything from auditing to security management, to ensure you identify all your potential weaknesses and have policies to mitigate the cloud’s unique risks.
If you need additional assistance, BeyondTrust is here to help as well. We have privileged access management and vulnerability management solutions that cover some of these recommendations to enforce security best practices. Contact us today to learn more about cloud security solutions.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.