It is undisputed that more and more organizations are moving computing power to the cloud. In fact, some IT organizations have adopted a “cloud first” strategy for all new deployments and will only consider new on-premise deployments when the technology, cost, or sensitivity warrants a deviation from a cloud deployment.
With this in mind, there are operational challenges – from automation (DevOps) to security – that every organization should consider as they move to the cloud. The security services we rely on today for on premise implementations do not necessarily translate to the cloud and there are other (new) risks we should consider. This is true for public, hybrid, and private cloud environments, and should involve more the than just the security team when key decisions are being made. The outcome will generally affect more of the implementation and services than was ever scoped for an on premise equivalent.
The simple reason why is rather obvious but often overlooked – you do not own, typically have access to, or control any of the physical aspects of a cloud environment. It is after all, someone else’s computer.
Managing Cloud Security
So how do you quantify and manage cloud security? Here are five basic premises to get you started.
1) Network Segmentation
Consider a strong zone approach to keep instances, containers, applications, and full systems isolated from each other when possible. This will stop lateral movement in an attack and inappropriate access between systems by any threat actor.
2) Cloud-based Access Controls
All aspects of computing in the cloud should have access control lists. Since services like a database can be instantiated separately, it is more important than it is for on premise to define and implement proper access controls. This includes any virtual infrastructure, operating systems, applications, and even tools used to monitor the environment. A least privilege, or fully closed, security model is a preferred approach. In addition, just because it is in the cloud does not mean that it should be publicly addressable. Only expose the resources you need to the Internet (if any) and secure the rest.
3) Multi-tenancy in Cloud Computing
While multi-tenancy provides scalability and segmentation benefits by design, there are also chances of data bleed and irregular boundaries (like reporting or data export) that might not be controllable in the cloud. Consider access controls in a multi-tenant environment and policy boundaries for any account that may have access across tenants.
4) Cloud Access Management
Remember, these are not your computers. Concepts like a crash cart do not necessarily apply. So, you need to manage privileged access to all cloud resources and also consider disaster recovery and any failures in your privileged access scope. We manage privileges today on premise with password management solutions and administrator accounts. We need the same concepts in the cloud but do not want cloud administrator rights to be everywhere. This would negate the previous concepts of zones and access control lists. Privileges need to be role based, appropriately delegated, and monitored for usage to ensure the access is appropriate.
5) Cloud Computing Threats and Vulnerabilities
This concept translates one for one from on premise implementations but may use agents and other integration technologies to determine the premise of vulnerabilities. Once identified, they need to be prioritized using threat intelligence and remediated in a timely fashion. This is old school low hanging fruit that regardless of the computing environment must be done like clockwork to ensure good cybersecurity hygiene.
Other Cloud Computing Security Considerations
Now that the basics are covered – and arguably there are more – what else do you need to consider? Cloud environments have traits like Hypervisors that are not present on premise unless you have your own virtual environment (and you probably do); but you have no access to manage it in the cloud. Consider the security tips above for the following disciplines:
- Securing any and all access to virtualization technology and any access to the hypervisor your organization may have.
- The data you store in the cloud, at rest and in motion, is just as valuable to a threat actor as on premise. Just because it is in the cloud does not degrade its potential value or risk. Consider how you safeguard it and how you monitor appropriate access.
- Application Programming Interfaces are very common in cloud environments and used for everything from DevOps to monitoring solutions. Consider how these are accessed, locked down, and monitored for inappropriate access.
These resources cover everything from auditing to security management to ensure you identify all your potential weakness and have policies to mitigate the cloud’s unique risks.
If you need additional assistance, BeyondTrust is here to help as well. We have privileged access management and vulnerability management solutions that cover some of these recommendations to enforce security best practices. Contact us today to learn more about cloud security solutions.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.