Cloud computing is thriving and the uptake of cloud-based services has grown significantly in recent years. Almost all small, medium, and enterprise organizations have some form of digital transformation initiative or cloud computing strategy underway. Security is a major component of the industry, and the protection of sensitive data and privileged information is a top priority.
Cloud service providers operate intrinsically secure platforms that are designed from the ground up to safeguard business assets and control access in a logical but secure manner. Fortunately, when selecting a dedicated cloud partner, businesses can opt to plug straight into an existing security-as-a-service platform, one that is already designed to surpass industry best practice and one that can alleviate the technical complexities and huge costs of an in-house, DIY approach.
Securing the cloud is a shared responsibility between the provider, the consumer, and all relevant third parties. There is no doubt that security decision making is vital in the cloud era, and all cloud-based platforms must consume cloud infrastructure services diligently. There is still a very real chance that an unsuspecting system administrator may have misconfigured a cloud server, potentially leaving the door wide open to the entire system.
It is vital that all computer systems, whether cloud-native or being transitioned to a cloud provider, complete a security due diligence review. This process is designed to understand how sensitive data is shared and accessed. Knowing exactly what data you have, how you process and transform the data, and where that data is stored or transmitted is a required component of the security review.
Analysis is a challenging, time-consuming activity to complete, but it is vital to identify sensitive or regulated data and take appropriate actions to protect it. Many providers have agent-based tools that can send system configuration and setup data directly for review. This automated process takes minutes to configure, and it helps to create a schematic of the existing environment.
The gathered information helps to audit the existing or proposed cloud platform and is a great tool to identify and prevent server misconfiguration. It can also uncover any malicious or unexpected behavior that is occurring on the network. Examples include users sharing credentials, system services running under an Active Directory user account, weak password policies, or weak file and folder permissions.
The aim is to fix the problems before migrating to the cloud. It is at this early stage that the training of employees should already be underway. Sharing information and offering training about the future aspirations of the cloud strategy is a great start. Provide training about the chosen partner, user and computer etiquette, and security best practices to help prevent malware, viruses, and ransomware.
Protecting Cloud Services
A lot of work must take place to securely architect an organization’s cloud platform. Once production workloads and systems start running in the cloud, the security architecture must be revisited to ensure that it is fit for purpose. The majority of the hardware layer protections such as encryption, network segmentation, and firewalls will already be in place, and processes will be finely tuned by the provider.
Several security policies should be created and reviewed. These cover important aspects of controlling data. The almost limitless storage capacity of the cloud is a huge appeal to businesses. However, the type of storage and the controls put in place are of great significance. Policies should define what data is stored and in which location. Is sensitive data allowed overseas, or must it remain onshore for compliance reasons?
Storage buckets must have audit controls concerning the creation and deletion of data. Access controls must be checked to ensure that authorized users have the correct permissions to manipulate files. Controls are put in place to monitor the retention and deletion period of data: some businesses choose to keep data for up to seven years, and after this period the organization is duty-bound to delete the data. Cloud storage can automate the vast majority of this headache.
Data integrity is vital in the cloud era. It is highly recommended that all data in the cloud is encrypted, preferably using your own encryption keys. Measures need to be in place to prevent data from being moved to external devices, such as a data dump to a USB pen drive. Many security suites offer this functionality out-of-the-box.
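The storage controls described in the last three paragraphs (onshore location, audit logging of creation and deletion, a bounded retention period, and encryption with your own keys) can be checked mechanically. The following is an added example, not code from the original article: it audits a set of constructed bucket records against those policy points. The `Bucket` schema, the region names, the retention values and the bucket records are all hypothetical and provider-neutral; a real audit would populate them from the provider's configuration API.

```python
"""Audit constructed storage bucket configurations against a data-storage policy.

Added example (not from the original article). The Bucket fields are a
hypothetical, provider-neutral schema; the regions, retention limit and sample
buckets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_RETENTION_DAYS = 7 * 365                   # policy ceiling: delete after seven years
ONSHORE_REGIONS = {"eu-west-1", "eu-west-2"}   # constructed "onshore" region set


@dataclass
class Bucket:
    name: str
    region: str
    public_access: bool
    encryption: str                 # "none", "provider-managed" or "customer-managed"
    audit_logging: bool             # logs object creation and deletion
    versioning: bool                # deleted objects remain recoverable
    retention_days: Optional[int]   # lifecycle expiration; None means no rule at all


def audit_bucket(b: Bucket) -> List[str]:
    """Return a list of policy findings for one bucket; an empty list means compliant."""
    findings = []
    if b.public_access:
        findings.append("public access is enabled")
    if b.encryption != "customer-managed":
        findings.append(f"encryption is '{b.encryption}', policy requires customer-managed keys")
    if not b.audit_logging:
        findings.append("audit logging of object creation/deletion is disabled")
    if not b.versioning:
        findings.append("versioning is disabled, so deletions cannot be recovered")
    if b.region not in ONSHORE_REGIONS:
        findings.append(f"region '{b.region}' is offshore")
    if b.retention_days is None:
        findings.append("no lifecycle expiration rule, data is retained indefinitely")
    elif b.retention_days > MAX_RETENTION_DAYS:
        findings.append(f"retention of {b.retention_days} days exceeds the seven-year limit")
    return findings


def audit_all(buckets: List[Bucket]) -> Dict[str, List[str]]:
    """Map every bucket name to its findings."""
    return {b.name: audit_bucket(b) for b in buckets}


def noncompliant_buckets(buckets: List[Bucket]) -> List[str]:
    """Names of buckets with at least one finding, in input order."""
    return [b.name for b in buckets if audit_bucket(b)]


# Constructed sample inventory: one compliant bucket and two with problems.
SAMPLE_BUCKETS = [
    Bucket("finance-records", "eu-west-1", False, "customer-managed", True, True, 7 * 365),
    Bucket("marketing-assets", "us-east-1", True, "provider-managed", False, True, None),
    Bucket("archive-2015", "eu-west-2", False, "customer-managed", True, True, 10 * 365),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_BUCKETS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Each check maps to one sentence of the policy above, so a finding tells the reviewer which control is missing rather than just that the bucket "failed". Running the script lists the offshore, public, unlogged marketing bucket and the archive whose lifecycle rule keeps data longer than the seven-year limit.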
Another important security practice is to constantly monitor for security vulnerabilities across the entire environment. This is a crucial task that may require a team of security professionals to complete. Security platforms are used to scan external public-facing IP addresses from the public internet, and SecOps professionals also scan internal networks and systems for weaknesses.
This activity generates a large number of remediation actions. Typical examples include weaknesses found in the operating system and applications, weak security ciphers used on websites, and weak or default passwords in use. Scans are also completed against an extensive database of known vulnerabilities. Each vulnerability is reported together with its severity and the likely risk of exploitation.
Multi-Factor Authentication (MFA) is the expected standard for securing access to cloud services. The most common method of gaining access is to provide a username, a personal PIN, and a secured code from a device, commonly a mobile phone. These protections are typically found at the network layer, such as when starting a VPN tunnel to the target cloud VPS, but they can also be used as an additional layer of security for websites and sensitive production servers.
Many organizations go a step further and proxy all network traffic through a screening service that inspects packets as they enter or leave the network. This approach improves logging and tracking capabilities, and it also makes it very simple to blacklist unauthorized addresses.
After an organization’s computer systems have been embedded in the cloud, there are many day-to-day operational requirements. These processes are designed to improve security best practices in the cloud era. Constantly updating and amending cloud access policies helps businesses harden access, helping to ensure that only approved users have system access.
Security information management requires that technical procedures are up to date and that documented operating procedures are available for the cloud platform. This serves several purposes. It helps with the knowledge transfer and training of employees and also provides the organization with business continuity capabilities. Security best practice dictates that system restart and data recovery procedures are available in the event of system failure.
The documentation must explicitly define how the organization processes and handles information, define the backup policy, include scheduling requirements (start and end times of tasks), and include instructions for handling errors or other exceptional conditions, as well as how confidential information is processed and securely disposed of.
SecOps security practice covers the change management process. This includes recording significant changes, and planning and testing changes, including impact assessments. All changes must be approved by a panel that includes security officers, and all relevant persons must be kept informed.
Other security practices of note include capacity management planning and the separation of development, test, and production facilities. Controls against malware must be implemented and antivirus controls must be in place. System backups and data backups must be completed, and information must be maintained as required by local legislation (GDPR or CCPA).
Detailed logging and auditing of services are highly desirable. Records can be collected and maintained within a SIEM platform. This includes enabling the appropriate levels of logging on web servers, application servers, and database products. Other areas include monitoring privileged access, unauthorized access attempts, system alerts, and any changes made to the system security settings.
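The three monitoring targets named above (unauthorized access attempts, privileged access, and changes to security settings) are the kind of rules a SIEM runs over collected records. As an added example that is not part of the original article, the script below applies those three rules to a handful of constructed log lines. The `timestamp event key=value ...` line format, the threshold of five failures in five minutes, the privileged account names and every log line are assumptions made for this illustration, not any product's real format.

```python
"""Three SIEM-style detections over constructed authentication and config logs.

Added example (not from the original article). The log format, the sample
lines, the threshold and the privileged-account list are all constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

FAIL_THRESHOLD = 5                       # failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)       # ... within this window raise an alert
PRIVILEGED_USERS = {"root", "Administrator"}   # constructed list of privileged accounts

# Constructed sample records: timestamp, event type, then key=value fields.
LOG_LINES = [
    "2024-05-01T10:00:01Z auth user=admin src=203.0.113.9 result=FAIL",
    "2024-05-01T10:00:09Z auth user=admin src=203.0.113.9 result=FAIL",
    "2024-05-01T10:00:17Z auth user=admin src=203.0.113.9 result=FAIL",
    "2024-05-01T10:00:26Z auth user=admin src=203.0.113.9 result=FAIL",
    "2024-05-01T10:00:35Z auth user=admin src=203.0.113.9 result=FAIL",
    "2024-05-01T10:00:50Z auth user=admin src=203.0.113.9 result=FAIL",
    "2024-05-01T10:01:00Z auth user=root src=10.0.0.5 result=OK",
    "2024-05-01T10:02:00Z config key=password_policy.min_length old=12 new=6 user=bob",
    "2024-05-01T10:03:00Z auth user=alice src=10.0.0.6 result=OK",
    "2024-05-01T10:04:00Z auth user=alice src=10.0.0.7 result=FAIL",
    "2024-05-01T10:04:05Z auth user=alice src=10.0.0.7 result=FAIL",
]

Alert = Tuple[str, str, str]   # (rule name, subject, detail)


def parse_line(line: str) -> Dict[str, object]:
    """Split one record into a dict with parsed timestamp, event type and fields."""
    ts_str, event, rest = line.split(" ", 2)
    fields: Dict[str, object] = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = event
    return fields


def detect(lines: List[str]) -> List[Alert]:
    """Run the three rules in timestamp order and return the alerts raised."""
    alerts: List[Alert] = []
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_alerted = set()   # one brute-force alert per source, not one per extra failure

    for rec in map(parse_line, lines):
        if rec["event"] == "auth" and rec.get("result") == "FAIL":
            src = str(rec["src"])
            q = recent_failures[src]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and src not in already_alerted:
                already_alerted.add(src)
                alerts.append(("brute_force", src,
                               f"{len(q)} failed logins for {rec['user']} within {FAIL_WINDOW}"))
        elif rec["event"] == "auth" and rec.get("result") == "OK" and rec["user"] in PRIVILEGED_USERS:
            # Privileged access is logged for review even when the login succeeded.
            alerts.append(("privileged_login", str(rec["user"]), f"from {rec['src']}"))
        elif rec["event"] == "config":
            alerts.append(("security_setting_change", str(rec["key"]),
                           f"{rec['old']} -> {rec['new']} by {rec['user']}"))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(LOG_LINES):
        print(f"[{rule}] {subject}: {detail}")
```

The sliding window deque is what keeps the brute-force rule honest: two stray failures from 10.0.0.7 never reach the threshold, while the sixth failure from 203.0.113.9 does not produce a duplicate alert. The other two rules are deliberately unconditional, because a weakened password policy or a root login is exactly the record a reviewer wants surfaced from the SIEM rather than buried in the server logs.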