Cloud computing continues to flourish, with substantial growth in the adoption of cloud-based services in recent years. From small businesses to enterprise organizations, digital transformation initiatives and cloud computing strategies are becoming increasingly commonplace. Within this industry, security is a critical focus: safeguarding sensitive data and privileged information is paramount.
Cloud service providers invest heavily in securing the underlying platform, from physical data centres to the hypervisor and the identity and access management layer, so that business assets can be protected and access managed effectively. Businesses without the expertise to manage this in-house can also engage a dedicated cloud partner and use its security-as-a-service platform, which can bring controls up to or beyond industry best practice and reduce the technical complexity and cost of running security internally. Neither option removes the customer's own responsibilities, described next.
Securing the cloud is a shared responsibility between the provider, the consumer, and all relevant third parties. The provider secures the infrastructure; the consumer remains responsible for how it configures and uses the services built on that infrastructure. Security decision making is therefore vital in the cloud era, and every cloud-based platform must consume the provider's infrastructure services diligently. There is still a very real chance that an unsuspecting system administrator has misconfigured a cloud server, a storage bucket, or a firewall rule, potentially leaving the door wide open to the entire system.
Cloud Analysis
All computer systems, whether they are cloud-native or in the process of transitioning to a cloud provider, need to undergo a thorough security diligence review. This review is crucial to understand the ways in which sensitive data is accessed and shared. A comprehensive understanding of the type of data you have, how it is processed and transformed, and where it is stored or transmitted is an integral part of this security review.
While analysis can be a complex and time-consuming task, it is essential to identify sensitive or regulated data and take appropriate protective measures. Many providers offer agent-based tools that collect system configuration and setup data for review. Such automated collection takes minutes to configure and produces a detailed map of the existing environment.
The information collected is instrumental in auditing the existing or proposed cloud platform. It is an excellent tool for identifying and preventing server misconfigurations and for detecting unexpected or malicious behaviour on the network. Typical findings include shared credentials, system services running under an ordinary Active Directory user account instead of a dedicated service account, lax password policies, and inadequate file and folder permissions.
The goal is to rectify these issues before transitioning to the cloud. This early stage is also the ideal time to begin employee training on the new systems and protocols. Start by sharing the aims of the cloud strategy, then cover the chosen partner, acceptable use of user accounts and computers, and the security practices that help prevent malware, viruses, and ransomware.
Protecting Cloud Services
A lot of work must take place to securely architect an organization's cloud platform, and once production workloads are running in the cloud the security architecture must be revisited to ensure that it is still fit for purpose. The provider's infrastructure-layer protections, such as physical security, hypervisor isolation, encryption of the underlying storage, and segmentation between tenants, will already be in place and finely tuned. Encryption keys, network segmentation, and firewall rules for the organization's own workloads, however, are configured by the customer and must be designed and reviewed with the same care.
Several security policies should be created and reviewed. These cover the important aspects of controlling data. The almost limitless storage capacity of the cloud is a huge appeal to businesses, but the type of storage and the controls put in place are of great significance. The policies should answer questions such as: what data is stored, and in which locations? Is sensitive data allowed overseas, or must it remain onshore for compliance reasons?
Audit Controls and Access for Storage Buckets
Storage buckets should be equipped with audit controls that record the creation and deletion of data. Access controls should be checked to verify that only authorized users and service identities hold permissions to modify or delete objects, and that nothing is readable by anonymous principals. Monitoring controls should track the retention and deletion period of data; some businesses are required to keep data for up to seven years, after which they are obligated to delete it. Most of these processes can be automated with the storage service's own logging, versioning and lifecycle features.
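The checks above can be run offline against the bucket's exported configuration. The following is an added example, not code from the original article: the bucket policy and lifecycle rules are constructed here in the shape of an AWS S3 bucket policy and lifecycle configuration, the seven-year limit is the retention period mentioned above, and the logging and versioning flags are assumed inputs that a real audit would read from the storage API.

```python
"""Offline audit of a storage bucket's access policy and lifecycle rules.

Added example (not from the original article). Inputs are constructed to
resemble an AWS S3 bucket policy and lifecycle configuration; no cloud API
is called.
"""
import json

# Constructed sample: anonymous read access plus a lifecycle rule that archives
# objects but never expires them.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::records-bucket/*"},
    {"Sid": "Admin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/RecordsAdmin"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::records-bucket/*"}
  ]
}
""")

LIFECYCLE_RULES = [
    {"ID": "archive", "Status": "Enabled", "Filter": {"Prefix": ""},
     "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}]},
]

SEVEN_YEARS_DAYS = 7 * 365  # retention limit discussed in the text


def _as_list(value):
    """Action and Principal.AWS may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for the wildcard principal in either of its JSON spellings."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _grants(statement, action):
    """True if an Allow statement covers `action` directly or via a wildcard."""
    if statement.get("Effect") != "Allow":
        return False
    return any(a in ("*", "s3:*", action) for a in _as_list(statement.get("Action")))


def public_statements(policy):
    """Sids of unconditional Allow statements granted to everyone."""
    return [s.get("Sid", "<unnamed>") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
            and "Condition" not in s]


def deletion_principals(policy):
    """Principals allowed to delete objects; compare against the approved list."""
    found = []
    for s in policy["Statement"]:
        if not _grants(s, "s3:DeleteObject"):
            continue
        principal = s.get("Principal")
        if isinstance(principal, dict):
            found.extend(_as_list(principal.get("AWS")))
        else:
            found.append(principal)
    return found


def retention_findings(rules, max_days):
    """Require an enabled rule that expires objects within the retention limit."""
    expirations = [r["Expiration"]["Days"] for r in rules
                   if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})]
    if not expirations:
        return ["no enabled lifecycle rule expires objects; retention is unbounded"]
    return [f"expiration after {d} days exceeds the {max_days}-day limit"
            for d in expirations if d > max_days]


def audit_bucket(policy, rules, max_days=SEVEN_YEARS_DAYS, logging=False, versioning=False):
    """Collect findings; `logging` and `versioning` are assumed to come from the API."""
    findings = [f"statement {sid} grants access to everyone" for sid in public_statements(policy)]
    findings += retention_findings(rules, max_days)
    if not logging:
        findings.append("access logging is disabled; creations and deletions are not recorded")
    if not versioning:
        findings.append("versioning is disabled; deleted objects cannot be recovered")
    return findings


if __name__ == "__main__":
    for finding in audit_bucket(BUCKET_POLICY, LIFECYCLE_RULES):
        print("FINDING:", finding)
```

The wildcard handling matters in practice: a policy with `"Principal": {"AWS": "*"}` is just as public as `"Principal": "*"`, and an `s3:*` action grants deletion even though the string `s3:DeleteObject` never appears.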
Data Integrity and Security
Data integrity is of paramount importance in the cloud era. It is strongly advised that all data stored in the cloud be encrypted, preferably using encryption keys that the organization generates and controls rather than provider-default keys, and that integrity checks such as checksums or authenticated encryption are used so that tampering is detected. There should also be measures to prevent data from being copied to external devices, such as USB drives; many endpoint security suites offer this data loss prevention functionality as a standard feature.
Continual Vulnerability Monitoring
Another significant security practice is the continual monitoring of security vulnerabilities across the entire environment. This critical task often requires a team of security professionals. Scanning platforms test external, public-facing IP addresses from the public internet, and SecOps professionals scan internal networks and systems for vulnerabilities.
Executing this task typically produces a significant number of actions needed to address the identified vulnerabilities. Common examples include unpatched weaknesses in the operating system and applications, weak TLS ciphers on websites, and the use of weak or default passwords. Scans are also carried out against an extensive database of known vulnerabilities. Each vulnerability is reported with its severity and the likelihood that it will be exploited, so that remediation can be prioritized.
MFA
Multi-Factor Authentication (MFA) is the expected standard for securing access to cloud services. The most common method is to provide a username and password or PIN together with a one-time code generated on a device the user possesses, commonly a mobile phone. MFA is typically enforced at the points where a session is established, such as starting a VPN tunnel to the target cloud network or signing in to the provider's console, but it can also be required as an additional layer of security for websites and sensitive production servers.
Many organizations go a step further and proxy all network traffic through a screening service that inspects packets as they enter or leave the network. This approach improves logging and tracking, and it also makes it simple to block traffic to or from unauthorized addresses.
Transition to SecOps
Once an organization’s computer systems have been integrated with the cloud, they are subject to a variety of daily operational activities. These processes are tailored to reinforce security best practices in the era of cloud computing. Continually updating and revising cloud access policies helps to tighten access control, ensuring only approved users can access the system.
Security Information Management
Security information management requires that technical procedures are up-to-date and that documented operating procedures for the cloud platform are readily available. This serves several purposes: facilitating knowledge transfer and employee training, as well as providing the organization with business continuity capabilities. Best security practices stipulate that procedures for system restart and data recovery should be readily accessible in case of system failure.
The documentation should clearly detail how the organization processes and handles information, define the backup policy, outline scheduling requirements (including the start/end times of tasks), and include instructions for managing errors or exceptional conditions. It should also describe how confidential information is processed and securely disposed of.
Change Management in SecOps
SecOps security practices encompass the change management process. This involves recording significant changes, planning and testing changes, and conducting impact assessments. All changes must be approved by a panel that includes security officers, and all relevant parties should be kept informed.
Other Noteworthy Security Practices
Other security measures of note include capacity management planning, the segregation of development, test, and production facilities, and the implementation of controls against malware, including antivirus measures. Both system and data backups should be performed, and information should be retained and disposed of in accordance with applicable legislation, such as GDPR or CCPA.
Detailed logging and auditing of services is highly desirable. Records should be collated and kept within a SIEM platform. This includes enabling appropriate levels of logging on web servers, application servers, and database products, as well as the provider's own audit trail of management API calls. Other considerations include monitoring privileged access, unauthorized access attempts, system alerts, and changes made to system security settings.
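The monitoring cases listed above are the kind of detections that run inside the SIEM. The following is an added example, not code from the original article: the events are constructed here in the shape of AWS CloudTrail records (eventName, userIdentity, sourceIPAddress, errorCode, and so on), the list of sensitive API calls is an assumption chosen for illustration, and the four detections cover repeated failed logins, use of the privileged root account, access-denied attempts, and successful changes to security settings.

```python
"""Detection logic over cloud audit-log events.

Added example (not from the original article). Events are constructed in a
CloudTrail-like shape; in production the same functions would run over
records pulled from the SIEM instead of this inline list.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed list of API calls that alter security posture (illustrative, not exhaustive).
SENSITIVE_CHANGES = {
    "AuthorizeSecurityGroupIngress", "PutBucketPolicy", "DeleteBucketPolicy",
    "StopLogging", "DeleteTrail", "PutUserPolicy", "AttachUserPolicy",
    "UpdateAssumeRolePolicy", "DeactivateMFADevice", "CreateAccessKey",
}


def _event(time, name, ident_type, user=None, **extra):
    """Build a constructed CloudTrail-style record with only the fields read below."""
    ident = {"type": ident_type}
    if user:
        ident["userName"] = user
    record = {"eventTime": time, "eventName": name, "userIdentity": ident,
              "sourceIPAddress": extra.pop("ip", "203.0.113.10")}
    record.update(extra)
    return record


# Constructed sample: three rapid login failures then a success for alice,
# a denied call and a firewall change by bob, root disabling the audit trail,
# and one isolated failure for carol that should stay below the threshold.
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:05Z", "ConsoleLogin", "IAMUser", "alice", ip="198.51.100.7",
           responseElements={"ConsoleLogin": "Failure"}),
    _event("2024-05-01T10:00:41Z", "ConsoleLogin", "IAMUser", "alice", ip="198.51.100.7",
           responseElements={"ConsoleLogin": "Failure"}),
    _event("2024-05-01T10:01:17Z", "ConsoleLogin", "IAMUser", "alice", ip="198.51.100.7",
           responseElements={"ConsoleLogin": "Failure"}),
    _event("2024-05-01T10:02:02Z", "ConsoleLogin", "IAMUser", "alice", ip="198.51.100.7",
           responseElements={"ConsoleLogin": "Success"}),
    _event("2024-05-01T10:05:30Z", "DescribeTrails", "IAMUser", "bob", errorCode="AccessDenied"),
    _event("2024-05-01T10:06:10Z", "AuthorizeSecurityGroupIngress", "IAMUser", "bob"),
    _event("2024-05-01T10:09:00Z", "StopLogging", "Root"),
    _event("2024-05-01T10:30:00Z", "ConsoleLogin", "IAMUser", "carol", ip="192.0.2.9",
           responseElements={"ConsoleLogin": "Failure"}),
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def failed_login_bursts(events, threshold=3, window_seconds=300):
    """(actor, source IP) pairs with at least `threshold` failed logins inside one window."""
    by_key = defaultdict(list)
    for e in events:
        if e.get("eventName") == "ConsoleLogin" and \
                e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            by_key[(_actor(e), e.get("sourceIPAddress"))].append(_ts(e))
    bursts = []
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window over sorted failures
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                bursts.append(key)
                break
    return bursts


def root_activity(events):
    """Any call made by the root account is privileged access worth reviewing."""
    return [e["eventName"] for e in events if e.get("userIdentity", {}).get("type") == "Root"]


def access_denied(events):
    """Unauthorized access attempts: calls the authorization layer refused."""
    return [(_actor(e), e["eventName"]) for e in events
            if e.get("errorCode") in ("AccessDenied", "UnauthorizedOperation")]


def security_setting_changes(events):
    """Successful calls that alter security settings; failed ones surface via access_denied."""
    return [(_actor(e), e["eventName"]) for e in events
            if e.get("eventName") in SENSITIVE_CHANGES and "errorCode" not in e]


def run_detections(events):
    alerts = [f"possible password guessing: {actor} from {ip}"
              for actor, ip in failed_login_bursts(events)]
    alerts += [f"root account used: {name}" for name in root_activity(events)]
    alerts += [f"unauthorized attempt: {actor} -> {name}" for actor, name in access_denied(events)]
    alerts += [f"security setting changed: {actor} -> {name}"
               for actor, name in security_setting_changes(events)]
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Note the ordering in the sample: alice's failures are followed by a success from the same address, which is exactly the sequence a successful password-guessing attack leaves behind, and root's `StopLogging` call is flagged twice, once as privileged use and once as a security-setting change, because both views are wanted in the SIEM.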