Organizations of all kinds are embracing the cloud—including software, platform and infrastructure as a service (SaaS, PaaS, and IaaS)—for its economics, its flexible scalability, and its accelerated time-to-benefit. But cloud adoption has significant implications for enterprise cybersecurity. So here are seven key high-level principles that will help you keep your organization protected as it makes more extensive use of the cloud over time.
Cloud security tip #1: Maintain an accurate, up-to-date cloud census
Activating a cloud service can be as easy as entering a credit card number on a provider's website. So if you're not careful, individual departments and teams will start using the cloud without proper security. That's why it's essential to ensure that you always know whenever anyone anywhere across your organization onboards a new cloud service.
Cloud security tip #2: Understand the shared-responsibility model
Generally speaking, cloud providers are responsible for the security of the cloud—while you're responsible for security in the cloud. In other words, they'll make sure that what they're providing as a service (whether it's infrastructure, infrastructure plus an application, etc.) is safe. But you have to make sure that what you do with what they provide (i.e., the workloads you run and the data you store) is safe to mitigate cloud computing security risks. To make sure you're clear on who's responsible for what, take a close look at your agreement and don't be afraid to ask questions.
Cloud security tip #3: Leverage your providers' native security telemetry
Cloud providers offer a variety of tools to help you maintain visibility into your region of their cloud. Amazon Web Services (AWS), for example, offers a threat detection service called GuardDuty that continuously monitors AWS accounts, workloads, and stored data for malicious activity and anomalous behavior. Every provider offers a different set of telemetry and alerts, though—so make sure you understand what each of your providers can give you.
Cloud security tip #4: Add cloud security instrumentation wherever you need it
While cloud providers' native security tools are useful, you need to supplement them wherever appropriate. This is especially true in IaaS and PaaS environments, where you're probably stacking multiple layers of technology on top of what you're "renting" in the cloud. But switching between siloed systems to detect and respond to threats, especially without broader context, is inefficient and ineffective. A single solution that not only centralizes and correlates data but also provides related threat intelligence and dynamic detection capabilities can provide holistic coverage across cloud, endpoint, network, and other systems.
Cloud security tip #5: Integrate your cloud telemetry with your on-premise telemetry
To detect and stop an intruder who has already breached your perimeter, you often need to piece together clues from different locations in your environment—for example, an unusual remote login by a user account combined with keystrokes from that account that invoke a set of privileged administrative commands. The only way to automatically pick up on those clues is by using the advanced analytics built into solutions such as Taegis™ XDR. The ability to detect behaviors such as hands-on-keyboard and pass-the-ticket attacks, on top of aggregating your cloud and non-cloud telemetry in an extended detection and response solution, enables timely detection and response across your entire connected ecosystem.
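The correlation described above, written out as a minimal detection rule. This is an added example, not code from the article or from Taegis XDR; the event format, the "known source" flag and the list of privileged commands are assumptions, and the sample events are constructed.

```python
# Added example (not from the original article): pair an unusual remote login
# with privileged administrative commands from the same account inside a
# time window. Event shape and the privileged-command list are assumed.
from datetime import datetime, timedelta

# Commands treated as privileged administrative activity (assumed list).
PRIVILEGED_CMDS = {"net user", "whoami /priv", "vssadmin delete shadows", "sc create"}

# Constructed sample telemetry: login records (with a flag for whether the
# source address has been seen before for that user) and command records.
EVENTS = [
    {"ts": "2024-01-10T02:14:00", "type": "login", "user": "jdoe",
     "src": "203.0.113.7", "known_src": False},
    {"ts": "2024-01-10T02:16:30", "type": "cmd", "user": "jdoe", "cmd": "whoami /priv"},
    {"ts": "2024-01-10T02:17:10", "type": "cmd", "user": "jdoe",
     "cmd": "vssadmin delete shadows /all"},
    {"ts": "2024-01-10T09:00:00", "type": "login", "user": "asmith",
     "src": "10.0.0.5", "known_src": True},
    {"ts": "2024-01-10T09:05:00", "type": "cmd", "user": "asmith", "cmd": "whoami /priv"},
]


def correlate(events, window_minutes=30, min_privileged=2):
    """Return one alert per unusual login that is followed, within the
    window, by at least `min_privileged` privileged commands from the same
    account. A known-source login or a single privileged command alone
    does not fire, which is the point of correlating the two clues."""
    alerts = []
    for login in (e for e in events if e["type"] == "login" and not e["known_src"]):
        start = datetime.fromisoformat(login["ts"])
        end = start + timedelta(minutes=window_minutes)
        hits = [
            e["cmd"] for e in events
            if e["type"] == "cmd" and e["user"] == login["user"]
            and start <= datetime.fromisoformat(e["ts"]) <= end
            and any(e["cmd"].startswith(p) for p in PRIVILEGED_CMDS)
        ]
        if len(hits) >= min_privileged:
            alerts.append({"user": login["user"], "src": login["src"], "commands": hits})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```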
Cloud security tip #6: Watch your privilege
It can be a bit of a pain to rigorously implement tight role-based controls for every account across every cloud your organization uses. Aggressive adherence to the least-privilege principle can also occasionally cost you a little productivity while you work out why a given user needs to perform an action. But those downsides are small compared to the cloud computing security risks you'll expose your organization to if you default everyone to excessive permissions—because those excessive permissions are often exactly what enable threat actors to turn a compromised account into a ransomware fiasco.
Cloud security tip #7: Establish and pre-test lines of communication
You don't want to wait until a crisis hits to establish your relationships with your cloud providers' security staffs. In fact, if you can get it written into your contract, it's not a bad idea to periodically include them in a tabletop security exercise. That relationship building will really come in handy down the road if and when you have to collaborate to address a live threat.
With all that said, it's worth noting that cloud providers as a rule are much better at cybersecurity than their customers are. That's in part because their economies of scale and business model permit them to allocate far more resources to preventive and reactive security. It's also because they typically subject themselves to multiple stringent security standards from around the world to serve customers in highly regulated markets such as finance and healthcare, whose trust would be lost without sufficient security.
You can validate cloud provider claims about their security posture by asking for any documentation they can offer about their certifications and recent audits. You may also want to talk to the security folks at your cloud providers' other customers to see what they have to say.
One more caution, though. Because the appeal of cloud is centered on its ease of implementation, organizations have a tendency to deploy first and worry about security later. This is obviously a bad idea. Encryption, identity management, and other cybersecurity best practices shouldn't be afterthoughts just because the cloud is inherently safer than on-premise infrastructure. Those best practices should be intrinsic to every cloud implementation from the get-go, as should a clear and established plan to implement a holistic prevention, detection, and response strategy that spans your cloud and other systems, such as leveraging Taegis XDR. After all, the cloud is simply an extension of your enterprise—which means it's also an extension of your attack surface.