Keep Your Head in the Cloud
With 2017’s high-profile security incidents and 2018’s major new regulations, now is the time to take action to secure the cloud
By: Secureworks
On-demand self-service, resource pooling, rapid elasticity and broad network access have all driven enterprises to some form of cloud adoption. But it's important to remember that “the cloud” is not a discrete business tool or strategy—it's not a single avenue for IT—it's every avenue. The flexible, dynamic uses of the cloud present an equally dynamic and shifting landscape that requires protection.
Defining shapes in the cloud—what is the scope of the security problem?
One of the first steps is to recognize and understand the model of shared responsibility for cloud security, in which the cloud service provider (CSP) and the enterprise have varying degrees of ownership for network, platform, application and data protection. From there, you can take stock of the different ways your cloud usage could be vulnerable, including:
- Interface risk – that the documented interface differs from reality
- Vendor insider risk – posed by a malicious insider at the cloud service provider
- Corporate insider risk – posed by a malicious insider within your organization
- Control gaps – that create exposure because some security controls are not applied correctly
Enterprise security teams must also contend with the fast pace of cloud development and the decrease in cost for complex deployments. It is difficult to put the brakes on exciting, affordable new IT initiatives until proper security controls have been established and tested. Many security teams are losing their place in the governance pipeline as business units rapidly pursue new SaaS tools and employees simply start adopting new cloud applications organically.
Is security just a rain cloud?
Security best practices for the cloud require awareness and proactive thinking, but that doesn't mean security will rain on the innovation parade. Many of the advantages of cloud computing are also beneficial to security implementation. For example, cloud migrations and applications present an opportunity to reset security strategy and perfect the asset inventory. The cloud also enables and encourages micro-segmentation, a security technique that allows fine-grained policies to be assigned to data center applications, down to the workload level. With micro-segmentation, security models can be deployed deep inside a data center, using a virtualized, software-only approach. Micro-segmentation also reduces the attack surface within your network, limiting what attackers can exploit. Last but not least, the cloud is driving security to a much higher degree of automation, making compliance, detection and configuration management more systematic and robust. Automation will also expand to include incident detection, forensics, and visibility.
Five recommendations for effective cloud security in 2018
1. Begin with the end in mind—start with a risk-based approach
Perfect security isn't possible, but that doesn't mean enterprises should bury their heads in the sand or stand paralyzed by fear. First assess and document the accepted level of risk tolerance for the areas in the cloud (data, applications, the platform and the network). Then determine the most critical areas to address first. Anticipate what happens if a security control fails. Make regular red team/blue team exercises and response plans a bigger part of the security strategy in 2018. Remember that you can't boil the ocean, but you can address risk with optimism and practicality.
2. Assess and leverage native security services
Cloud service providers offer native security services that can be programmatically applied or baked into standards and processes. With a wide variety to choose from, enterprises can decide which services best meet their needs for added, instant protection.
3. Get identity management right
One of the tricks to identity management in the cloud is to integrate and apply it everywhere possible—across users, groups and roles, system and service accounts, and SSH key management. In cloud environments, identity management can be a versatile and reliable security control. Done properly, identity management creates a win/win for both users and security.
4. Address configuration hygiene
As organizations adopt infrastructure as a service (IaaS) and migrate workloads to the cloud, getting all of the configuration details right from the start is foundational to effective security. The cloud control plane is the best place to mind security hygiene. It's a good place to enforce and monitor policy, and it enables you to deploy tools to assess and repair issues. If your organization is using Amazon Web Services (AWS), the Center for Internet Security (CIS) Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security.
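As an added illustration (not part of the original article and not Secureworks or CIS tooling), the sketch below shows what a control-plane hygiene assessment can look like: it runs a handful of checks, paraphrased from the kind of recommendations in the CIS benchmark for AWS, over a constructed snapshot of account configuration. The snapshot layout, field names and check labels are assumptions made for the example.

```python
import ipaddress
from datetime import date

# Constructed snapshot of control-plane state (not real account data). The field
# names are simplified assumptions, not the AWS API response format.
SNAPSHOT = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "ports": (443, 443)}]},
        {"id": "sg-admin", "ingress": [{"cidr": "0.0.0.0/0", "ports": (0, 65535)}]},
        {"id": "sg-bastion", "ingress": [{"cidr": "203.0.113.0/24", "ports": (22, 22)}]},
    ],
    "users": [
        {"name": "root", "root": True, "console": True, "mfa": True,
         "key_created": [date(2016, 3, 1)]},
        {"name": "alice", "root": False, "console": True, "mfa": False,
         "key_created": []},
        {"name": "ci-deploy", "root": False, "console": False, "mfa": False,
         "key_created": [date(2017, 12, 1)]},
    ],
    "trails": [{"name": "main", "multi_region": False, "logging": True}],
}

ADMIN_PORTS = (22, 3389)   # SSH and RDP
MAX_KEY_AGE_DAYS = 90      # rotation window assumed for this example

def assess(snapshot, today):
    """Return (check, resource) findings for the snapshot."""
    findings = []
    for sg in snapshot["security_groups"]:
        for rule in sg["ingress"]:
            world = ipaddress.ip_network(rule["cidr"]).prefixlen == 0  # 0.0.0.0/0 or ::/0
            low, high = rule["ports"]
            for port in ADMIN_PORTS:
                if world and low <= port <= high:
                    findings.append(("open-admin-port", f"{sg['id']}:{port}"))
    for user in snapshot["users"]:
        if user["root"] and user["key_created"]:
            findings.append(("root-access-key", user["name"]))
        if user["console"] and not user["mfa"]:
            findings.append(("console-without-mfa", user["name"]))
        if any((today - d).days > MAX_KEY_AGE_DAYS for d in user["key_created"]):
            findings.append(("stale-access-key", user["name"]))
    if not any(t["multi_region"] and t["logging"] for t in snapshot["trails"]):
        findings.append(("no-multi-region-trail", "account"))
    return findings

if __name__ == "__main__":
    for check, resource in assess(SNAPSHOT, date(2018, 1, 15)):
        print(f"{check:22} {resource}")
```

Note that the wide-open port range on `sg-admin` is flagged for both SSH and RDP even though neither port is named in the rule, which is the kind of gap a manual review of individual rules tends to miss.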
5. Think and act like a development team
If you want to weave security throughout your cloud computing environment, your security team needs to think and act like a team of developers. In the cloud, developers can build, deploy and manage applications rapidly. Your security team should try to take advantage of existing workflows to ensure security keeps pace with development. In addition, encourage the security team to use standard images. VM image sharing is one of the underpinnings of cloud computing, and can facilitate the deployment of secure new virtual machines while reducing configuration and management costs.
Make the secure path the easy path
No matter where you are on the cloud computing spectrum, any consideration of your users and your data eventually comes back to security—or at least it should. By starting with a risk-based perspective, you can assess or re-assess where your cloud usage is vulnerable. SaaS, PaaS and IaaS all take different approaches to addressing those risks. But whichever model applies, getting identity management right, prioritizing security hygiene at the cloud control plane, and emphasizing a development mindset for your security team will set your enterprise on a secure path in 2018.