Use of public cloud infrastructure is now commonplace with nearly $60 billion spent annually. Of course, there are good reasons for this as Infrastructure and Platform as a Service provide several advantages over traditional in-house hosting.
Important benefits are time to implement, scalability, availability, and a wealth of centralized tools to help companies manage and monitor their cloud infrastructure.
However, with the benefits come some potential security risks, most stemming from the customer’s use of the platforms versus the platforms themselves.
One big mistake when venturing into cloud is using the same patterns and processes long established with internal in-house infrastructure. Certainly, there are legacy principles that still apply, but companies should build and secure per the best practices of their chosen platform.
From a security perspective, where do you start? To answer that question, I propose starting with 4 key principles that will help you manage your cloud security risk.
To seasoned security professionals, this is an obvious statement but not so simple to implement in practice. At one time this meant hardening your organization’s firewalls.
However, today’s cloud infrastructure, like the applications they support, take a much more componentized approach with interconnecting services.
By starting with a ‘deny all’ strategy in which two services cannot connect until explicitly authorized, and monitoring for when these rules are not followed, you can avoid unexpected access.
While this strategy is often applied to the network, some additional components to include are:
In addition to specifying access explicitly, components must be configured to authenticate themselves with each other to validate their identities. Certificates and a properly managed certificate authority can ensure that when your components interact, they are your components and not an attacker.
Again, for most this is common sense but often falls short in practice. Sensitive data such as customer information, financial data, configurations, etc. all must be encrypted at rest.
Doing so can greatly reduce the risk of an attacker exfiltrating your data or gaining insight on how to expand their access.
The good news is the big cloud platforms provide built-in services to encrypt stored data whether in a file system or database and just as importantly will securely manage the access keys. Because of this, there are very few legitimate reasons to not encrypt your data at rest.
Of course, at rest is only half the story. If unable to access and decrypt stored data, an attacker can instead look for data being passed between components, services, or systems in the clear.
Encrypting data in transit often falls on developers and system designers commonly employing SSL and/or preferably TLS. The cloud platforms do provide tools and services to help, but much of the effort falls on those building and operating the systems.
Our hope is over time more comprehensive services to encrypt data will become available regardless of its current disposition.
Recently Amazon EMR was updated with additional support to centrally manage encryption for both at rest and in transit across clusters. However, EMR as a managed cluster platform is overkill for many applications, but it’s a start.
Today’s environments are too complex to configure and maintain by hand. Infrastructure as Code has become well known and employed by a growing number of organizations. Scripting the deployment and maintenance of your cloud infrastructure has numerous benefits including reduced errors, reduced response time, and better change management.
Often lost though is how automation can reduce your security risks. Codifying not only the deployment configuration but also the security policies means the environment is deployed securely as possible from the start.
Automating the deployment of monitoring and alerting can ensure when an incident occurs, your organization has the information needed to respond quickly and effectively. Using scripted automation to adjust and harden your cloud infrastructure when new risks are identified can give your organization rapid coverage against potential threats.
Over time cloud platforms have developed a rich set of APIs to support nearly all aspects of configuring, deploying, and operating infrastructure in their environments. Regardless of your chosen platform, invest in understanding the automation capabilities, and automate as many aspects of managing and securing your infrastructure as possible.
Operating your cloud infrastructure isn’t a one-time proposition, so it makes sense that securing it isn’t either. Establishing security compliance controls and then continuously monitoring those controls ensures your infrastructure continues to be secured per policy.
The cloud platforms provide robust logging and alerting, covering nearly all services. Alerting should be configured to notify of exceptions that can quickly be remediated before an incident occurs.
When new controls must be applied due company risk profile or regulatory standard changes, monitoring can identify any new exceptions created by policy adjustment.
Finally, for many organizations, continuous monitoring of controls provides the audit evidence needed for more accurate and lower effort audits.