In today’s technology environments, data is growing at an exponential rate: roughly 10x what it was several years ago, measured in petabytes rather than gigabytes. Organizations look to store their data, and to archive it, in the public cloud. Given this situation, the question that keeps every CISO up at night is: how do we secure our data when we don’t own the infrastructure it sits on?
Cloud security is a journey, not a destination. No matter which cloud you choose to put your data in, one thing remains the same: it is always your data and your responsibility. Many organizations want everything logged, and they debate secure coding versus secure infrastructure; it is a huge basket of technology, everything from platform logs, OS logs and network flow logs to failed and successful logins, and it all ends up eating storage in the SIEM.
When we talk about cloud security and where to start, it is always imperative to start with the following:
- Zero Trust
- Least Privilege
- Process Security
Zero Trust is built on a framework. Essentially it means that no person, device or application in the network should be trusted implicitly. That in turn brings in “Least Privilege”: giving the user just enough rights to perform their job successfully, and no more.
This is where Authentication and Authorization come into play. Authentication simply means proving that the user, whether a human or a computer, is in fact who they claim to be. Authorization means establishing, once we are certain of the user’s identity, that this person or service is permitted to access the resource it is requesting. Identity and Access Management (IAM) is a strong foundation for access in the public cloud, providing credentials, identity and access for humans, applications and devices.
Within IAM it is also best practice to write policies with explicit “Allow” and “Deny” statements; note that an explicit deny takes precedence over everything else, so no allow can override it. This makes fine-grained access control possible.
It is very important to think fundamentally about the security design principles, which are the following:
- Zero Trust
- Implement a strong identity foundation
- Enable traceability
- Apply security at all layers
- Automate security best practices
- Protect data (in transit and at rest)
Once the foundation is applied, Detective Controls should be implemented. Identifying a potential security threat is essential for any organization, and the key areas here are:
- Capture and analyze logs
- Integrate auditing controls with notifications and workflow; use your logs
- Ensure that all your public cloud accounts have audit logging enabled centrally
- Prevent auditing from being modified in an account
- Have all audit logs consolidated in one central place
To protect network and host level boundaries, VPC considerations:
- Subnets to separate workloads
- Use NACLs to prevent access between subnets
- Use route tables to deny internet access from protected subnets
- Use security groups to grant access to and from other security groups
Limit what you run in public subnets:
- ELBs/ALBs and NLBs
- Bastion hosts
- Where possible, avoid having a system directly accessible from the internet
External connectivity for management:
- Use VPN gateways to your on-premises systems
The best strategy for Data Classification
Start off by classifying data based on sensitivity:
- Public data = unencrypted, non-sensitive, available to everyone
- Critical data = encrypted, not directly accessible from the internet, requires authorization and authentication
Use resource tags to help define the policy:
- “Data Classification=CRITICAL”
- Integrate access with IAM policies
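As an added illustration of the two points above, an explicit deny taking precedence over any allow and resource tags driving IAM policy decisions, here is a small Python model of policy evaluation. It is example code written for this article, not any cloud provider’s real evaluator; the JSON shape mimics IAM policies, but the `resourceTag/<key>` condition key, the sample policies and the ARNs are constructed for the demonstration.

```python
import fnmatch

def _matches(pattern, value):
    # Action/Resource may be a string or a list; "*" wildcards are supported.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, resource_tags):
    # Only StringEquals on the modelled "resourceTag/<key>" keys is supported.
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("resourceTag/"):
            return False
        if resource_tags.get(key[len("resourceTag/"):]) != expected:
            return False
    return True

def evaluate(policies, action, resource, resource_tags=None):
    """Return 'Allow' or 'Deny' for one request across all attached policies."""
    resource_tags = resource_tags or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition", {}), resource_tags)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # explicit deny: no Allow anywhere overrides it
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny

# Constructed sample policies: a broad read grant for analysts, plus a guardrail
# that explicitly denies all access to objects tagged DataClassification=CRITICAL.
ANALYST_READ = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::reports/*"}]}
CRITICAL_GUARDRAIL = {"Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringEquals": {"resourceTag/DataClassification": "CRITICAL"}}}]}

if __name__ == "__main__":
    policies = [ANALYST_READ, CRITICAL_GUARDRAIL]
    obj = "arn:aws:s3:::reports/q1.csv"
    print(evaluate(policies, "s3:GetObject", obj, {"DataClassification": "PUBLIC"}))    # Allow
    print(evaluate(policies, "s3:GetObject", obj, {"DataClassification": "CRITICAL"}))  # Deny
    print(evaluate(policies, "s3:PutObject", obj, {"DataClassification": "PUBLIC"}))    # Deny (implicit)
```

The guardrail denies regardless of the order in which policies are attached, which is exactly the property that makes a tag such as “Data Classification=CRITICAL” a safe place to hang access decisions.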
The key to enabling good security in the public cloud is automating the security posture. Automation has many benefits; to name a few:
- Minimize risk and downtime: automate the security incident response.
- Harden the attack surface: using automation to harden the attack surface makes it possible to control the environment more finely.
- Spotlight vulnerabilities: attackers become more technologically capable, and to prevent an attack we must be able to get insights and analytics that show the weaknesses or areas to improve in the environment.
- Enable continuous monitoring: for the best security posture, it is necessary to have integrated risk management with continuous authorization and monitoring in the environment.