Make cloud security your responsibility! Or, to put it in the words of Werner Vogels, CTO of AWS, “We are responsible for the security of the cloud.” In an age of ever increasing data security concerns, security is everyone’s job, and this applies even more to cloud infrastructure security. While cloud cost management may be a concern, it is not the priority.
While the cloud comes with flexibility that gives developers and organizations the freedom to start up, experiment and scale with ease, it also comes with the great responsibility of tackling an increased security threat surface. Werner recently stressed the importance of encrypting and securing your data in the cloud at re:Invent 2017 in Las Vegas.
Cloud security is a shared responsibility of the cloud provider and the customer. Security is also one of the five pillars of the Well-Architected Framework for cloud infrastructure, as published by AWS.
As a responsible cloud customer, you can follow the security design principles below to effectively safeguard your information, systems and other cloud assets.
Follow the principle of least privilege for strong identity management
Encrypting data should be your default behaviour. You must follow the principle of least privilege to reduce the threat surface: provide only the permissions that users and groups actually need, and grant more only when a need arises. Solid identity and access control is paramount to a secure infrastructure.
Ensure there is no credential sharing. Each entity or individual in your team should have their own credentials, so that any security incident can be quickly isolated to a single identity.
Also, don’t forget to rotate access credentials regularly, and always follow identity and access management best practices.
Automate periodic and real time security audits
While most public cloud providers have APIs that help you automate numerous security best practice checks, cloud management platforms like Botmetric can help you in the quest to automate. Finding and bridging security gaps in your cloud infrastructure must be automated as much as possible.
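As an added example (not Botmetric's code or any AWS tool), here is a small Python check in the spirit of the automated audits above: it lints IAM policy documents for the wildcard grants that violate the least-privilege principle described earlier (a '*' action, a service-wide action such as 's3:*', or an unconditional '*' resource). The policy documents, bucket name and statements are constructed for illustration.

```python
import json

# Constructed sample policies (not from the page): one over-broad, one scoped.
OVER_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_over_permissive(policy_json):
    """Return findings for Allow statements that grant wildcard actions,
    service-wide actions (e.g. 's3:*') or an unconditional '*' resource.
    Heuristic: some read-only APIs legitimately need Resource '*', so
    review each finding rather than treating it as a hard failure."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"statement {idx}: action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"statement {idx}: action '{action}' grants a whole service")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" and "Condition" not in stmt:
                findings.append(f"statement {idx}: resource '*' without a Condition")
    return findings
```

Run it over every customer-managed policy pulled from the IAM API and fail the audit on any finding that a human has not explicitly accepted.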
Apply security at all layers of your cloud infrastructure
Securing the perimeter of your cloud infrastructure is just the tip of the iceberg. You must have robust security in place at every level, from the perimeter to the application. For example, on AWS you must have proper, well-defined security controls in the edge network, the virtual private cloud (VPC), subnets, load balancers, every instance, the operating system, and your application logic.
Enable the detective services and have an audit trail for all activities
Detective services means enabling all access and flow logs across all layers of the cloud infrastructure. If your cloud provider offers ways to monitor access to your infrastructure in real time, enable them; on AWS, for example, enable CloudTrail. You can also go one step further and automate the response to known security alerts. For example, on AWS you can automatically disable a user’s account after a specified number of consecutive failed login attempts using CloudTrail events and AWS Lambda.
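The CloudTrail-plus-Lambda response described above, as an added example that is not from the original post: it replays ConsoleLogin records in time order, counts consecutive failures per IAM user, resets the count on a success, and invokes a disable callback once a threshold is crossed. The records, user names, threshold of 3 and the in-memory state are assumptions; the field names (eventName, userIdentity, responseElements.ConsoleLogin) are the ones CloudTrail uses for console login events.

```python
from collections import defaultdict
FAILURE_THRESHOLD = 3  # assumed setting: disable after this many consecutive failures

def _login(time, user, outcome):
    """Build a trimmed CloudTrail ConsoleLogin record (constructed test data)."""
    return {"eventTime": time, "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": outcome}}

SAMPLE_RECORDS = [  # alice fails three times in a row; bob's streak is broken by a success
    _login("2018-01-10T09:00:01Z", "alice", "Failure"),
    _login("2018-01-10T09:00:20Z", "bob", "Failure"),
    _login("2018-01-10T09:00:45Z", "alice", "Failure"),
    _login("2018-01-10T09:01:02Z", "bob", "Success"),
    _login("2018-01-10T09:01:30Z", "alice", "Failure"),
    _login("2018-01-10T09:02:00Z", "bob", "Failure"),
]

class ConsecutiveFailureMonitor:
    """Counts consecutive console-login failures per IAM user and calls disable_user
    (in production: attach an explicit-deny policy or remove the login profile). State
    is in memory here; a real Lambda would persist it between invocations (assumption)."""
    def __init__(self, threshold=FAILURE_THRESHOLD, disable_user=None):
        self.threshold = threshold
        self.disable_user = disable_user or (lambda user: None)
        self.failures = defaultdict(int)
        self.disabled = set()

    def process(self, record):
        """Feed one CloudTrail record; return the user name if it was just disabled."""
        identity = record.get("userIdentity", {})
        user = identity.get("userName", "")
        if (record.get("eventName") != "ConsoleLogin" or identity.get("type") != "IAMUser"
                or not user or user.startswith("HIDDEN")):
            return None  # root/federated logins and hidden user names need separate handling
        if record.get("responseElements", {}).get("ConsoleLogin") == "Success":
            self.failures[user] = 0  # a success breaks the streak
            return None
        self.failures[user] += 1
        if self.failures[user] >= self.threshold and user not in self.disabled:
            self.disabled.add(user)
            self.disable_user(user)
            return user
        return None

def users_to_disable(records, threshold=FAILURE_THRESHOLD):
    monitor = ConsecutiveFailureMonitor(threshold)
    hits = [monitor.process(r) for r in sorted(records, key=lambda r: r["eventTime"])]
    return [u for u in hits if u]
```

CloudTrail hides the user name on failed logins for non-existent users, which is why such records are skipped rather than counted against a real identity.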
Data is what most intruders are after. Protect it!
Cloud data security is the most essential element, and you must take all the necessary steps to protect your data. From a data protection perspective, data on a cloud infrastructure can be categorized as follows:
Data in transit
Data in transit includes data transmitted between servers within your infrastructure, or between your servers and the internet, which may include your end users. You can ensure the safety of data in transit by using transmission protocols that implement the latest version of Transport Layer Security (TLS). Use HTTPS, and enforce it wherever sensitive information is transmitted.
Data at rest
Data at rest is data held in persistent storage media: block storage, databases, and object storage. A common cloud security best practice is to encrypt data at rest, so that even if an intruder gains access to the stored data, the real data remains safe because it is encrypted. Check with your cloud provider whether it offers built-in encryption for its various storage media, and whether you can bring your own encryption keys for heightened security.
In addition to safeguarding your data from unauthorized hands, you must have a well-defined data backup policy. In incidents where the intruder simply deletes data instead of trying to read it, you should be able to recover. At the very least, your mission-critical data must be backed up at proper intervals.
Have a well defined incident response management process
Despite following all cloud security best practices, you may still fail. The best solution is to be ready for anything: implement a response plan as well as a recovery plan for possible security incidents.
While cloud providers ensure security at their end (physical infrastructure and at other levels based on the service you are using), you as a customer must focus on security at your end.
It is important to be extremely stringent while designing and defining the security controls of your cloud infrastructure. Follow best practices from day one, regularly monitor each of the security layers in your infrastructure, and efficiently automate best practice checks, including the response to known incidents. Make security your #1 priority in 2018 to stay compliant and let security breaches in your cloud be a thing of the past. Security risks are tough pills to swallow. Remember: security is everybody’s job!
The original post was published on the Botmetric blog.