Cloud Security is something that IT needs to consider very seriously as businesses move their operations to the Cloud. The security hardware and software and the policies and procedures they use for in-house systems need to be modified for external operations from the cloud. Cloud Security becomes a matter for IT operational management and strategic planning.
Because it is a fairly new discipline, IT can have a problem getting to grips with effective Cloud Security measures. One model which is gaining traction is the “shared responsibility” model. This means that the provider of the cloud platform is responsible for the security of the cloud, and the customer is responsible for the security of what is held in the Cloud.
Improving the security of a Cloud environment can be quite simple.
First, define some goals:
- Perimeter Security. Traditionally, security was based on creating solid perimeter defences. Cloud Security models are based on authentication and access control because of the dynamically changing and dispersed nature of endpoints and the increasing use of BYOD devices by remote users.
- Scalability. The dynamic nature of a Cloud means that the infrastructure to support rapidly changing storage and processing is also dynamic. Operational policies and procedures need to be equally fluid. These policies are often contained in a Business Continuity Plan, so it must reflect the Cloud environment.
- Monitoring. Hosting critical business systems and their data in the Cloud opens up an entirely new and much larger attack surface for malware and other hacker threats. New threats are evolving every day, and existing ones are increasing in frequency and ferocity. Monitoring defences and making sure they are up to date becomes a critical task. Proactive is the new watchword.
Here are five rules that have been proven to work in practice.
Under no circumstances allow hardware and software to retain default configurations and access credentials. Review the configuration, enable only those services that you need, change the access user credentials and remove the default ones.
Part of this process is severely limiting manual configurations. If possible, use automated techniques to limit the potential for accidental or deliberate misconfigurations. The ultimate objective is to remove the need for, and the ability to, carry out manual configuration. In networking, a Software-Defined or Intent-Based network is the goal.
Secure and Regularly Audit User Credentials
Cloud Security is heavily dependent on users having valid access credentials that first, allow access, and second define what they can see and do. The current move is towards a zero-trust model, where unauthorised users are blocked, and authorised users are given the lowest possible access privileges. They only receive elevated privileges when they are authorised to have them. Access control is enhanced by implementing a 2FA model.
An option is to move the Cloud environment to PKI authentication. This removes the need for passwords, and anyone without access to the private key is locked out. Password theft is irrelevant, and brute-force login attacks will fail.
Using groups can ease the admin workload considerably. Assigning all users to groups can implement a fine-grained security environment without overloading administrators. For example, create an admin group that has root access, but deny it to all other groups. A Reporting Group can have users with read-only access. Groups can be disabled temporarily by applying a non-access policy and reactivated by removing it later.
Monitoring and a very regular audit of groups, their users and access levels is a must.
A Business Continuity Plan
This is not optional. You will have security issues at some point and will need to recover from a catastrophic event. Design a Business Continuity plan based on your risk evaluation. It will involve third parties, so a communications plan is another essential component.
A common hack is to hijack a DNS entry and divert users to a fake website. Monitor and regularly review your DNS credentials and Cloud configurations to prevent Domain hijacking.
Logging and Monitoring
Usually, it is reactive, and it must change to become proactive. Use risk-based logging and make sure that alerts are used, and make them actionable, not just informative.
There are many other things that can be done, but the five tips set out above will give a solid basis for improvements in your Cloud Security.