The IT Security Professional
Helping Organizations Understand IT Security
The cloud has become ubiquitous in today’s IT infrastructure as most organizations have adopted it as an integral part of their infrastructure architecture, but it continues to be difficult to implement and set up properly. While there are controls and specific settings that can be applied to your cloud resources, it is important to understand which ones to apply and how to apply them. This begins with choosing the right service provider and developing an overall strategy for how the cloud will be implemented within your company.
1. Determining the Right Service Provider
This begins with determining the right service provider. While there are a couple of HUGE players in this area (we don’t need to drop names here), they are not the only ones these days, as more and more independent or affiliated providers are becoming competitive in the market. When implementing cloud security, it’s not just the data center that you are evaluating. It is also the services that the provider has to offer and the types of security application resources it makes available.
Understanding what you will be using the cloud infrastructure and resources for is an important part of the evaluation and implementation process. The controls that are used to secure the cloud infrastructure will differ depending on its usage within your infrastructure. This is a key component of securing the cloud: treating the cloud as part of the network and securing it as you would the resources within your corporate firewalls.
2. Zero Trust
DON’T TRUST ANYBODY! REALLY, I MEAN IT, DON’T TRUST ANYBODY! This seems to be a great mantra these days as we find that even the slightest chink in the armor of a well-protected network can lead to a compromise. Employing Zero Trust across your cloud infrastructure will allow you to enforce and implement security controls that require your users to validate who they are by multiple methods.
Why is this important? Because in the cloud, once someone is able to compromise a server, an application, or even a service, it is easy to pivot and try to get into other resources of the same company (yes, even if they are logically separated) or even a different one for that matter. Zero Trust allows you to require validation from and restrict all users regardless of who they say they are. This is critical for those services that your organization depends on to deliver for your customers and clients.
3. Access Management
Once the service provider has been determined, it is important to determine who will gain access and how they will be granted it. The various service providers all have the capability to help determine who will be granted access. Additionally, they may have the capability of implementing multi-factor authentication (MFA). Logs and access events will also be recorded and documented, which is important if you want to know who is accessing your cloud resources and when.
4. Endpoint Security
Securing your endpoints in the cloud is one area that most organizations overlook when setting up and configuring their resources. This is a mistake, and these assets should be protected as much as the systems that sit in the office or in the homes of your employees. It’s important to have the same security measures in place for your cloud assets. A majority of organizations will depend on service providers for their security controls, even when this is not the case.
The organization pays for the hardware and the bare metal of the servers and the infrastructure on which those assets reside. It is up to the company to employ endpoint security measures to secure those endpoints. Whether this means employing malware detection software or scanning those assets for vulnerabilities, it is important that those systems are managed in a similar manner to those that are on premises.
5. Network Monitoring
One of the key areas of monitoring will be the network environment. This is especially true of the resources and infrastructure that you’re utilizing in the cloud. This resource is something that your business will be paying for, and it is important that it be utilized effectively. Traffic, access, and utilization are all important aspects that should be monitored closely by any company.
6. Define Cloud Usage Policies/Procedures
No matter why you are using the cloud, defining the policies and procedures that you will use is important for your company to establish right away. The reason for this is that resources in the cloud are finite and you may be restricted by capacity or availability, and even monetarily. These restrictions can be detrimental to an organization that is using the cloud infrastructure to enhance its network environment. Establishing the guidelines for its usage is important as it will lay the groundwork for future development and utilization of those resources.
7. Determine Trusted Services
What services are you employing using the cloud? Setting up trusted services allows the organization to employ automated processes to help secure those services in a timely manner. One example is the deployment of a certificate from a trusted certificate authority as soon as the previous one expires. This allows your IT Security staff to be one step ahead of a potential bad actor.
Establishing the trust relationship will enable an organization to secure its perimeter by trusting that those services meet specific requirements. It’s important for an organization to determine what specific factors it will want in a trust relationship and how those factors are measured. While most cloud providers will be able to help in this process, it is important that IT Security Pros follow up and do their own evaluation.
8. Manage Data
Understanding your data and how it will be transmitted and stored is important especially when monitoring network traffic. Data can accumulate at a rapid pace and it can be difficult to sift through the complex and exhaustive logs and datasets. Developing a process for how this data will be managed and monitored will help to make sure that this information is manageable.
Depending on which industry you are working in, there may be specific requirements as to how long the data will need to be stored. It is important to understand these requirements as they will affect which standard your organization adopts. With data storage, it all comes down to the capacity to store the data and how it is managed once it is collected. Having this addressed when you set up your cloud environment will go a long way in saving headaches later on.
9. Adopt a Standard
While there is a myriad of standards out there, it is important to pick and adopt a standard that makes sense for your organization. This may be due to the type of work your company does, or industry-specific requirements. Whatever the reason, adopt a standard. Here are some cloud-related standards to consider:
Having an established baseline to build from will help to determine configurations and settings that will be employed during the development of your cloud infrastructure. Being compliant with these standards is different than being certified as the majority of the standards listed here require a third-party assessment in order to validate their processes.
Summary
Organizations are continuing to adopt cloud services in order to realize the cost savings and the flexibility that these service providers are able to offer their business. No matter the reason that you are looking to adopt the cloud infrastructure, it is important to remember that there are things that you can do to help secure the environment and infrastructure. By employing the 9 Cloud Security Best Practices as outlined in this article, your organization will greatly benefit from the enhanced settings and configurations outlined here.
Erich is an experienced IT Security Professional that works with businesses of all sizes to help them understand the impact of IT Security on their organizations.