As enterprises continue to rapidly adopt cloud computing, cloud security remains a primary concern. According to Cybersecurity Insiders, 94% of cybersecurity professionals confirm they’re at least moderately concerned about public cloud security, with 69% of organizations rating their team’s security readiness as average or below average.
To help address the gap in cloud security readiness, we’ve outlined seven key steps to help cloud customers improve their cloud security posture management.
1. Clarify internal cloud security responsibilities
The first step to improving your cloud security posture is to clarify responsibilities. The Shared Responsibility Model defines the distribution of responsibilities for security in the cloud between the cloud provider and the customer. In short, the cloud provider is responsible for the security of the cloud and the customer is responsible for security in the cloud. The below diagram demonstrates how this plays out across different types of cloud services.
It’s also important to identify responsibilities internally. Cloud security is no longer a function of just one team—cloud security is a shared responsibility throughout the organization, with each department understanding the security risks and policies of the cloud services they’re using.
Leading organizations start with a Cloud Center of Excellence (CCoE)—a cross-functional team tasked with supporting and governing the execution of the organization’s cloud strategy. They do this by establishing policies and guardrails, driving collaboration and adoption of best practices across a range of disciplines—including cloud financial management, operations, and security and compliance—as well as overseeing the implementation of cloud technologies and tools.
2. Communicate
Once you have internal cloud security responsibilities defined, it’s important to keep open lines of communication between the centralized cloud security and operations team and broader lines of business.
With automated cloud security threats and malicious bots, information needs to be shared as quickly as possible to avoid lost time. A CCoE enables efficient information-sharing because it includes traditionally siloed teams (Developers, Finance, Security, etc.) and understands all the components of the cloud in order to get the right information to the right person, fast.
Additionally, a best practice is to have regular meetings with the CCoE and other lines of business to discuss pain points, solutions, policy updates, and lessons learned from their day-to-day efforts. With this, stakeholders from across functional teams can understand the cloud security implications of decisions before implementing them.
3. Gain comprehensive visibility into your cloud resources
As the saying goes, “you can’t protect what you can’t see,” it’s critical to have visibility across your entire cloud environment for a successful cloud security posture. Cloud service providers offer native monitoring tools that can be helpful to an extent, but have limitations, especially when it comes to getting detailed context and visibility across hybrid cloud or multi-cloud environments.
Leading third-party cloud security and compliance solutions can provide a complete picture of your cloud environment, spanning the data center, edge, and across clouds, for workloads running in VMs, containers, and alongside native cloud services. When evaluating the cloud security solution for your business, there are a few questions to keep in mind in terms of visibility:
- Does it provide granular visibility across different asset types (accounts, owners, IaaS, PaaS, Serverless)?
- Can it show relationships and dependencies between cloud services (not just in isolation)?
- How often is data updated? Weekly, daily, or near real-time?
- Can I visualize information by category (projects and cloud providers)?
These are just a few primary questions to keep in mind. For the complete cloud security solution checklist, see our infographic here!
In addition to having the right tools for visibility into your infrastructure, it’s important to have a coordinated approach to collecting, organizing, and analyzing your data. As a best practice, implement consistent tagging policies by application, owner, resource, department, etc. to break down reliable information by the categories most important to you. See multi-cloud tagging best practices here.
4. Define your standards with a cloud governance program
Cloud security teams need to strike a balance between giving cloud users what they need when they need it, and also putting rules in place to ensure security. To do this, align with your organization’s CCoE to create a cloud governance program where you define best practices, socialize them, and take action when a policy or standard is violated. When defining policies, consider your controls, target environments, and exceptions:
- Controls: The Center for Internet Security (CIS) provides a list of cloud security controls that are a good place to start, but especially if you’re in a highly regulated environment such as Healthcare or Government, ensure your controls cover all the guidelines you require (e.g. HIPAA, GDPR, NIST). Learn how to create custom compliance frameworks within CloudHealth Secure State here.
- Target environments: Once you’ve defined your controls, specify which environments they do or do not apply to. Should the control be applied business-wide? For internal or external environments? For development, testing, and production environments?
- Exceptions: They’re going to happen, so plan out the workflow and documentation around exceptions—what are the exceptions specifically? How long is the exception in place? For which users does the exception apply?
To see how a control might look like in your organization, here’s a practical example:
- Control: EC2 instance is Publicly Accessible and has elevated privileges for S3 Buckets (CIS AWS, NIST 800-171, EU-GDPR)
- Target environment: All Production SaaS Accounts
- Exception: Whitelist/suppress accepted EC2 instances with Tag App1
Pro tip: To help increase cloud security policy adoption, ensure policies are clearly defined and something a developer could actually put into code. For example, if you have a policy that passwords must be complex, it would be better to have a policy that passwords must be greater than 12 characters because a developer can implement this function into their code.
5. Detect cloud misconfiguration vulnerabilities
With the rate at which workloads are deployed in the cloud and the number of people that can deploy at the same time, speed is key when it comes to cloud security. Manual detection is no longer an option to stay on top of the potential misconfigurations and vulnerabilities in your cloud environment.
Many cloud security detection tools will provide isolated information. It can show that within a security group, a resource type is not compliant with a certain rule, but this doesn’t provide insight into the level of risk, how it’s connected to other resources, or recommendations for next steps.
For example, an EC2 instance with SSH port (22) accessible from any source address is a medium risk security violation. SSH port is commonly used for administrative access and is an attractive target for attackers. However, the relationship diagram below also shows that the same EC2 instance is connected to an internet gateway. This relationship makes this SSH port publicly accessible, thus elevating the overall risk of the security violation.
To better prioritize security issues and make your job easier, look to leading cloud security solutions that can visualize cloud resource relationships and misconfigurations in context, detect security risks in real-time across cloud platforms, and track progress for detections and remediations.
6. Remediate issues
Once you detect a cloud security issue, the next step is remediation. Just like detection, speed is key. Bad actors today rely extensively on automation and can target new cloud misconfiguration vulnerabilities quickly, sometimes in just under a minute. While the attacks are getting more frequent and sophisticated, cloud security teams must rely on automated remediation in order to scale.
Initially, most security teams resist auto-remediation. They worry that without reviewing, automated actions could break production or cause other problems. The key to automation for cloud security teams is to segment security actions into ones that can be fully automated and those that need human intervention.
As a best practice, fully automated actions or guardrails are cloud security policies and configuration standards that apply universally across cloud teams or resources. Examples include policies that deny accidental changes to baseline security monitoring controls or those that require boundary permissions for all IAM users and roles.
The policies you choose to automate, and at which level, depends on your organization. Align with your CCoE to define where to automate policies and where manual actions may be needed.
7. Shift left
In terms of cloud security, “shift left” is the practice of implementing security checks and best practices early in the software development process, rather than later. This enables detection and prevention of potential security issues before getting too far along in development, ultimately saving developers time and the business money.
To shift left, we recommend a few best practices:
- Start with security-verified coding standards. Ensure all developers agree to the same coding standards. This helps expedite the review process and also guarantees a higher quality of code.
- Verify security configurations early on in the development process. Implement testing into a continuous integration and delivery (CI/CD) pipeline. How often and when testing takes place needs to be standardized and agreed upon across all development teams.
- Leverage cloud security tools. By leveraging cloud security tools like CloudHealth Secure State, you can continuously monitor your environment, alert application teams, and proactively remediate violations before applications hit production. You can learn more about how CloudHealth Secure State can improve your cloud security and save your teams’ time in our solution brief here.
More recently, shift-left has grown to include management and operational processes—for integration earlier in the application lifecycle, or to move operational capabilities closer to the developer or end user. We address the question, “What does shift left really mean for IT Platform Teams?” in our in-depth article here.
Next steps
Whether you’re planning your first cloud migration or already automating a majority of your cloud security policies, it’s imperative to gain visibility into your cloud environment to ensure a strong cloud security practice. If you’re not sure where you stand, here is a five-minute cloud management maturity assessment. Based on the results, you’ll receive personalized insights and next steps to improve your cloud management maturity.
And if you’re looking for a deeper dive into cloud security best practices, see our whitepaper: Building a Successful Cloud Infrastructure Security and Compliance Practice