4 Simple and Effective Cloud Security Governance Policies

Due to the nature of the public cloud, your teams can roll out new services and deliver results faster than ever before. But sometimes it’s faster than your security processes can adapt.

As a cloud environment scales and enables teams to deploy new applications more easily and independently, cloud security processes need to account for more users with access to infrastructure and services they couldn’t access previously. Organizations need to implement established cloud security governance policies to mitigate risk and ensure cloud security.

But where do you begin? The Cloud Security Alliance hosted a panel earlier this year on best practices in cloud security. Here, we’re sharing a few simple but effective cloud governance policies the panelists discussed that you can adopt in your organization:

1. Restrict Access to Least Privilege

Jason Needham, Senior Director of Cloud Security at VMware, said that cloud security governance policies don’t need to focus solely on the high-profile industry standards and guidelines. Restricting access to least privilege is an example of a basic cloud security governance policy that can have a big impact.

Kolby Allen, Senior Architect at Zipwhip, acknowledged how important this is, and said his organization doesn’t create public cloud accounts that allow access beyond least privilege. He also added that implementing these types of guardrails can help educate broader teams on the concept of privilege, which can help them think more strategically about who receives access to which resources over the long term.

2. Disable Regions Where Your Cloud Environment Doesn’t Host Workloads

You may think that if your organization doesn’t host workloads in a specific region, your organization won’t pay for it. But that’s not necessarily true.

Attackers who gain access to your public cloud accounts often deploy infrastructure that is billed to your account. If that infrastructure runs in a region your organization doesn’t monitor, and your organization lacks visibility into the sources of its cloud spend, the activity can go unnoticed for a long time.

To mitigate this risk, Kolby said that his organization disables all regions except those where they’re hosting workloads.

3. Disable Cloud Services Your Teams Don’t Need

The library of services available via public cloud service providers is immense and constantly growing.

In addition to disabling unused regions, Kolby recommends disabling access to the cloud services you don’t need as well. This will have minimal impact on your teams, while also limiting the financial damage an attacker can inflict through a cloud breach.

4. Limit Cloud Services Your Organization Does Use

To maximize the flexibility of their cloud accounts, many engineers and developers will set high service limits on instance usage so they have access to the resources they need, regardless of whether actual utilization ends up near those limits.

However, this can expose your organization to risk in the event of a cloud security breach. For example, Kolby highlighted one trend where hackers use cloud resources for bitcoin mining operations. Bitcoin mining can generate a significant financial return, but requires immense amounts of computing power. To keep their costs low (or, more accurately, shift the cost to someone else), hackers will look for unprotected GPU instances to mine bitcoin until their access is revoked.

For organizations that use GPU instances, implementing limits in line with expected usage can protect against this risk. For those that might be concerned about setting limits on resources available to their teams, setting up a governance policy can ensure the right people are notified when a certain type of instance exceeds a usage threshold so they can determine whether the usage is legitimate.
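Policies 2 through 4 above come down to three allow-lists (regions, services, instance thresholds) plus a notification when something falls outside them. The following script is an added example, not code from the panel or from any cloud provider: it runs that check over a constructed resource inventory and returns findings a governance team could route to the right people. The region names, service names, instance families and thresholds are assumed values for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical governance policy modelled on the panel's advice (assumed values):
# regions where workloads are hosted, services teams actually need, and a usage
# threshold per GPU instance family above which someone should be notified.
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}
ALLOWED_SERVICES = {"ec2", "s3", "rds"}
INSTANCE_THRESHOLDS = {"p3": 2, "g4dn": 4}  # max running instances per family


@dataclass(frozen=True)
class Resource:
    service: str    # cloud service the resource belongs to, e.g. "ec2"
    region: str     # region the resource runs in
    kind: str       # instance family, e.g. "p3"; "" for non-instance resources
    count: int = 1  # number of running instances of this kind


def check_resources(resources):
    """Return (severity, message) findings for every policy the inventory violates."""
    findings = []
    family_totals = Counter()
    for r in resources:
        if r.region not in ALLOWED_REGIONS:
            findings.append(("high", f"{r.service} resource in disabled region {r.region}"))
        if r.service not in ALLOWED_SERVICES:
            findings.append(("high", f"use of disabled service {r.service} in {r.region}"))
        if r.kind:
            family_totals[r.kind] += r.count
    # Thresholds apply to the whole account, so totals are checked after the loop.
    for family, total in family_totals.items():
        limit = INSTANCE_THRESHOLDS.get(family)
        if limit is not None and total > limit:
            findings.append(("medium", f"{family} instances running: {total} (threshold {limit})"))
    return findings


# Constructed sample inventory for demonstration; not real account data.
SAMPLE_INVENTORY = [
    Resource("ec2", "us-east-1", "t3"),
    Resource("ec2", "us-east-1", "p3", count=3),        # exceeds p3 threshold
    Resource("ec2", "ap-southeast-2", "g4dn", count=6),  # disabled region, over threshold
    Resource("sagemaker", "eu-west-1", ""),              # service not on the allow-list
    Resource("s3", "eu-west-1", ""),
]

if __name__ == "__main__":
    for severity, message in check_resources(SAMPLE_INVENTORY):
        print(f"[{severity}] {message}")
```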

For more recommendations to help your security strategy adapt for the public cloud, read our whitepaper, Building a Successful Cloud Infrastructure Security and Compliance Practice.