To enforce a cloud security policy effectively, you need a solution that can identify policy violations as they happen and automatically take action to prevent the violation occurring. The failure to act in real time can expose a business to serious data breaches and compliance issues.
Most businesses understand the necessity to implement cloud security policies, but not necessarily what the policies should consist of. For example, evidence suggests many businesses have not implemented a cloud security policy to address cloud configuration drift despite misconfigured infrastructure being one of the leading causes of security breaches and the highest new entry in the Cloud Security Alliance’s “Top Threats to Cloud Computing” (PDF).
Even when a comprehensive cloud security policy is in place, some businesses rely on solutions that notify policy violations retrospectively—the cloud computing equivalent of closing the stable door after the horse has bolted. These types of solutions do little to enhance a business’s cloud security posture and can even create a false sense of security that the policies put in place to protect the business from data breaches and compliance issues are effective.
Why real time enforcement of cloud security policies is essential
Imagine arriving at work on a Monday morning and reading a notification from your monitoring solution that the previous Friday night an intruder got into the network via a misconfigured security group, was able to move laterally throughout the network, and extract 100 GB of unencrypted sensitive data. Depending on what cloud security policies you have in place, that’s potentially three policy violations that could have been avoided by:
- Enforcing a policy that prevents the deployment of misconfigured security group
- Enforcing a policy that prevents lateral movement through a network
- Enforcing a policy that automatically encrypts sensitive data
With real time enforcement of the first cloud security policy, the intruder would never have got into the network and the subsequent events would not have occurred. Nonetheless, the second and third policies are still required to prevent other security threats.
In addition to the above scenario, there are multiple examples of how real time enforcement of cloud security policies can help businesses avoid data breaches and compliance issues by preventing the unauthorized use of resources and the misuse of authorized resources.
Real time enforcement solutions don’t have to block every non-compliant cloud activity
While it’s clear real time policy enforcement is more effective than retrospective notifications, when you use a cloud management platform with policy-driven automation capabilities, blocking non-compliant cloud activity is not the only option available to you. For example if your business has a cloud security policy requiring the rotation of user passwords, a notification when passwords are next due to be rotated would be more appropriate than blocking access when the policy expires.
Similarly, it may be the case that a cloud security policy stipulates users can only deploy instances within a certain family type, but workload would benefit from being run on a compute optimized instance. Rather than blocking the deployment of the compute optimized instance, the cloud management platform could be configured to initiate an approval workflow that, if approved, would allow the deployment of the compute optimized instance to go ahead.
Other options include building a cloud security policy into the development process using a solution such as VMware Secure State in order to ensure infrastructure are configured securely before deployment, and using auto-remediation to correct issues such as unencrypted storage volumes and security groups with ports open to the internet.
Find Out More about Enforcing Cloud Security Policies with Policy-Driven Automation
If you’re looking to implement cloud security policies and practices, but are unsure of where to start, you should read our whitepaper “Building a Successful Cloud Infrastructure Security & Compliance Practice”.