With the focus of cloud security solutions shifting from external threats to insider threats, we suggest five tips for better cloud security that can help protect organizations against data breaches and compliance issues caused by threats originating from within their cloud environments.
Recent studies indicate that the most significant threats to cloud security are not from organized gangs of cybercriminals, but rather from within organizations themselves. Reports point towards organizations exposing themselves to cloud security threats due to issues such as misconfigured applications, a lack of identity management, the non-enforcement of password policies, and a failure to protect against genuine user mistakes.
Cloud Service Providers have responded to the studies by launching new security products or supplementing existing security products with new capabilities. Services such as AWS’ Security Hub, Azure’s Secure Score, and Google Cloud’s Security Command Center can now tell you if you deploy misconfigured resources, forget to patch vulnerabilities, or have storage volumes with public read or write permissions. Even Alibaba Cloud has a service in which applications are scanned for vulnerabilities.
Because of the volume of new products and services coming onto the market, it can be difficult for an organization to determine which security products are most appropriate for its needs. Therefore, although it is still important to protect cloud environments from organized gangs of cybercriminals, we have compiled 5 tips for better cloud security that every organization should apply to help protect against data breaches and compliance issues caused by threats originating from within.
#1 Build configuration auditing into the development process
McAfee attributes an increasing number of misconfigured resources to the speed at which resources are deployed using automated CI/CD processes. The security company states the automated process makes it easy to introduce misconfigurations and replicate them quickly, and suggests organizations build configuration auditing into the development process to check each application against a development template in order to identify configuration drift, vulnerabilities, and other irregularities.
A simple way to build configuration auditing into the development process is to implement a solution such as VMware Secure State that integrates continuous verification into the development pipeline. The solution continues to monitor the well-being of the application throughout its lifetime—flagging issues to administrators for investigation, or fixing them itself if the solution is used in conjunction with a cloud management platform that has auto-remediation capabilities.
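The check described above, comparing each deployment against its template and failing the pipeline on security-relevant drift, can be sketched as follows. This is an added example, not code from the original page or from any vendor product; the configuration keys, the `SECURITY_KEYS` set and the sample template and deployment are constructed assumptions.

```python
# Added example: names, keys and sample values are constructed for illustration.
SECURITY_KEYS = {"public_read", "public_write", "encryption", "ingress_cidrs"}

def find_drift(template, deployed, path=""):
    """Recursively compare a deployed config to its template; return drift findings."""
    findings = []
    for key in sorted(set(template) | set(deployed)):
        here = f"{path}.{key}" if path else key
        if key not in deployed:
            findings.append((here, "missing", template[key], None))
        elif key not in template:
            findings.append((here, "unexpected", None, deployed[key]))
        elif isinstance(template[key], dict) and isinstance(deployed[key], dict):
            findings.extend(find_drift(template[key], deployed[key], here))
        elif template[key] != deployed[key]:
            findings.append((here, "changed", template[key], deployed[key]))
    return findings

def gate(findings):
    """Return the findings that should fail the pipeline (security-relevant leaf keys)."""
    return [f for f in findings if f[0].split(".")[-1] in SECURITY_KEYS]

# Constructed template: the approved baseline for this application.
TEMPLATE = {
    "storage": {"public_read": False, "public_write": False, "encryption": "aes256"},
    "network": {"ingress_cidrs": ["10.0.0.0/8"]},
    "labels": {"owner": "payments"},
}
# Constructed deployment: public read enabled, encryption setting dropped, extra label.
DEPLOYED = {
    "storage": {"public_read": True, "public_write": False},
    "network": {"ingress_cidrs": ["10.0.0.0/8"]},
    "labels": {"owner": "payments", "debug": "true"},
}

if __name__ == "__main__":
    drift = find_drift(TEMPLATE, DEPLOYED)
    for path, kind, want, got in drift:
        print(f"{kind:10} {path}: template={want!r} deployed={got!r}")
    # A non-zero exit status stops the CI/CD stage when security settings drifted.
    raise SystemExit(1 if gate(drift) else 0)
```

Run as a pipeline step, the script reports all drift but blocks the deployment only for the security-relevant keys, so a stray label does not stop a release while a publicly readable storage volume does.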
#2 Apply role-based access controls to resource groups
Applying role-based access controls to resource groups may seem like another administrative process to deal with, but it actually simplifies Identity and Access Management (IAM) by limiting what resources users, processes, applications, and devices can access without having to apply controls for each individual user. An example of how role-based access controls can be applied to Azure resource groups was covered in this blog, and a similar process applies to organizations operating in other public clouds.
In the context of our 5 tips for better cloud security, this tip is one of the easiest to apply if an organization operates in a single public cloud or in a hybrid environment consisting of an on-premises infrastructure/private cloud and a single public cloud. In more complex environments, implementing this tip may require more administration initially, but the benefits will be worth it—not only in terms of security, but also for cost allocation and user accountability.
#3 Implement app-centric security policies
Implementing app-centric security policies as an alternative to east-west firewalls simplifies policy management and reduces the opportunities for mistakes to occur in the configuration of firewalls. The security policies can be mapped by application type, isolation zone, or other criteria, and managed with tags. When changes are required, you only have to add or remove tags, or change their policy values.
As with building configuration auditing into the development process, it helps if you enforce the security policies using a cloud management platform with policy-driven automation capabilities. Depending on how the platform is configured, attempts to violate security policies can be blocked automatically and flagged to system administrators in order to investigate the cause of the potential violation. For further information about app-centric security policies, please refer to this blog.
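A tag-driven policy of the kind described in this tip can be modeled as a default-deny evaluator in which rules select workloads by tag and a policy change is a tag change. This is an added example, not code from the original page or from any vendor product; the tag names, the workloads, the rules and the `zone:quarantine` isolation override are constructed assumptions.

```python
# Added example: tag names, workloads and rules are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: frozenset      # tags the source workload must carry
    dst: frozenset      # tags the destination workload must carry
    ports: frozenset    # destination ports the rule permits

RULES = [
    Rule(frozenset({"app:shop", "tier:web"}), frozenset({"app:shop", "tier:api"}), frozenset({8443})),
    Rule(frozenset({"app:shop", "tier:api"}), frozenset({"app:shop", "tier:db"}), frozenset({5432})),
]

def allowed(src_tags, dst_tags, port, rules=RULES):
    """Default deny: a flow passes only if one rule's selectors are subsets of both tag sets."""
    if "zone:quarantine" in src_tags or "zone:quarantine" in dst_tags:
        return False  # assumed isolation zone: overrides every allow rule
    return any(r.src <= src_tags and r.dst <= dst_tags and port in r.ports for r in rules)

def evaluate(workloads, flows):
    """Return (src, dst, port, verdict) for each attempted east-west flow."""
    return [(s, d, p, "allow" if allowed(workloads[s], workloads[d], p) else "block")
            for s, d, p in flows]

# Constructed inventory: workload name -> set of tags.
WORKLOADS = {
    "web-1": {"app:shop", "tier:web"},
    "api-1": {"app:shop", "tier:api"},
    "db-1": {"app:shop", "tier:db"},
}
# Constructed flow attempts: web -> api, web -> db (skips a tier), api -> db.
FLOWS = [("web-1", "api-1", 8443), ("web-1", "db-1", 5432), ("api-1", "db-1", 5432)]

if __name__ == "__main__":
    for row in evaluate(WORKLOADS, FLOWS):
        print(*row)
    WORKLOADS["api-1"].add("zone:quarantine")   # policy change = one tag, no rule edits
    for row in evaluate(WORKLOADS, FLOWS):
        print(*row)
```

The blocked verdicts are the events a policy-driven platform would flag to administrators; the web-to-database attempt is blocked because no rule pairs those tags, not because a firewall entry names the two hosts.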
#4 Use multi-factor authentication in every possible case
Although organizations should continue to enforce password policies and ensure passwords are rotated periodically, there is no safer way to protect a network from a phishing attack or the inadvertent disclosure of log-in credentials than multi-factor authentication. Admittedly, MFA is inconvenient, and there can be problems if a user loses their mobile phone or other device required to access the secondary log-in. Nonetheless, this tip for better cloud security is one of the most effective.
#5 Automate enforcement of cloud security policies
Cloud management platforms with auto-remediation and policy-driven automation capabilities have been mentioned several times, so it is only fitting this solution is given an entry of its own. This is because any policy developed to enhance cloud security is only as good as its enforcement, and although there are multiple tools on the market for notifying you of a policy violation retrospectively, in most cases that is too late.
Cloud management platforms with auto-remediation and policy-driven automation capabilities not only help resolve the issues of application misconfigurations and unauthorized lateral movement, they can also be configured to prevent the type of security issues attributable to genuine user mistakes. These include inadvertently adding permissions to an IT-sanctioned third-party app, which allows the app access to sensitive data in an otherwise secure cloud environment.