In traditional on-premises systems, organizations are responsible for securing everything – from the physical premises to the hardware, operating system, network, and applications.
In cloud deployments, it doesn’t work that way. In the public cloud, for both infrastructure as a service (IaaS) and platform as a service (PaaS), security responsibility is shared between the cloud service provider (CSP) and the customer (you). The provider owns the security of the physical layer and the cloud infrastructure, as well as of the compute, storage, database, network, and application services it offers. You, the customer, own the security configuration of your own operating systems, network traffic, and firewall settings, plus all security on your own systems that are used to connect to the cloud. To be secure, it’s imperative that you understand the security you own.
With a broad understanding of the Shared Responsibility Model, let’s review six cloud security essentials that must ALWAYS be addressed.
Ask yourself which applications and data you have that are critical to running your business. Start your security efforts here. Which apps and data would cause executive leadership, stockholders, or customers to abandon ship if breached? What data, if leaked, could cripple the ability to conduct business or effectively compete? What data, if exposed, would alarm regulators and possibly result in fines or sanctions? Highly coveted business data and government-regulated data must be classified as critical and protected.
Attackers often target vulnerabilities in your web applications. To ensure your applications are free from software vulnerabilities, you should actively look for vulnerabilities that create security risks. If the applications are open source or off-the-shelf, make sure to patch regularly and be sure to patch critical security flaws immediately. When building your applications, ensure your developers are trained to use secure coding practices and continuously examine the apps for potential flaws. A good place to look for guidance on how to start an application security program is the Open Web Application Security Project (OWASP).
Put processes in place to manage your user identities. This entails knowing who your users are, what job roles they have, and which applications and resources they should be able to access. It’s important to limit access to only those who have a reasonable need for those resources. When the roles of these people change, change their access. When someone leaves the company, for whatever reason, have their access revoked. This is one of the most important things you can do to keep a good security posture, yet it’s one of the areas that is so often overlooked.
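The access review described above can be automated by reconciling an HR roster against the access grants exported from your identity provider. The following is an added example, not part of the original article; the role names, resources, users, and the `review_access` helper are all hypothetical, constructed sample data.

```python
# Constructed sample data: role -> resources that role reasonably needs.
ROLE_ENTITLEMENTS = {
    "developer": {"git", "ci", "staging-db"},
    "finance": {"erp", "payroll"},
    "support": {"ticketing"},
}

# Constructed HR roster: user -> (current role, still employed?).
HR_ROSTER = {
    "alice": ("developer", True),
    "bob": ("support", True),      # recently moved from finance to support
    "carol": ("finance", False),   # left the company
}

# Constructed access grants, as they might be exported from an identity provider.
GRANTS = {
    "alice": {"git", "ci", "staging-db"},
    "bob": {"ticketing", "erp", "payroll"},  # old finance access never removed
    "carol": {"erp"},                        # access survived the departure
    "dave": {"git"},                         # account with no HR record
}


def review_access(roster, entitlements, grants):
    """Compare held access with what each user's current role allows.

    Returns {user: {"revoke": set, "grant": set, "reason": str}} for every
    user whose access does not match the roster.
    """
    findings = {}
    for user in sorted(set(roster) | set(grants)):
        held = grants.get(user, set())
        if user not in roster:
            allowed, reason = set(), "no HR record"
        else:
            role, active = roster[user]
            if active:
                # An unknown role allows nothing, so all access is flagged.
                allowed, reason = entitlements.get(role, set()), f"role is {role}"
            else:
                allowed, reason = set(), "left the company"
        revoke, grant = held - allowed, allowed - held
        if revoke or grant:
            findings[user] = {"revoke": revoke, "grant": grant, "reason": reason}
    return findings


if __name__ == "__main__":
    for user, f in review_access(HR_ROSTER, ROLE_ENTITLEMENTS, GRANTS).items():
        print(user, "|", f["reason"], "| revoke:", sorted(f["revoke"]),
              "| grant:", sorted(f["grant"]))
```

Run on a schedule, a report like this catches the two cases the paragraph warns about: access left over from a previous role and accounts that outlive the person's employment.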
It’s crucial to establish policies for security checks, settings, and configuration levels for all systems, workloads, and apps. As with vulnerability scans, the first priority is to find systems that are out of date, and then to check that systems are configured and running in accordance with policy.
If there is a security task that can be automated through scripts or cost-effectively offloaded to a security services provider, it should be done. This e-book offers some helpful tips. If you are a smaller organization, scale the advice down to your size, but the precepts remain similar.
Of course, keeping a steady lookout for security deficiencies in your organization is important, but many organizations, unfortunately, don’t bother to think about what comes next: remediation. When you start looking for security vulnerabilities, what will the organization do to remediate them? When you find violations of policy compliance, how will you quickly close the gap? Be sure to think these through and plan ahead.
These cloud security essentials are just the beginning, and they aren’t meant to be comprehensive. They are a starting point to get the gears turning toward putting an effective cloud security program in place. Check out the cloud section of our website to learn more.