For enterprises that use the cloud, the key to being protected starts with understanding the layers that make up their cloud stack (see figure below). These layers (services, identity, app edge, load balancer, compute, and storage) are each a potential target, and each is also a piece of the cloud environment that an informed organization can secure against threats.
Lock down identity management. Identity and access management determines what parts of the cloud stack users have access to, and what they can do when they’re there. If a bad actor can gain access to systems using legitimate credentials, compromise is nearly certain. Do the following:
1. Require secure passwords. Use the longest password or passphrase allowed by the system, or use a complex password that includes a mix of letters, numbers, and symbols.
2. Implement MFA everywhere. Having a strong password is not enough. Organizations need multiple layers of protection. Using a second validation or authentication method provides another layer of protection for user logins.
3. Create least privilege roles. Only give users access to the fewest number of accounts and systems that allow them to be productive. This limits the damage that can be done if a mistake is made or a bad actor gets access to an account.
4. Disable inactive accounts. When employees leave an organization, their access to all systems and their access keys should be disabled immediately. Inactive accounts widen the attack surface, and activity on them is usually monitored less closely than activity on active accounts.
5. Monitor for suspicious user behavior or compromised credentials. Use real-time monitoring that leverages machine learning and analytics to identify suspicious activity and possibly compromised account credentials.
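Items 2 and 4 above are the easiest to check mechanically, because every major cloud IAM service can export a per-user report of MFA status and last-used dates for passwords and access keys. The script below is an added example, not part of the original article: it runs that audit over constructed sample records whose fields are loosely modeled on such a report. The user names, key IDs, timestamps and the 90-day inactivity threshold are all assumptions.

```python
"""Identity hygiene audit over a constructed credential report.

Added example, not from the original article. Records are constructed
sample data, loosely modeled on the per-user credential reports cloud
IAM services export; the 90-day inactivity threshold is an assumption.
"""
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 90  # assumed policy threshold, not from the article

# Constructed sample records. None in a "last used" field means never used.
SAMPLE_USERS = [
    {"user": "alice", "password_enabled": True, "mfa_active": True,
     "password_last_used": "2024-05-30T08:12:00Z",
     "access_keys": [{"id": "KEY-A1", "active": True, "last_used": "2024-05-29T10:00:00Z"}]},
    {"user": "bob", "password_enabled": True, "mfa_active": False,
     "password_last_used": "2024-05-28T09:00:00Z", "access_keys": []},
    {"user": "carol-left-company", "password_enabled": True, "mfa_active": True,
     "password_last_used": "2023-11-02T17:45:00Z",
     "access_keys": [{"id": "KEY-C1", "active": True, "last_used": None}]},
    {"user": "svc-build", "password_enabled": False, "mfa_active": False,
     "password_last_used": None,
     "access_keys": [{"id": "KEY-S1", "active": True, "last_used": "2024-01-15T00:00:00Z"},
                     {"id": "KEY-S2", "active": True, "last_used": "2024-05-30T00:00:00Z"}]},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None (never used)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_identities(users, now, inactive_days=INACTIVE_DAYS):
    """Return (user, finding) pairs for MFA gaps and inactive credentials.

    - A console password without MFA violates "MFA everywhere" (item 2).
    - A password or access key unused for longer than inactive_days, or never
      used at all, is a candidate for immediate disablement (item 4).
    Service accounts with no console password are not flagged for MFA.
    """
    cutoff = now - timedelta(days=inactive_days)
    findings = []
    for u in users:
        if u["password_enabled"] and not u["mfa_active"]:
            findings.append((u["user"], "console login enabled without MFA"))
        last_pw = parse_ts(u["password_last_used"])
        if u["password_enabled"] and (last_pw is None or last_pw < cutoff):
            findings.append((u["user"], f"password unused for more than {inactive_days} days; disable login"))
        for key in u["access_keys"]:
            if not key["active"]:
                continue
            last_key = parse_ts(key["last_used"])
            if last_key is None or last_key < cutoff:
                findings.append((u["user"], f"access key {key['id']} inactive; deactivate it"))
    return findings


def audit_as_of(users, now_iso):
    """Convenience wrapper taking the audit date as an ISO-8601 UTC string."""
    return audit_identities(users, parse_ts(now_iso))


if __name__ == "__main__":
    for user, finding in audit_as_of(SAMPLE_USERS, "2024-06-01T00:00:00Z"):
        print(f"{user:22} {finding}")
```

Run as of 2024-06-01 this flags bob (no MFA), carol's stale password and never-used key, and the build account's unused key KEY-S1, while alice produces nothing. Scheduling this kind of report and treating each finding as a ticket is what turns items 2 and 4 from policy into practice.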
Secure the compute layer. Organizations should take steps to secure the compute layer to ensure availability of systems and data, and to keep bad actors from using their compute power to further spread malware across the business and the internet. Do the following:
6. Harden the operating system. Remove unnecessary programs that only serve to broaden the attack surface. Stay up to date on service packs and patches as much as possible.
7. Continuously check for misconfigurations and anomalies. Use automated tools to detect changes across the environment, as well as anomalous behavior.
8. Enable secure login. Issue Secure Shell (SSH) keys to individual users rather than shared credentials. SSH encrypts administrative sessions, which keeps assets protected when connections cross unsecured networks.
9. Implement inbound and outbound firewall rules. Set definitive rules about what, how much, and who can send, receive, and access both inbound and outbound data. Many organizations are reluctant to set up outbound rules, but because attackers will attempt to steal (exfiltrate) sensitive data and intellectual property, it’s important to ensure outbound rules are explicitly defined. Firewall rules need to be created at the application layer rather than the transport or network layer (IP and port information) to prevent attackers from piggybacking off open ports (such as the Domain Name System [DNS] on port 53).
10. Use only trusted images. Build images or templates from scratch, or get them from very trusted sources, like AWS or Microsoft Azure. Don’t use images from Stack Overflow or random message boards and user communities.
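Item 9's point about explicit outbound rules is easiest to see by evaluating the same flows against two rule sets. The following is an added example, not from the original article: a small first-match evaluator with an implicit default deny, run over a port-only egress rule set and an explicit one that pins DNS to the organization's resolvers and HTTPS to a patch mirror. The resolver and mirror networks, the rule names and the sample flows are constructed (the external addresses come from reserved documentation ranges). It demonstrates the destination-pinning half of the recommendation; validating that traffic on port 53 is genuinely DNS is the application-layer inspection the item also calls for, and is outside this example.

```python
"""Compare port-only and explicit outbound (egress) firewall rules.

Added example, not from the original article. Rules, networks and flow
records are constructed; the resolver and mirror networks are assumptions
and the external addresses are reserved documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str           # "tcp" or "udp"
    port: int
    dests: tuple = ()    # allowed destination networks; empty means any destination


def make_rule(name, proto, port, cidrs=()):
    return Rule(name, proto, port, tuple(ipaddress.ip_network(c) for c in cidrs))


# Weak: rules keyed only on port, so anything on the DNS port reaches any host.
PORT_ONLY_EGRESS = [make_rule("dns", "udp", 53), make_rule("https", "tcp", 443)]

# Explicit: DNS only to the organization's resolvers, HTTPS only to the patch mirror.
EXPLICIT_EGRESS = [
    make_rule("dns-to-resolvers", "udp", 53, ("10.0.0.2/32", "10.0.0.3/32")),
    make_rule("https-to-patch-mirror", "tcp", 443, ("10.20.0.0/24",)),
]


def evaluate(rules, flow):
    """First-match evaluation with an implicit default deny.

    flow is (proto, destination_ip, destination_port); returns (decision, rule name).
    """
    proto, dst_ip, dst_port = flow
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.proto != proto or rule.port != dst_port:
            continue
        if not rule.dests or any(dst in net for net in rule.dests):
            return ("allow", rule.name)
    return ("deny", "default-deny")


# Constructed outbound flows, in the shape a flow log would record them.
SAMPLE_FLOWS = [
    ("udp", "10.0.0.2", 53),       # lookup against the corporate resolver
    ("udp", "203.0.113.9", 53),    # traffic on the DNS port to an arbitrary external host
    ("tcp", "10.20.0.15", 443),    # HTTPS to the patch mirror
    ("tcp", "198.51.100.7", 443),  # HTTPS to an unknown external host
    ("tcp", "198.51.100.7", 22),   # outbound SSH, permitted by neither rule set
]


def compare(flows):
    """Return (flow, port-only decision, explicit decision) for each flow."""
    return [(f, evaluate(PORT_ONLY_EGRESS, f)[0], evaluate(EXPLICIT_EGRESS, f)[0]) for f in flows]


if __name__ == "__main__":
    for flow, weak, strict in compare(SAMPLE_FLOWS):
        print(f"{flow!s:32} port-only={weak:5} explicit={strict}")
```

The second and fourth flows are the ones that matter: the port-only rules allow them, so data could leave the compute layer on an "open" port, while the explicit rules deny them and the flow log records the denial as something worth investigating.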
Secure storage. If attackers get access to the storage layer, they can potentially delete or expose entire buckets or blobs of data. Do the following:
11. Manage data access. Identity and access management (IAM) policies and access control lists (ACLs) help you centralize control of permissions to storage. Security policies let organizations allow or deny permissions by account or user, or based on conditions such as date, source IP address, or whether the request arrived over a Secure Sockets Layer (SSL) encrypted session.
12. Classify data. Automatically classify data to understand what type of data is stored and where it’s stored. Data classification policies should be matched to security policies, and any violations should be flagged or automatically remediated.
13. Encrypt, encrypt, encrypt. Encrypt data both in transit and at rest. Note that the metadata is often not encrypted, so organizations should not store sensitive information in cloud storage metadata.
14. Enable versioning and logging. Versioning allows organizations to preserve, retrieve, and restore data if something goes wrong. With versioning turned on, businesses can restore from an older version of the data if a threat or application failure causes loss of data. Maintaining access logs provides an audit trail in case someone or something gets into your system.
15. Do not allow Delete rights (or require MFA for Delete). Organizations should set up roles in their cloud infrastructure that do not allow users to delete any data. Many cloud storage solutions enable a feature that requires MFA to delete any version of data stored in the storage layer.
16. Continuously check for misconfigurations and anomalies. Use automated tools to detect misconfigured storage and permissions settings, as well as anomalous file access behavior.
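Items 11, 13, 14, 15 and 16 above can be checked against a bucket's policy document and settings. The script below is an added example, not from the original article: it lints a constructed weak bucket and a constructed hardened version of the same bucket. The policy documents use the JSON shape of AWS S3 bucket policies and the real condition keys aws:MultiFactorAuthPresent and aws:SecureTransport; the bucket name, the role ARN and the account ID 111111111111 are placeholders, and the versioning and logging flags are a simplified stand-in for the provider's bucket settings.

```python
"""Lint a storage bucket's policy and settings against items 11 to 16.

Added example, not from the original article. Bucket definitions are
constructed; the policies use the JSON shape of AWS S3 bucket policies,
and the bucket name, role ARN and account ID 111111111111 are placeholders.
"""
import fnmatch

DELETE_ACTIONS = ("s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket")

# Constructed weak bucket: anonymous read, delete without MFA, no TLS-only
# rule, and both versioning and access logging switched off.
WEAK_BUCKET = {
    "name": "example-reports",
    "versioning_enabled": False,
    "access_logging_enabled": False,
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "TeamAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/reports-team"},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-reports/*"},
    ]},
}

# Constructed hardened bucket: same team role, delete gated on MFA,
# plaintext transport denied, versioning and logging on.
HARDENED_BUCKET = {
    "name": "example-reports",
    "versioning_enabled": True,
    "access_logging_enabled": True,
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "TeamReadWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/reports-team"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "TeamDeleteWithMFA", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/reports-team"},
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]},
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True when the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))


def covers_delete(actions):
    """True if any action pattern (e.g. "s3:*", "s3:Delete*") matches a delete action."""
    return any(fnmatch.fnmatchcase(d, pat) for pat in as_list(actions) for d in DELETE_ACTIONS)


def requires_mfa(statement):
    cond = statement.get("Condition", {}).get("Bool", {})
    return str(cond.get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def denies_plaintext(statement):
    cond = statement.get("Condition", {}).get("Bool", {})
    return statement["Effect"] == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false"


def lint_bucket(bucket):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    statements = bucket["policy"]["Statement"]
    for s in statements:
        if s["Effect"] != "Allow":
            continue
        if is_anonymous(s.get("Principal")) and "Condition" not in s:
            findings.append(f"{s.get('Sid')}: grants anonymous access with no condition")
        if covers_delete(s["Action"]) and not requires_mfa(s):
            findings.append(f"{s.get('Sid')}: allows delete without requiring MFA")
    if not any(denies_plaintext(s) for s in statements):
        findings.append("policy: no Deny for requests without SSL/TLS (aws:SecureTransport)")
    if not bucket["versioning_enabled"]:
        findings.append("settings: versioning disabled")
    if not bucket["access_logging_enabled"]:
        findings.append("settings: access logging disabled")
    return findings


if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["name"], lint_bucket(bucket) or ["OK"])
```

The weak bucket yields five findings and the hardened one none. Note that the delete check matches wildcard actions such as s3:* as well, since a broad grant without an MFA condition is exactly what item 15 warns against; a linter that only looked for the literal string s3:DeleteObject would miss it.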
Protect your cloud services. After you’ve secured the perimeter and enforced smart policies, you need to focus on security specifically for your services in the cloud.
17. Use source control to track code versions and to control access to builds and deployment instances. This reduces the attack surface of your code and limits how far an attack can spread across your network.