Companies of all sizes are rapidly moving to cloud-based technology to enable a remote workforce and support critical business functions in the challenging pandemic environment. While the expansion of cloud services was exponentially accelerated by COVID-19, the truth is they have been growing rapidly even before the pandemic. These shifts increase companies' attack surface and complexity of secure cloud management, risking breaches to sensitive data and damage to both reputation and operations.
In this article I summarize five crucial tips I've learned throughout my career that can help secure your cloud exposure and attack surface.
1. Know your responsibilities for cloud services.
Some people will erroneously say, "Just add it to the cloud, the cloud does all the security!" This disengaged approach is not accurate. Unclear roles and responsibilities lead to a lack of decisions and action on implementing cloud controls. In general, cloud providers state that they manage "security of the cloud" while customer responsibility is to manage "security in the cloud". This responsibility varies by the type of cloud services used, with the most common models being: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service).
For IaaS services, the customer cloud operators are responsible for all software defined networking (SDN), patching, and software upgrades. Essentially, the cloud consumer is responsible for securing all services, applications and cloud deployments above the hypervisor layer.
For SaaS services, the SaaS provider manages all the infrastructure, software upgrades, patching, and only allows customers to control user data and identities.
PaaS services fall somewhere in between: users can host applications and the platform provider is responsible for managing hypervisor and infrastructure layers.
Containers and Kubernetes add in some complexity where they can be IaaS or PaaS, depending on how they are deployed. In general, this principle is called the "Cloud Shared Responsibility Model".
Knowing and understanding these responsibilities is critical to securing cloud services. Otherwise, it becomes very difficult to deploy a plan of action to properly secure your data and applications. The cloud security alliance and major cloud providers have extensive documentation and guidance on the shared responsibility model.
2. Identity is the new Security Perimeter.
With the rapid expansion of distributed cloud services and technology, identity has become the new security "perimeter". Implementing strong Identity Access Management (IAM) controls to ensure appropriate access to cloud resources is paramount.
People and applications need access to technology. Cloud providers offer extensive Identity Access Management solutions for both. I strongly recommend to follow the principle of least privilege for Identity Access Management. This means granting users and applications the minimum amount of access to perform the required functions and job duties.
Requiring and using Two-Factor Authentication (2FA) for interactive user and application access is another critical measure. 2FA should be applied to both cloud console and command line interface (CLI) access to enforce better security for access to cloud services and technologies.
Having a strong IAM plan using least privilege and requiring two-factor authentication will drastically improve the security of cloud services. All major cloud providers support 2FA and IAM technologies.
3. Audit and logging: Visibility is critical.
You don't know what you cannot see. Visibility is so important in the cloud, where the traditional "perimeter" of network security has dissolved. Enabling auditing and logging on cloud systems is a critical step to increase visibility and security. Start with enabling log trails on your most critical and sensitive systems, and then increase to as many systems as possible.
Feeding cloud logs and audit trails into a centralized security monitoring tool will allow your security operations teams to track activities and events in cloud services. This audit and logging data can then feed into dashboards that illustrate metrics on operations, reliability, performance and security.
In the event of a security issue or incident, audit trails and logging will help both security operations and forensics teams further investigate. Engineering and infrastructure teams will also gain advantages with troubleshooting and resolving issues.
4. Automate reusable design patterns and security best practices.
Use secure design principles and build security in as early as possible to avoid misconfigurations. Using well-formed and securely designed cloud templates to deploy applications and infrastructure in the cloud can improve security baselines and resilience. All major cloud infrastructure providers support these tools, such as CloudFormation in AWS or third-party tools such as Terraform. Their templates can be reused and deployed as a secure default, which helps avoid human errors.
Using secure defaults such as private S3 buckets (AWS) and Blob storage (Azure) in cloud deployments is much easier with automated and reusable templates. Misconfigured cloud storage has led to several major security incidents, and storage should be defaulted to private and not publicly accessible.
Cloud automation tools, such as Terraform and cloud formation templates (CFTs) in AWS, make it much easier to deploy secure infrastructure using well designed templates. Secure templates can be used and automated to follow best practices for network segmentation, including private and public zones, n-tier architecture and micro segmentation.
5. Work with cloud partners to pen test cloud applications and infrastructure.
Most SaaS providers are already conducting pentesting on their applications. You can always ask your SaaS partners for evidence.
Cloud services, especially IaaS applications, do allow certain types of security assessments and testing on their infrastructure, but under certain conditions. Work with your cloud providers and account teams to make sure that proper approvals for security testing are in place.
Scoping of cloud and application penetration tests can be done to ensure full coverage of your cloud systems. Infrastructure and application pentests can find common, as well as unique issues in your environment.
We've produced a variety of resources that can get you started with AWS pentesting, such as: