(ISC)²'s bi-monthly e-newsletter Cloud Security INSIGHTS delivers timely, must-read original articles for the professional development of infosecurity practitioners focused on cloud security.
NOVEMBER CLOUD SECURITY INSIGHTS
Practical Advice to Harden Multi-Cloud Environments
By Paul South
Jeremy Snyder traveled the globe for several years learning how companies large and small secured their multi-cloud environments. The result of this international listening tour? A list of 10 recommendations for how to improve your multi-cloud security posture—a goal that’s now more important than ever with the shift to remote work and bad actors seeking novel ways to infiltrate public, private and hybrid cloud infrastructures accessed from so many more entry points.
Snyder is senior director of business development and solution engineering for DivvyCloud, an Arlington, Va.-based cloud and container environment protection firm. He outlined his recommendations during an (ISC)² webinar with moderator Brandon Dunlap. Here, in general, is his advice for shoring up an organization’s cloud security posture and developing action plans where deficiencies are found.
Gain visibility and define workloads
We’ve all heard it before, but it’s worth repeating: If you don’t know an asset exists, you can’t secure it. This is why Snyder ranks gaining visibility as a top priority. “There’s no way that you can have that visibility, know whether it’s in a secure state, whether it’s properly configured, properly secured, etc.,” he said. “So, you really have to have visibility in order to gain security around it.”
A common starting point is a spreadsheet inventory of every cloud-based or cloud-stored asset, collated across providers and accounts. A hand-maintained spreadsheet drifts from reality quickly, though: every major cloud provider exposes APIs for enumerating the resources in an account, and third-party tools can pull those feeds together across providers, so the task isn’t as daunting as it may first appear.
Snyder also found, in his conversations with companies, that security standards are often defined per workload. That makes it important to define workloads precisely, which he recommends doing through tagging or by project.
Cloud tags are the natural evolution of the physical asset tags stuck to datacenter hardware. Identifying assets by account or by project, and giving each workload a dedicated account where an organization runs several, keeps workloads separated from one another. “And that’s where you can then apply the scoping or apply the security policies at that account layer,” he said.
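As an added illustration of the inventory-and-tagging advice above (example code written for this page, not DivvyCloud's tooling or anything Snyder presented), the following Python normalizes resource listings from three providers into one asset list, flags assets that carry none of the tags tying them to a workload, and shows which projects share an account. The provider records are constructed samples trimmed to the fields the real listings carry; the required tag keys (`owner`, `project`, `environment`) are an assumed tagging standard.

```python
"""Normalize raw inventory pulled from several cloud providers into one
asset list, then flag assets that cannot be attributed to a workload.
Example code for this article; the sample records below are constructed."""
import json
from collections import defaultdict

# Tag keys every asset must carry so it can be assigned to a workload.
# Assumed tagging standard; substitute your organization's own keys.
REQUIRED_TAGS = ("owner", "project", "environment")

# Constructed sample records. The AWS entries follow the shape of an
# `aws ec2 describe-instances` Instance object (trimmed); the Azure and
# GCP entries mimic their resource listings, with tags/labels as maps.
AWS_INSTANCES = json.loads("""[
  {"InstanceId": "i-0a1b2c3d4e5f60001", "OwnerId": "111111111111",
   "Tags": [{"Key": "owner", "Value": "payments-team"},
            {"Key": "project", "Value": "checkout"},
            {"Key": "environment", "Value": "prod"}]},
  {"InstanceId": "i-0a1b2c3d4e5f60002", "OwnerId": "111111111111",
   "Tags": [{"Key": "Name", "Value": "test-box"}]}
]""")
AZURE_RESOURCES = json.loads("""[
  {"id": "/subscriptions/sub-aaaa/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm-web",
   "tags": {"owner": "web-team", "project": "marketing-site", "environment": "prod"}},
  {"id": "/subscriptions/sub-bbbb/resourceGroups/rg2/providers/Microsoft.Storage/storageAccounts/campaign2020",
   "tags": {"project": "campaign-2020"}}
]""")
GCP_RESOURCES = json.loads("""[
  {"name": "projects/data-lake-prod/zones/us-central1-a/instances/etl-1",
   "labels": {"owner": "data-eng", "project": "data-lake", "environment": "prod"}}
]""")


def normalize(aws, azure, gcp):
    """Map each provider's record into one schema: provider, account, id, tags."""
    assets = []
    for inst in aws:
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        assets.append({"provider": "aws", "account": inst["OwnerId"],
                       "id": inst["InstanceId"], "tags": tags})
    for res in azure:
        # Azure resource IDs embed the subscription, which is the account boundary.
        subscription = res["id"].split("/")[2]
        assets.append({"provider": "azure", "account": subscription,
                       "id": res["id"], "tags": res.get("tags") or {}})
    for res in gcp:
        # GCP resource names embed the project, GCP's account-level boundary.
        project = res["name"].split("/")[1]
        assets.append({"provider": "gcp", "account": project,
                       "id": res["name"], "tags": res.get("labels") or {}})
    return assets


def untagged_assets(assets, required=REQUIRED_TAGS):
    """Return (asset id, missing tag keys) for every asset that cannot be
    attributed to a workload; these are the first candidates for orphan cleanup."""
    findings = []
    for a in assets:
        missing = [k for k in required if not a["tags"].get(k)]
        if missing:
            findings.append((a["id"], missing))
    return findings


def workloads_by_account(assets):
    """Group project tags per (provider, account) so you can see whether each
    account really hosts a single workload."""
    grouping = defaultdict(set)
    for a in assets:
        grouping[(a["provider"], a["account"])].add(a["tags"].get("project", "<untagged>"))
    return {k: sorted(v) for k, v in grouping.items()}


if __name__ == "__main__":
    inventory = normalize(AWS_INSTANCES, AZURE_RESOURCES, GCP_RESOURCES)
    for asset_id, missing in untagged_assets(inventory):
        print(f"MISSING {missing}: {asset_id}")
    for account, projects in workloads_by_account(inventory).items():
        print(account, projects)
```

In practice the three input lists come from the provider APIs (or a CSPM tool's export) rather than inline JSON; the point is that once every provider's records share one schema, the "who owns this and which workload is it part of" question becomes a single loop rather than three spreadsheets.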
Focus on password policies, MFA and logs
Just as with on-premises datacenters, every cloud environment demands an established and enforced identity and access management system that incorporates strong passwords, multi-factor authentication and auditable logs. Despite being a basic best practice, it is one that often gets overlooked in the rush to learn cloud-specific controls.
“[People] make this move to the cloud and they think, ‘Oh, shoot, I’ve got to learn about managing security groups, S3 bucket policies. I’ve got to learn about VPC flow logs and looking for threat signals in my flow logs.’ And they move away from a lot of the core basics and fundamentals that they’re used to, and I’d say that’s actually wrong,” Snyder said.
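To make the "fundamentals first" point concrete, here is an added example (written for this page, not from the webinar) that audits two of the basics Snyder names: MFA on every console login and stale access keys, plus the account password policy. The input is a constructed credential report trimmed to a subset of the columns `aws iam get-credential-report` actually returns (the column names are the real ones), and a constructed policy shaped like `aws iam get-account-password-policy`. The 90-day key rotation window and the policy baseline are assumptions.

```python
"""Audit an IAM credential report and account password policy for the
basics: MFA on every console user, no stale access keys, and a password
policy that is actually enforced. Example code; all inputs are constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 11, 15, tzinfo=timezone.utc)  # fixed "today" so the example is reproducible
MAX_KEY_AGE = timedelta(days=90)                     # assumed rotation window

# Constructed sample, trimmed to a subset of the columns that
# `aws iam get-credential-report` returns (the column names are the real ones).
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::111111111111:root,not_supported,true,false,N/A
alice,arn:aws:iam::111111111111:user/alice,true,true,true,2020-10-20T09:12:00+00:00
bob,arn:aws:iam::111111111111:user/bob,true,false,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,false,false,true,2019-06-01T00:00:00+00:00
"""

# Constructed sample shaped like `aws iam get-account-password-policy`.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 365,
    "PasswordReusePrevention": 3,
}

# Assumed baseline; tune to your own standard.
POLICY_BASELINE = {"MinimumPasswordLength": 14, "MaxPasswordAge": 90, "PasswordReusePrevention": 24}


def _parse_time(value):
    """Credential-report timestamps are ISO 8601; non-dates such as 'N/A' return None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return a list of (user, issue) tuples, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports 'not_supported' for password_enabled but is
        # still a console login, so treat it as having a console password.
        console = row["password_enabled"] in ("true", "not_supported")
        if console and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        # Active access key that has not been rotated within the window.
        if row["access_key_1_active"] == "true":
            rotated = _parse_time(row["access_key_1_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                findings.append((user, "access key older than rotation window"))
    return findings


def audit_password_policy(policy, baseline=POLICY_BASELINE):
    """Return the names of policy settings that fall below the baseline."""
    weak = []
    if policy.get("MinimumPasswordLength", 0) < baseline["MinimumPasswordLength"]:
        weak.append("MinimumPasswordLength")
    # MaxPasswordAge is absent from the policy when expiration is disabled entirely.
    if policy.get("MaxPasswordAge", 10**9) > baseline["MaxPasswordAge"]:
        weak.append("MaxPasswordAge")
    if policy.get("PasswordReusePrevention", 0) < baseline["PasswordReusePrevention"]:
        weak.append("PasswordReusePrevention")
    for flag in ("RequireSymbols", "RequireNumbers",
                 "RequireUppercaseCharacters", "RequireLowercaseCharacters"):
        if not policy.get(flag, False):
            weak.append(flag)
    return weak


if __name__ == "__main__":
    for user, issue in audit_credential_report(CREDENTIAL_REPORT):
        print(f"{user}: {issue}")
    print("weak policy settings:", audit_password_policy(PASSWORD_POLICY))
```

The same two loops translate directly to Azure AD sign-in and MFA registration reports or GCP IAM service-account key listings; what changes is the column names, not the questions being asked.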
Clean up attack surfaces
While he acknowledged that he has sometimes received pushback about how much hygiene matters to cloud security, Snyder points out that larger firms moving to the cloud tend to open their environments more broadly than they would on premises. For example, a website is stood up to generate leads during a 30- or 60-day marketing campaign. When the campaign ends, the site becomes an “orphan,” a workload no longer serving a useful purpose while expanding the organization’s attack surface.
This brings up another best practice: eliminating the “blind defaults” every cloud provider offers to ease adoption. Such defaults include accepting the default network segment for a virtual private cloud with a couple of clicks, or letting a vendor’s setup wizard create a virtual machine along with its default firewall rules. Instead, take a moment to consider your security standards and select better settings as you establish the inner workings of each cloud configuration.
Pay close attention to perimeter security
More multi-cloud mistakes come from failing to properly follow the above recommendations. Once better cyber hygiene is established, along with better visibility and inventory building, it’s time to tighten your cloud security perimeter just as you would an on-premises datacenter. This means closing buckets and locking down ports.
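As an added example for the perimeter advice (written for this page; not Snyder's or DivvyCloud's code), the Python below flags security groups that expose administrative ports to the whole internet and storage buckets whose public-access protection is not fully enabled, while honoring an explicit list of resources that are meant to be public, which is the "unless that is the intention" caveat. The security groups are constructed samples shaped like `aws ec2 describe-security-groups` output; the bucket records carry the four flags of an S3 PublicAccessBlockConfiguration; the admin port list and the exception list are assumptions.

```python
"""Flag network rules and buckets left open to the internet, honoring an
explicit allow-list of resources that are meant to be public.
Example code for this article; all sample resources are constructed."""
import ipaddress

# Ports that should never be reachable from anywhere (assumed list; extend it).
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}

# Constructed samples shaped like `aws ec2 describe-security-groups` (trimmed).
# IpProtocol "-1" means all protocols and carries no port range.
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-wizard-default", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Constructed buckets; `public_access_block` mirrors the four flags of an
# S3 PublicAccessBlockConfiguration. The web-site bucket is public on purpose.
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
NONE_BLOCKED = {k: False for k in ALL_BLOCKED}
BUCKETS = [
    {"name": "corp-backups", "public_access_block": ALL_BLOCKED},
    {"name": "campaign-2020-assets", "public_access_block": NONE_BLOCKED},
    {"name": "www-public-site", "public_access_block": NONE_BLOCKED},
]
INTENTIONALLY_PUBLIC = {"www-public-site"}  # documented, reviewed exceptions (assumed)


def _open_to_world(rule):
    """True if any CIDR on the rule is a zero-length prefix (0.0.0.0/0 or ::/0)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def _covers(rule, port):
    """True if the rule's port range includes `port`; '-1' covers everything."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["FromPort"] <= port <= rule["ToPort"]


def exposed_admin_ports(groups):
    """Return (group id, sorted admin ports) for every group that exposes an
    admin port to the whole internet."""
    findings = []
    for g in groups:
        exposed = set()
        for rule in g["IpPermissions"]:
            if _open_to_world(rule):
                exposed |= {p for p in ADMIN_PORTS if _covers(rule, p)}
        if exposed:
            findings.append((g["GroupId"], sorted(exposed)))
    return findings


def public_buckets(buckets, allowlist=INTENTIONALLY_PUBLIC):
    """Return buckets whose public-access block is not fully on and that are
    not on the documented exception list."""
    return [b["name"] for b in buckets
            if b["name"] not in allowlist and not all(b["public_access_block"].values())]


if __name__ == "__main__":
    for group_id, ports in exposed_admin_ports(SECURITY_GROUPS):
        print(f"{group_id}: admin ports open to the world: {ports}")
    for name in public_buckets(BUCKETS):
        print(f"{name}: public access not blocked and not an approved exception")
```

Note that `sg-web` is open to the world on 443 and is not reported: the check is about admin and database ports, not about every public-facing service. The orphaned campaign bucket from the previous section is exactly the kind of resource this catches once it falls off the exception list.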
“When I say close your buckets here, I don’t just mean close your S3 buckets or your equivalent Azure Blob storage, GCP object storage, etc.,” Snyder explained. “I mean, for any of these services out at the edges of your network design or your application design, make sure that you’re imposing the right level of public access versus private access. Typically, that’s probably going to be don’t have public access enabled by default. That’s going to mean make sure that you’ve got some privacy settings around them and you don’t have them public by default, unless that is the intention.”
Encrypt where needed
While the complexity of a cloud environment can make the previous recommendations difficult, one that is actually easier in the cloud is encryption. Every cloud provider now offers multiple encryption options, depending on the workload and where the key data assets live. This harks back to two earlier points: defining workloads and knowing which data assets a firm holds.
“Without that, it’s very difficult to know what kind of encryption approach you should take,” Snyder said. “If you don’t know which data should be encrypted, which data is most critical, is most private, is most sensitive, I think you’re faced with one of two scenarios. Either you default encrypt or you default don’t encrypt, and neither one of those as a security professional feels like a good approach.”
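Snyder's point is that the classification drives the encryption decision. As an added example (written for this page, not from the webinar), the Python below turns that into a check: each storage resource's classification tag maps to a requirement, and resources that fall short are reported, with unclassified data reported separately because no decision can be made for it. The resources are constructed samples; `key_manager` carries what KMS `DescribeKey` reports in its `KeyManager` field (`AWS` for a provider-managed key, `CUSTOMER` for one you created); the classification-to-requirement mapping is an assumption.

```python
"""Decide per-resource encryption requirements from the data classification
tag, then flag storage that does not meet them.
Example code for this article; all sample resources are constructed."""

# Assumed mapping from classification to requirement:
#   "cmk": must use a customer-managed key (you control rotation and revocation)
#   "any": a provider-managed key is acceptable
#   None:  encryption optional
REQUIREMENT = {"restricted": "cmk", "confidential": "any", "internal": None, "public": None}

# Constructed inventory. `enabled` summarizes what the provider reports
# (EBS `Encrypted`, S3 default encryption, RDS `StorageEncrypted`); `key_manager`
# is the KMS DescribeKey `KeyManager` value for the key in use, or None.
STORAGE = [
    {"id": "vol-cardholder-db", "classification": "restricted",
     "encryption": {"enabled": True, "key_manager": "CUSTOMER"}},
    {"id": "vol-analytics-scratch", "classification": "restricted",
     "encryption": {"enabled": True, "key_manager": "AWS"}},
    {"id": "bucket-hr-exports", "classification": "confidential",
     "encryption": {"enabled": False, "key_manager": None}},
    {"id": "bucket-press-kit", "classification": "public",
     "encryption": {"enabled": False, "key_manager": None}},
    {"id": "vol-legacy-app", "classification": None,
     "encryption": {"enabled": False, "key_manager": None}},
]


def encryption_findings(storage, requirement=REQUIREMENT):
    """Return (resource id, finding) pairs in inventory order.

    Unclassified data is reported on its own rather than silently treated as
    either 'encrypt everything' or 'encrypt nothing'."""
    findings = []
    for res in storage:
        cls = res["classification"]
        enc = res["encryption"]
        if cls not in requirement:
            findings.append((res["id"], "unclassified: cannot decide encryption requirement"))
            continue
        need = requirement[cls]
        if need is None:
            continue
        if not enc["enabled"]:
            findings.append((res["id"], f"{cls} data stored unencrypted"))
        elif need == "cmk" and enc["key_manager"] != "CUSTOMER":
            findings.append((res["id"], f"{cls} data needs a customer-managed key, found {enc['key_manager']}"))
    return findings


def coverage(storage, requirement=REQUIREMENT):
    """Fraction of resources with a known classification, i.e. the share of the
    estate for which an encryption decision can be made at all."""
    classified = sum(1 for r in storage if r["classification"] in requirement)
    return classified / len(storage) if storage else 0.0


if __name__ == "__main__":
    for resource_id, issue in encryption_findings(STORAGE):
        print(f"{resource_id}: {issue}")
    print(f"classified: {coverage(STORAGE):.0%}")
```

The `coverage` figure is the number to watch first: until it approaches 100%, the unclassified findings are the real backlog, and the per-resource encryption findings are only as complete as the tagging behind them.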
PAUL SOUTH is an Alabama-based freelance writer and regular contributor to Insights and Infosecurity Professional magazine.