Guide to cloud security management and best practices
This cloud security guide explains the challenges facing enterprises today, best practices for securing and managing SaaS, IaaS and PaaS, and comparisons of cloud-native security tools.
Organizations of all sizes have adopted cloud strategies to varying degrees. While beneficial in many ways, the cloud also has its risks, which organizations should fully assess before placing assets there. In this comprehensive guide, complete with links to more information, we lay out the challenges in securing the cloud environment as well as how to develop best practices for managing cloud security.
Why is cloud security important?
Far too often, organizations place their trust in cloud providers to ensure a secure environment. Unfortunately, that approach has numerous problems -- namely that cloud providers don't always know the risk associated with a customer's systems and data. They don't have visibility into other components in the customer's ecosystem and the security requirements of those components. Failing to take ownership of cloud security is a serious downfall that could lead organizations to suffer data loss, system breaches and devastating attacks.
The Cloud Security Alliance shared the most common cloud security challenges to give organizations a sense of the massive attack surface cloud computing presents. In addition to the potential for data breaches and lack of visibility, the following are some of the most egregious problems the alliance found:
- misconfigurations and inadequate change controls;
- lack of cloud security architecture and strategy;
- insufficient identity, credential, access and key management;
- account hijacking;
- insecure interfaces and APIs; and
- abuse and nefarious use of cloud services.
The fallout from cloud attacks is often exponential, and the blast radius of attacks continues to expand. For example, "an attack on a single user's credentials reaches far beyond the targeted victim, often affecting the entire organization and its customers," wrote Dave Shackleford, principal consultant at Voodoo Security. Recent attacks also illustrate an immaturity of organizations' ability to defend their cloud environments, he added.
The type of cloud environment an organization selects must be well-considered because private, public and hybrid options each have pros and cons. For instance, a public cloud strategy can lighten the load on an organization's IT team since they don't have to manage systems in-house. A public cloud provider might not be as particular as the organization about security, however, which could leave gaps in the organization's protection.
With a private cloud environment, an organization might gain more control over security, but cloud costs will likely rise as a result. And while a hybrid approach -- part public, part private -- might seem like the perfect compromise, it presents challenges too, including policy enforcement across environments.
Best practices for cloud security
Once an organization has committed to a cloud environment for data, applications, platforms and infrastructure, the next task is to create a cloud security policy. The policy should address critical considerations -- such as how employees can interact with the cloud, the types of data that can be sent and stored there, access controls and more.
While developing a cloud security policy can be done using many approaches, including adapting an existing infosec policy or using a software package, independent IT consultant and auditor Paul Kirvan created a cloud security policy template that walks organizations through policy creation.
How you address cloud security is also dependent on the type of cloud service an organization needs: SaaS, IaaS or PaaS.
SaaS security best practices
SaaS is not a monolithic service and shouldn't be treated as such when it comes to security. Instead, organizations need to look at a roster of guidelines and apply the ones that best fit the service being adopted. Ed Moyle, software security principal at Adaptive Biotechnologies, laid out the following best practices to protect SaaS-based applications:
- vet and oversee potential providers;
- deploy enhanced authentication, such as multifactor authentication (MFA), where possible;
- encrypt data in motion and at rest in the cloud; and
- utilize manual and automatic methods to discover and inventory cloud assets.
SaaS also requires a corporate culture where IT and security teams work together to secure a cloud-based business application.
IaaS security best practices
Like SaaS, IaaS requires organizations to consider how to encrypt data at rest and inventory cloud assets, but securing infrastructure in the cloud requires even more attention to security. Organizations need to develop an IaaS security checklist to ensure consistent patching and access management. IaaS has many access layers to be managed, including access to the IaaS console and specific features such as backup and recovery.
PaaS security best practices
PaaS security guidelines recommend that organizations be deeply involved in the protection of their platform services and not leave the details up to the provider. For example, enterprises should engage in threat modeling and the deconstruction of an application design, which will help identify vulnerabilities and mitigate them.
Another key best practice for PaaS users is to carefully plan out portability so the organization isn't bound to one provider. One way to do this is to use common programming languages -- such as C#, Python and Java -- that are supported across providers.
Who is responsible for cloud security?
While traditional enterprise security teams can take on some cloud security duties, protecting cloud data and other assets requires a specific skillset.
Organizations should create a cloud IAM team dedicated to certain aspects of cloud security, such as access, authentication and authorization. Shackleford recommended that the cloud IAM team, which could tackle single sign-on and federation, should be started with existing internal groups because they have a deep understanding of the business and its goals.
A dedicated IaaS team might also address cloud security automation in four key areas:
- container configuration;
- infrastructure as code;
- asset tagging; and
- vulnerability scanning.
Setting and managing IaaS controls and processes in these areas enables smooth and consistent deployments, proper auditing and reporting, and policy application and enforcement.
These special-purpose teams follow cloud compliance standards closely, making sure cloud service providers are up on the latest industry requirements. Read about the top cloud security standards bodies and their areas of compliance oversight.
Cloud security training has improved in recent years, and targeted certifications can demonstrate a professional's cloud security chops. For instance, (ISC)2 has a Certified Cloud Security Professional (CCSP) certification, and the Cloud Security Alliance offers a Certificate of Cloud Security Knowledge. CompTIA, Arcitura and Exin also have programs, as do vendors such as Amazon, Google and Microsoft.
Cloud security-savvy professionals can test their bona fides with these CCSP exam questions.
Cloud security management strategies
Rarely do organizations have a single cloud environment -- more likely they have multiple ones that address various data, application, platform and infrastructure needs. Managing disparate cloud services can be challenging, so organizations need a sound strategy that protects corporate assets.
To prevent or rein in sprawl, organizations should centralize the procurement, deployment and management of their multi-cloud environments. Doing so can ensure an organization's security policies and compliance requirements are applied and enforced. Centralizing also is critical for organizations to be able to collaborate and communicate in a uniform way about threats and mitigation strategies.
Cloud security teams need to test their cloud environments regularly. Nemertes Research Founder and President Johna Till Johnson encouraged companies to tap into specialized tools that enable organizations to run hostile tests against their environments. These tools help shore up the cloud environment. She also suggested performing live-fire training -- where cloud environments are made deliberately insecure -- so security professionals can learn how to combat threats and discover weaknesses and gaps in the environment and their skills in real time.
Testing also is essential for the shared responsibility model where in-house and provider security teams together assume the role of protecting assets in the cloud. Cloud penetration testing is a useful way to test the shared responsibility model and the security of a cloud environment overall.
Some organizations in highly regulated or high-risk industries might want to employ forensics techniques in their cloud environment to support investigations. Automation should be top of mind for this goal so that organizations can not only inspect and analyze information in the cloud for court proceedings (e.g., network packets, workload memory, workload disk volumes, and logs and other event data) but also mitigate any issues based on what is discovered.
One of the most significant types of attacks security teams must ward off through better cloud security management is cloud account hijacking, in which hackers compromise a subscription or other type of cloud account to engage in malicious activities. The following three key strategies can protect an organization from such an incident:
- use MFA;
- segregate duties; and
- trust but verify account access.
Cloud security tools
Many enterprise tools try to extend security to the cloud, but cloud-native tools can provide more seamless and comprehensive protection for cloud assets.
Cloud access security brokers
Cloud access security brokers (CASBs) serve as a security policy enforcement gateway to ensure users' actions are authorized and compliant with company policies. They have four main characteristics: visibility, compliance, threat protection and data security.
CASBs also have business-critical use cases, such as cloud application usage tracking and user behavior analytics. Purchasing a CASB requires careful consideration, and to help, Kevin Tolly, founder of The Tolly Group, shared some CASB buying tips and vendor comparisons.
For multi-cloud deployments read these tips for evaluating CASB tools.
Cloud security posture management tools
Cloud security posture management tools (CSPM) enable companies to perform continuous compliance monitoring, prevent configuration drift, set limits on permittable configurations or behavior in the cloud, and support SOC investigations.
Organizations can use CSPM tools to uniformly apply cloud security best practices to increasingly complex systems -- such as hybrid, multi-cloud and container environments.
Zscaler, Orca Security and Trend Micro are some of the vendors offering CSPM tools.
Cloud workload protection platforms
A cloud workload protection platform (CWPP) unifies management across multiple cloud providers, packages controls together with workloads and ensures controls are designed to be cloud-native.
CWPPs have the following benefits:
- reduced complexity;
- consistency; and
Microsoft, Amazon, Palo Alto Networks and Capsule8 are among the vendors with CWPP offerings.