Security in any cloud environment is a shared responsibility between the organization and the cloud provider. The distribution of responsibilities between the two depends on the cloud model implemented (i.e. IaaS, PaaS, SaaS), the services in use, and applicable security compliance requirements. In general, the cloud provider is responsible for securing the cloud itself, while the customer is responsible for securing their data within the cloud.
As you move your workloads to the cloud, the security risks will increase in parallel since resources will be more exposed to the internet. To protect your organization from the damaging effects of cybercrimes, security measures must be in place by both the customer and the cloud provider. In this article, let’s focus on what you can do as a customer.
Managing security in the cloud has shifted from securing the network perimeter of an organization to treating identities as the primary security perimeter. This means creating security controls around identities wherein only the right users are allowed to access the right resources at the right times for the right reasons. This concept is the main principle behind Identity and Access Management (IAM).
Establish a Centralized Identity and Access Management
Securing cloud environments should start with centralizing all IAM roles, policies, permissions, and procedures. With centralized IAM, administrators would have more control over users and the resources they need to access and use. Think of it as a single workspace where administrators can grant and restrict access to users, create security groups, and apply security controls over who should have access to what.
Implementing IAM in the cloud works differently from running a traditional directory service on-prem. A traditional directory service deals with a collection of objects, where each object can be clustered into organizational units with a fixed number of attributes. Most IAM solutions in the cloud, on the other hand, are dynamic in the sense that user attributes scale with the services implemented in your environment.
As your organization moves forward toward cloud transformation, there comes the challenge of managing security among different cloud services and vendors. Having a centralized enterprise identity provider reduces management complexity and thus improves the security posture of an organization.
Implement Role-based Access Controls for Smaller Organizations
Role-based access controls (RBAC) are permissions and restrictions used to limit the level of access of a user account based on what they need to work on. Simply put, RBAC grants and restricts user access to resources based on their role within an organization.
Roles can be user-specific or can refer to a certain group of users sharing the same responsibilities. Group roles can be according to departments, job roles, and sometimes, even locations. Roles are often integrated with Active Directory (AD) for added security—to make sure that all users are identified by the organization. The best practice in configuring roles is to give the least privilege needed by the account to avoid unnecessary access.
Implement Attribute-based Access Controls for Larger Organizations
For years, IAM has been built around RBAC systems. RBAC has become the de facto standard for regulating access controls in information systems globally. While RBAC is still in use, Attribute-based Access Controls (ABAC) have been discussed as a better fit for cloud environments.
Implementing RBAC is not scalable. Given the scalability benefits of the cloud, implementing RBAC is seen as a challenge for larger organizations. As the organization grows, there will be more roles to fill and more applications to use, making it more difficult for administrators to manage. Compared to RBAC, ABAC is more flexible due to its granularity: access controls are based on attributes, not roles.
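The contrast can be made concrete with a small deny-by-default ABAC evaluator. This is an added example, not code from the article; the attribute names (department, clearance, owner_dept, classification, mfa), the two policies and the sample users are hypothetical.

```python
from dataclasses import dataclass, field
from itertools import product

CLEARANCE = {"public": 0, "internal": 1, "confidential": 2}

@dataclass
class Request:
    subject: dict    # user attributes
    resource: dict   # resource attributes
    action: str
    context: dict = field(default_factory=dict)  # environment attributes

def _same_dept_read(r):
    # One rule covers every department and every classification level.
    return (r.subject["department"] == r.resource["owner_dept"]
            and CLEARANCE[r.subject["clearance"]]
            >= CLEARANCE[r.resource["classification"]])

def _owner_write(r):
    return r.subject["id"] == r.resource["owner_id"] and r.context.get("mfa") is True

# (name, actions, predicate): hypothetical policies for this example.
POLICIES = [
    ("same-dept-read", {"read"}, _same_dept_read),
    ("owner-write-with-mfa", {"write"}, _owner_write),
]

def decide(request):
    """Return (allowed, policy_name); anything not explicitly allowed is denied."""
    for name, actions, predicate in POLICIES:
        if request.action not in actions:
            continue
        try:
            if predicate(request):
                return True, name
        except KeyError:
            continue  # a missing or unknown attribute can never satisfy a rule
    return False, None

def rbac_roles_needed(departments, clearances):
    """Roles a pure RBAC model needs to express the single same-dept-read rule."""
    return [f"{d}-{c}-reader" for d, c in product(departments, clearances)]

# Constructed sample data
alice = {"id": "u1", "department": "finance", "clearance": "confidential"}
bob = {"id": "u2", "department": "engineering", "clearance": "internal"}
ledger = {"owner_id": "u1", "owner_dept": "finance", "classification": "internal"}
```

Adding a department changes nothing in `POLICIES`, while the RBAC role list grows by one role per clearance level.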
Utilize Secure Access Keys
If there is an external partner who needs to have access to resources within an organization, secure access keys can be given instead of creating an AD account for that user. These secure access keys are used to give external users temporarily restricted access to resources where they can perform certain tasks. These access keys are also mainly used by applications where APIs integrate between your applications and cloud applications.
API keys and associated secrets need to be managed to ensure access levels are properly assigned, audit logs reviewed on a periodic basis, and keys rotated based on security policy. Most cloud platforms provide Security Center, dashboards, and reports to track and control access keys usage. Make sure your organization designates this responsibility to the appropriate cloud and/or security engineers.
Deploy and Configure Firewall and Security Groups
Most of the resources in the cloud are exposed to the internet by default when newly created. Attackers are everywhere on the internet and they actively try to search for vulnerable resources to gain sensitive information. To ensure that only trusted sources can access these resources, security options like firewalls or security groups can be deployed and configured to only allow specific IP addresses (IPs) and ports.
For IPs, the best practice is to deploy rules that deny all IPs and allow only trusted public IPs. For ports, the best practice is to use more secure protocols (e.g. HTTPS, SSH) instead of less secure ones (e.g. HTTP, Telnet) when allowing traffic to and from the internet, so that your traffic stays encrypted and cannot be captured by attackers. These rules can be applied at the subscription, resource group, or resource level.
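A rule set can be checked against these two practices automatically. The following is an added example, not code from the article: the rule schema (name, priority, action, source, port), the sample rules and the choice to treat unmatched traffic as denied are assumptions, and the addresses come from documentation ranges.

```python
import ipaddress

# Less secure protocols named in the text, keyed by their well-known port.
INSECURE_PORTS = {23: "Telnet", 80: "HTTP"}

# Constructed inbound rules in a provider-neutral shape (hypothetical schema).
# A lower priority number is evaluated first.
RULES = [
    {"name": "web-https", "priority": 100, "action": "allow",
     "source": "203.0.113.0/24", "port": 443},
    {"name": "legacy-telnet", "priority": 110, "action": "allow",
     "source": "203.0.113.10/32", "port": 23},
    {"name": "ssh-anywhere", "priority": 120, "action": "allow",
     "source": "0.0.0.0/0", "port": 22},
    {"name": "deny-all", "priority": 4096, "action": "deny",
     "source": "0.0.0.0/0", "port": "*"},
]

def _is_any(source):
    # Prefix length 0 means "any address" for both IPv4 and IPv6.
    return ipaddress.ip_network(source, strict=False).prefixlen == 0

def audit(rules):
    """Return (rule_name, finding) pairs for rules that break the guidance."""
    findings = []
    ordered = sorted(rules, key=lambda r: r["priority"])
    for rule in ordered:
        if rule["action"] != "allow":
            continue
        if _is_any(rule["source"]):
            findings.append((rule["name"], "open to any source"))
        if rule["port"] == "*":
            findings.append((rule["name"], "all ports allowed"))
        elif rule["port"] in INSECURE_PORTS:
            findings.append(
                (rule["name"], f"cleartext protocol {INSECURE_PORTS[rule['port']]}"))
    last = ordered[-1] if ordered else None
    if not (last and last["action"] == "deny"
            and _is_any(last["source"]) and last["port"] == "*"):
        findings.append(("<ruleset>", "no catch-all deny as the last rule"))
    return findings

def evaluate(rules, src_ip, port):
    """First matching rule wins; unmatched traffic is denied (assumption)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if ip in ipaddress.ip_network(rule["source"]) and rule["port"] in ("*", port):
            return rule["action"]
    return "deny"
```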
Network Micro-segmentation
While firewalls and security groups control access at the network level such as subnets, ports, protocols, sources, and targets, network micro-segmentation can control access at a more granular level using a more complex logical set of rules. One such implementation at the software access control level is the use of Application Security Group, which can specify which sets of assets such as VMs (e.g. application servers) can access which other sets of VMs (e.g. databases). Logical groupings can control access regardless of what networks each asset may belong to.
Furthermore, traffic patterns can also be studied and controlled based on timelines. For instance, access can be allowed from source to target groups only during a certain time or isolated if an intrusion is detected. Often many types and roles of applications are deployed in a shared network, but they may require special controls to logically separate them for security purposes.
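The group-based and time-based controls described above can be sketched as a small policy evaluator. This is an added example, not code from the article or from any cloud provider: the asset inventory, group names, rule schema and quarantine set are constructed for illustration.

```python
from datetime import time

# Constructed inventory: group membership is independent of the subnet.
ASSETS = {
    "app-01":   {"subnet": "10.0.1.0/24", "groups": {"app-servers"}},
    "app-02":   {"subnet": "10.0.7.0/24", "groups": {"app-servers"}},
    "db-01":    {"subnet": "10.0.7.0/24", "groups": {"databases"}},
    "batch-01": {"subnet": "10.0.1.0/24", "groups": {"batch-jobs"}},
}

# Hypothetical rules: source group -> destination group on one port,
# optionally limited to a daily time window (start inclusive, end exclusive).
RULES = [
    {"src": "app-servers", "dst": "databases", "port": 5432, "window": None},
    {"src": "batch-jobs", "dst": "databases", "port": 5432,
     "window": (time(1, 0), time(3, 0))},
]

def in_window(window, now):
    """True if `now` falls inside the window; None means always open."""
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # window wraps past midnight

def allowed(src, dst, port, now, quarantined=frozenset()):
    """Deny by default; an asset isolated after a detection talks to no one."""
    if src in quarantined or dst in quarantined:
        return False
    src_groups = ASSETS[src]["groups"]
    dst_groups = ASSETS[dst]["groups"]
    return any(
        rule["src"] in src_groups
        and rule["dst"] in dst_groups
        and rule["port"] == port
        and in_window(rule["window"], now)
        for rule in RULES
    )
```

Here `app-01` reaches `db-01` across subnets because of its group, while `batch-01` and `app-01` share a subnet and still cannot talk to each other.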
Deploy and Configure Load Balancers and Application Gateways
A resource can be accessed from the internet through the public IP that is assigned to it. However, it is not recommended to expose the actual IP of the cloud resource to the internet because it can be breached easily by attackers. The best practice in the cloud is to deploy resources behind a load balancer or application gateway that receives inbound traffic from the internet. This way, only the public IP of the load balancer is accessible from the internet, and the load balancer is responsible for forwarding traffic to the internal resources depending on the type of traffic or the destination FQDN or IP it receives.
Ensure Routine Maintenance of Resources
Security vulnerabilities are commonly found when the software version or operating system running in your resources is outdated. Service providers regularly release new updates for their products which include fixes to the vulnerabilities affecting the older versions. Once the new versions become available to the products, it is the responsibility of the customer to keep resources up to date with the latest security patch to minimize security risks and prevent jeopardizing the security posture of the organization. Monitoring of software versions, vulnerabilities, and what assets they impact, along with automation of patching can help respond to urgent remediation requirements as well as proactive patching.
Resource Tagging and Reporting
Cloud resources all have the ability to be tagged when they are created or updated. These attributes are important to classify purposefully the usage of each cloud resource so that they can be accounted for when security policies are applied. Untagged or improperly tagged resources can indicate rogue assets which should be investigated.
Bring Your Own Key (BYOK) Encryption
In a zero-trust environment, your business may need to protect its data in the cloud with its own encryption keys, so that if a cloud vendor is compromised, you still have full control of the data because the encryption key does not belong to the cloud vendor.
Ransomware Protection
This is one of the fastest growing threats to IT organizations, particularly in cloud environments. Due to geo-political risks, there has been an exponential rise in cyber threats in the form of ransomware attacks. A ransomware attack may, for example, encrypt your system storage, either in the filesystem or in the database, rendering it unreadable. The cybercriminal often demands payment in return for the key to decrypt the data. Ransomware protection has to be designed per business-critical application, keeping system and database backups in a secure vault so that a safe recovery point exists in case of a ransomware event.
Establish a Security Operations Team
Once your resources have been deployed in the cloud, daily operations need to be in place to ensure the environment is running without misses. Moreover, attackers are actively looking for vulnerable resources on the internet. This emphasizes the importance of having an operations team that regularly monitors the environment for any cyber attacks.
Organizations must equip the engineers with the needed skills to keep resources secure. Deploying a reliable tool for detecting and remediating cyber attacks should also be part of your strategy.
Key Takeaway
Securing your cloud environment works hand in hand with the security measures implemented by your cloud providers. But generally, you are responsible for keeping your data intact and secure from breaches and malicious attacks. Establishing a centralized IAM, implementing RBAC or ABAC security controls, and deploying and configuring firewalls, security groups, load balancers, and application gateways are some of the things you can start working on to secure your resources in the cloud. You also need to ensure your resources are up to date, and a dedicated team of security experts should exist in your organization to strengthen your security posture.