In a recent webcast, our panel of cybersecurity experts discussed all things cloud security, including cloud security best practices, how to avoid common security pitfalls in cloud environments, and how to work with DevOps to get the most out of your organization’s cloud investment.
In this blog post, we’ll share some of our experts’ insights into protecting your cloud environment:
Cloud security requires a new mindset
Our security panelists, Rapid7’s Aaron Sawitsky, Bulut Ersavas, Josh Frantz, and Tyler Schmidtke, along with Scott Ward of AWS, said that moving to the cloud requires security teams to develop some new ways of thinking. For security professionals accustomed to seeing and touching physical hardware in a data center, working with cloud environments can be a big adjustment. To take full advantage of the benefits of the cloud, you will have to adapt your organization and your team’s skill sets to fit your new reality.
There are some special considerations when it comes to the cloud. One difference is that in a cloud environment, responsibility for security is shared between the cloud customer and the cloud provider (the “shared responsibility model”). Although the details change depending on the provider, the provider is generally responsible for securing the underlying infrastructure of the cloud, while the customer is responsible for securing everything they put into that environment: their data, identities and access policies, network and resource configuration, and the software running on their instances.
This arrangement can be highly beneficial, as it gives your organization the opportunity to let security team members who would normally be tasked with infrastructure security focus on new projects. However, it’s also important that everyone at your organization is familiar with exactly what the cloud provider is responsible for keeping secure and what responsibilities still rest on your shoulders. More than a few incidents have occurred because someone incorrectly assumed that the cloud provider was taking care of all security considerations.
Another unique aspect of the cloud is the ease with which new assets can be deployed. In a cloud environment, a developer can deploy new infrastructure with the click of a mouse. As a result, the security team has far less oversight of cloud assets and less input into how they are configured. This can lead to misconfigurations, which are a leading cause of security incidents in cloud environments. At the same time, ease of deployment is a key benefit of the cloud, so security teams need to find a way to minimize the risk of misconfigurations, while still supporting easy deployments.
When moving to the cloud, you also have to think about the lifespan of assets. The cloud lets you spin up short-lived virtual instances, which can present challenges if your security team isn’t used to monitoring those assets in real-time. Keep in mind that if you only scan for vulnerabilities every week or every month, you might completely miss an instance that your DevOps team spins up for just a few days. Therefore, if you want to maintain an up-to-date picture of your cloud environment, you will need to use new tools and techniques.
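To make the scan-cadence point concrete, here is an added example (not code from the original post or from Rapid7). It replays a few constructed CloudTrail-style EC2 events (simplified: real events nest instance IDs under `responseElements`/`requestParameters`), reconstructs each instance’s lifetime, and shows which instances a weekly scan schedule never sees, compared with an event-driven approach that assesses every instance at launch time. The instance IDs, timestamps and schedule are all made up for the example.

```python
"""Why periodic scans miss short-lived cloud assets (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

# Constructed, simplified CloudTrail-style events. Not real account data.
EVENTS = [
    {"eventTime": "2019-06-03T09:00:00Z", "eventName": "RunInstances",
     "instanceIds": ["i-0aaa0000long"]},            # long-lived web server
    {"eventTime": "2019-06-04T10:00:00Z", "eventName": "RunInstances",
     "instanceIds": ["i-0bbb0000short"]},           # build box that lives ~2.5 days
    {"eventTime": "2019-06-06T18:00:00Z", "eventName": "TerminateInstances",
     "instanceIds": ["i-0bbb0000short"]},
    {"eventTime": "2019-06-09T23:00:00Z", "eventName": "RunInstances",
     "instanceIds": ["i-0ccc0000lucky"]},           # 7-hour job that happens to straddle a scan
    {"eventTime": "2019-06-10T06:00:00Z", "eventName": "TerminateInstances",
     "instanceIds": ["i-0ccc0000lucky"]},
]


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def instance_lifetimes(events):
    """Map instance ID -> (launched, terminated or None) from the event stream."""
    lifetimes = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        t = parse_time(ev["eventTime"])
        for iid in ev["instanceIds"]:
            if ev["eventName"] == "RunInstances":
                lifetimes[iid] = (t, None)
            elif ev["eventName"] == "TerminateInstances" and iid in lifetimes:
                lifetimes[iid] = (lifetimes[iid][0], t)
    return lifetimes


def scan_schedule(first, last, every=timedelta(days=7)):
    """Scan times for a fixed-interval scanner (weekly by default)."""
    times, t = [], first
    while t <= last:
        times.append(t)
        t += every
    return times


def alive_at(lifetime, t):
    launched, terminated = lifetime
    return launched <= t and (terminated is None or t < terminated)


def never_scanned(lifetimes, scans):
    """Instances that were not running at any scheduled scan time."""
    return sorted(iid for iid, lt in lifetimes.items()
                  if not any(alive_at(lt, s) for s in scans))


def scanned_on_launch(events):
    """Event-driven alternative: assess every instance when RunInstances is seen."""
    return sorted({iid for ev in events if ev["eventName"] == "RunInstances"
                   for iid in ev["instanceIds"]})


if __name__ == "__main__":
    lifetimes = instance_lifetimes(EVENTS)
    scans = scan_schedule(parse_time("2019-06-03T00:00:00Z"),
                          parse_time("2019-06-24T00:00:00Z"))
    print("weekly scan never saw:", never_scanned(lifetimes, scans))
    print("event-driven assessed:", scanned_on_launch(EVENTS))
```

The short-lived build box is invisible to every Monday scan, while the seven-hour job is only caught by luck because it happened to be running at midnight; the event-driven path sees all three. The practical takeaway is to key assessment off launch events (or a continuously updated inventory) rather than off the calendar.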
Cloud security strategies and pitfalls
So, how do security teams evolve to rise to these cloud challenges? First, our experts discussed threats to cloud environments and the areas where security teams often go wrong. One of the largest factors in many cloud data breaches is misconfiguration. Your cloud provider offers a wide range of security controls for your environment; take the time to assess them and identify the ones that provide the biggest security benefit. Guidelines such as the CIS Benchmarks for AWS, Azure, and GCP are a great help when learning how to configure the controls in your platform(s) according to best practices.
All the experts on our panel agreed that defining baselines is crucial. Identify the measures that must always be in place to minimize risk. Once you have defined a baseline, our experts recommended implementing guardrails that ensure all new cloud assets conform to it. A provider tool such as AWS Config can continuously evaluate resources against rules and flag (or automatically remediate) anything that drifts from the baseline. You can also give developers templates for properly configured infrastructure using infrastructure-as-code tools like Terraform or AWS CloudFormation, so that the secure configuration is the default rather than something each developer has to remember. You can go one step further and automate the configuration of the instances themselves with tools like Chef or Puppet. Codifying the baseline this way lets you scale your cloud environment securely and minimizes the chance of human error.
Visibility is essential to protecting your cloud environment. People in your organization may spin up new instances in different regions, create new networks, launch new services, or even create brand-new AWS accounts. Whatever tools you’re using for visibility and vulnerability assessment need to have a broad-enough scope to take in this entire landscape. They should also have the flexibility to assess asset types beyond traditional VMs. Perhaps most importantly, the tools you’re using for visibility must also have the ability to detect assets that are misconfigured. Even if you define and enforce baseline configurations, misconfigurations can be introduced after deployment. Your security team needs the ability to know when this happens so that they can fix the issue and educate the appropriate employees on what risks they unintentionally introduced with their configuration settings.
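The two preceding points, codifying a baseline as guardrails that templates must pass before deployment, and re-running the same rules later to detect misconfigurations introduced after deployment, can be demonstrated with a small policy checker. The following is an added example, not code from the original post or from Rapid7 or AWS. It encodes an illustrative subset of a CIS-style baseline (the specific rules, the allow-list of world-reachable ports, and the template are assumptions made for the example) and evaluates a constructed CloudFormation-style template containing one failing and one conforming resource of each type.

```python
"""Baseline guardrail check for CloudFormation-style resources (added example)."""
import json

ANY_SOURCE = {"0.0.0.0/0", "::/0"}          # "open to the world" in IPv4 and IPv6
PUBLIC_PORTS_OK = {80, 443}                 # assumption: only web ports may be world-reachable
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")


def check_security_group(name, props):
    """Flag ingress rules that expose anything but the allow-listed ports to the world."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        src = rule.get("CidrIp") or rule.get("CidrIpv6")
        if src not in ANY_SOURCE:
            continue                        # this baseline only restricts world-open rules
        if rule.get("IpProtocol") == "-1":  # -1 means all protocols and all ports
            findings.append(f"{name}: all traffic allowed from {src}")
            continue
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if set(range(lo, hi + 1)) - PUBLIC_PORTS_OK:
            findings.append(f"{name}: ports {lo}-{hi} open to {src} (not in allow-list)")
    return findings


def check_s3_bucket(name, props):
    """Require a full public access block, no public canned ACL, and default encryption."""
    findings = []
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PAB_KEYS):
        findings.append(f"{name}: public access block not fully enabled")
    if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
        findings.append(f"{name}: public canned ACL {props['AccessControl']}")
    if "BucketEncryption" not in props:
        findings.append(f"{name}: no default encryption configured")
    return findings


CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_s3_bucket,
}


def check_template(template):
    """Return baseline findings for every resource type that has a rule."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


def passes_baseline(template):
    return not check_template(template)


# Constructed template: one failing and one conforming resource of each type.
TEMPLATE = json.loads("""
{
  "Resources": {
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "ssh from anywhere",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "https from anywhere, ssh from the corporate range only",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "BlockPublicPolicy": true,
                                         "IgnorePublicAcls": true, "RestrictPublicBuckets": true},
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}}
  }
}
""")

if __name__ == "__main__":
    for finding in check_template(TEMPLATE):
        print("FAIL", finding)
    print("baseline passed:", passes_baseline(TEMPLATE))
```

Run as a pre-deployment step in the pipeline, a non-empty result fails the build; run against a periodic export of the deployed resources’ properties, the same functions report post-deployment drift. Keeping the rules in one place is what makes both uses agree.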
DevOps and security culture
In cloud environments, security teams run the risk of stifling innovation if they try to replicate the processes used for on-premises networks and directly control the deployment of new infrastructure or software. By delaying deployments to conduct manual security assessments, your security team can defeat some of the core purposes of using cloud resources: speed, efficiency, and agility. The panelists suggested that moving to a cloud environment provides a great opportunity for security professionals to instead integrate themselves into the DevOps process, transforming it into DevSecOps. This means that security becomes a part of the testing process that occurs before any deployment. Rather than security being a standalone assessment that occurs outside the regular workflow that developers use, security issues are caught during pre-deployment testing and addressed like any other bug.
As our experts pointed out, everyone in the organization wants to do what’s best for the business. It’s important for each team to empathize with each other’s viewpoint and learn together. Security shouldn’t be trying to punish development for unsafe practices. Instead, try sitting down with developers to go through an audit log together. Paint them a picture of what could happen to the entire enterprise if best practices aren’t followed.
Cloud migration and hybrid environments
Most organizations don’t move all of their assets from on-premises to the cloud at once; in fact, our experts recommended a crawl, walk, run approach to cloud migrations. That means you will end up running both types of environments simultaneously, whether temporarily or permanently.
Some businesses have completely separate security teams for on-premises and cloud—a solution that our experts don’t recommend. There are many best practices that are similar for both environments, and the teams will need to communicate often regarding emerging threats that need to be addressed across both environments.
When migrating, it’s important to make sure you have a holistic view and don’t lose sight of securing legacy systems as you move to new platforms. And for monitoring and threat assessment, consider solutions that are capable of bridging the divide. Learn more about how Rapid7 InsightVM and InsightIDR allow you to manage risk for both on-premises and cloud environments, all in one place.