Cloud security is a pressing challenge for many organizations. While there are clear business incentives for moving applications and workloads into the cloud, there are also serious risks that companies must manage when doing so. For this reason, many companies are beginning to place a higher priority on ensuring proper cloud security when evaluating cloud vendors, using or developing cloud software or infrastructure, and implementing the processes and policies that keep critical business data safe.
In this blog post, we will highlight seven tips for shoring up your cloud security in the new year:
1. Treat cloud infrastructure differently
Cloud infrastructure isn’t the same as an on-premises data center. Differences in the cloud include:
- Far more people can deploy cloud infrastructure and do so with minimal oversight
- Comprehensive guardrails are needed to ensure assets aren’t misconfigured
- The environment is constantly changing as assets get spun up and deprecated
A big advantage of cloud infrastructure is it allows your teams to work more efficiently. Security teams need to embrace new ways of working that allow them to keep up with their engineering teams. Bringing on-premises processes and technology to cloud infrastructure won’t just slow down your developers—they’ll also prevent you from effectively managing risk in the dynamic world of cloud infrastructure.
2. Start with a security baseline for your cloud environments
Any organization using cloud infrastructure should take the time to create a security baseline for their cloud environment that specifies what the cloud network should look like from a security perspective. The objective is to make sure everyone (security, IT, engineering, DevOps, etc.) is aligned on what needs to be done to keep the network secure on an ongoing basis. The baseline should specify the architecture of the cloud environment, how each type of asset should be configured, and who should have read or write access to each part of the environment.
Consider using guides like CIS Benchmarks or the AWS Well-Architected Framework to help define your baseline. Once your baseline has been created, enforce it by monitoring for assets that are out of compliance, or even consider failing builds during deployment if they don’t adhere to the baseline.
3. Learn your cloud provider’s shared responsibility model
All the large public cloud providers have some sort of shared responsibility model (here are the models for AWS, Azure, and GCP). These models explain what parts of security are the responsibility of the cloud provider and what parts of security are your responsibility. Far too many organizations incorrectly assume that their cloud provider is taking care of things like updating patches on virtual machines. Because of these misunderstandings, basic security best practices are not followed, leaving the organization unnecessarily exposed. Take the time to read through your provider’s shared responsibility model and make sure you clearly understand what you’re on the hook for.
4. Carefully vet cloud security vendors
Organizations, particularly those in regulated industries, must ensure proper due diligence when vetting cloud vendors. Make sure that any cloud vendors you consider have the required security certifications at a minimum, documented areas of security coverage and users’ security obligations, and are willing to answer questions about their cloud security practices, including whether they have experienced data breaches and, if so, how they have responded to them.
5. Integrate security into the SDLC
Adopting a secure approach to DevOps will help your business cost-effectively highlight and resolve potential web application vulnerabilities before they have the potential to result in a breach or security incident. The most impactful thing you can do is add some form of security testing to your QA process, so that you can detect and fix potential exploits before deploying the code. Ensuring better collaboration across your security and development teams will aid this process, making it easier for your organization to quickly respond to security concerns.
6. Conduct cloud security awareness training
Insider threats involving even well-intentioned employees are a common cause of cloud security incidents. Just as you would educate users on how to spot phishing campaigns or instances of fraud, it is equally important that your IT staff, developers, and operations team have role-specific training on cloud security best practices.
7. Remember that cloud security is about more than technology
Although advanced security tools can significantly boost your security capabilities, they cannot serve as a substitute for strong security management practices that encompass people, policies, and processes. Make sure your cloud security program addresses those critical elements as well.
Organizations that proactively address these challenges by building their internal capacity to manage the risks associated with the cloud will be best positioned to take advantage of its many compelling business benefits.