Now that we have looked at critical cloud security threats, we examine key defensive measures to protect yourself from them.These recommendations are by no means exhaustive but represent top points of focus.
Secure your client devices.
You want to implement firewalls to protect the perimeter of your network and to deploy advanced endpoint security, as indicated by Dr. Rao Papolu (PhD).
Understand cloud security models.
You can use different tools or models in order to conceptualize and systematize security. Common model types, per the Cloud Security Alliance (CSA), are design patterns (reusable ways to resolve certain issues); reference architectures (templates through which to deploy protections); control models (information on and organization of certain security controls); and conceptual frameworks (description and images of cloud security principles).
Models that are endorsed by the CSA include:
- ISO/IEC 27017:2015
- NIST Special Publication 500-299
- CSA Cloud Controls Matrix
- CSA Enterprise Architecture
Focus on three-pronged access management.
Key capabilities of access management are the creation and enforcement of access policies; assignment of access rights to users; and user identification and authentication:
- Set up access policies – Cloud service providers provide content delivery services, virtual disks, blob storage, and other storage services. Access policies should be service-specific – unique to that service, said CERT security solutions engineer Don Faatz. This specificity of access policies underscores the importance of choosing a flexible provider who can both help you get the right information and design your systems to align with security best practices.
- Assign access rights – You want rights and privileges to be assigned appropriately. Rights must fit roles; and as a whole, roles should make certain that no single individual is able to negatively impact the complete virtual infrastructure. Determining rights is about figuring out the roles applicable to consumer and shared responsibilities. Hemming in what a system manager or developer can do is achievable through role-based access control. Through this method, you limit system managers to designated resources and make it so that developers can only access the projects assigned to them. “Limiting access can limit the impact of a credential compromise or a malicious insider,” noted Faatz.
- Identify and authenticate – A nefarious party could potentially steal the credentials of someone with special privileges and use them to control and change cloud setups. By introducing an additional factor to get into the account, you lower the chance of intrusion by forcing users to take additional steps. Hence, multifactor authentication (MFA) is critical.
Use data classification methods.
You want to know about the data as you consider what you need in security protections. Data security is becoming more and more intricate as there is an increasing amount of unstructured data being handled by companies. “Treating [all data] the same is a recipe for security failures inside or outside a cloud environment,” noted Samuel Greengard, author of The Internet of Things (MIT Press, 2015).
Value of data protection rises in the context of compliance needs such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley (SOX). Plus, risk tolerance should generally be considered when assessing cloud, with additional security added based on your assumed value of the data.
Use a straightforward cloud security process model.
Depending on the specific scenario of a single cloud project, you will have different design models, processes, controls, and setup specifications. However, the process can typically flow as possible, noted the CSA:
- Assess and list the current controls, along with compliance and security needs.
- Determine your implementation model, cloud service provider, and plan.
- Decide on specifics of your architecture.
- Review present cybersecurity controls.
- Locate any gaps in controls.
- Resolve controls to close the gaps, and set them up.
- Monitor and adjust as time passes.
It is important to understand who the provider is before you begin thinking of what you need in controls. Then you are able to seamlessly look at requirements, construct your architecture, and then see what the gaps are that you must address.
It is key to look at each project individually given the disparity between cloud providers and the disparity between the difference services they provide.
Review the safeguards that are implemented.
Encryption is key to your security. It is so important that some organizations encrypt prior to uploading, even when using a setup that encrypts data. You want to know about at-rest encryption as well as in-motion. You also want to have strong protections in place to defend yourself against security flaws within software and other threats. Specifically, be certain you have distributed denial of service (DDoS) protection, advised Greengard.
Attack simulation and patch simulation are the two key elements of vulnerability management, advised Tim Woods in Hacker Noon:
- Simulating attacks – By designing and launching what an attack would look like and achieve, you bring together your security policies and controls with vulnerabilities. Seeing what happens with your current setup when faced with a vulnerability allows you to understand how malicious access could occur so you can prevent compromise.
- Simulating patches – Simulating patching is about filtering and considering rather than simply applying patch after patch. “Patch simulation done effectively makes patching focused, targeted and strategic,” said Woods. Patch simulation is about checking various ways to solve problems by trying patches and analyzing if they optimize risk mitigation by broadly minimizing vulnerabilities.
Manage control changes.
Assess the controls that you have implemented. Many people wrongly think that they can manage cloud in the same manner as an onsite server if they have the cloud provider host their traditional firewall, said Woods – which does not address cloud-specific architecture.
Achieve continuous compliance.
Compliance is not simply about making sure you are meeting regulations. Set aside the anxieties and concerns of an audit. Focus on the very real security objectives and motivations of your organization.
If you use automation well and orchestrate your systems to work integrally, you can achieve continuous compliance. To meet this end, focus on centralizing security methods and technologies. You want your controls to be in a single location so that you can coherently make any changes and then use real-time benchmarking to assess them. You need to know immediately if you are compliant so you can act quickly if you are not.
Consider how cloud providers address security and privacy.
Look at your service agreements to see how your cloud provider presents its security foundation and responsibilities. Note that cloud providers will sometimes change service agreements, tweaking them in ways that can be detrimental to security or privacy, noted Greengard.
Anything that you do not understand related to procedures, policies, and security components is ideally discussed upfront. Of course, a strong provider should be able to explain its setup, commitments, and what it is specifically doing to protect you at any point.
Cloud security – preferable and about trust
Your cloud providers should adhere to the same or better security best practices than you have implemented at your own organization. In fact, the security provided by cloud providers is better than what is available at most on-premise data centers, as indicated by a 2017 poll of 300 IT professionals.
While the security of cloud systems may be preferable to those of in-house systems, you still need to follow best practices (i.e., the provider cannot handle everything – such as how you store passwords or configure their environments). Plus, you must find providers you can trust. At Total Server Solutions, we’re trusted by educational institutions, government agencies, financial institutions, and telecom firms to keep their data on-line and available. Your secure cloud starts here.