Public clouds have fundamentally changed the way organizations build, operate, and manage applications. The uniqueness of cloud requires security teams to rethink classic security concepts and adopt approaches that better address dynamic and distributed cloud infrastructure.
Unfortunately, many security teams have yet to rethink how existing security practices within their organization are ill-fitted for the cloud world. Practices such as asset management, incident response, and internal training/education, which were originally built for on-premises environments, are now outdated and unable to support proper security posture for cloud infrastructure.
We interviewed several cloud security experts on the changing nature of security in the public cloud and compiled a list of the top 10 best practices for cloud security posture management.
Automate compliance and align with cloud standards
Pre-established security and compliance auditing procedures designed for on-premises systems won’t work for your applications in the cloud. Assessing your security and compliance in the cloud requires your approach to take into consideration the dynamic nature of cloud objects and benchmark against rules specific to the cloud provider and service type. An added challenge? Making sure you’re being mindful of the lifetime of your application resources—some of these can be extremely short-lived, meaning scheduled periodic security scans may be too infrequent to account for these.
- Continuously monitor your cloud’s security posture against established best practices with the help of cloud-specific benchmarks from the Center for Internet Security (CIS).
- Leverage a cloud security posture management solution to automate benchmarking against multiple compliance frameworks at once.
- Ensure that your security tools and procedures account for the dynamic nature of your cloud environment and provide real-time visibility necessary to audit ephemeral cloud infrastructure.
Prioritize security violations by quantifying risk
The amount of violation alerts security owners receive everyday can be overwhelming. How do you prioritize violations to ensure the most critical are addressed first? Inability to prevent false positives and isolate critical violations can lead to inaction and serious blind spots.
- Begin with violations that impact your critical cloud assets first, especially those that could expose data publicly or lead to unauthorized access.
- Work with a cloud security expert to build a custom plan to selectively enable security checks and policies that are most critical for your environment. You can gradually roll out new controls as you begin to feel confident about existing security hecks and operational process in place.
Enforce security checks in Dev pipelines
The lifespan of many objects in the cloud can be extremely short-lived. How do you enforce security in the cloud when your applications are constantly spinning up and down new resources every other minute? Even if your applications are not dynamic, figuring out security gaps late in production can be extremely expensive.
- Define misconfiguration checks as a pipeline to find violations immediately after your deployment pipelines are executed.
- Embed remediation steps into the re-deployment pipeline to correct configurations.
- Continuously gather feedback from the pipeline to identify trends in violations, if any, to update your policies.