Cloud security management is a joint venture between Cloud Service Providers and their customers. Providers are generally very good at meeting their side of the arrangement; customers sometimes lack the knowledge, skills, or resources to uphold theirs.
When you operate in the cloud, the responsibility for the security of your assets and data is shared between you and the Cloud Service Provider. The division of responsibilities depends on the services you use, with the Cloud Service Provider assuming more responsibilities, the higher the level of abstraction.
AWS describes the division of responsibilities as security “of” the cloud versus security “in” the cloud, and Microsoft publishes a chart that explains how responsibility for cloud security management is divided for each service model. Google Cloud Platform has a similar “shared responsibility model”.
How CSPs Meet their Responsibilities for Cloud Security Management
Cloud Service Providers (CSPs) invest a great deal into meeting their responsibilities for cloud security management. Each CSP owns and controls access to their data centers, and has state-of-the-art technology in place to regularly perform threat and vulnerability reviews.
Consequently, security “of” the cloud is well covered: the hardware maintained in CSPs’ data centers, the software used to run the cloud, and the underlying network. CSPs also offer encryption at rest for customer data, but in many services turning it on, and managing the keys, remains the customer’s responsibility rather than something that happens by default.
Where the “Shared” in Shared Responsibility Occurs
The “shared” responsibilities for cloud security management are shared in name only: each responsibility is divided between the two parties rather than held jointly. Where the diagonal lines appear in Microsoft’s chart, they mean the CSP has security responsibilities for certain areas of a service while the customer has security responsibilities for other areas of the same service. For example:
- CSPs have the responsibility for controlling access to their physical data centers, and customers have the responsibility to protect their accounts from unauthorized access.
- CSPs have the responsibility for patching and fixing flaws within their infrastructures, and customers have the responsibility for patching and fixing flaws in their own applications.
- CSPs have the responsibility for maintaining the configuration of infrastructure devices, and customers have the responsibility for configuring their guest OS, databases, and applications.
- CSPs have the responsibility of training their employees and enforcing cloud security best practices, and customers have the same responsibilities in their own organizations.
Where Customers Fail to Uphold Their Side of the Deal
Last year, Gartner predicted that “through 2022, at least 95% of cloud security failures will be the customer’s fault”. They attributed this to a lack of understanding about how cloud security management works and to the failure to automate processes in order to eliminate human error.
Around the same time, the Center for Internet Security published its security benchmarks for IT systems. The benchmarks vary according to the nature of the IT system, but they had three common core recommendations that are particularly relevant to cloud security management - identity and access management, monitoring and logging, and network controls.
Identity and Access Management
Cloud security starts with properly managing users and access controls. Without proper identity and access management, users can intentionally or unintentionally create security flaws with serious implications. Businesses should be using multi-factor authentication and automatic session timeouts to limit the damage from users who interact with phishing emails and from the prying eyes of a malicious insider.
These preventive controls should be backed by detective ones: mechanisms that identify misconfigured users, inactive user accounts, credentials that are never used or never rotated, and users with too broad a span of control (for example, a policy that allows every action on every resource). Businesses should also restrict access to accounts by source IP address where the workflow permits it, and have mechanisms in place to identify suspicious activities such as assets being launched outside their approved geographical regions.
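The detective checks described above, as an added example that is not code from this page or from CloudHealth. It runs over a constructed dataset whose column names follow the AWS IAM credential report (`password_enabled`, `mfa_active`, and so on); the rows, the inline policy documents, the 90-day inactivity threshold and the fixed clock are assumptions made for illustration.

```python
"""IAM hygiene checks over a constructed IAM credential report.

Added example, not code from the page or from CloudHealth. Column names follow
the AWS IAM credential report (password_enabled, mfa_active, ...); the rows,
the policy documents and the 90-day threshold are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
INACTIVE_DAYS = 90                                # assumed inactivity threshold

# Constructed sample rows. "N/A" and "no_information" are what the real
# report emits when a credential does not exist or has never been used.
CREDENTIAL_REPORT = [
    {"user": "<root_account>", "password_enabled": "not_supported", "mfa_active": False,
     "password_last_used": "2024-05-30T10:00:00Z", "access_key_1_last_used_date": "N/A"},
    {"user": "alice", "password_enabled": "true", "mfa_active": True,
     "password_last_used": "2024-05-29T09:15:00Z", "access_key_1_last_used_date": "N/A"},
    {"user": "bob", "password_enabled": "true", "mfa_active": False,
     "password_last_used": "2024-05-28T08:00:00Z", "access_key_1_last_used_date": "N/A"},
    {"user": "ci-deploy", "password_enabled": "false", "mfa_active": False,
     "password_last_used": "no_information", "access_key_1_last_used_date": "2023-11-01T00:00:00Z"},
    {"user": "contractor", "password_enabled": "true", "mfa_active": True,
     "password_last_used": "2024-01-15T12:00:00Z", "access_key_1_last_used_date": "N/A"},
]

# Constructed inline policy documents keyed by user name.
POLICIES = {
    "bob": {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "alice": {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                             "Resource": "arn:aws:s3:::app-logs/*"}]},
}


def _parse(ts):
    """Return an aware datetime, or None for the report's 'never used' markers."""
    if ts in ("N/A", "no_information"):
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_activity(row):
    """Most recent use of the password or the first access key; None if never used."""
    stamps = [t for t in (_parse(row["password_last_used"]),
                          _parse(row["access_key_1_last_used_date"])) if t]
    return max(stamps) if stamps else None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def is_admin_wildcard(policy):
    """True if any Allow statement grants every action on every resource."""
    for st in policy.get("Statement", []):
        if (st.get("Effect") == "Allow"
                and "*" in _as_list(st.get("Action"))
                and "*" in _as_list(st.get("Resource"))):
            return True
    return False


def find_iam_findings(report=CREDENTIAL_REPORT, policies=POLICIES, now=NOW):
    """Return (user, issue_code) pairs for the three checks described in the text."""
    findings = []
    for row in report:
        user = row["user"]
        # The root user reports password_enabled as "not_supported" but can still
        # sign in to the console, so it is treated as console-capable.
        console_capable = row["password_enabled"] in ("true", "not_supported")
        if console_capable and not row["mfa_active"]:
            findings.append((user, "NO_MFA"))
        last = last_activity(row)
        if last is None or now - last > timedelta(days=INACTIVE_DAYS):
            findings.append((user, "INACTIVE"))
        if is_admin_wildcard(policies.get(user, {})):
            findings.append((user, "ADMIN_WILDCARD"))
    return findings


if __name__ == "__main__":
    for user, issue in find_iam_findings():
        print(f"{issue:15} {user}")
```

Against the sample data the run flags the root user and `bob` for console access without MFA, `bob` again for an allow-everything policy, and `ci-deploy` and `contractor` as inactive; `alice` produces no findings. In a live environment the report comes from `iam.get_credential_report()` and the policy documents from the IAM policy APIs; the evaluation logic does not change.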
Monitoring and Logging
Without proper monitoring solutions and audit trails in place, it is virtually impossible to identify security incidents, policy violations, fraudulent activity, and operational problems, let alone what caused them. Without knowing what was responsible for a failure in cloud security management, it is impossible to resolve the issue or patch the flaw to prevent a recurrence of the incident.
Most security experts recommend monitoring and logging controls that alert the customer to security incidents via metric filters and alarms: a filter pattern matches a class of log event (use of the root account, a console login without MFA, a change to a security group), a metric counts the matches, and an alarm fires when the count exceeds a threshold. This is also where Gartner’s recommendation applies: policy-driven automation that evaluates every logged event against a written policy and raises an alert on a violation removes the human error of someone having to notice the event in a log.
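The metric-filter style of detection described above, written out as an added example that is not code from this page or from CloudHealth. In AWS these rules are normally CloudWatch Logs metric filters with alarms attached; expressing them as Python predicates lets the rules be read and tested offline. The CloudTrail-shaped events are constructed and trimmed to the fields the rules inspect, and `ALLOWED_REGIONS` and `TRUSTED_NETS` are assumed organisational settings.

```python
"""Detective rules over constructed CloudTrail events.

Added example, not the page's or CloudHealth's code. In AWS the same checks are
usually CloudWatch Logs metric filters with alarms; writing them as Python
predicates lets the rules be read and tested offline. The events are
constructed and trimmed to the fields the rules inspect; ALLOWED_REGIONS and
TRUSTED_NETS are assumed organisational settings.
"""
import ipaddress

ALLOWED_REGIONS = {"us-east-1", "us-west-2"}
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed records shaped like CloudTrail events.
EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "awsRegion": "us-east-1",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1",
     "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root"}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com", "awsRegion": "ap-southeast-1",
     "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com", "awsRegion": "us-east-1",
     "eventType": "AwsApiCall", "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "us-east-1", "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com", "awsRegion": "us-east-1",
     "eventType": "AwsApiCall", "sourceIPAddress": "lambda.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "lambda.amazonaws.com"}},
]


def root_usage(e):
    # Same logic as the CIS AWS Foundations metric filter for root account usage:
    # { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #   && $.eventType != "AwsServiceEvent" }
    ident = e.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and e.get("eventType") != "AwsServiceEvent")


def console_login_without_mfa(e):
    return (e.get("eventName") == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success")


def unauthorized_api_call(e):
    return e.get("errorCode") in ("AccessDenied", "UnauthorizedOperation")


SG_EVENTS = ("AuthorizeSecurityGroup", "RevokeSecurityGroup",
             "CreateSecurityGroup", "DeleteSecurityGroup")


def security_group_change(e):
    return e.get("eventName", "").startswith(SG_EVENTS)


def launch_outside_allowed_regions(e):
    return e.get("eventName") == "RunInstances" and e.get("awsRegion") not in ALLOWED_REGIONS


def call_from_untrusted_network(e):
    # sourceIPAddress is a DNS name (e.g. lambda.amazonaws.com) when an AWS
    # service made the call on the principal's behalf; those are not "untrusted".
    try:
        ip = ipaddress.ip_address(e.get("sourceIPAddress", ""))
    except ValueError:
        return False
    return not any(ip in net for net in TRUSTED_NETS)


DETECTORS = {
    "root_usage": root_usage,
    "console_login_without_mfa": console_login_without_mfa,
    "unauthorized_api_call": unauthorized_api_call,
    "security_group_change": security_group_change,
    "launch_outside_allowed_regions": launch_outside_allowed_regions,
    "call_from_untrusted_network": call_from_untrusted_network,
}


def run_detectors(events=EVENTS):
    """Map each detector name to the (eventName, principal) pairs it matched."""
    alerts = {name: [] for name in DETECTORS}
    for e in events:
        ident = e.get("userIdentity", {})
        who = ident.get("userName", ident.get("type"))
        for name, matches in DETECTORS.items():
            if matches(e):
                alerts[name].append((e["eventName"], who))
    return alerts


if __name__ == "__main__":
    for name, hits in run_detectors().items():
        for event_name, who in hits:
            print(f"ALERT {name}: {event_name} by {who}")
```

Each detector corresponds to one metric filter; the alarm threshold in CloudWatch is the equivalent of "at least one match in the period". The last sample event shows the edge case to remember when writing the source-address rule: calls made by an AWS service on a principal's behalf carry a DNS name, not an IP, in `sourceIPAddress`, and a rule that does not handle that will either crash or page on every Lambda invocation.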
Network Controls
Maintaining a secure perimeter that admits only legitimate traffic onto the network is essential for both on-premises and cloud infrastructures, especially with increases being recorded in both malware attacks and phishing attempts. Additionally, as businesses move towards multi-cloud and hybrid environments, it becomes harder to tell legitimate traffic from malicious traffic.
Network controls are designed to monitor for security group and network protocol misconfigurations, such as a Security Group whose ingress rule spans too large a port range, or one that admits administrative ports (SSH, RDP) from 0.0.0.0/0. Beyond checking the rules themselves, it is also recommended to be advised of newly created Security Groups, Security Groups that are not attached to anything, and Virtual Machines associated with a large number of Security Groups.
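The Security Group checks listed above, as an added example that is not code from this page or from CloudHealth. The field names follow the EC2 `DescribeSecurityGroups` and `DescribeInstances` responses so the same functions would work on real output; the groups, the instances, the `KNOWN_GROUPS` baseline from a "previous run", and the two thresholds are constructed assumptions.

```python
"""Security-group hygiene checks over a constructed EC2-style inventory.

Added example, not the page's or CloudHealth's code. Field names follow the
EC2 DescribeSecurityGroups / DescribeInstances responses; the groups, the
instances, the KNOWN_GROUPS baseline and both thresholds are constructed.
"""
MAX_PORT_SPAN = 16            # assumed: an ingress rule covering more ports than this is "too large"
MAX_GROUPS_PER_INSTANCE = 4   # assumed: more groups than this on one instance is worth a look
ADMIN_PORTS = (22, 3389)      # SSH and RDP, the ports CIS checks for world-open ingress
WORLD = ("0.0.0.0/0", "::/0")

SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-dev", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},   # "-1": every protocol and port
    {"GroupId": "sg-orphan", "IpPermissions": []},
] + [{"GroupId": f"sg-{c}", "IpPermissions": []} for c in "abcd"]

INSTANCES = [
    {"InstanceId": "i-web1", "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-dev1", "SecurityGroups": [{"GroupId": "sg-dev"}, {"GroupId": "sg-all"}]},
    {"InstanceId": "i-many", "SecurityGroups": [{"GroupId": g} for g in
                                                ("sg-web", "sg-a", "sg-b", "sg-c", "sg-d")]},
]

# Groups seen on the previous run (constructed); anything not in here is "new".
KNOWN_GROUPS = {"sg-web", "sg-dev", "sg-orphan", "sg-a", "sg-b", "sg-c", "sg-d"}


def port_range(rule):
    """(first, last) port covered by a rule; IpProtocol "-1" means everything."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def rule_findings(rule):
    """Issue codes for a single ingress rule."""
    first, last = port_range(rule)
    cidrs = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
             + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])
    codes = []
    if last - first + 1 > MAX_PORT_SPAN:
        codes.append("WIDE_PORT_RANGE")
    if any(c in WORLD for c in cidrs) and any(first <= p <= last for p in ADMIN_PORTS):
        codes.append("ADMIN_PORT_OPEN_TO_WORLD")
    return codes


def analyse(groups=SECURITY_GROUPS, instances=INSTANCES, known=KNOWN_GROUPS):
    """Return sorted (resource_id, issue_code) pairs for groups and instances."""
    findings = set()
    attached = {}
    for inst in instances:
        ids = [g["GroupId"] for g in inst["SecurityGroups"]]
        if len(ids) > MAX_GROUPS_PER_INSTANCE:
            findings.add((inst["InstanceId"], "TOO_MANY_GROUPS"))
        for gid in ids:
            attached.setdefault(gid, []).append(inst["InstanceId"])
    for g in groups:
        gid = g["GroupId"]
        for rule in g["IpPermissions"]:
            for code in rule_findings(rule):
                findings.add((gid, code))
        if gid not in attached:
            findings.add((gid, "UNUSED"))
        if gid not in known:
            findings.add((gid, "NEW"))
    return sorted(findings)


if __name__ == "__main__":
    for rid, code in analyse():
        print(f"{code:25} {rid}")
```

Note that `sg-web`, which exposes only 443 to the world, produces no finding: the point of the admin-port check is to distinguish an intentionally public web port from SSH or RDP left open to the internet. An all-protocol rule (`IpProtocol` of `-1`) has no `FromPort`/`ToPort` fields at all in the API response, which is why `port_range` handles it before reading them.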
How to Make Light Work of Cloud Security Management
The measures mentioned above to improve cloud security may seem to be labor-intensive; but, by applying Gartner’s recommendation of policy-driven automation to the Center for Internet Security’s benchmarks, it’s possible to make light work of cloud security management. Here are a few examples of how this works:
- If, for example, you wanted to be alerted to users with vulnerable accounts, you could create a rule for the automation solution to notify you of non-compliance with your password policy.
- Similarly, you could create a rule to revoke access to accounts that launch assets outside of U.S. regions or that are logged into from outside a user-defined range of IP addresses.
- In order to protect data from unintentional access, you could create a rule for the automation solution to monitor your assets and restrict access to publicly-accessible storage volumes.
- With regard to network controls, rules can be created to terminate Virtual Machines with unauthorized open ports (or, less destructively, to remove the offending rule or detach the Security Group so the instance survives for investigation), or to alert you to certain types of ICMP ingress traffic.
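A small rule engine that puts the first three bullets above into practice, as an added example that is not code from this page or from CloudHealth. It evaluates a constructed account snapshot (password policy, console logins, instance launches, bucket public-access settings) against written policy and produces a remediation plan. The trusted network ranges, allowed regions and password baseline are assumptions; each action names the boto3 call a live implementation would invoke, recorded rather than executed so the example runs offline.

```python
"""Policy-driven automation: rules evaluated against a constructed account snapshot.

Added example, not the page's or CloudHealth's code. The snapshot, the trusted
network ranges, the allowed regions and the password baseline are assumptions;
the boto3 call named on each action is what a live (non-dry-run) implementation
would invoke, and is recorded here rather than executed so the example runs offline.
"""
from dataclasses import dataclass
import ipaddress

ALLOWED_REGIONS = {"us-east-1", "us-west-2"}
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# CIS-style baseline; keys match the iam.get_account_password_policy() response.
PASSWORD_BASELINE = {"MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
                     "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
                     "MaxPasswordAge": 90, "PasswordReusePrevention": 24}

# Constructed account snapshot; field names modelled on the corresponding AWS API responses.
SNAPSHOT = {
    "password_policy": {"MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
                        "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
                        "PasswordReusePrevention": 5},          # no MaxPasswordAge: never expires
    "console_logins": [{"user": "bob", "sourceIPAddress": "203.0.113.7"},
                       {"user": "alice", "sourceIPAddress": "198.51.100.4"}],
    "launches": [{"user": "carol", "awsRegion": "eu-west-1"},
                 {"user": "alice", "awsRegion": "us-east-1"}],
    "buckets": [{"Name": "app-assets", "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
                {"Name": "backups", "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": False, "IgnorePublicAcls": False,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}],
}


@dataclass(frozen=True)
class Action:
    kind: str       # notify | revoke | restrict
    target: str
    reason: str
    api_call: str   # boto3 method a live run would invoke


def password_policy_gaps(policy, baseline=PASSWORD_BASELINE):
    """Baseline keys the account policy fails to meet, in baseline order."""
    gaps = []
    for key, want in baseline.items():
        have = policy.get(key)
        if have is None:
            gaps.append(key)                 # unset means no limit at all
        elif key == "MaxPasswordAge":
            if have > want:                  # longer lifetime than allowed
                gaps.append(key)
        elif have < want:                    # bool: False < True; int: shorter/fewer than required
            gaps.append(key)
    return gaps


def evaluate(snapshot=SNAPSHOT):
    """Apply every rule and return the de-duplicated list of actions."""
    actions = []
    gaps = password_policy_gaps(snapshot["password_policy"])
    if gaps:
        actions.append(Action("notify", "account", "password policy below baseline: " + ", ".join(gaps),
                              "iam.update_account_password_policy"))
    for login in snapshot["console_logins"]:
        ip = ipaddress.ip_address(login["sourceIPAddress"])
        if not any(ip in net for net in TRUSTED_NETS):
            actions.append(Action("revoke", login["user"], f"console login from {ip}",
                                  "iam.put_user_policy (explicit Deny on *)"))
    for launch in snapshot["launches"]:
        if launch["awsRegion"] not in ALLOWED_REGIONS:
            actions.append(Action("revoke", launch["user"], f"launched assets in {launch['awsRegion']}",
                                  "iam.put_user_policy (explicit Deny on *)"))
    for b in snapshot["buckets"]:
        if not all(b["PublicAccessBlockConfiguration"].values()):
            actions.append(Action("restrict", b["Name"], "public access block incomplete",
                                  "s3.put_public_access_block"))
    # A user who tripped two rules needs revoking once, not twice.
    seen, unique = set(), []
    for a in actions:
        if (a.kind, a.target) not in seen:
            seen.add((a.kind, a.target))
            unique.append(a)
    return unique


def apply(actions, dry_run=True):
    """Dry run returns the plan; a live run would dispatch each api_call here."""
    if not dry_run:
        raise NotImplementedError("live mode intentionally not wired up in this example")
    return [f"[dry-run] {a.kind:8} {a.target:12} {a.api_call}  ({a.reason})" for a in actions]


if __name__ == "__main__":
    print("\n".join(apply(evaluate())))
```

Two design points carry over to any real implementation: the rules are pure functions of a snapshot, so they can be unit-tested against constructed data before they are allowed to revoke anything, and `apply` defaults to a dry run so a new or edited rule shows its plan before it touches the account. Revocation is done with an explicit Deny policy rather than by deleting the user, which preserves the account for investigation and is reversible.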
Find Out More about Policy-Driven Automation for Cloud Security
CloudHealth cloud management platform can be used to enhance your business’s security in the cloud and we can organize a demo to help you better understand the concept of policy-driven automation.