The best ways to keep your cloud environment secure start with knowing what security threats exist and how best to deal with them. Then, once the appropriate measures have been put in place, a best practice is to use policy-driven automation to protect your environment around the clock.
In 2017, the Cloud Security Alliance published its “Treacherous Twelve” (registration required), a report listing the twelve biggest threats to cloud security ranked in order of their severity. The list will contain few surprises for any business operating in the public cloud, and naturally threats related to data loss dominate the list.
The report also suggests best practices to mitigate these threats and their impact. Some best practices are unique to specific threats (e.g. patching system vulnerabilities) but, due to considerable crossover between threats, the best ways to keep your cloud environment secure come down to five elements: encryption, access controls, education, multi-factor authentication, and automation.
Why doesn’t every business encrypt its data?
Data encryption doesn’t necessarily keep a cloud environment secure, but it does mean the impact of data breaches is limited. However, according to some cloud security experts, up to 82% of relational databases and 40% of storage volumes are unencrypted, with a high percentage of each cloud service being publicly accessible due to other poor security practices.
Encrypting everything has its problems since encrypted databases experience performance issues, and there’s also the risk that encryption keys to storage volumes could be targeted by hackers, which would undermine the purpose of encryption. Nonetheless, if you want to keep your cloud environment secure, encrypting sensitive data and following security best practices is a must.
Are too many people getting too much access?
Although it may be impractical to encrypt every piece of data, there’s no excuse for failing to apply “least privilege necessary” access controls. Poor identity, credential, and access management has been responsible for several significant data breaches, and it’s important users are assigned privileges according to their role or function—and nothing more.
Take system administrators for example. They administer systems, so they shouldn’t have access to every area of the network, but many do. If a hacker were to get hold of an administrator’s login credentials, they’d have access to areas of the network beyond an administrator’s role, e.g. payroll. Applying appropriate access controls is one of the best ways to keep your cloud environment secure.
Everyone needs educating from the top to bottom
Although it’s entirely possible that certain C-level executives or administrative assistants have nothing to do with your business’s operations in the cloud, if they have a corporate email account, they could be the weakest link in your online defenses. If a hacker compromises a single email account, they may be able to control it remotely to gain other login credentials posing as a “trusted contact”.
Everybody needs educating about security best practices, from email phishing to protecting web-facing workloads. There are plenty of free security resources available from the leading Cloud Service Providers and, in order to keep your cloud environment secure, users should be given time to study the courses most relevant to their roles.
Multi-factor authentication is a must for privileged accounts
Strong and frequently rotated passwords aren’t enough to stop the most determined hackers. The speed at which passwords can be cracked using brute force increases year on year, and when hackers are using algorithms and botnets to further accelerate the pace, it may not matter how many letters, numbers, and unique characters the password includes.
Multi-factor authentication is a nuisance, but it’s an essential security mechanism for any user with privileged account access. Ideally users should use a security key to generate MFA PIN numbers rather than receive SMS messages, as—in these days of BYOD—the same device could be used to log into a privileged account and receive the PIN number.
Using automation to keep your cloud environment secure
Automation enables you to do more with fewer resources in many different use cases. In the context of keeping your cloud environment secure, policy-driven automation enables you to set the parameters under which your business operates in the cloud, and then let the automation software monitor your cloud environment and take action whenever a violation of a security policy occurs.
Typical cloud security policies could include:
- If any S3 bucket with tag “PII” is unencrypted, execute function to encrypt bucket.
- If an IAM User's Access Key has not been rotated in 90 days, send email notification.
- If any privileged IAM user has MFA disabled, execute function to revoke access.
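The three policies above can be expressed as a small rule evaluator. The following is an added example, not code from the original article or from any vendor's product. It runs over a constructed inventory snapshot, and the field names, policy labels and action names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # rotation window from the policy list

def evaluate(inventory, now):
    """Return (resource, policy, action) tuples for each policy violation."""
    findings = []
    for bucket in inventory["buckets"]:
        tags = {t.upper() for t in bucket.get("tags", [])}
        # Fail closed: a bucket with no recorded encryption state counts as unencrypted.
        if "PII" in tags and not bucket.get("encrypted", False):
            findings.append((bucket["name"], "pii-bucket-unencrypted", "encrypt_bucket"))
    for user in inventory["users"]:
        for key in user.get("access_keys", []):
            # Assumption: only active keys are reported; disabled keys cannot be used.
            if key["active"] and now - key["created"] > MAX_KEY_AGE:
                findings.append((f"{user['name']}/{key['id']}", "access-key-stale", "send_email"))
        if user.get("privileged") and not user.get("mfa_enabled", False):
            findings.append((user["name"], "privileged-no-mfa", "revoke_access"))
    return findings

# Constructed sample inventory; field names and values are hypothetical, not an AWS API shape.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
INVENTORY = {
    "buckets": [
        {"name": "hr-records", "tags": ["PII"], "encrypted": False},
        {"name": "hr-archive", "tags": ["pii"], "encrypted": True},
        {"name": "public-assets", "tags": [], "encrypted": False},
        {"name": "payroll-export", "tags": ["PII"]},  # encryption state unknown
    ],
    "users": [
        {"name": "alice", "privileged": True, "mfa_enabled": True,
         "access_keys": [{"id": "key-a1", "active": True, "created": NOW - timedelta(days=120)}]},
        {"name": "bob", "privileged": True, "mfa_enabled": False,
         "access_keys": [{"id": "key-b1", "active": True, "created": NOW - timedelta(days=90)}]},
        {"name": "carol", "privileged": False, "mfa_enabled": False,
         "access_keys": [{"id": "key-c1", "active": False, "created": NOW - timedelta(days=400)}]},
    ],
}

if __name__ == "__main__":
    for resource, policy, action in evaluate(INVENTORY, NOW):
        print(f"{policy:24} {resource:18} -> {action}")
```

In a real deployment the inventory would be populated from the cloud provider's APIs and each action name would map to a remediation function. The rule logic stays separate from both, so it can be tested offline.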
Assess, implement, automate, repeat
No two businesses are the same, and although we have provided the 5 best ways to keep most cloud environments secure, your business may face unique security threats. Therefore, conduct risk assessments to identify security threats relevant to your business, implement appropriate security measures, automate wherever possible to eliminate human error, and repeat the exercise—as the threat environment is always evolving.