The pandemic has accelerated digital transformations unlike any single event in history. While cloud enables application developers with amazing possibilities and modern development tools, it is also a challenge to infrastructure administrators and CIOs. For IT teams, cloud security is a constant balancing act between control, cost, and agility.
Cloud vendors such as Amazon Web Services have done a great job at addressing many of the cloud challenges. AWS has a growing list of 25+ services dedicated for the Security and compliance areas. Customers will need to understand the value and configuration of many of these services in order to protect and enable their teams. Each of these 27 services come with their own configuration settings and APIs. For organizations with large cloud infrastructure developers, this is a blessing. But most IT teams that own digital transformations do not have the skills to effectively use these rich API surfaces. The same IDC survey found that 66% of the respondents stated insufficient personnel and expertise as their top concern to managing cloud security.
Verizon’s 2020 Data Breach Investigations Report revealed that 20% of the 3,950 high profile breaches reported in 2020 were a result of misconfigurations and errors, second only to organized hacking.
Source: Verizon’s 2020 Breach Investigations Report
Cloud services when implemented properly are transformative. IT teams can overcome their challenges by
In this blog, I discuss five easy steps you can take today to balance your security and compliance profile alongside costs and agility.
Over the past decade all major cloud vendors have invested significantly in cloud security. Their underlying infrastructure that powers your applications is very secure.
It is common for customers to assume that once they move to the cloud, security and compliance is the responsibility of the cloud provider. In reality, security and compliance in the cloud is a shared responsibility between the customer and the cloud provider. Your cloud provider does not know which applications are running in your account and does not have access to your data. This makes it impossible for your cloud vendor to secure and enforce compliance on what they don’t know.
All cloud vendors including Amazon Web Services operate under the shared responsibility model. This means your cloud provider has the responsibility to secure the underlying service, the host operating systems, the physical hardware, and the datacenters including regions, availability zones and edge locations.
You, as the customer, have the responsibility to protect your application stack, which includes your guest operating system, and all the application components such as your database instance, underlying storage user access controls, network traffic to and from your application. AWS has this useful image on their website, which explains the delineation of responsibilities well.
Source: https://aws.amazon.com/compliance/shared-responsibility-model/
Understanding your responsibilities is the first step to designing a robust security posture. This understanding will help you find the tools to continuously detect and enforce security and compliance policies.
Knowing what is running in your environment is the next step towards robust cloud security. A survey of 300 CISOs conducted by research firm IDC ranked lack of adequate visibility into cloud resources as one of the top 3 reasons for cloud security breaches. The other two being misconfigurations and identity & access management errors.
The power of a well-managed cloud infrastructure is that you can enable your users to provision resources and scale up or scale down on demand. This means new cloud resources are coming live or going offline all the time.
For example, it is not uncommon for your development organization to spin up a dev/test environment and forget to take it down at the end of their task. Sometimes these can just be a group of compute instances such as Amazon EC2. Unless automatically enforced, these environments rarely comply with your organization’s security and compliance standards. Untagged, abandoned or orphaned resources can go rogue very quickly. The recent Solarwinds breach is a prime example. The perpetrators penetrated through a dev-test system and introduced malicious code into production systems.
Getting continuous visibility into your cloud resources, keeping a real time inventory of what resources are running along with which application and/or user owns a resource is therefore vital.
Compliance and security posture assessments provide a status check on your systems and applications relative to your security policies.
A good place to start is with the standards for your industry and the best practices defined by your cloud provider. Amazon Web Services has documented about 200 these foundational security best practices that surface through AWS Security Hub and 56+ conformance packs. They cover commonly used industry standards such as NIST 800 171, NYDFS 23, PCI DSS 3.2.1, CMMC, CIS, FedRamp and HIPAA that are available through AWS Config.
You can download the control list and manually run your assessment checks periodically. Another alternative is use tools like MontyCloud DAY2 that use the AWS defined best practices as the baseline and enable you upload your own policies. You can also configure tools like DAY2 to run assessment checks at predetermined intervals and give you an assessment of your security and compliance posture.
Central public cloud strategies will always lag public cloud usage. “Unapproved” cloud consumption is the new reality. IT teams that make successful digital transformations, embrace the controlled chaos. The most efficient path for central IT teams is to define robust security and compliance policies and to implement tools and systems to continuously check and automatically remediate drifts or respond to alerts.
Industry experts agree that there are generally three levels of policies –
Your cloud providers such as AWS, your industry bodies and even open-source channels maintained by security experts such as ElectricEye provide a good baseline but you must define and implement your own policies, controls and remediations that suit your organization. You can then leverage tools like MontyCloud DAY2 to automate checks and remediations.
Last but not the least keep an audit trail. Implement tools that give you operational dashboards and an assessment report at least once a day. In addition to alerts, you should also get actionable recommendations.
Cloud environments are dynamic. There is room for a lot of noise in your dashboards and alerting systems. Automating remediations can go a long way. Equally important is to identify non-issues and suppress them.
Finally, ensure that you maintain an audit trail of all events that trigger specific actions and of the actions themselves. Audit trails help you analyze usage and access patterns. Frequent analysis helps you iterate your security policies and compliance standards and remain responsive to your business.
MontyCloud DAY2 can automate free security and compliance posture assessments in just five easy steps. With MontyCloud, you can immediately: