The What, Why, and How of Cloud Security
There has obviously been a shift over the last several years to transition from physical data centers, locally based applications, onsite work, and tools that need to be physically plugged in somewhere to cloud hosted data, applications, remotely delivered workforce and Software as a Service (SaaS).
Assuming you were a part of this massive transition in some way, we are now smack dab in the middle of figuring out how to continue to grow, optimize and most importantly secure our cloud presence.
What is the Cloud?
Since you have arrived at this blog, I am assuming most readers know what cloud computing is but just in case, let’s cover that. Cloud Computing or “The Cloud” is “the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user.”[1] Basically, the cloud is just someone else’s data center that is made accessible to a select number of users (your business) remotely.
Cloud providers have an inherent responsibility for information and cyber security to keep your data safe, and sometimes a liability (SOC2 / HIPAA). Even so, many breaches have occurred through compromised cloud accounts, and they will continue to occur unless your security organization takes preventative action.
Why Cloud Security Is Important!
According to recent research, 1 in 4 companies using public cloud services have experienced data theft by a malicious actor. An additional 1 in 5 has experienced an advanced attack against their public cloud infrastructure. In the same study, 83% of organizations indicated that they store sensitive information in the cloud.
How does Cloud Security Work?
Better yet, what are the different ways you can protect your data in the cloud?
- ACCESS! – The number one way to protect the data in your cloud is controlling who has access to the cloud in the first place. Having a Cloud Access Security Broker (CASB) will help solve this. You should also be considering Two Factor or Multi Factor Authentication (2FA/MFA) services as a layered approach.
- Cloud Proxy / Firewall – Consider a cloud proxy or firewall service that routes traffic through its service to enforce security and corporate policies, such as industry leader Zscaler.
- Email Security – “but I thought this was a cloud security post?” Yes, but hear me out. Email is mostly cloud delivered today (i.e., Outlook, Gmail) and while there are inherent protections built in, we all know with the MASS amounts of ransomware incidents that still occur daily, that it is not enough. Having added email security will help protect your users from phishing attempts that may lead to compromised credentials and allow unauthorized access to cloud data. It will also protect from ransomware, but that is an entirely different rabbit hole we won’t go down today.
- SIEM (Security Information and Event Management) – Having a SIEM and having it properly integrated and configured for your cloud services is also highly important. If you have a good SIEM in place it should be integrated with your cloud offerings via API and be alerting you to different risks and threats that may be occurring against those services. This gives you the knowledge of when something risky is taking place and provides you the necessary data to take corrective actions.
- Encryption – This one is obvious, but once again, it is important to make sure it is considered and turned on with your cloud provider.
- Data Loss Prevention (DLP) – Most cloud providers offer DLP services, but do not overlook making sure it is considered and turned on (and paid for).
Can you Trust Cloud Security?
As a good security practitioner, you should inherently not trust a lot of things. I think it is important NOT to “Trust” that your cloud provider is fully protecting you. I also think it's important to not “Trust” that once you have security measures in place, you should “set it and forget it”. You should consider annual assessments of your cloud infrastructure and policies or even consider including your cloud presence as part of your next Penetration Test Scope.
You should be considering the cloud security tools and services that I mentioned above, and once they are through your internal vetting process, they should be trusted to protect your data in the cloud. Security is always a multi-layered approach, and the cloud is no different. The more you migrate to the cloud, the more security controls you should be considering implementing to ensure you are protecting your business.
Other Services
Outside of the tools and services that were mentioned above (IAM, proxy, Email, SIEM, encryption and DLP) there are other services out there that can help improve our cloud security maturity.
- Security Assessments – Much like a security assessment you perform against your traditional infrastructure, many assessments have been adopted for cloud services. You can compare your gaps against standards such as NIST, ISO and CIS.
- Business Continuity and Disaster Recovery (BCDR) – Similar to having a solid BCDR plan in place for our physical infrastructure, it is important to consider that cloud services can and will get disrupted at some point. It could be your entire cloud presence; it could be one cloud delivered service or application. Sometimes it's unavoidable, but it's important to consider what you MAY be able to do in the event of an outage.
- Network Security Services – Once again, hear me out. Other network security products are important when considering a “Zero Trust” approach to security, all of which will help with unauthorized access that may lead to a breach of cloud services. Consider a layered approach to Network Security as well, such as a Host Based Intrusion Detection System (HIDS) or tools that monitor Cloud API logs or VPC Flow logs to give you visibility into what machines are connected to the cloud and where.
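As an added illustration of the flow-log visibility described in the last item (example code written for this page, not taken from any vendor tool), the sketch below parses records in the AWS default version 2 VPC Flow Log format and reports who talks to whom and which external sources are being rejected. The sample records, the interface IDs and the `10.0.0.0/16` internal range are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Field order of the AWS default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (documentation address ranges, placeholder IDs).
SAMPLE = """\
2 123456789012 eni-0aaa 10.0.1.15 10.0.2.20 49152 5432 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.15 198.51.100.7 49153 443 6 20 9100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb 203.0.113.9 10.0.2.20 40111 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0bbb 203.0.113.9 10.0.2.20 40112 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0ccc - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse(text):
    """Yield one dict per usable record; skip headers, malformed lines, NODATA/SKIPDATA."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            yield rec

def summarize(text, internal="10.0.0.0/16"):
    """Return (bytes per accepted (src, dst, dstport), external source -> rejected ports)."""
    net = ip_network(internal)  # assumed address range of the monitored VPC
    accepted, rejected = Counter(), {}
    for r in parse(text):
        key = (r["srcaddr"], r["dstaddr"], int(r["dstport"]))
        if r["action"] == "ACCEPT":
            accepted[key] += int(r["bytes"])
        elif ip_address(r["srcaddr"]) not in net:
            rejected.setdefault(r["srcaddr"], set()).add(int(r["dstport"]))
    return accepted, rejected

if __name__ == "__main__":
    accepted, rejected = summarize(SAMPLE)
    for (src, dst, port), nbytes in accepted.most_common():
        print(f"ACCEPT {src} -> {dst}:{port} {nbytes} bytes")
    for src, ports in rejected.items():
        print(f"REJECT from external {src}, ports tried: {sorted(ports)}")
```

In practice the same summary would be fed to the SIEM as an alert source rather than printed.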
Resources
[1] “An Introduction to Dew Computing: Definition, Concept and Implications – IEEE Journals & Magazine”. doi:10.1109/ACCESS.2017.2775042. S2CID 3324933.