While cloud migration isn't as controversial as it used to be for many organizations, issues about security linger. That's why it's important for security teams to put together a solid program to protect their cloud environments.
To do that, it's useful to have a list of action items—high-priority projects—that will serve as the pillars of a robust cloud security program.
Here are key action items to consider to bolster your cloud security and privacy.
Adopt an industry-accepted guide
Using an industry standard should be the starting point for building, implementing, and maintaining a cloud security strategy.
"Security guidelines can be useful for organizations to ensure that they’ve covered a full set of protections," said Eric Hanselman, chief analyst at 451 Research.
"The challenge is adapting them to your specific operational capabilities and team skills. By their nature, these aren’t one-size-fits-all recommendations, and organizations will need to translate them into a workable plan."
—Eric Hanselman
Guides available to organizations include the Center for Internet Security Controls Cloud Companion Guide, the Cloud Security Alliance Cloud Controls Matrix, and the National Institute of Standards and Technology publication SP 800-144, "Guidelines on Security and Privacy in Public Cloud Computing."
"Guides can be used to show customers, stakeholders, and partners that you're investing in security and can pass audits, which is key to doing business in the modern world," said Arick Goomanovsky, co-founder and chief business officer at Ermetic, an access policy management company.
However, he cautioned: "You have to remember that they give you high-level guidance of what you should be thinking about. They're not comprehensive. They can miss a lot."
"They tell you what to do, but they don't tell you how to do it."
—Arick Goomanovsky
Include CSPM capabilities in your strategy
Cloud security posture management (CSPM) is a way to determine whether an organization's cloud applications and services are configured securely.
Deloitte Risk & Financial Advisory partner Aaron Brown stressed its importance.
"CSPM is one of the first things an organization should do when it deploys to the cloud, because it allows it to get a quick sense of its security posture. CSPM can identify misconfigurations and vulnerabilities within the cloud platform."
—Aaron Brown
"CSPM is the necessary sanity check on cloud operations," 451 Research's Hanselman added. "It’s the backstop that organizations require to ensure minimum security configurations in cloud."
Tim Bandos, CISO at Digital Guardian, a data loss protection and managed detection and response company, explained that CSPM allows organizations to monitor risks and fix some security issues automatically. "CSPM can detect issues like lack of encryption, improper encryption key management, extra account permissions, and others," he said.
The technology also fits nicely into modern application development techniques by integrating security procedures into DevOps processes. "Locking down your environment with vulnerability scanning and CSPM solutions is a key part of a shift-left strategy, securing as much as possible pre-runtime," said John Morgan, CEO of Confluera, a cloud cybersecurity detection and response provider.
Deploy a cloud security broker app
Cloud access security brokers give organizations the visibility to maintain consistent security policies and governance across one or multiple cloud deployments. The broker does network inspection as it sits between the cloud service provider and the organization.
"It can catch shadow IT," Deloitte's Brown said. "It makes sure people in your organization aren't consuming cloud services outside your governance model."
"CASBs aren’t a comprehensive solution to cloud or SaaS security," warned Tim Bach, vice president of engineering at AppOmni, a provider of security posture management services.
"They can inspect cloud traffic that flows through the proxy-access gateway, but they don’t have visibility into traffic that bypasses the proxy and connects to the cloud provider directly. This means that they don’t monitor or manage the many data access points outside the network. These access points are used by external guest users, customers, contractors, partners, third-party applications, and IoT devices."
—Tim Bach
"Access may get intentionally granted to these users or granted accidentally through misconfiguration or user error," he continued. "Unfortunately, we see that more than 95% of organizations have overprovisioned access to their external users."
Do an inventory of your CSP's security controls
Knowing what security controls are offered by a cloud service provider (CSP) is an essential part of cloud management. Clearly defined, documented, and agreed-to responsibilities are imperative to securing an organization's cloud environment.
"Cloud service providers and cloud customers have different requirements within different types of cloud environments, such as IaaS, PaaS, and SaaS," observed Kayla Williams, vice president for information technology governance, risk, and compliance at Devo Technology, a cloud-native logging and security analytics company.
For example, according to the CIS shared responsibilities model, network control responsibilities within an IaaS environment are split between the CSP and the customer, while network controls in a SaaS environment are the responsibility of the CSP alone. "If a company were not aware of these differentiating control obligations," Williams said, "they could be left exposed to critical risks in their network."
"You cannot secure what you do not know about," AppOmni's Bach said. "Creating an inventory of your cloud providers, cloud services, and the controls they do and do not provide is a critical starting point to deploying proper security management tooling and processes."
That inventory becomes particularly important when dealing with multiple clouds. "Security controls and their depth differ across CSPs, so enterprises need to be aware of it and potentially use third-party cloud-native security solutions that provide a single pane of visibility and control across clouds and take the burden away from enterprises to understand these differences across CSPs," said Vishal Jain, co-founder and CTO of Valtix, a maker of a multi-cloud network security platform.
While identifying a CSP's security controls sounds like a straightforward process, it may not be. "The additional challenge in cloud is understanding the nature of controls that are available in detail," 451 Research's Hanselman noted. "It’s all too easy to presume that similar-sounding control capabilities are the same as those that we’re used to. That’s often not the case, and can lead to coverage gaps."
Control access to your cloud
Many organizations are having trouble controlling who has access to their cloud services. Common mistakes include enabling global permissions on servers, allowing any machine to connect to them, and permitting Secure Shell (SSH) connections directly from the internet, which lets anyone who can find the server bypass the firewall and access the data on it.
All CSPs offer identity and access control tools that can be used to determine who or what has access to cloud resources. Use them.
Access to your cloud by human users should have some form of multifactor authentication. Privileged identities for users, applications, and services should be tightly controlled, and least-privilege policies implemented. "You have to make sure that users and applications in the environment have access only to relevant data," Ermetic's Goomanovsky said.
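As an added illustration of the misconfiguration checks described in the CSPM section and the access-control mistakes listed above (example code, not from the article or any vendor it names): a small Python posture check over a constructed, generic account description. The schema, field names and sample values are assumptions, not any provider's real API format.

```python
# Added example (not the article's or any vendor's code): minimal CSPM-style check; schema is assumed.
import ipaddress

def ssh_open_to_world(security_group):
    """True if any inbound rule lets TCP/22 in from 0.0.0.0/0 or ::/0."""
    for rule in security_group.get("inbound", []):
        if rule.get("protocol") not in ("tcp", "any"):
            continue
        if not rule.get("from_port", 0) <= 22 <= rule.get("to_port", 65535):
            continue
        # prefix length 0 means the whole address space is an allowed source
        if ipaddress.ip_network(rule["cidr"], strict=False).prefixlen == 0:
            return True
    return False

def wildcard_grants(policy):
    """Ids of 'allow' statements granting every action on every resource."""
    return [st.get("sid", "<unnamed>") for st in policy.get("statements", [])
            if st.get("effect") == "allow"
            and "*" in st.get("actions", []) and "*" in st.get("resources", [])]

def posture_findings(account):
    """Return (severity, resource, message) tuples for one account."""
    findings = []
    for sg in account.get("security_groups", []):
        if ssh_open_to_world(sg):
            findings.append(("high", sg["name"], "SSH (tcp/22) reachable from any address"))
    for pol in account.get("policies", []):
        for sid in wildcard_grants(pol):
            findings.append(("high", pol["name"], f"statement {sid} allows * on *"))
    for bucket in account.get("buckets", []):
        if not bucket.get("encryption_at_rest"):
            findings.append(("medium", bucket["name"], "no encryption at rest"))
    for user in account.get("users", []):
        if user.get("type") == "human" and not user.get("mfa_enabled"):
            findings.append(("medium", user["name"], "human user without MFA"))
    return findings

# Constructed sample account (not real data): each misconfiguration the
# article names, next to a correctly configured counterpart.
SAMPLE_ACCOUNT = {
    "security_groups": [
        {"name": "web-sg", "inbound": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "admin-sg", "inbound": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]}],
    "policies": [
        {"name": "ReadOnly", "statements": [{"sid": "Read", "effect": "allow", "actions": ["storage:Get*"], "resources": ["*"]}]},
        {"name": "AdminAll", "statements": [{"sid": "Everything", "effect": "allow", "actions": ["*"], "resources": ["*"]}]}],
    "buckets": [{"name": "logs", "encryption_at_rest": True}, {"name": "exports", "encryption_at_rest": False}],
    "users": [{"name": "alice", "type": "human", "mfa_enabled": True}, {"name": "bob", "type": "human", "mfa_enabled": False},
              {"name": "ci-bot", "type": "service", "mfa_enabled": False}]}
```

Running posture_findings(SAMPLE_ACCOUNT) yields four findings: the world-open SSH group, the wildcard policy, the unencrypted bucket and the human user without MFA; the service account is deliberately exempt from the MFA check.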
Rajiv Pimplaskar, chief revenue officer of Veridium, maker of an authentication platform, also recommends that organizations consider scrapping passwords.
"A modern access management strategy has to consider going passwordless as a core principle. Passwordless solutions offer the best security while also reducing friction, thereby enhancing user experience."
—Rajiv Pimplaskar
Implement an encryption strategy
Encryption is a fail-safe for data anywhere. If security controls fail, encryption prevents attackers from doing anything with any data they steal.
All of the major CSPs offer encryption tools and key management services. Before using those tools, an organization has to ask itself, "What can I accomplish with the default encryption capabilities of my cloud service provider?"
Some organizations, though, don't believe encryption should be delegated to a CSP, especially when it comes to allowing CSPs to manage encryption keys. "That's like locking a door and leaving the key in the lock," observed Reiner Kappenberger, product management director for data security at Micro Focus.
"Organizations should consider format-preserving encryption or tokenization to protect data at a field level so they de-identify data without making changes to a database. With format-preserving encryption, you can encrypt fields that contain sensitive data and leave other fields unencrypted."
—Reiner Kappenberger
"That's a key aspect," he continued, "especially when migrating into the cloud because the organization is handing their data to someone else, the cloud provider. Data protection is never more important than it is in that environment."
Turn on your CSP's security and monitoring tools
Although this sounds like a no-brainer, many organizations just don't seem to get around to doing it.
Leveraging native cloud security capabilities is always a good idea, 451 Research's Hanselman said. "The challenge organizations face is in integrating those capabilities into their existing security operations."
"Native security tools can’t become an operational island, disconnected from the core security environment," he continued. "That's a path that will create additional work for security teams and potentially leave gaps in coverage and understanding."
Cost considerations may also influence the decision to take full advantage of the security offerings of a cloud service provider, Ermetic's Goomanovsky added.
"You have to realize there's no free lunch. These tools aren't free. When you turn them on, you're going to have to pay for them."
—Arick Goomanovsky
You have to make an informed decision about the best strategy, he continued. "Do you want to turn on all these services for all your cloud service providers? How do you synchronize events coming from each provider?"
The alternative would be to go to a third-party vendor, which will give you a unified view of your environment and will do the integration of the events coming from each cloud, Goomanovsky maintained.
Whether an organization uses its CSP's security and monitoring tools or someone else's, having them in place is important not only for security, but also for its brand. "Having controls in place to safeguard a company’s systems and information entrusted to it is the first step to gaining customer and market confidence as a security-conscious company," Devo Technology's Williams observed.
"Being able to monitor those security controls and your network and to respond in near-real time to anomalies and potential events and incidents is absolutely critical. Company reputational risk is not only dependent on an event that impacts a company but also on how quickly it is acknowledged and responded to."
—Kayla Williams