When you are securing traditional on-premises systems, you own the responsibility for securing everything from the physical premises to the hardware, operating system, network, and applications.
In cloud deployments, it doesn’t work that way. Depending on the nature of the cloud service, there is always a part of the technology stack that the cloud provider is responsible for keeping secure, and parts whose security the customer is responsible for managing. Essentially, this concept is what Amazon calls the Shared Responsibility Model. This model holds for any flavor of outsourced cloud (in an on-premises private cloud, of course, you own it all).
In public cloud, whether infrastructure-as-a-service or platform-as-a-service, the provider owns the security of the physical layer and the infrastructure aspects of the cloud, as well as the compute, storage, database, network, and application services they offer. You, the customer, own the security configuration of your own operating systems, network traffic, firewall settings, and all of the security on your own systems that are used to connect to the cloud. We will dive more into the Shared Responsibility Model in future posts, but that’s essentially it. And to be secure, it’s imperative that you understand the security you own.
Before we do dive more into the Shared Responsibility Model in the future, it’s important to take a look at some security essentials that always need to be taken care of:
Security Essential One: Classify apps and data
Where do you start your focus on the security you own? Ask yourself what applications and data you have that are critical to running your business. What apps and data would cause executive leadership, stockholders, or customers to abandon ship if breached? What data, if leaked, could cripple the ability to conduct business or to effectively compete? What data would cause regulators to get into a whirr and possibly result in fines or sanctions?
All of these are the kinds of highly coveted business data, or government-regulated data, that you have to classify as critical and protect as such. These are the data, applications, servers, and systems that decide where you start your security efforts first, and that will likely always keep the highest level of focus.
Security Essential Two: Keep an eye on application security
At times your attackers are going to target vulnerabilities in your web applications. And you do have attackers targeting your assets. Whether you believe you do or not doesn’t matter: they’re still targeting you. To make sure your applications are as free of software vulnerabilities as you can make them, you have to actively look for vulnerabilities that create security risks. If the applications are open source or off-the-shelf applications, make sure to patch regularly and be sure to patch critical security flaws immediately. When building your own applications, it’s important that developers be trained in and use secure coding practices, and that applications be continuously examined for potential flaws. A good place to look for guidance on how to start an application security program is the Open Web Application Security Project (OWASP).
Security Essential Three: Get user identities and access under control
Put the processes in place to manage your user identities. This entails knowing who your users are, what job roles they have, and from that what applications and resources they should be able to access. It means limiting access to only those who have a reasonable need for those resources. And when the roles of these people change, change their access. When they leave for whatever reason, have their access revoked. This is one of the most important things one can do to keep a good security posture – and yet it’s one of the areas so many organizations skimp on.
Security Essential Four: Policy and Configuration Management
It’s crucial to establish policies for security checks, settings, and configuration levels for all of your systems, workloads, and apps. And just as vulnerability scans are important for finding systems that are out of date, it’s important to check and ensure that systems are configured and running according to policy.
Security Essential Five: If it can be automated, automate it
If there is a security task that can be automated through scripts or cost-effectively offloaded to a security services provider – it should be done. Good reads on continuous security and continuous policy monitoring can be found here and here. If you are a smaller organization, scale the advice down to your size – but the precepts remain similar.
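Essentials Four and Five together describe a check that is worth scripting: compare what each system actually runs against the configuration policy, and produce the remediation list automatically. The following is an added illustration, not code from the original post; the policy settings, the 30-day patch-age threshold, and the host snapshots are all constructed assumptions standing in for data a real configuration-collection agent would gather.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed policy: required values for a handful of security-relevant settings.
# The setting names are illustrative assumptions, not taken from any real baseline.
POLICY: Dict[str, str] = {
    "ssh.password_authentication": "no",
    "ssh.permit_root_login": "no",
    "firewall.default_inbound": "deny",
    "disk.encryption": "enabled",
}
MAX_PATCH_AGE_DAYS = 30  # constructed threshold for "running out of date"

@dataclass
class Finding:
    host: str
    setting: str
    expected: str
    actual: str

def check_host(host: str, snapshot: dict, policy: Dict[str, str] = POLICY,
               today: date = date(2024, 1, 31)) -> List[Finding]:
    """Compare one host's observed configuration against the policy.
    Every missing or mismatched setting becomes a Finding, so the
    remediation queue is produced by the same run as the check."""
    findings: List[Finding] = []
    for setting, expected in policy.items():
        actual = snapshot.get(setting, "<missing>")
        if actual != expected:
            findings.append(Finding(host, setting, expected, actual))
    # Patch currency is a separate check: a system with no recorded patch date is non-compliant.
    last_patch: Optional[date] = snapshot.get("patch.last_applied")
    if last_patch is None or (today - last_patch).days > MAX_PATCH_AGE_DAYS:
        findings.append(Finding(host, "patch.last_applied",
                                f"<= {MAX_PATCH_AGE_DAYS} days old", str(last_patch)))
    return findings

# Constructed snapshots: web-01 is compliant, db-01 drifts on three points.
SNAPSHOTS = {
    "web-01": {"ssh.password_authentication": "no", "ssh.permit_root_login": "no",
               "firewall.default_inbound": "deny", "disk.encryption": "enabled",
               "patch.last_applied": date(2024, 1, 20)},
    "db-01": {"ssh.password_authentication": "yes", "ssh.permit_root_login": "no",
              "firewall.default_inbound": "deny", "patch.last_applied": date(2023, 11, 1)},
}

def run_checks(snapshots=SNAPSHOTS, today: date = date(2024, 1, 31)) -> Dict[str, List[Finding]]:
    """Run the policy check across every host; this is the step a scheduler would automate."""
    return {host: check_host(host, snap, today=today) for host, snap in snapshots.items()}

if __name__ == "__main__":
    for host, findings in run_checks().items():
        for f in findings:
            print(f"{host}: {f.setting} expected {f.expected!r}, found {f.actual!r}")
```

Feeding the returned findings into a ticketing or configuration-management system closes the loop that Essential Six asks for: every policy gap found is already a remediation item.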
Security Essential Six: Be ready to respond
Of course, being on the steady lookout for security deficiencies in the organization is important, but many organizations, unfortunately, don’t bother to think about what comes next: remediation. When you start looking for security vulnerabilities, what will the organization do to remedy them? When you find violations of policy compliance, how will the gap be closed quickly? Be sure to think this through and plan ahead of time.
These essentials are just the beginning, and they aren’t meant to be comprehensive. They are meant to get the gears turning toward putting in place a cloud security program. There are many more posts coming, and in the next post on this subject we’ll take a closer look at what the Shared Responsibility Model means for securing cloud services.