CLOUD SECURITY - WHO IS RESPONSIBLE?
- From a security perspective, public cloud removes the requirement to secure the physical infrastructure; that task is no longer the customer's responsibility, as the cloud vendors fully manage the security of the abstracted infrastructure.
- A public cloud provider's responsibility is “Security of the Cloud”, and its customers' responsibility is “Security in the Cloud”.
- Both AWS and Azure have a shared responsibility model which splits responsibility between the vendor and the customer in terms of who will secure what.
- These vendors take full responsibility for the security of the infrastructure, protecting the compute, storage, networking and database services against attacks and intrusions. They are responsible for the security of the software, hardware and data centres used to deliver their services.
- Therefore, as a customer you need to focus on how to achieve “Security in the Cloud”, as this is your responsibility.
- As a customer you are responsible for protecting the security of your data and identities. This includes endpoints, accounts and access management.
- The cloud vendors provide the features and recommendations, but ultimately it is up to the customer to enable and architect these features.
Asystec follows best practices when advising and consulting on cloud projects. Based on our experience of such projects, there are certain principles that we apply, as outlined below.
PRINCIPLES OF CLOUD SECURITY
Controlling identity and access is one of the most important functions of any cloud platform; having a system in place that ensures access is controlled, secure and governed is of the highest importance.
– Multi-Factor Authentication (MFA) and SSO add a layer of additional security by requiring users to prove they are who they say they are, and enable passwordless access.
– Identity & Access Management (IAM) secures access to services and resources. It is based on permissions for fine-grained access control; analyse access and integrate with existing corporate directories. Create a single identity for each user across the hybrid enterprise, keeping users in sync. Use RBAC for fine-grained access management.
Traceability is required to ensure changes to the environment are audited in real time: monitor, alert and audit. Establish a logging system and, where possible, provide automated response mechanisms that act when anomalies are detected.
Reduce the need for direct access to, or manual processing of, data. This reduces the risk of loss or human error with sensitive data.
Design security that encompasses each layer of the cloud, including the following:
– VPCs and VNets, the edge network, subnets, load balancers, WAFs, every instance, every OS and every application.
– Data security and encryption at rest and in transit.
Ideally, security is managed as code and version controlled, so that it can always be applied as a standard. Follow best practices from the cloud vendors' “well-architected” guidance.
Access requests from users, devices and applications should be considered untrusted until validated. MFA, Conditional Access and SSO should always be used as best practice.
Use tools to ensure the correct posture is maintained and that insider mistakes don't threaten security. Ensure continuous compliance and threat detection.
Have an incident response process established. Run simulations and use tools with automation to increase the speed of detection, investigation and recovery.
“According to Gartner, through 2025, 99% of cloud security failures will be the customer’s fault and 90% of the organisations that fail to control public cloud use will inappropriately share sensitive data”.
Is the Cloud Secure? Gartner, October 2019
AWS CLOUD SECURITY
AWS has developed a “Well-Architected Framework” that provides architectural best practices for designing and operating reliable, secure, efficient and cost-effective workloads in the cloud. From a security perspective, the framework outlines the necessary steps that should always be applied at an organisational level and at a workload level. These include the following:
AZURE CLOUD SECURITY
Azure also provides a “Well-Architected Framework”, a set of guiding tenets that can be used to improve the quality of workloads in the cloud. Security is one of the 5 pillars in the framework, and it provides guidelines for confidentiality, integrity and protection best-practice measures to mitigate attacks on, and abuse of, data and systems. Microsoft outlines 3 key strategies as follows:
VMWARE SECURE STATE
Reducing misconfigurations, monitoring for malicious activity and preventing unauthorised access are foundational activities necessary to ensure the security and compliance of applications and data in the cloud. As criminals become more sophisticated in exploiting cloud misconfiguration vulnerabilities, security teams need a smarter approach to preventing security breaches.
VMware Secure State is an intelligent cloud security and compliance monitoring platform that helps organizations reduce risk and protect millions of cloud resources by remediating security violations and scaling best practices at cloud speed.
Increase visibility with real-time insights: better understand your multicloud security and compliance posture by visualising object relationships and mapping associated violations, metadata and more.
Establish security & compliance best practices: Build a program to establish organisation wide standards and prioritize violations based on risk.
Remediate misconfigurations with automated actions: Resolve existing and new misconfigurations with a flexible, in-account remediation approach to scale security at cloud speed.
Empower security, developers, & operations teams: Drive security and compliance improvements with faster alignment and distribution of insights across stakeholder teams.
Asystec has guided customers through the process of Security in the Cloud and the best practices that need to be considered, both for our existing cloud customers and for those just starting out with applications in the cloud. Whatever stage you are at, we can help consult on and design the right secure solution for you. To find out how our unique approach to Cloud Security can protect your business, contact us today!