Imagine a world without agile cloud services. Lost productivity, risks to confidentiality and damaged customer reputation threaten organizations that cannot properly address cloud security. Now more than ever, organizations are prioritizing a cloud-first approach making cloud security a critical topic to discuss.
While organizations are increasingly using cloud products as cloud introduces agility and capital savings helping streamline organizational operations, 40% of organizations are failing to achieve full value of their cloud investments according to Accenture. Though there are undoubtedly benefits to working with cloud products, there are inherent risks that organizations must consider. It is critical to understand foundational cloud security controls in order to ensure their security is upheld.
Imagine a world without agile cloud services
The Principle of Accountability in the Cloud
Organizations have a difficult time deciphering what they are responsible for. Often, organizations assume that cloud providers are responsible for all assets within the cloud environment. In reality, organizations are always responsible for their data. The shared responsibility model from the Cloud Security Alliance is an excellent resource to help organizations understand what they are responsible for and which facets of their technology strategy their providers are responsible for The Shared Responsibility Model helps organizations strategically manage risk that they are accountable for The shared responsibility model breaks down accountability into a way that can be translated into traditional IT. The intent of it is to help raise adoption and awareness whilst helping organizations adopt practices that they can maintain using their understanding of IT. Accountability should come from the top up and be tied to assets; senior management is still accountable for the data. Senior management of organizations should maintain accountability for maintaining the integrity and availability of data by means they can control. Addressing the resilience of data through controls such as backups, and implementing effective lifecycle management are approaches that organizations should seek to adopt.
Important Metrics
RTOs : Recovery time objectives
RPOs : Recovery point objectives
Backups – RTOs & RPOs
Recovery time objectives (RTOs) and recovery point objectives (RPOs) are important metrics for any organization (link). RTOs are the target times set for recovering from any interruption. RPOs are defined as the maximum amount of data – as measured by time – that can be lost after a recovery from a disaster, failure, or comparable event before data loss will exceed what is acceptable to an organization. Both of these metrics have immense meaning – they signify an organization’s ability to recover from disaster and determine powerful measures for management to mitigate risks.
Implement Security Lifecycles
As organizations adopt more sophisticated products and offerings, they must always balance the agility of the organization with operational security and risk management. One of the most efficient ways to accomplish this is to implement secure development lifecycle (SDLC) management through DevSecOps and good change management processes. DevSecOps is an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle. DevSecOps supports strong SDLC management processes by integrating security through product lifecycles. DevSecOps helps maintain many of the agility benefits that come with cloud-first operations while ensuring that security is considered throughout. Organizations found that adopting DevSecOps in cloud-first organizations led to over 45x faster remediation time of cloud-related incidents in some cases. This is a significant value for any organization, particularly small organizations that can ill-afford downtime.
Cloud Security
Though it is well known that leveraging cloud means “using someone else’s IT infrastructure”, security needs to be implemented differently. There is a greater focus on controls that may not be considered for traditional brick and mortar businesses. Ultimately, protecting data within cloud environments is the responsibility of the collecting organization so it is critical to place safeguards around the people that manage your organization’s cloud environment. These may include:
- MFA
- Security Monitoring
- Logging
- Encryption
- Cloud vulnerability management
- Infrastructure as code integrity validation
- Virtual Firewalls
- Web application firewalls
- Implement role based access control
There are several considerations that are more common in cloud-first organizations. These include:
- Loss of ownership or loss of information
- Improper vendor/partner due diligence
- Compliance risks
- Misconfigurations
- Improper account management
Why multi-factor authentication is important for cloud security
Protecting access is critical to protecting cloud environments. In 2019, Microsoft posted a blog post which states that MFA can block over 99.9% of account compromise attacks since having a password compromised is not enough for an attacker to gain access to cloud accounts.
Before we delve any deeper, it will be helpful to define what exactly MFA is. MFA authenticates users to services in a more secure fashion.
MFA dramatically reduces the risk of your account being compromised as it combines something you know (password) with either something you are (fingerprint, retinal scan) or something you have (hardware token or time-based access code). MFA allows any of the single points of authentication to fail; so if users’ passwords are compromised, attackers would be unable to compromise targeted accounts.
Les technologies/ tendances à venir
Cloud Access Security Broker (CASB)
If multiple cloud services from multiple different vendors are in use, consider implementing a CASB to enforce security policies across all the different cloud services in use. CASB products broker connections to several cloud resources following a single validation of user integrity. CASB products help streamline user experience while allowing organizational administrators to enforce industry-accepted best practices such as strong passwords, multifactor authentication and identity and access management. CASB benefits the overall user experience and productivity of organizations while maintaining high standards of security in cloud environments.
Zero Trust Network Access (ZTNA)
ZTNA is a growing control that maintains the confidentiality of critical assets regardless of where they are stored. ZTNA is a set of technologies that allow for secure access to internal applications for remote users. ZTNA provides secure remote access to these four core principles:
- Access is provided on an application basis, instead of access being granted to the whole network. (i.e. only specific applications with users that have been authenticated are granted access).
- Only outbound connections are made, ensuring that both network and application infrastructure are invisible to unauthorized users.
- Applications are segmented to ensure that authorized users only have access to specific applications rather than full access to the network. This segmentation prevents the risk of lateral movement of malware and similar threats as well as incorporates the principle of least privilege (POLP) by ensuring that overly permissive access is not granted.
- ZTNA uses a user-to-application approach to security rather than a traditional network security approach. This essentially means that the Internet becomes the new corporate network and end-to-end encrypted TLS micro-tunnels are used to protect confidentiality.
ZTNA may sound similar to Virtual Private Network (VPN) technologies but it has several key advantages.
VPN network access is granted when using the correct credentials (typically SSO) and allows the user to move laterally across the network. Meaning one set of compromised credentials can provide attackers with access to the entire corporate network!
On the other hand, ZTNA access is granted only under the correct context (user, identity, device and location all match up). Once authenticated, granular access is provided, rather than full network access, which prevents users from moving laterally.
Extended Detection and Response (XDR)
XDR is a critical control to implement to protect end users regardless of the resources they work with. XDR is an evolution of endpoint detection and response (EDR). EDR collects activities across multiple endpoints whereas XDR broadens the scope of detection beyond endpoints and analyzes events across networks, servers, cloud workloads, security information and event management (SIEM) tools and more. This provides a holistic view across multiple tools and attack vectors. Implementing an XDR tool allows corporations to significantly reduce risk while saving on cost and provides the same level of protection and security across all end users, no matter what resources they work with.
Ultimately, organizations need to maintain ownership of their organizational assets regardless of the tools, and regardless of where the data resides.
Leaders need to understand what they are responsible for versus what is the responsibility of the cloud providers. They must protect the data using strong program management and frameworks to develop scalable, agile processes.
Security teams can also leverage well-documented frameworks that address security concerns in cloud environments to provide defensibility and assurance that control implementations are validated, and effective.
Throughout these considerations, it is crucial to account for any organization’s most valuable asset – its people. Selecting technologies that allow workers to maintain a frictionless user experience is crucial to the success of technology adoption. Using industry-recognized tools is critical to enabling your end users to protect your organization against the present threat landscape.
Best Practices
- Choose trusted and well-reputed providers
- Select technologies that will scale with security processes
- Build security programs following well-reputed cloud frameworks
- Gather security attestations or ensure that there are well-understood due diligence processes
- Review contracts and SLAs annually
- Focus on your end users
- Harden their devices using endpoint security solutions
- Provide security awareness training
- Implement strong passwords
- Implement encryption
- Implement and maintain a logging and monitoring system
- Conduct risk assessments regularly