The Five Pillars of Actionable Cloud Security

Many organizations are learning the hard way that translating their on-premises security framework to the cloud is harder than they expected. For example, a misconfigured database at UW Medicine in Washington state recently left patient data from nearly a million individuals exposed for several weeks. The exposure was discovered when a patient searched for their own name on Google and found a file containing their information.
 
Breaches like this are all too common. According to Gartner analysis, by 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials, or insider theft, and not cloud provider vulnerabilities. 
 
Operating securely in the cloud requires different mechanisms and approaches than on-premises computing. For one thing, not all on-premises solutions work in the cloud. Additionally, cloud platforms expose numerous native security services (identity, logging, network controls, key management) that need to be incorporated into the framework rather than bolted on afterwards.
 
A successful migration to a cloud security framework rests on five pillars that are part of a sequential cycle, with each pillar dependent on those that precede it. Organizations that follow this methodology can create a framework that not only supports their cloud strategies, but also optimizes their overall security.
 
Identity and Access Management
Traditionally, customers look at identity and access management (IAM) from the standpoint of users, roles, and permissions. Within a cloud infrastructure, IAM allows administrators to control who (and what) can take which actions on specific resources, and it provides visibility and control across the whole infrastructure.

Companies in the cloud have also come to understand that services, not just people, are identities: workloads, functions and automation each run with credentials or roles, and those service identities need to be governed in the same terms, namely how they are accessed, what they are permitted to do, and how their credentials are managed.
 
To develop an actionable IAM pillar, companies must enable single sign-on and multi-factor authentication, use role-based access control, and reduce the exposure of privileged accounts, for example by granting least privilege and requiring MFA for privileged actions.
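The two IAM checks above that lend themselves to automation are "is anything granted with a wildcard?" and "is anything privileged allowed without MFA?". The following is an added example, not code from the original article: it audits AWS-style IAM policy documents for both. The three policies, the account ID, the bucket name and the list of actions treated as "privileged" are constructed assumptions for illustration; the checks follow common least-privilege guidance and are not an official benchmark implementation.

```python
"""Audit AWS-style IAM policy documents for two least-privilege gaps:
wildcard grants and privileged actions permitted without MFA.

Added example, not code from the original article. The three policy
documents, the account ID and the list of 'privileged' actions are
constructed for illustration; the checks follow common least-privilege
guidance but are not an official benchmark implementation.
"""
from fnmatch import fnmatchcase

# Constructed: actions we treat as privileged enough to require MFA.
PRIVILEGED_ACTIONS = ("iam:CreateAccessKey", "iam:AttachUserPolicy",
                      "sts:AssumeRole", "kms:ScheduleKeyDeletion",
                      "ec2:TerminateInstances")

ADMIN_POLICY = {  # constructed: the classic "make it work" policy
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SERVICE_WIDE_POLICY = {  # constructed: scoped to one service, but all of it
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Ec2All", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
SCOPED_POLICY = {  # constructed: least privilege, with MFA on the sensitive action
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "RotateOwnKeyWithMFA", "Effect": "Allow",
         "Action": "iam:CreateAccessKey",
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "DenyAllWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _requires_mfa(stmt):
    """True if the statement only applies when aws:MultiFactorAuthPresent is true."""
    cond = stmt.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        val = cond.get(op, {}).get("aws:MultiFactorAuthPresent")
        if val is not None and str(val).lower() == "true":
            return True
    return False

def audit_policy(name, policy):
    """Return findings as (policy_name, sid, severity, message) tuples."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        on_all_resources = "*" in resources
        if "*" in actions and on_all_resources:
            findings.append((name, sid, "HIGH", "full administrative access (Action * on Resource *)"))
        elif any(a.endswith(":*") for a in actions) and on_all_resources:
            findings.append((name, sid, "HIGH", "service-wide wildcard on all resources: "
                             + ", ".join(a for a in actions if a.endswith(":*"))))
        elif any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((name, sid, "MEDIUM", "wildcard action: " + ", ".join(actions)))
        # IAM action patterns use * and ?; fnmatchcase implements the same matching.
        granted = [p for p in PRIVILEGED_ACTIONS if any(fnmatchcase(p, a) for a in actions)]
        if granted and not _requires_mfa(stmt):
            findings.append((name, sid, "MEDIUM",
                             "privileged actions allowed without MFA: " + ", ".join(granted)))
    return findings

if __name__ == "__main__":
    for label, doc in (("admin", ADMIN_POLICY), ("ec2-wide", SERVICE_WIDE_POLICY),
                       ("scoped", SCOPED_POLICY)):
        for finding in audit_policy(label, doc) or [(label, "-", "OK", "no findings")]:
            print(finding)
```

The scoped policy passes because the only privileged action it grants is conditioned on MFA and the wildcard only appears in a Deny statement; the other two fail because a wildcard Allow on Resource "*" makes the MFA question irrelevant to an attacker holding the credential.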
 
Detection Controls

This pillar builds on the IAM pillar: once it is established who is allowed to access what, deviations from that baseline can be detected. Intrusion detection systems (IDS) automate this. They monitor and analyze network traffic and generate an alert on activity that either matches known malicious patterns (signatures) or deviates from a learned baseline (anomalies).
 
Because an IDS watches the actual network traffic, it not only permits a timelier response to an active compromise, it can also identify devices that are in imminent danger of compromise, such as hosts being scanned or probed ahead of an exploit attempt.
 
An actionable detection controls pillar is enabled by deploying detective controls from Layer 4 up to Layer 7, so that applications and not only the network are covered; understanding the difference between an IDS and a firewall (a firewall enforces policy inline, an IDS observes and alerts, and an alert is only useful if someone or something acts on it); and understanding all monitoring and logging performed by the detection systems already in place.
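To make the signature-versus-anomaly distinction concrete, here is an added example (not code from the original article) that runs three IDS-style detections over cloud flow-log records: a signature match against a threat-intelligence list, a port-scan heuristic, and an egress-volume anomaly relative to peer hosts. The log lines, the known-bad address, the thresholds and the convention that 10.0.0.0/8 is "internal" are all constructed assumptions. Flow logs carry Layer 3/4 metadata only, so this is deliberately a Layer 4 detector; the Layer 7 coverage the text calls for needs a payload-inspecting IDS in front of the application.

```python
"""IDS-style detections over constructed VPC-flow-log records: a signature
match against a threat-intel list, a port-scan heuristic and an egress-volume
anomaly.

Added example, not code from the original article. The log lines, the
known-bad address, the thresholds and the 10.0.0.0/8 'internal' convention
are constructed assumptions. Flow logs carry Layer 3/4 metadata only; a
Layer 7 IDS would additionally inspect payloads, which this does not.
"""
import ipaddress
from collections import defaultdict
from statistics import median

# Field order of the default (version 2) AWS VPC flow-log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: our address space
KNOWN_BAD = {"203.0.113.66"}                   # constructed threat-intel entry

# Constructed records: a scan of 10.0.1.20 from 198.51.100.7, normal HTTPS egress
# from two hosts, one host talking to the known-bad address, and one host
# pushing 900 KB out in a minute.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b 198.51.100.7 10.0.1.20 41234 22 6 1 40 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b 198.51.100.7 10.0.1.20 41235 23 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b 198.51.100.7 10.0.1.20 41236 80 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b 198.51.100.7 10.0.1.20 41237 443 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b 198.51.100.7 10.0.1.20 41238 3389 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b 198.51.100.7 10.0.1.20 41239 8080 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b 10.0.1.20 198.51.100.50 50001 443 6 12 2000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0c2d 10.0.1.21 203.0.113.66 50002 443 6 10 1500 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0e3f 10.0.1.30 198.51.100.99 50003 443 6 700 900000 1600000000 1600000060 ACCEPT OK
"""

def parse_flow_log(text):
    """Parse whitespace-separated flow-log lines into dicts, skipping short lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # blank, malformed, or NODATA/SKIPDATA lines
        rec = dict(zip(FIELDS, parts))
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
        records.append(rec)
    return records

def detect_known_bad(records):
    """Signature check: any accepted flow that touches a known-bad address."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
            if r["action"] == "ACCEPT" and KNOWN_BAD & {r["srcaddr"], r["dstaddr"]}]

def detect_port_scans(records, min_ports=5):
    """Heuristic: one source touching many distinct ports on one destination.
    REJECTed flows count; a scan is mostly refusals."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)

def detect_egress_anomalies(records, factor=10):
    """Anomaly: an internal host sending far more bytes out than its peers' median."""
    egress = defaultdict(int)
    for r in records:
        src, dst = ipaddress.ip_address(r["srcaddr"]), ipaddress.ip_address(r["dstaddr"])
        if src in INTERNAL and dst not in INTERNAL:
            egress[r["srcaddr"]] += r["bytes"]
    if not egress:
        return []
    baseline = median(egress.values())
    return sorted((host, b) for host, b in egress.items() if b > factor * baseline)

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for name, fn in (("known-bad", detect_known_bad), ("port-scan", detect_port_scans),
                     ("egress", detect_egress_anomalies)):
        for alert in fn(recs):
            print(f"ALERT [{name}] {alert}")
```

Note the different failure modes: the signature check cannot fire on an address that is not yet on the list, and the egress check is only as good as the peer group (a fleet where every host is exfiltrating has a high median). That is why the text asks for both kinds of detection rather than one.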
 
Network Security
Many organizations make the mistake of beginning their cloud security framework discussions with network security (NetSec), but the cloud is different. Under the shared responsibility model, the provider secures the underlying network and physical infrastructure (security of the cloud), but it cannot secure what customers build on top of it or the systems from which they access it (security in the cloud): virtual network segmentation, firewall and security group rules, and the hygiene of the endpoints that connect remain the customer's job.
 
This is where firewalls and web application firewalls (WAFs) in the cloud offer security at a different level. The functions they provide are designed to operate in an infrastructure that is fluid and off-premises, where resources appear, move and disappear. Because resources are cloud-based, companies often turn to provider-specific benchmarks such as the CIS Benchmarks, which describe cloud-focused policies (for example, that no security group should be open to the whole internet on administrative ports) and make it possible to detect policy violations of a kind that simply did not exist in an on-premises infrastructure.
 
Finally, an actionable NetSec pillar also needs to consider endpoint security, since the devices that access the cloud sit outside the provider's responsibility. Companies must understand which policies and benchmarks are appropriate to their business and deploy solutions that translate those benchmarks into actionable results: continuous checks that report, and ideally remediate, each violation.
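As an added example (not code from the original article) of translating a benchmark into an actionable check, the block below evaluates security group ingress rules the way a CIS-style control would, and shows a weak group beside its corrected form. The two security groups, the corporate VPN range and the choice of administrative ports are constructed assumptions; the logic follows the spirit of the CIS rules against world-open administrative ports but is not an official benchmark implementation.

```python
"""CIS-style check of security group ingress rules, with a weak group beside
its corrected form.

Added example, not code from the original article. The security groups, the
corporate VPN range and the list of administrative ports are constructed; the
checks follow the spirit of the CIS rules that no security group should allow
ingress from 0.0.0.0/0 (or ::/0) to administrative ports, but this is not an
official benchmark implementation.
"""
import ipaddress

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}  # assumption: what counts as administrative

# Constructed: the weak group a team creates to "just get SSH working", plus a
# catch-all IPv6 rule nobody remembers adding.
WEAK_SG = {
    "id": "sg-weak",
    "ingress": [
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        {"proto": "-1", "from_port": -1, "to_port": -1, "cidr": "::/0"},  # "-1" = all traffic
    ],
}
# Constructed: the corrected group. SSH only from the corporate VPN range,
# HTTPS still public (that is what a web tier is for), no catch-all rule.
HARDENED_SG = {
    "id": "sg-hardened",
    "ingress": [
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
        {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    ],
}

def _is_world(cidr):
    """True for 0.0.0.0/0 and ::/0: a prefix length of zero in either family."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def _covers_port(rule, port):
    """Does this rule admit traffic to the given TCP/UDP port?"""
    if rule["proto"] == "-1":
        return True  # all protocols and ports
    return rule["from_port"] <= port <= rule["to_port"]

def check_security_group(sg):
    """Return findings as (sg_id, rule_index, message) tuples.

    Only world-reachable rules are examined; a public HTTPS rule is not a
    finding, a public SSH/RDP rule or an all-traffic rule is.
    """
    findings = []
    for i, rule in enumerate(sg["ingress"]):
        if not _is_world(rule["cidr"]):
            continue
        if rule["proto"] == "-1":
            findings.append((sg["id"], i, f"all traffic open to {rule['cidr']}"))
            continue
        for port, name in ADMIN_PORTS.items():
            if _covers_port(rule, port):
                findings.append((sg["id"], i,
                                 f"{name} ({port}/{rule['proto']}) open to {rule['cidr']}"))
    return findings

if __name__ == "__main__":
    for sg in (WEAK_SG, HARDENED_SG):
        for finding in check_security_group(sg) or [(sg["id"], "-", "no findings")]:
            print(finding)
```

The check is deliberately narrow (prefix length zero only), matching the benchmark wording; a stricter internal policy might also flag very large prefixes or any non-corporate range on port 22, which is exactly the "appropriate to their business" judgement the text describes.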
 
Data Protection
The distinction between data in motion and data at rest becomes blurred in the cloud, where data is continually replicated, moved between services and accessed over networks the organization does not own. Because data in transit is exposed to interception and tampering, the difficult task of protecting it during transport has become more critical.
 
Encryption is the most popular method of protecting data at rest and in transit, but it is not a total solution: it protects confidentiality against an outsider, not against a properly authenticated but over-privileged identity that the service will happily decrypt for. NetSec controls add another layer of protection, as do data policies. Data that has been classified as at-risk can have specific policies applied to it whenever it is accessed or moved.
 
There are other data conditions that need to be considered, such as archiving and ongoing threat scanning. For instance, emails residing in trash or spam folders often contain latent threats, such as malicious attachments that could be triggered if inadvertently opened at a later date, so they must be removed from users' systems in a timely manner.

Companies need complete visibility of their data, controlled versioning of that data, and end-to-end data protection and encryption.

Incident Response
For some organizations, incident response (IR) is where the weaknesses of a non-actionable cloud security framework first show. Often, incidents are not even identified until long after they have occurred and the damage has already been done.
 
Within an actionable IR framework, most incidents are security failures or non-compliance issues that can be readily identified and rectified, with the intention of responding to the "incident" before any damage results.
 
IR can take many forms, from simple identification and rectification, or prevention, to changes in policies and strategies that avoid similar incidents in the future. Organizations that use an actionable cloud framework as the basis for enforcing security and workflow best practices can use IR to identify where best practices are not being followed and why.
 
Next Steps
IT organizations are typically staffed to keep their companies and users secure and productive and to operate within a defined company framework. Even those with extensive security understanding and cloud experience are best served by partners whose focus is architecting security.
 
Once a company has defined its five cloud security pillars and developed a strategy to close any gaps, it can work with an MSP partner to implement the tools and processes that enable an actionable security framework. The partner can ensure that hybrid frameworks do not hamper cloud migrations and the benefits they are meant to deliver, but instead remain integral parts of the organization's overall security framework.
 
End users are then able to focus on the real value they intend to extract from the cloud: digital and operational transformation.
