Closing Cloud Security Gap : With Freedom Comes Greater Responsibility
In last couple of years Cloud adoption has gained a lot of momentum. The Gartner global Cloud adoption survey states that 80% of organizations if not already invested in Cloud have shown indications to move to Cloud in coming few years.
One intrinsic property Cloud Computing has is : Elasticity/Agility. I like to call it Cloud Freedom:
- Freedom to have the required infrastructure whenever you want.
- Freedom to scale up or scale down your infrastructure as per your need and even as per multiple dynamic parameters.
“The Elasticity & Agility of Cloud provides the Freedom to developers and organizations to scale new heights.”
This Freedom to launch an infrastructure with just few clicks and have it ready for you within minutes is what has made Developers/Engineers to be the prime drivers of Cloud adoption across organizations.
With this freedom, organizations are saving on an average 14 percent of their budgets as an outcome of public Cloud adoption, according to Gartner’s 2015 Cloud adoption survey.
“With Freedom comes greater Responsibility .”
This Freedom, if not handled with greater responsibility, can very easily wash away the 14 percent saved on budgets!
During early adoption days of Cloud, the major concern everyone had was around security. All major public Cloud providers, especially AWS, in past few years, have demonstrated successfully that their services are resilient and their infrastructure has the best possible security measures. Thus, adding to the momentum of Cloud adoption.
The security measures demonstrated by public Cloud service providers in recent times suggest that Cloud with it’s world class security best practices is even safer than on-premise data centers! For example, AWS has even gone ahead and got security compliance certifications like PCI DSS and ISO 27001.
But this absolutely doesn’t mean that once you move your infrastructure to Cloud, you can now forget about security! Moving to Cloud certainly reduces scope of some of traditional security tasks, but doesn’t eliminate them all together. Plus the added Freedom brings in the added security challenges.
Security of infrastructure on Cloud is a shared responsibility. All public Cloud service providers advertise this upfront.
“Security in the Cloud is a shared Responsibility.”
You as a customer of public Cloud services is responsible for your data security and access management of your Cloud resources. If we consider AWS EC2, a public Cloud infrastructure service, you are responsible for:
- Amazon Machine Images (AMIs), Operating systems & Applications
- Data in transit, Data at rest & Data stores
- Credentials, Policies & Configurations
So, overall there are 4 major core areas of the threat landscape you need to tackle with respect to security of your Cloud infrastructure:
Here are some of the most important best practices you must follow to close the security gap within your Cloud infrastructure.
Grant least privileges
You must follow this thumb rule of granting least required privilege to users and programs. AWS Cloud has very strong foundation in Identity and Access Management. You must make full use of IAM capabilities to define a very fine grained permission level for all access points into your Cloud infrastructure. Also make enabling multi-factor authentication mandatory for your users.
Enable all the detective services
You must enable all the tools and configurations provided by your Cloud provider to ensure that you have the ability to track access and activity within your Cloud infrastructure. For example, with AWS, you must enable the below services:
- AWS CloudTrail Logs (Even in regions where you don’t have instances)
- Enable VPC Flow Logs
- Enable ELB Access Logs
- Enable AWS Config
Encrypt data at rest as well as in transit
This is something everyone knows, but very few follow it diligently. If you have any sensitive data stored in your Cloud infrastructure. It is super naive to leave it un-encrypted! AWS provides native encryption capabilities with it’s Data storage services like RDS, S3 and EBS. You should use HTTPS/SSL almost always when transferring data over internet or across regions.
Architect networks with desired segmentation
You must ensure that you follow the best practices while architecting infrastructure networks within your Cloud. With AWS you must create VPC and further segment your network into public and private subnets. Always keep your data stores in a private subnet.
Backup the backups!
It is recommended to have one or multiple separate Cloud accounts just to keep backups. Only very limited set of users should have access to these accounts. So, say you are using AWS EBS and you take regular snapshots for backup. Now, your AWS account is compromised; EBS is deleted as well the snapshots(backup) are deleted by the attacker! Hence, it is advised that snapshots should be copied to a different AWS account with limited access.
Every team which is elated with the Freedom provided by Cloud must also bring in the much required discipline within the team to ensure the security of their Cloud resources. Security leaders within such teams must strive to bring in processes to inculcate the required discipline. They must also bring in the habit of regular audits, preferably automated.
One last quick advice, rotate access credentials regularly! Again, it’s about being disciplined as a team and ultimately being more responsible to ensure security of your Cloud infrastructure.
PS: You can hear me talk on AWS Security Do’s and Don’ts — Tackling the Threat Landscape in below listed webinar recording.