In the first installment of this two-part series, we looked at why organizations must understand which cloud features and services are available from their cloud service provider (CSP). We also went into detail about the importance of configuring those features correctly so that their cloud environment remains secure.
Many of the services offered by the major cloud service providers – AWS, GCP, Azure – overlap in high-level functionality, but the implementation details vary by provider. This is where configuration baselines like the CIS Benchmarks help: they translate a security requirement into a CSP-specific, prescriptive recommendation. Some areas to focus on when securing your cloud environment include:
Identity and Access Management
Don’t overprovision privileged access, and be sure to enable multi-factor authentication (MFA) in the appropriate places. Apply MFA to critical portals such as your CSP management console, to privileged accounts (such as root), and, where the CSP offers it, to the management of specific services or even individual components within a service. For example, you may choose to require MFA in order to permanently delete objects from your storage service.
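As an added example (not code from the original post), here is what "require MFA to delete" looks like when written as an IAM-style policy, together with a deliberately simplified evaluator so the effect can be checked offline. The bucket name, the policy layout and the evaluator are assumptions constructed for this illustration; `aws:MultiFactorAuthPresent` and `BoolIfExists` are real IAM condition elements, but the evaluator models only the two rules needed here (an explicit Deny wins; otherwise a matching Allow is required) and none of the other steps of real IAM evaluation.

```python
"""Added example (not from the original post): an IAM-style policy that denies
object deletion unless the caller authenticated with MFA, plus a simplified
evaluator so the policy's effect can be exercised offline.

Assumptions: the bucket name and policy layout are constructed; the evaluator
keeps only two rules of real IAM evaluation (explicit Deny wins, otherwise a
matching Allow is needed) and supports only the BoolIfExists operator.
"""
import json
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::example-archive-bucket"  # constructed bucket name

# Broad object access is allowed, but deletion is denied unless MFA is present.
# aws:MultiFactorAuthPresent is the real condition key; BoolIfExists makes a
# request that carries no such key at all (e.g. one signed with a long-term
# access key) match the Deny as well, instead of slipping past it.
MFA_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": f"{BUCKET_ARN}/*",
        },
        {
            "Sid": "DenyDeleteWithoutMFA",
            "Effect": "Deny",
            "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _condition_matches(condition, context):
    """Evaluate only the BoolIfExists operator used above (simplified model)."""
    for operator, pairs in condition.items():
        if operator != "BoolIfExists":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if key not in context:
                continue  # ...IfExists: a missing key still counts as a match
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatchcase(action, pattern) for pattern in actions):
        return False
    if not fnmatchcase(resource, stmt["Resource"]):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def is_allowed(policy, action, resource, context):
    """Simplified decision: explicit Deny wins, else any matching Allow permits."""
    matched = [s for s in policy["Statement"]
               if _statement_matches(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


if __name__ == "__main__":
    obj = f"{BUCKET_ARN}/backups/2024-01-01.tar"  # constructed object key
    with_mfa = {"aws:MultiFactorAuthPresent": True}
    console_no_mfa = {"aws:MultiFactorAuthPresent": False}
    access_key = {}  # long-term access key: the MFA key is absent, not false
    print(json.dumps(MFA_DELETE_POLICY, indent=2))
    print("read without MFA  :", is_allowed(MFA_DELETE_POLICY, "s3:GetObject", obj, console_no_mfa))
    print("delete with MFA   :", is_allowed(MFA_DELETE_POLICY, "s3:DeleteObject", obj, with_mfa))
    print("delete without MFA:", is_allowed(MFA_DELETE_POLICY, "s3:DeleteObject", obj, console_no_mfa))
    print("delete, access key:", is_allowed(MFA_DELETE_POLICY, "s3:DeleteObject", obj, access_key))
```

The third request context is the one worth remembering: a call signed with a long-term access key carries no `aws:MultiFactorAuthPresent` key at all, so a plain `Bool` test for `false` would not match and the Deny would quietly not apply. `BoolIfExists` closes that gap, which is why reads still succeed without MFA while every delete that cannot prove MFA is refused.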
The major CSPs offer robust key management services for securely creating and storing cryptographic keys and other secrets. Using your CSP's key management service brings additional benefits, such as the ability to protect your keys with the CSP's role-based access control and to have the key management service provide encryption for your other services.
Know the attack surface of your services and applications and protect them accordingly. The major CSPs offer many services for isolating a host, device, or application from network attacks, including host-based firewalls, network-based firewalls, application firewalls, disabling unnecessary services on the host, prohibiting routing, and virtual private networks. The implementation and capabilities of each of these vary by CSP, so be sure to understand which options are available and which best keep your valuable assets protected.
Logging for Hosts and Services
By default, your CSP may not enable enough logging to meet your security requirements. For example, on AWS you use CloudTrail to view account events, and you can optionally create CloudTrail trails, which enable additional analysis. Also, don’t forget to integrate CSP logging with logging from your broader environment to facilitate unified review and response.
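An added example of the kind of review that CloudTrail logging enables, not code from the original post: a small triage pass over CloudTrail records that flags root-account activity (especially without MFA), changes to the trail itself, and denied API calls. The records are constructed for this example using the documentation account id 123456789012 and TEST-NET addresses; the field names (`userIdentity.type`, `eventSource`, `eventName`, `errorCode`, `additionalEventData.MFAUsed`, `sessionContext.attributes.mfaAuthenticated`) follow the CloudTrail event format, and the watch-list of trail-changing events is a short constructed list rather than a complete one.

```python
"""Added example (not from the original post): triage of CloudTrail records.

The record layout follows the CloudTrail event format; the three records below
are constructed for this example (documentation account id 123456789012,
TEST-NET source addresses), not real log data.
"""
import json

# API calls that change or disable the audit trail itself. A short constructed
# watch-list for the example, not an exhaustive one.
TRAIL_CHANGE_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed CloudTrail log file body: one JSON object with a "Records" list.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {
        "eventTime": "2024-03-01T08:12:44Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                         "accountId": "123456789012"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {
        "eventTime": "2024-03-01T08:15:02Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                         "arn": "arn:aws:iam::123456789012:user/ops-admin",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"},
    },
    {
        "eventTime": "2024-03-01T09:40:10Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.77",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/app-reader/i-0abc"},
        "errorCode": "AccessDenied",
    },
]})


def load_records(text):
    """Parse a CloudTrail log file body (a JSON object with a Records list)."""
    return json.loads(text)["Records"]


def mfa_used(record):
    """True when the record shows an MFA-backed identity, False otherwise.

    Console sign-ins report MFA in additionalEventData.MFAUsed; API calls made
    from a session report it in sessionContext.attributes.mfaAuthenticated.
    """
    extra = record.get("additionalEventData", {})
    if "MFAUsed" in extra:
        return extra["MFAUsed"] == "Yes"
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def triage(records):
    """Return (severity, reason, actor_arn) tuples for records worth a look."""
    findings = []
    for r in records:
        ident = r.get("userIdentity", {})
        who = ident.get("arn", "?")
        name = r.get("eventName", "?")
        if ident.get("type") == "Root":
            # Day-to-day use of root is itself a finding; without MFA it is worse.
            sev = "medium" if mfa_used(r) else "high"
            findings.append((sev, f"root account used: {name}, MFA={mfa_used(r)}", who))
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_CHANGE_EVENTS:
            target = r.get("requestParameters", {}).get("name", "?")
            findings.append(("high", f"audit trail changed: {name} on {target}", who))
        if r.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            findings.append(("low", f"denied call {name} from {r.get('sourceIPAddress', '?')}", who))
    return findings


if __name__ == "__main__":
    for severity, reason, actor in triage(load_records(SAMPLE_CLOUDTRAIL)):
        print(f"[{severity:6}] {reason}  <- {actor}")
```

In practice the same three checks would run over trail files delivered to your log storage rather than an inline string, and the findings would feed the unified review pipeline the paragraph above recommends; the point of the inline sample is only to show which fields carry the signal.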
Don’t forget to include cloud-specific technologies in your vulnerability program. For example, containers behave differently from virtual machines, and your traditional vulnerability scanning tools may not suffice; scan your container images for vulnerabilities to ensure that only trusted containers are created. Regularly apply software security updates, and remember that misconfigurations can also lead to security vulnerabilities. Create a configuration baseline that defines exactly how each asset should be configured, then audit against that baseline to ensure your assets remain compliant with security policy.
Host management responsibilities vary widely with the service platform choices you have made. For example, if you use an IaaS platform, you must include those virtual machines in your management scope, and you can likely leverage traditional tooling. If you instead subscribe to SaaS or PaaS offerings, you will have less access to the hosts on which your subscribed service runs, and most of your management activity may be restricted to what the provider exposes.
Auditing your environment for compliance with your security policy and requirements is an important detective control that validates that the rest of your security controls are operating effectively. The major CSPs each offer compliance centers in which you can configure rules and policies that govern many aspects of cloud asset deployment and configuration. For example, if your security policy prohibits unencrypted data, you may be able to configure your CSP's storage service to technically enforce that rule.
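Pulling together the network, vulnerability-program and compliance advice above, here is an added example that is not from the original post: a configuration baseline expressed as code and audited against a snapshot of cloud assets. The inventory, the rule identifiers and the check logic are all constructed for this illustration; the checks echo common benchmark themes (encryption at rest, MFA on console users, admin ports not open to the world, an active multi-region trail) but are simplified and are not the CIS Benchmark text.

```python
"""Added example (not from the original post): a configuration baseline as
code, audited against a constructed inventory snapshot.

Assumptions: the inventory shape, rule ids and thresholds are all constructed
for this example. The checks mirror common benchmark themes but are
simplified, not the wording of any published benchmark.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed inventory snapshot, in the shape a collector script might emit.
INVENTORY = {
    "s3_buckets": [
        {"name": "app-logs", "sse": "aws:kms", "public": False},
        {"name": "scratch-data", "sse": None, "public": False},
        {"name": "marketing-site", "sse": "AES256", "public": True},
    ],
    "iam_users": [
        {"name": "ops-admin", "console": True, "mfa": True},
        {"name": "contractor", "console": True, "mfa": False},
        {"name": "ci-bot", "console": False, "mfa": False},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [("tcp", 443, "0.0.0.0/0")]},
        {"id": "sg-bastion", "ingress": [("tcp", 22, "0.0.0.0/0"), ("tcp", 3389, "10.0.0.0/8")]},
    ],
    "cloudtrail": [
        {"name": "main", "multi_region": False, "logging": True, "log_validation": True},
    ],
}

ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


@dataclass
class Rule:
    rule_id: str
    description: str
    check: Callable[[dict], List[str]]  # returns ids of non-compliant assets


def unencrypted_buckets(inv):
    return [b["name"] for b in inv["s3_buckets"] if not b["sse"]]


def public_buckets(inv):
    return [b["name"] for b in inv["s3_buckets"] if b["public"]]


def console_users_without_mfa(inv):
    # Service accounts without console access are out of scope for this rule.
    return [u["name"] for u in inv["iam_users"] if u["console"] and not u["mfa"]]


def open_admin_ports(inv):
    return [f"{sg['id']}:{port}" for sg in inv["security_groups"]
            for _proto, port, cidr in sg["ingress"]
            if port in ADMIN_PORTS and cidr in ANYWHERE]


def no_active_multiregion_trail(inv):
    # Account-level rule: pass if at least one trail is logging everywhere
    # with log file validation on; otherwise the whole account fails.
    ok = any(t["logging"] and t["multi_region"] and t["log_validation"]
             for t in inv["cloudtrail"])
    return [] if ok else ["account"]


BASELINE = [
    Rule("STOR-1", "Storage buckets use server-side encryption", unencrypted_buckets),
    Rule("STOR-2", "No bucket is publicly readable", public_buckets),
    Rule("IAM-1", "Every console user has MFA enabled", console_users_without_mfa),
    Rule("NET-1", "SSH/RDP are not open to the world", open_admin_ports),
    Rule("LOG-1", "An active multi-region trail with log validation exists", no_active_multiregion_trail),
]


def audit(inventory, baseline=BASELINE) -> List[Tuple[str, str, List[str]]]:
    """Return (rule_id, description, failing_assets) for each rule that fails."""
    results = []
    for rule in baseline:
        failing = rule.check(inventory)
        if failing:
            results.append((rule.rule_id, rule.description, failing))
    return results


if __name__ == "__main__":
    for rule_id, description, failing in audit(INVENTORY):
        print(f"FAIL {rule_id}: {description} -> {', '.join(failing)}")
```

Writing the baseline this way gives you an artifact that can be versioned and reviewed like any other code, and the audit output names the specific asset that drifted rather than a generic "non-compliant" verdict, which is what makes the detective control actionable.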
Security Management Consoles
Enrolling your cloud subscription in your CSP's security console provides additional, consolidated information about the overall security posture of your assets. These consoles make it much easier to find relevant information and can reduce the time it takes to respond to misconfigurations, vulnerabilities, threats, and other security problems.
Whichever cloud service provider you choose, be sure to understand their security offerings and integrate them into your security program. Cloud-aware tools that integrate with your CSP can provide further benefit if they can also leverage the CSP's features to give deeper visibility into cloud security performance across your subscriptions. These tools can also help audit your cloud configuration to remove unwanted vulnerabilities.