The major cloud service providers support Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), and Platform-as-a-Service (PaaS) offerings on which you can build a robust cloud environment. Regardless of which cloud service provider (CSP) you choose, the concepts for securing these offerings will be similar although the specific services, features, and implementations will differ. For example, for each CSP you will manage much of your virtualized infrastructure of network, storage and compute instances through a management console or by code, but the API’s you call, the features you enable, and code you write to do this will be different.
Organizations must understand not only what cloud features and services are available from their CSP but also how to appropriately configure them to ensure their own cloud-environment remains appropriately secure.
Ensuring that your cloud configuration is secure requires a solid understanding of the capabilities of your CSP. Often the features that provide these capabilities may be similar in concept between CSP offerings. Even within a single CSP, there may be multiple features that sound like they do the same thing but have very different capabilities that you must understand in order to choose the best one for a given use case. Also, it might seem like common sense but the features and services available by one CSP may not be available by another, although CSPs are constantly releasing new features all the time in order to keep up or stay ahead of their competition.
The security services and features offered by the major CSPs are powerful tools to help protect your cloud environment. In some cases, these features may not completely meet your security requirements and you will need to supplement with your own technology or processes to protect your cloud environment from unwanted vulnerabilities. Some organizations may choose to use multiple cloud providers to distribute their risk across vendors but, for these situations, they may also need to develop multiple solutions for a single control because tools and code that works for one CSP may not work for another. Auditing your cloud configurations against a recommended standard helps ensure that you are not missing important controls and are using compliance tools that have visibility across multiple cloud technologies.
Your security approach doesn’t need to be complex, but it must be consistent. First, be sure you understand what business and security requirements your cloud environment must meet. These requirements may come from a variety of sources ranging from your internal security policy to compliance requests made by your customers or set by the verticals that your product serves.
Next, assess the service and feature capabilities offered by your CSP to understand what controls they provide, which of their controls you can use, and which controls you must provide yourself.
The major CSPs — Microsoft, Amazon, Google — offer hundreds of individual services and features that you can leverage to improve your cloud environment. A number of these features help improve the security and compliance of your deployment. Understanding which ones to enable can be daunting but the CSP documentation is usually good and there are other online resources that can help.
Lastly, audit these controls for effective operation and be sure to regularly update your documentation and tooling to reflect changes to your environment. Choosing a cloud-aware security tool to help manage the security and compliance of your cloud environment are important because traditional tools designed for on-premises infrastructure and legacy networks may not work well in the cloud. For example, using containers and overlay networks may make it more difficult to track down an attacker. This is because the ephemeral nature of the containers means they come and go, and by the time a defender’s investigation reaches a compromised container it may already have been spun down and the evidence lost. Likewise, orchestration software may regularly recycle IP addresses which also makes tracking by IP address more difficult without some sort of historical timeline able to maintain and correlate past container activity with IP address allocation. Cloud-aware tools that register and correlate IP addresses, virtual machines instances, clusters, cloud subscriptions, and other cloud-specific meta data can improve incident response rates.
In the second part of this two-part series, we’ll look specifically at specific tactics for securing your cloud environment.