In our previous blog, Establishing Foundational Cloud Governance, we outlined the modern technology operating environment and the governance-structure mistakes organizations make in hybrid-cloud environments. This blog looks at a few more mistakes organizations are likely to make.
The Number One Mistake: Failure to Automate
An organization cannot operate with the speed and agility the cloud demands when every action depends on a human. Security, Operations, and Development teams should strive to automate everything they do. The key automation capabilities are:
- Continuous monitoring for configuration drift, from the provider's management plane down to the inside of the operating system. Any drift that would result in a critical or high risk should have an automated remediation path. For example, if an individual opens Microsoft’s Remote Desktop Protocol (TCP/3389) from the internet to an instance in a security group, automation should immediately modify the group to remove the rule, and alert on the change so the root cause (who added it, and why) is investigated rather than silently reverted.
- All infrastructure and services should be deployed and changed through automated infrastructure-as-code solutions like Terraform. An automation pipeline also lets organizations build security checks into the system: for example, rules that evaluate network firewall rules or storage access control lists and fail the deployment before a bad change reaches production.
- Automate external vulnerability scans, feeding them the current IP addresses and DNS records pulled from the cloud platforms so the scan scope tracks the real attack surface in near real time.
- In a data center world, a service level objective of twenty-four hours for disabling the access of departed employees may be acceptable for Identity and Access Management teams. In a cloud world, where a single credential can reach every environment from anywhere, deprovisioning needs to be automated, triggered from the HR system of record, and complete in less time than it takes the employee to leave the confines of the office (virtual or physical).
- Security teams should be automating common incident response actions. Codifying a playbook that automates initial triage and evidence gathering ahead of human analysis speeds up response. Playbooks should exist for adding IP addresses to block lists, disabling user accounts, revoking access keys and active sessions, and so forth.
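The security-group case in the first bullet, as an added worked example that is not code from the original post: a small Python check over the dict shape that boto3's `ec2.describe_security_groups()` returns, which finds management ports (SSH, RDP, WinRM) open to `0.0.0.0/0` or `::/0` and builds the exact `revoke_security_group_ingress()` parameters for each offending range. The `CRITICAL_PORTS` policy, the sample group and its group ID are assumptions constructed for illustration.

```python
"""Detect configuration drift in EC2 security groups and revoke world-open
management ports.

Added example, not code from the original post. It works on the dict shape
boto3's ec2.describe_security_groups() returns; SAMPLE_GROUPS is constructed
for illustration and the CRITICAL_PORTS policy is an assumption.
"""
from __future__ import annotations

from ipaddress import ip_network

# Management ports that must never be reachable from the whole internet
# (policy assumed for this example; extend it to match your own baseline).
CRITICAL_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}
WORLD = (ip_network("0.0.0.0/0"), ip_network("::/0"))

# Constructed sample in the describe_security_groups() response shape.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissions": [
            {   # RDP open to the world *and* to the corporate range
                "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
                "Ipv6Ranges": [],
            },
            {   # HTTPS to the world: allowed by this policy
                "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
            },
            {   # all protocols from any IPv6 address: exposes every port
                "IpProtocol": "-1", "IpRanges": [],
                "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
            },
        ],
    },
]


def is_world_open(cidr: str) -> bool:
    """True when the CIDR is the entire IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False) in WORLD


def exposed_services(perm: dict) -> list[str]:
    """Names of critical services a single IpPermission entry would expose."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return list(CRITICAL_PORTS.values())
    if proto != "tcp":
        return []
    lo, hi = perm["FromPort"], perm["ToPort"]
    return [name for port, name in CRITICAL_PORTS.items() if lo <= port <= hi]


def find_critical_exposures(group: dict) -> list[dict]:
    """One finding per (rule, world-open range) pair, each carrying the exact
    IpPermissions entry that revokes only the offending range. Scoped ranges
    sharing the same rule (10.0.0.0/8 above) are left untouched."""
    findings = []
    for perm in group.get("IpPermissions", []):
        services = exposed_services(perm)
        if not services:
            continue
        # Revoke calls must match the rule exactly, so copy the port range
        # verbatim; an all-protocol rule carries no FromPort/ToPort at all.
        base = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":
            base.update(FromPort=perm["FromPort"], ToPort=perm["ToPort"])
        ranges = [(r["CidrIp"], "IpRanges", "CidrIp") for r in perm.get("IpRanges", [])]
        ranges += [(r["CidrIpv6"], "Ipv6Ranges", "CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        for cidr, key, field in ranges:
            if is_world_open(cidr):
                findings.append({
                    "GroupId": group["GroupId"],
                    "Cidr": cidr,
                    "Services": services,
                    "Revoke": {**base, key: [{field: cidr}]},
                })
    return findings


def remediate(ec2, groups: list[dict], dry_run: bool = False) -> list[dict]:
    """Revoke every finding. `ec2` only needs a boto3-compatible
    revoke_security_group_ingress(GroupId=..., IpPermissions=[...]) method,
    so a recording fake can stand in for the real client in tests."""
    applied = []
    for group in groups:
        for finding in find_critical_exposures(group):
            if not dry_run:
                ec2.revoke_security_group_ingress(
                    GroupId=finding["GroupId"], IpPermissions=[finding["Revoke"]])
            applied.append(finding)
    return applied


if __name__ == "__main__":
    # Dry run against the constructed sample; pass boto3.client("ec2") for real use.
    for f in remediate(None, SAMPLE_GROUPS, dry_run=True):
        print(f"{f['GroupId']}: {f['Cidr']} exposes {', '.join(f['Services'])} -> revoke {f['Revoke']}")
```

The detection is deliberately separated from the API call so the same policy can run in the deployment pipeline and in an event-driven responder; in AWS the usual trigger is an EventBridge rule on the `AuthorizeSecurityGroupIngress` CloudTrail event. Revoke only the world-open range, not the whole rule, or you will also delete the legitimately scoped entries and cause an outage, and alert on every auto-revert so that someone finds out who keeps re-adding the rule.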
Failing to Have Critical Capabilities Present in Cloud Environments
The argument can be made that operating within a cloud environment is just as, or even more, secure than operating in a traditional data center. The key is to ensure a baseline of security capabilities in cloud environments that achieves the same outcomes as their data center counterparts, and where possible to capitalize on cloud services that improve on those outcomes. Early in the cloud journey, before a single bit of confidential data has been transferred to the environment, a company should have the following capabilities:
- Continuous Monitoring to detect and remediate configurations that introduce unwanted risk and vulnerabilities. Cloud providers have native tools for this, but commercial variants such as those from Palo Alto Networks and Netskope run across multiple cloud providers and generally have better reporting and automation capabilities.
- Vulnerability Management to detect known vulnerabilities in compute instances, containers, and serverless workloads. It is also critical to run all developed applications through static analysis (SAST) with tools like SonarQube and Veracode. For an extra level of maturity, use a software composition analysis tool like Snyk to check every third-party library and framework imported into the organization’s code base against known vulnerabilities.
- Secure Remote Access to allow teams to reach running instances. Use bastion hosts, zero trust gateways, or virtual private networks, and never expose management ports such as SSH and RDP directly to the internet.
- Audit Logging and Monitoring should be enabled on the cloud provider’s control plane (console and API activity) and ingested into the organization’s security information and event management (SIEM) system. Don’t forget operating system, container, and other service logs that could be useful in detecting and investigating malicious behavior.
- Intrusion Detection and Prevention allows the organization to detect and block malicious network behavior. If your organization runs within AWS, use GuardDuty. It is an underrated service that provides invaluable insight and detection capabilities. Note that it detects rather than blocks, so pair its findings with the automated response playbooks described above.
- TLS Inspection gives organizations the ability to decrypt and inspect encrypted traffic at a controlled point, such as an egress proxy, to detect command and control activity, discover data exfiltration, and better understand their network traffic. It requires distributing the inspection CA to every managed endpoint, and applications that pin certificates or use mutual TLS will break, so scope the inspection policy deliberately.
Speaking of network traffic, Outbound Internet Controls should be implemented in all environments and conform to the principle of least privilege. Not all systems need outbound internet access, and those that do rarely need the entire internet: allow-list the specific destinations (package repositories, provider API endpoints, SaaS dependencies) and deny the rest. Organizations should also investigate, and where possible block, direct outbound ICMP and DNS from workloads, as both are well-known covert channels for data exfiltration and command and control; route DNS through internal resolvers that log every query instead.
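As an added example of the kind of investigation the paragraph above calls for (not code from the original post), here is a heuristic that scans resolver query logs for DNS tunnelling: many distinct, long, high-entropy subdomains under one registrable domain from a single client. The log line format, the thresholds and the sample records are constructed assumptions for this example.

```python
"""Heuristic detection of DNS tunnelling / exfiltration in resolver query logs.

Added example, not code from the original post. The log line format, the
thresholds and SAMPLE_LOG are constructed for illustration; adapt parse_line()
to your resolver's real format (Route 53 Resolver query logs, BIND, CoreDNS)
before using it.
"""
from __future__ import annotations

import math
from collections import defaultdict

# Constructed sample: "<timestamp> <client-ip> <qtype> <qname>" per line.
# 10.0.1.15 issues a burst of TXT lookups for long hex labels under one
# domain, the classic shape of a DNS tunnel; the other queries are benign.
SAMPLE_LOG = """\
2024-05-01T12:00:01Z 10.0.1.15 A www.example.com
2024-05-01T12:00:02Z 10.0.1.15 A api.example.com
2024-05-01T12:00:03Z 10.0.1.15 TXT 4f3a9c1e7b2d0a6f5e8c9d1b2a3c4d5e.t.exfil-test.net
2024-05-01T12:00:04Z 10.0.1.15 TXT 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.t.exfil-test.net
2024-05-01T12:00:05Z 10.0.1.15 TXT 1122334455667788990011aabbccddee.t.exfil-test.net
2024-05-01T12:00:06Z 10.0.1.15 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.t.exfil-test.net
2024-05-01T12:00:07Z 10.0.1.15 TXT ffeeddccbbaa99887766554433221100.t.exfil-test.net
2024-05-01T12:00:08Z 10.0.1.22 A cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character. Hex or base32 payload labels sit near 4 bits;
    human-chosen hostnames are noticeably lower."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Naive registrable domain: the last two labels. Production code should
    use the Public Suffix List so that co.uk-style suffixes are handled."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_line(line: str) -> dict | None:
    """Parse one constructed log line; returns None for anything malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}


def find_suspicious_domains(log_text: str, min_unique: int = 4,
                            min_label_len: int = 24, min_entropy: float = 3.5) -> list[dict]:
    """Flag (client, base domain) pairs with many distinct, long, high-entropy
    subdomains. Every threshold is a tunable assumption of this example."""
    per_pair: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_pair[(rec["client"], base_domain(rec["qname"]))].append(rec)

    findings = []
    for (client, domain), recs in per_pair.items():
        # Everything left of the base domain is attacker-controlled payload space.
        subs = {r["qname"][: -len(domain) - 1] for r in recs if len(r["qname"]) > len(domain)}
        if len(subs) < min_unique:
            continue
        longest = [max(len(label) for label in s.split(".")) for s in subs]
        avg_len = sum(longest) / len(longest)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            findings.append({
                "client": client, "domain": domain,
                "unique_subdomains": len(subs),
                "avg_longest_label": avg_len,
                "avg_entropy": round(avg_ent, 2),
                "txt_queries": sum(r["qtype"] == "TXT" for r in recs),
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_domains(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: {f['unique_subdomains']} unique subdomains, "
              f"avg label {f['avg_longest_label']:.0f} chars, entropy {f['avg_entropy']}, "
              f"{f['txt_queries']} TXT queries")
```

Tune the thresholds against your own baseline before alerting; CDNs and some telemetry agents legitimately generate long subdomains, so an allow list of known base domains is the first refinement to add. Resolver logging is what makes this analysis possible at all, which is one more reason to force workloads through internal resolvers and block direct outbound UDP/53.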
Each organization should evaluate their risk appetite against the threat landscape and attack surface to determine if additional controls are required before they have any live workloads or data in their cloud environments.
Depersonalizing our Pet Systems
In our data centers, we treat systems like pets. We name them, we take care of them, we patch them, and we always try to fix them. These behaviors are driven by how slow and complex it is to provision a new system and by the tooling available. In the cloud, however, we have to depersonalize how we treat our systems. Recognize they are just a number: when one needs an update or something breaks, destroy it and create a new instance from a known-good image or template rather than repairing it in place. Instances should never be considered persistent, so anything that must survive (data, secrets, state) belongs in managed storage and data services, not on the instance. This contributes to resilience and to the ability to recover quickly from business interruptions.
Failure to Use Provider Tools
All cloud providers furnish customers with security guidance and checklists, so organizations should leverage these tools when evaluating risks and their security posture. Azure’s Security Center, AWS’s Security Hub and Google’s Security Command Center can verify configurations against well-known compliance frameworks and benchmarks. Use these tools and read the reports!
There is no magic bullet to securing cloud environments. Cloud defense requires a creative and tactical mindset. More importantly, it requires a plan and collaboration across multiple disciplines within the organization.