The adoption of cloud-based software, platforms and infrastructure has expanded massively in recent years and the trend looks set to continue. Cloud infrastructure services, for example, are forecast to grow by 30.5% in 2023 compared to 2022. It’s no surprise, therefore, that cloud security is now woven more tightly into software development and deployment, hence the rise of cloud security specialisms and integrated delivery practices like DevSecOps.
Major cloud service platforms like AWS, Microsoft Azure and Google Cloud invest in protecting against data breaches, but there is also a wealth of other cloud service providers, and cybersecurity is made more complex by data being distributed across many different platforms. Security is also now tightly integrated into disciplines like DevSecOps, meaning it’s not just the concern of security enthusiasts.
That means it’s more vital than ever to get a handle on cloud security by asking who has access to your data and how. Using strict and consistent policies and procedures can bolster resilience and guard against unauthorised access. Strengthening network and application protection can help keep hackers out. And of course, adequate incident detection and response strategies will enable you to deal with problems before they get out of hand.
Good cloud security is not just about keeping your data safe, it’s also important for compliance with international standards. Diligence here can avoid reputational damage for your company. If you’re a security enthusiast or work in a DevSecOps team, these concerns fall at your door. So we’ve teamed up with S2E to present a roundup of some cybersecurity best practices for the cloud.
Identity and Access Management: get it right
The first step in securing any computer system is controlling who has access to it. High-profile data breaches on targets such as Apple and Microsoft have been well-publicised. Around 40% of UK businesses have reported cyber attacks in each of the last six years. That means it’s more important than ever to lock down access rights and improve your DevSecOps policies.
Identity and access management (IAM) is a framework deployed to control and monitor user access to digital resources and systems, using tools like password control, multifactor authentication and biometrics.
In terms of authorization, an important rule of thumb is the principle of least privilege. This means that any given user, process or program only has access to the resources necessary for their legitimate purposes. This kind of approach is essential when working with the automation needed for DevSecOps.
Strong restrictions on the use of root accounts can prevent the most severe breaches, but everyday access still needs fine-grained control. A common approach is role-based access control (RBAC), where user access to resources is mediated by defined roles. RBAC allows adequate granularity of restrictions for many scenarios and is relatively simple to set up. But in some cases, RBAC’s controls are too static and may expose aspects of a system unintentionally.
Where finer control is needed, attribute-based access control (ABAC) is preferred. Indeed, it is S2E’s preferred authorization framework. ABAC draws on more specific attributes of users, environments and resources. It’s more complex to set up, but ultimately provides better security and easier auditing.
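To make the RBAC/ABAC contrast concrete, here is an added example in Python. It is not S2E’s code and not any cloud provider’s policy language: the users, roles, departments, resources and policy rules are all constructed for illustration, and `rbac_allows`, `abac_allows` and `decide` are names chosen for this example. A role in the RBAC model is a fixed bag of permissions; the ABAC model evaluates permit and deny predicates over attributes of the user, the resource and the request environment.

```python
"""Added example (not S2E's code): a small policy evaluator that contrasts
role-based (RBAC) and attribute-based (ABAC) authorisation decisions.
Every user, role, resource and policy below is constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    department: str
    mfa: bool              # did this session authenticate with a second factor?


@dataclass(frozen=True)
class Resource:
    name: str
    owner_department: str
    classification: str    # "internal" or "confidential"


@dataclass(frozen=True)
class Environment:
    corporate_network: bool   # request originates from the corporate network
    hour: int                 # local hour of the request, 0-23


# ---- RBAC: a role is a fixed bag of (action, resource-name) permissions ----
RBAC_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "analyst": frozenset({("read", "sales-report")}),
    "admin": frozenset({("read", "sales-report"), ("write", "sales-report"),
                        ("read", "payroll"), ("write", "payroll")}),
}


def rbac_allows(user: User, action: str, resource: Resource) -> bool:
    """Allow when any of the user's roles carries the exact permission.
    Nothing about the request context or the data itself is consulted."""
    return any((action, resource.name) in RBAC_PERMISSIONS.get(role, frozenset())
               for role in user.roles)


# ---- ABAC: policies are predicates over user, resource and environment ----
Policy = Callable[[User, str, Resource, Environment], bool]

# Permit rules: at least one must match for the request to proceed.
PERMITS: List[Policy] = [
    # staff may read their own department's data
    lambda u, a, r, e: a == "read" and u.department == r.owner_department,
    # admins may read and write, but only within their own department
    lambda u, a, r, e: "admin" in u.roles and u.department == r.owner_department,
]

# Deny rules: any match overrides every permit.
DENIES: List[Policy] = [
    # confidential data is never served to a session without MFA
    lambda u, a, r, e: r.classification == "confidential" and not u.mfa,
    # sessions from outside the corporate network must have MFA
    lambda u, a, r, e: not e.corporate_network and not u.mfa,
    # writes are only accepted from the corporate network during office hours
    lambda u, a, r, e: a == "write" and not (e.corporate_network and 7 <= e.hour < 19),
]


def abac_allows(user: User, action: str, resource: Resource, env: Environment) -> bool:
    """Deny-overrides evaluation: any deny wins, otherwise any permit suffices."""
    if any(deny(user, action, resource, env) for deny in DENIES):
        return False
    return any(permit(user, action, resource, env) for permit in PERMITS)


def decide(user: User, action: str, resource: Resource, env: Environment) -> Dict[str, bool]:
    """Return both verdicts side by side so the difference is visible."""
    return {"rbac": rbac_allows(user, action, resource),
            "abac": abac_allows(user, action, resource, env)}


# ---- constructed sample data ----
ALICE = User("alice", frozenset({"analyst"}), "sales", mfa=True)
ALICE_NO_MFA = User("alice", frozenset({"analyst"}), "sales", mfa=False)
BOB = User("bob", frozenset({"admin"}), "it", mfa=True)
SALES_REPORT = Resource("sales-report", "sales", "internal")
PAYROLL = Resource("payroll", "finance", "confidential")
OFFICE = Environment(corporate_network=True, hour=10)
CAFE_AT_NIGHT = Environment(corporate_network=False, hour=2)

if __name__ == "__main__":
    print(decide(ALICE, "read", SALES_REPORT, OFFICE))                 # both allow
    print(decide(ALICE_NO_MFA, "read", SALES_REPORT, CAFE_AT_NIGHT))   # RBAC allows, ABAC denies
    print(decide(BOB, "read", PAYROLL, OFFICE))                        # RBAC allows, ABAC denies
```

Run directly, the script prints three verdicts. The first request passes both models. The second shows RBAC’s static grant letting a session through from outside the network without MFA, because a role cannot see the environment. The third shows an admin role’s blanket grant exposing another department’s confidential data, the kind of unintended exposure that ABAC’s ownership and classification attributes prevent. Auditing is also simpler in the ABAC model: each decision can be explained by naming the predicate that fired.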
Network and application protection
Access controls are useless if your network and application security isn’t up to scratch. Misconfigured network firewalls, for example, are an open door for hackers. So it’s worth making sure that basics like firewall config are set up right and thoroughly tested.
Services like AWS can use security groups or network access control lists (NACLs) to secure networks, the two together functioning as a virtual firewall. Security groups specify instance-level controls. NACLs, on the other hand, are network-level controls, restricting traffic to or from subnets with specified inbound and outbound rules. Ultimately, either can achieve the same results, but a combination of both can be particularly effective. For example, you can let your NACLs handle the majority of inbound and outbound traffic, leaving your security groups to handle internal communication between instances.
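The difference between the two mechanisms is easier to see when both are run against the same traffic. The following added example (not AWS’s or S2E’s code) simulates the evaluation semantics in Python: security groups are stateful and allow-only, so the reply to an accepted connection is let out without a matching outbound rule, whereas network ACLs are stateless, are evaluated in rule-number order with the first match deciding, support explicit deny, and need a rule of their own for reply traffic on ephemeral ports. The `Packet`, `Rule`, `SecurityGroup`, `NetworkAcl` and `check` names, the port numbers and the addresses (taken from the RFC 5737 documentation ranges) are constructed for illustration; only inbound security group rules are modelled.

```python
"""Added example (not AWS's or S2E's code): a simulator for the two rule
evaluation models. Security groups are modelled as stateful, allow-only rule
sets; network ACLs as stateless, numbered allow/deny lists checked in ascending
order with an implicit deny at the end. Rules, ports and addresses are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (towards the instance) or "out" (away from it)
    proto: str       # "tcp" or "udp"
    remote_ip: str   # the address at the far end of the connection
    port: int        # destination port of this packet


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    ports: Tuple[int, int]   # inclusive destination port range
    cidr: str                # remote address range this rule applies to
    action: str = "allow"    # network ACLs may also say "deny"
    number: int = 0          # network ACL rule number; unused by security groups

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto == pkt.proto
                and self.ports[0] <= pkt.port <= self.ports[1]
                and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Instance-level and stateful: only allow rules exist, and the reply to an
    accepted request is let through without consulting the other direction."""

    def __init__(self, rules: List[Rule]):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups cannot contain deny rules")
        self.rules = rules

    def allows_flow(self, request: Packet, response: Packet) -> Tuple[bool, bool]:
        accepted = any(r.matches(request) for r in self.rules)
        return accepted, accepted   # connection tracking covers the reply


class NetworkAcl:
    """Subnet-level and stateless: rules are tried lowest number first, the
    first match decides, and unmatched traffic hits the implicit deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "allow"
        return False

    def allows_flow(self, request: Packet, response: Packet) -> Tuple[bool, bool]:
        # no connection tracking: the reply needs a rule of its own
        return self.evaluate(request), self.evaluate(response)


def check(sg: SecurityGroup, nacl: NetworkAcl, request: Packet, response: Packet) -> Dict[str, bool]:
    """Traffic must clear the ACL at the subnet edge and then the security group;
    a reply can only exist if the request got through."""
    n_req, n_resp = nacl.allows_flow(request, response)
    s_req, s_resp = sg.allows_flow(request, response)
    request_ok = n_req and s_req
    return {"request": request_ok, "response": request_ok and n_resp and s_resp}


# ---- constructed sample traffic: an HTTPS request and its reply ----
CLIENT = "203.0.113.5"            # RFC 5737 documentation address
BLOCKED_CLIENT = "198.51.100.7"   # likewise, standing in for a range we want to deny
REQUEST = Packet("in", "tcp", CLIENT, 443)
RESPONSE = Packet("out", "tcp", CLIENT, 50000)   # reply goes to the client's ephemeral port
BLOCKED_REQUEST = Packet("in", "tcp", BLOCKED_CLIENT, 443)
BLOCKED_RESPONSE = Packet("out", "tcp", BLOCKED_CLIENT, 50000)

SG = SecurityGroup([Rule("in", "tcp", (443, 443), "0.0.0.0/0")])

# Looks symmetrical, but the outbound rule never matches the ephemeral reply port.
LEAKY_NACL = NetworkAcl([
    Rule("in", "tcp", (443, 443), "0.0.0.0/0", number=100),
    Rule("out", "tcp", (443, 443), "0.0.0.0/0", number=100),
])

# Explicit deny for one range ahead of the allow, plus egress for reply traffic.
FIXED_NACL = NetworkAcl([
    Rule("in", "tcp", (443, 443), "198.51.100.0/24", action="deny", number=50),
    Rule("in", "tcp", (443, 443), "0.0.0.0/0", number=100),
    Rule("out", "tcp", (1024, 65535), "0.0.0.0/0", number=100),
])

if __name__ == "__main__":
    print(check(SG, LEAKY_NACL, REQUEST, RESPONSE))                  # request in, reply dropped
    print(check(SG, FIXED_NACL, REQUEST, RESPONSE))                  # both pass
    print(check(SG, FIXED_NACL, BLOCKED_REQUEST, BLOCKED_RESPONSE))  # denied at the subnet edge
```

The first run is the classic NACL mistake: the inbound HTTPS rule is mirrored outbound on port 443, so requests arrive but every reply is dropped at the subnet edge. The second run adds the ephemeral-port egress rule and the connection completes. The third shows what a security group alone cannot express: an explicit deny for one address range, placed ahead of the broader allow, which is why layering the two is effective.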
A major cause of service outages is DDoS attacks. Distributed denial of service attacks work by flooding a system’s bandwidth through various means and are commonly used to target web servers. Given the prevalence of services like AWS, Azure and Google Cloud for content and application delivery, it’s no surprise that they each offer native services to mitigate DDoS attacks. AWS Shield, Azure DDoS Protection and Google Cloud Armor each offer close integration for DDoS mitigation on their own platforms.
Detection & Incident Response
Whatever cybersecurity steps you take, you can’t simply protect yourself once and for all. Eternal vigilance is required, as well as effective monitoring to detect incidents. It’s no less vital to have well-considered and tested incident response procedures too, so that when breaches happen you can tackle them effectively and reduce the damage to your services and reputation.
There are four main areas of detection and response to consider.
- Full-time monitoring. With automated systems, you can effectively monitor all your network operations to detect suspicious activities and threats. Network security monitoring analyses factors such as network payload, traffic patterns, client-server communications and protocol usage.
- Log analysis. Log analysis can also offer important insights into the state of your cloud security. While monitoring detects immediate threats, log analysis looks at historic activity to identify incongruities or unusual activity. Armed with this data, you can take measures to avoid future incursions.
- Smart threat hunting. Threat hunting aims to root out attacks that have entered your network without being noticed. This involves intelligent data analytics to identify activities that may not be immediately obvious. Smart threat hunting cannot be carried out continuously and is best used to confirm suspicions. It often requires more detailed logging than normal.
- Containment and remediation. On finding threats or attacks, you need to be able to stop them before they do any more damage, and prevent further incursions. Automated ‘kill’ commands can stop a process, but if an attacker still has access to your system, they can easily spawn it again. Remediation needs to get to the root cause of the incursion and close unauthorised access points.
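As an added example (not S2E’s tooling), here is what the log-analysis step looks like in Python when run over a few constructed, CloudTrail-style JSON events: it flags any action taken by the root account, and a burst of failed console logins from one source address, escalating that finding when the same address then logs in successfully. The event shape, the five-failures-in-ten-minutes threshold, the function names and every sample value are assumptions for illustration.

```python
"""Added example (not S2E's code): simple log analysis over a handful of
constructed, CloudTrail-style audit events. Two detections are shown: any use
of the root account, and a burst of failed console logins from one source
address, escalated when the same address then logs in successfully. Event
shape, thresholds and sample values are assumptions for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: one JSON event per line, addresses from documentation ranges.
SAMPLE_LOG = """
{"eventTime": "2023-05-04T09:00:05Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Failure"}}
{"eventTime": "2023-05-04T09:00:40Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Failure"}}
{"eventTime": "2023-05-04T09:01:10Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Failure"}}
{"eventTime": "2023-05-04T09:01:55Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Failure"}}
{"eventTime": "2023-05-04T09:02:30Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Failure"}}
{"eventTime": "2023-05-04T09:03:01Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Success"}}
{"eventTime": "2023-05-04T09:15:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.20", "responseElements": {"ConsoleLogin": "Success"}}
{"eventTime": "2023-05-04T09:16:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "192.0.2.9", "responseElements": {"ConsoleLogin": "Success"}}
{"eventTime": "2023-05-04T09:20:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "192.0.2.9", "responseElements": {"ConsoleLogin": "Failure"}}
"""


def parse_events(raw: str) -> List[dict]:
    """Parse one JSON event per line and sort by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def detect_root_usage(events: List[dict]) -> List[dict]:
    """Any action by the root identity is worth a finding: day-to-day work should
    go through least-privilege users or roles, as the IAM section above argues."""
    return [{"rule": "root-account-usage", "severity": "high",
             "time": ev["eventTime"], "source": ev["sourceIPAddress"],
             "event": ev["eventName"]}
            for ev in events if ev["userIdentity"].get("type") == "Root"]


def detect_login_bursts(events: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Flag a source address with `threshold` or more failed console logins inside
    `window`; escalate if the same address logs in successfully afterwards."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    successes: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev["eventName"] != "ConsoleLogin":
            continue
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        bucket = failures if outcome == "Failure" else successes
        bucket[ev["sourceIPAddress"]].append(ev["time"])

    findings = []
    for ip, times in failures.items():
        # sliding window: the first failure whose window holds enough later failures
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) < threshold:
                continue
            burst_end = in_window[-1]
            took_over = any(t >= burst_end for t in successes.get(ip, []))
            findings.append({"rule": "failed-login-burst",
                             "severity": "high" if took_over else "medium",
                             "source": ip, "count": len(in_window),
                             "from": start.isoformat(), "to": burst_end.isoformat(),
                             "followed_by_success": took_over})
            break   # one finding per source address is enough
    return findings


def run_detections(raw: str) -> List[dict]:
    events = parse_events(raw)
    return detect_root_usage(events) + detect_login_bursts(events)


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run against the sample, this yields two findings: the root login at 09:15 and a high-severity burst from 203.0.113.5, since five failures inside three minutes were followed by a success from the same address. Bob’s single failed login produces nothing, which is the point of a threshold. In a real deployment the same functions would be fed from your log pipeline rather than an inline string, and the thresholds tuned to your own baseline; the escalation rule is what turns a noisy brute-force signal into a credible account-takeover lead worth handing to incident response.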
Compliance is key
Any cloud security strategy needs to consider international standards and guidelines. Compliance with these standards brings an added assurance that you have done all you can to shore up your cybersecurity. Adherence can gain you certification too, which offers reassurance to your clients and improves your chances of winning new business from security-conscious consumers.
A good start is to take a leaf out of S2E’s book. They work with CSA, CIS and MITRE to ensure the best international standards of cybersecurity. The Cloud Security Alliance (CSA) leads the world in defining and advocating security best practices for cloud computing. They offer certification and insights based on up-to-date research.
The Center for Internet Security (CIS) similarly provides controls and benchmarks for cybersecurity. They also produce a range of tools to aid the implementation of their standards. MITRE serves security interests across a range of applications, including cybersecurity. They advise governments and other bodies on secure technologies and tools.
Your data protection questions
A useful way to address the spiralling challenges of cybersecurity is to ask yourself a series of targeted questions. These can help you focus on what you need to do to protect your systems and how to resolve breaches should they occur.
- Where’s the data? Cloud systems add additional challenges to your security procedures as data can be dispersed across many locations. It’s important to know where it all is, control it and ensure communications between different systems are secure.
- Is the data exposed? How? Ensure that only the data you want to expose is exposed. Use fine-grained ABAC or RBAC to specify tight controls and never take shortcuts or quick fixes with your security measures.
- Which are the main risks? The roster of threats is constantly changing, but the main problems include malware, malicious code, ransomware, rootkits, DDoS and network security failures. It pays to audit your set-up to see where you are most vulnerable.
- Who has access and how? Ensure you know how all users are accessing your systems, as human weaknesses are still a major source of security headaches. Use strong attribute- or role-based authorisation to limit access in line with the principle of least privilege.
- How should you act in case of a breach? Make sure your remediation procedures are up-to-date and tested. Rapid recovery in the event of an attack is essential to reassure customers and maintain your reputation.
Cloud security can be a complex business and building a cohesive response to modern challenges in DevSecOps and other areas may seem daunting. For more advice on developing your cybersecurity strategy, it’s worth checking out S2E’s insights and services.