More and more businesses are migrating their applications to the cloud.
A recent report pegs the market at $23 billion annually.
As more businesses migrate to the cloud, it is important to ensure the security and protection of their data and applications. However, cloud security remains among the main concerns for business leaders when migrating to a cloud platform. According to a study conducted by SecureData, 78 percent of IT managers cited security concerns as the No. 1 obstacle to adopting cloud technologies.
Cloud security is not automatic and requires a deep understanding of networking, boundary protection, enclave hardening and robust operational processes. Based on our collective experience of migrating large applications for Government, Financial Services, Healthcare and security-conscious customers, here are 8 effective security practices that can help you secure your cloud environment.
SSL is an encryption technology that encrypts private information while it’s in transit over the public internet. SSL uses Public Key Infrastructure, wherein the Public Key encrypts the information and a Private Key decrypts it. With SSL, data can move securely between the servers on the cloud. SSL encryption also prevents the accidental disclosure of information, making regulatory compliance easy. The biggest worry organizations have with the cloud is that they don’t know exactly where the data physically resides. With SSL encryption, organizations can be sure that their data is secure while stored as well as in transit.
Identity and Access Management (IAM) allows users to control access to cloud services and resources. It is recommended that the admin role be restricted to no more than two to three accounts. When defining policies, grant the least amount of privileges. We recommend locking down the group policies as far as possible and further restricting privileged access with conditions applied to policies. As a best practice, passwords, API access keys, and credentials should be changed on a regular basis.
Multi-Factor Authentication (MFA) offers an additional level of security in the cloud environment. Even in the case of password sharing or information leaks, unauthorized users cannot access the account when MFA is implemented. You can use either security-token-based MFA or SMS text-message-based MFA. When it is cumbersome to implement MFA access to every resource, it is recommended to configure a few entries with limited access and log those sessions.
Ensure that the network architecture of your cloud provider allows you to select the security level according to your business needs and workload. The cloud infrastructure must have a firewall and other boundary devices to monitor and control communications with external networks as well as key internal boundaries within the network. The boundary devices should have rules, access control lists, and configurations to enforce the flow of information to specific information system services.
Elastic IP addresses allow you to quickly remap the address to another instance in case of any failure. Using an Elastic IP is recommended when your active server is periodically re-launched but you need to return to the same service at the same IP address. Whenever you use Elastic IPs, ensure that you lock them so that an IP is not accidentally taken from one of the other active instances in your system. Before using an Elastic IP in the actual production environment, use it for a few days in a test or staging environment so that you avoid old traffic due to caching.
Planning secure VPC connections that take into account all present requirements while leaving room for growth is paramount. A simple convention might be to use even-numbered networks (for instance, 10.0.2.0/24) for public subnets and odd-numbered networks (for instance, 10.0.3.0/24) for private subnets. Minimize the exposure by limiting instances in the public subnet – in most cases, you can get away with just a VPN server or a hardened bastion host.
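The even/odd convention above can be generated and checked mechanically. The following is an added example, not part of the original page; the VPC range 10.0.0.0/16, the sample layout and the "public" flag (assumed to mean the subnet routes to an internet gateway) are assumptions.

```python
import ipaddress

# Constructed layout; "public" is assumed to mean "has a route to an internet gateway".
SAMPLE_LAYOUT = [
    {"cidr": "10.0.2.0/24", "public": True},
    {"cidr": "10.0.3.0/24", "public": False},
    {"cidr": "10.0.5.0/24", "public": True},     # odd network used as public
    {"cidr": "10.0.3.128/25", "public": False},  # overlaps 10.0.3.0/24
    {"cidr": "10.1.4.0/24", "public": False},    # not inside the VPC range
]


def plan_subnets(vpc_cidr, pairs):
    """Carve /24s from the VPC: even third octet -> public, odd -> private."""
    plan = {"public": [], "private": []}
    for net in ipaddress.ip_network(vpc_cidr).subnets(new_prefix=24):
        tier = "public" if net.network_address.packed[2] % 2 == 0 else "private"
        if len(plan[tier]) < pairs:
            plan[tier].append(str(net))
        if all(len(nets) == pairs for nets in plan.values()):
            break
    return plan


def check_layout(vpc_cidr, subnets):
    """Return (cidr, problem) for subnets that break the convention or collide."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, seen = [], []
    for item in subnets:
        net = ipaddress.ip_network(item["cidr"])
        if not net.subnet_of(vpc):
            problems.append((item["cidr"], "outside-vpc"))
            continue
        even = net.network_address.packed[2] % 2 == 0
        if even != item["public"]:
            problems.append((item["cidr"], "parity-mismatch"))
        if any(net.overlaps(other) for other in seen):
            problems.append((item["cidr"], "overlap"))
        seen.append(net)
    return problems


if __name__ == "__main__":
    print(plan_subnets("10.0.0.0/16", 2))
    for cidr, problem in check_layout("10.0.0.0/16", SAMPLE_LAYOUT):
        print(cidr, problem)
```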
Security groups are the firewall rules that control the traffic for various instances. Each instance can have one or more security groups associated with it. Rules can be added to each security group to regulate the traffic flow. Since you cannot create security group rules that deny access, ensure that the inbound rules are not open to everyone. You should lock them to known IPs or CIDR blocks.
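A check for inbound rules that are open to everyone, run over data in the shape of an EC2 DescribeSecurityGroups response. This is an added example, not code from the original page; the group IDs and rules are constructed, and the allowed_public_ports parameter is a hypothetical way to exempt a listener that is deliberately public.

```python
import ipaddress

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-bastion-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy-example", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def _port_label(rule):
    """'-1' means every protocol and port; otherwise show the port or range."""
    if rule.get("IpProtocol") == "-1" or "FromPort" not in rule:
        return "all"
    low, high = rule["FromPort"], rule["ToPort"]
    return str(low) if low == high else f"{low}-{high}"


def audit_inbound(groups, allowed_public_ports=frozenset()):
    """Return (group_id, protocol, ports, cidr) for inbound rules open to everyone."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            ports = _port_label(rule)
            if ports.isdigit() and int(ports) in allowed_public_ports:
                continue  # single port deliberately exposed, e.g. a public HTTPS listener
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                # A zero-length prefix (0.0.0.0/0 or ::/0) matches every address.
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append((group["GroupId"], rule["IpProtocol"], ports, cidr))
    return findings


if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_GROUPS, allowed_public_ports={443}):
        print(*finding)
```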
It is important that you log each and every action taken by any user or resource in your cloud environment. The logs should be well-protected and regularly reviewed by the engineers. Logs should be hosted in a secure environment with MFA, and only admins should have write access to that location. Engineers should also ensure that alarms are set up to send out notifications when logging is disabled. AWS CloudTrail, VPC Flow Logs and AWS Config are good options to consider for AWS environments.
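The alarm on disabled logging described above comes down to watching for a small set of API calls in the CloudTrail record stream. This is an added example, not code from the original page; the log lines, account ID and user names are constructed, and the "disable"/"modify" labels are assumptions.

```python
import json

# API calls that switch off or alter the logging services named above.
TAMPER_EVENTS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "disable",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "disable",
    ("cloudtrail.amazonaws.com", "UpdateTrail"): "modify",
    ("config.amazonaws.com", "StopConfigurationRecorder"): "disable",
    ("config.amazonaws.com", "DeleteConfigurationRecorder"): "disable",
    ("ec2.amazonaws.com", "DeleteFlowLogs"): "disable",
}

# Constructed CloudTrail records, one JSON object per line; all values are made up.
SAMPLE_LOG = """\
{"eventTime":"2024-01-10T09:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventTime":"2024-01-10T09:05:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-temp"}}
{"eventTime":"2024-01-10T09:06:00Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteFlowLogs","errorCode":"Client.UnauthorizedOperation","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-temp"}}
{"eventTime":"2024-01-10T09:07:
{"eventTime":"2024-01-10T09:09:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
"""


def find_logging_tampering(log_text):
    """Return one alert per record that disables or modifies logging."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
            key = (record["eventSource"], record["eventName"])
        except (json.JSONDecodeError, KeyError, TypeError):
            # A damaged record is itself worth a look: it is a gap in the trail.
            alerts.append({"line": line_no, "kind": "unparseable"})
            continue
        kind = TAMPER_EVENTS.get(key)
        if kind is None:
            continue
        alerts.append({
            "line": line_no, "kind": kind, "event": key[1],
            "time": record.get("eventTime", "unknown"),
            "actor": record.get("userIdentity", {}).get("arn", "unknown"),
            "blocked": "errorCode" in record,  # the call failed, but was attempted
        })
    return alerts


if __name__ == "__main__":
    for alert in find_logging_tampering(SAMPLE_LOG):
        print(alert)
```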
This list is by no means exhaustive. The cloud is still evolving and there is a lot to learn, but we hope that this serves as a good starting point to help you put together the right strategies for securing your cloud deployment. What has been your own experience with securing the cloud? Do you have any specific tips we could all learn from?
Interested in speaking with a stackArmor Cloud Security Specialist? Please contact us at firstname.lastname@example.org