Azure Security – Starter for 10

I often hear from customers, colleagues and industry experts about how the cloud can affect their security posture, and whether it is improved or negatively impacted when applications are deployed.

The industry has now matured enough for businesses to start moving their enterprise and production workloads into the public cloud platforms. This is no doubt down to the massive investment made by the likes of Amazon and Microsoft in their compliance accreditation and technology capabilities.

So what about compliance?

Compliance accreditation is a critical component for any cloud provider… it shows the processes and platforms meet industry-recognised standards. Just take a look at the level Amazon and Microsoft have. You can see all the main ones in there, including PCI-DSS, G-Cloud and ISO27001.

However, one thing people often miss is that these are only platform-level certifications; responsibility for data integrity and security lies solely with the customer.

People and Process

Remember that information security relies on so much more than just providing a technological capability. During your cloud adoption programme, it is critical that you adapt your target operating model to be cloud friendly.

I will write another blog in the coming weeks on some quick wins on this. For this post, however, I will cover some no-brainers to help secure your tenancy.

1. Enable multi-factor authentication

You see it all the time in the news… passwords are often compromised and sold on the ‘dark web’. Simply take a look at have I been pwned to see if you have been caught.

There is another level of protection you can apply, and that is a second challenge to prove the person logging in is who they say they are.

Options available include one-time passwords (think fobs or tokens), phone calls, text messages and device-level authentication. All are now available from the major cloud providers.

Amazon: https://aws.amazon.com/iam/details/mfa/

Microsoft: https://azure.microsoft.com/en-gb/services/multi-factor-authentication/

2. Configure role based access control and just-in-time administration

IT administrators can be lazy… it is often easier to give an administrative account full access to everything. These accounts are often used as the day-to-day accounts as well. This cannot happen in this day and age.

Therefore, it is critical to provide dedicated administrative accounts that have the minimum access required to complete their role. This follows the principle of least privilege. Take a look at using the inbuilt roles, or where needed create custom roles to limit a user's access to their job description.

To improve on this RBAC, invest in a privileged access management capability to ensure accounts are protected, access is only granted when needed and, most of all, it is logged.

3. Encrypt your data

We have all seen the news, where data and corporate secrets have been stolen. This might be down to a compromised account or an employee who left on negative terms. How can you protect against this?

Simple: encryption. Each cloud provider offers an encryption solution that covers both data at rest and the data disks that are attached to your VMs. Add an extra layer of security by enabling a key management solution such as Microsoft Key Vault or Amazon's KMS to ensure your administrators do not see the keys.

4. Automate, automate and automate some more

My final point for today's blog is around the benefits of automation on your security posture. Not only are you saving time on deployment, you are removing the risk of errors and ensuring security controls are compliant and deployed every time.

Using tools like PowerShell DSC, Azure Resource Manager and Amazon CloudFormation, you can ensure your applications are deployed the same way, every time. Once you integrate these scripts into a version control system like Git, and integrate with workflows and CI, you can validate what is being deployed and whether anything has changed.
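
As an added illustration (not code from the original post), here is one way a CI step could validate an Azure Resource Manager template before it is deployed, covering the RBAC and encryption points above. The template contents, resource names and the policy itself (HTTPS-only storage, Key Vault-held keys, no wildcard custom roles) are assumptions constructed for the example.

```python
import json

# Constructed sample template: one weak and one hardened storage account,
# plus a custom role that grants every action.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Storage/storageAccounts", "name": "weakstore",
   "properties": {"supportsHttpsTrafficOnly": false}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "goodstore",
   "properties": {"supportsHttpsTrafficOnly": true,
                  "encryption": {"keySource": "Microsoft.Keyvault"}}},
  {"type": "Microsoft.Authorization/roleDefinitions", "name": "ops-role",
   "properties": {"roleName": "Ops Everything",
                  "permissions": [{"actions": ["*"], "notActions": []}]}}
]}
""")

def check_storage(res):
    """Assumed policy: HTTPS only, and keys held in Key Vault."""
    props = res.get("properties", {})
    findings = []
    if props.get("supportsHttpsTrafficOnly") is not True:
        findings.append("HTTPS-only traffic not enforced")
    if props.get("encryption", {}).get("keySource") != "Microsoft.Keyvault":
        findings.append("encryption keys are not customer-managed in Key Vault")
    return findings

def check_role(res):
    """Least privilege: a custom role must not grant the '*' wildcard."""
    findings = []
    for perm in res.get("properties", {}).get("permissions", []):
        if "*" in perm.get("actions", []):
            findings.append("custom role grants all actions ('*')")
    return findings

CHECKS = {"Microsoft.Storage/storageAccounts": check_storage,
          "Microsoft.Authorization/roleDefinitions": check_role}

def audit_template(template):
    """Return (resource name, finding) pairs; an empty list means pass."""
    results = []
    for res in template.get("resources", []):
        check = CHECKS.get(res.get("type"))
        for finding in (check(res) if check else []):
            results.append((res.get("name"), finding))
    return results

if __name__ == "__main__":
    problems = audit_template(SAMPLE_TEMPLATE)
    for name, finding in problems:
        print(f"FAIL {name}: {finding}")
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the build
```

Run against the template file held in version control, the non-zero exit code stops the pipeline before a non-compliant change reaches the tenancy.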

Until next time

This was a very quick starter for 10, and I hope it has helped in some of your initial design patterns. I will be writing a full series on designing your security patterns for the cloud in the coming weeks… so watch this space.