Tue | Apr 4, 2017 | 5:04 AM PDT

Hackers do not discriminate based on the size of a business. In fact, some of the smallest businesses contain the most sought-after Personally Identifiable Information (PII)—gold mines about their customers’ homes, cars, boats and financial investments. Even businesses like dry cleaners and bookstores aren’t immune from hacking—after all, they are using customer data for monthly mailers and store promotions to market their services, not to mention having transaction data from point-of-sale systems. As these businesses begin using new services in the cloud, the risks to the data do not change, but cloud security for protecting the data should be considered for any new service your business considers subscribing to.

In this next generation economy, the model has changed for how security is delivered in a world of Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS). To illustrate my point, think about these traditional three layers of security and how they are delivered:

  • Infrastructure – Who manages them and keeps them fully patched and tested?
  • Servers and Operating Systems – Whether physical in a data center, virtual, containers, or instances, who is monitoring them and checking for security threats?
  • Applications and Users – Who is tracking versions, role-based access, security patching, and management? Who mitigates the threats and blocks an attack?

When you move to an IaaS or SaaS model, you eliminate one or two of these layers that you, as the customer, need to worry about. While nearly every cloud provider is proficient at the security of their service, the other two layers could leave you wide open to attack depending on what you are protecting and your business's level of skill in security. Moving to the cloud does not solve that problem; it just changes the focus.

Therefore, please consider the following characteristics in any cloud-based security solution you subscribe to, to supplement the services you move to the cloud:

Continuous monitoring and vulnerability management

Because cloud environments are inherently dynamic, traditional security and vulnerabilities need to be assessed at instance instantiation (power on), at runtime, and at decommission or destruction (power off) of the instance or worker process. This allows any new non-persistent instance to be assessed for risks, verified to have none present during operation, and checked to ensure no tampering or exploitation occurred during teardown.

Monitoring should start as soon as you start your cloud.

Many services you license have security features that do just this. Make sure you have visibility into the alarms, events, and logs. If you are building the resources in the cloud yourself, this playbook will help ensure your instances stay healthy and secure.

Monitoring cloud instances

When you deploy an IaaS environment, you need to make sure that every person who can deploy into your cloud cannot create additional paths to compromise. Almost always, the users of a cloud extend beyond infrastructure people to development and support staff, and maybe even business staff who want to do business quickly. When you allow more people to do deployments, even if they follow standards, you need to monitor every ingress point, all automation activities, all manual activities, and all egress points. Control, monitor, and respond should be built into an environment first, not at the end.

The APIs for almost every cloud provider and cloud platform allow for the enumeration of all running and powered-off instances, including public and private-facing resources. It is in the best interest of all organizations doing business in the cloud to identify vendors that use these APIs as a part of their solutions so that best practices for asset management, vulnerability assessment, patch management, privileged access, logging and auditing can track a potential threat. When these technologies lived on your servers in your office, your firewall and local logs provided the same benefits. There is no reason to give up or ignore security when a process is moved to the cloud.
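The lifecycle assessment and API enumeration described above can be combined into a simple coverage check. This is an added example, not code from the original article: the inventory and assessment records are constructed sample data, and their field names, phase labels and the seven-day freshness window are assumptions rather than any provider's API format.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; record shapes are assumptions for this example.
NOW = datetime(2017, 4, 4, 12, 0, tzinfo=timezone.utc)
INVENTORY = [  # what an instance-enumeration API call would be mapped into
    {"id": "i-web-01", "state": "running", "public": True},
    {"id": "i-batch-07", "state": "running", "public": False},
    {"id": "i-old-db", "state": "stopped", "public": True},
    {"id": "i-worker-22", "state": "terminated", "public": False},
]
ASSESSMENTS = [  # (instance id, lifecycle phase, time of assessment)
    ("i-web-01", "launch", NOW - timedelta(days=10)),
    ("i-web-01", "runtime", NOW - timedelta(days=1)),
    ("i-old-db", "launch", NOW - timedelta(days=90)),
    ("i-worker-22", "launch", NOW - timedelta(days=1)),
]

def lifecycle_gaps(inventory, assessments, now, max_age=timedelta(days=7)):
    """Return {instance_id: [findings]} for instances with assessment gaps."""
    latest = {}
    for inst_id, phase, when in assessments:
        key = (inst_id, phase)
        latest[key] = max(when, latest.get(key, when))
    gaps = {}
    for inst in inventory:
        iid, state, found = inst["id"], inst["state"], []
        # Every instance, whatever its current state, needs a launch check.
        if (iid, "launch") not in latest:
            found.append("no assessment at instantiation")
        if state == "running":
            last = latest.get((iid, "runtime"))
            if last is None or now - last > max_age:
                found.append("runtime assessment missing or stale")
        if state == "terminated" and (iid, "teardown") not in latest:
            found.append("no assessment at decommission")
        # Powered-off assets are easy to forget but still count as inventory.
        if state == "stopped" and inst["public"]:
            found.append("powered-off instance with a public-facing address")
        if found:
            gaps[iid] = found
    return gaps

if __name__ == "__main__":
    for iid, findings in lifecycle_gaps(INVENTORY, ASSESSMENTS, NOW).items():
        print(iid, "->", "; ".join(findings))
```
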

Advanced threats like ransomware

Honest and full disclosure: Being secretive, as with the recent Yahoo breaches, will only end badly and potentially involve legal investigations from government watchdogs like the SEC. This does not mean you blast out the problem, but handle it responsibly. If you are operating resources in the cloud, however, and your files are infected with ransomware on-premise or in the cloud, ensure your security practices for segmentation are not allowing propagation and that backup solutions can indeed restore the files without adding additional risk or reinfecting the environment. If you detect ransomware, having processes to isolate the environment and stop the propagation is critical. The cloud for file storage is potentially a value add since many on-premise file storage solutions fail to alert in a timely fashion that users have been infected. The cloud inherently has segmentation and can keep files protected between users.

Ultimately, security in the cloud is the business's responsibility. Anything you deploy should always protect itself since the infrastructure and resources are no longer under your direct control. When moving to the cloud, consider what and how you protect today. Decide what the cloud service will provide in terms of security and how you can monitor their results. Disciplines like patch management, vulnerability management, privileges, change control, and log management do not go away; they just evolve, and your organization needs to select equivalent cloud security solutions to perform the same functions.
