Cloud Security, Identity & Access

CLOUD SECURITY - WHO IS RESPONSIBLE?

  • From a security perspective, public cloud removes the requirement to secure the physical infrastructure. That task is no longer the customer's responsibility, as the cloud vendors fully manage the security of the abstracted infrastructure.
  • A public cloud provider's responsibility is “Security of the Cloud”; the customer's responsibility is “Security in the Cloud”.
  • Both AWS and Azure publish a shared responsibility model that splits responsibility between the provider and the customer in terms of who secures what.
  • These vendors take full responsibility for the security of the infrastructure, protecting the compute, storage, networking and database services against attacks and intrusions. They are responsible for the security of the software, hardware and data centres used to deliver their services.
  • Therefore, as a customer you need to focus on how to achieve “Security in the Cloud”, as this is your responsibility.
  • As a customer you are responsible for the security of your data and identities. This includes endpoints, accounts and access management. Exactly where the line falls depends on the service model: with IaaS the customer also patches the guest operating system and configures the network, firewalls and encryption, while with managed PaaS and SaaS services more of that moves to the provider.
  • The cloud vendors provide the features and recommendations, but ultimately it is up to the customer to enable and architect those features.

 

Asystec follows best practices when advising and consulting on cloud projects. Based on our experience of such projects, there are certain principles we apply, as outlined below.

PRINCIPLES OF CLOUD SECURITY

Access Management/Identity
This is one of the most important functions of any cloud platform; having a system in place that ensures access is controlled, secure and governed is of the highest importance.

– Multi-Factor Authentication and SSO add a layer of security: prove you are who you say you are. Where the platform supports it, move towards passwordless access.
– Identity & Access Management (IAM) secures access to services and resources. Grant permissions for fine-grained access control, analyse who actually uses which access, and integrate with existing corporate directories. Create a single identity for each user across the hybrid enterprise and keep users in sync. Use RBAC for fine-grained access management, and grant only the permissions a role needs.
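The “MFA should always be used” principle is normally enforced in IAM itself rather than left to user discipline. The block below is an added example, not Asystec's or AWS's own code: a minimal evaluator for AWS-style IAM policy documents that shows why the standard “deny everything except MFA enrolment unless MFA is present” pattern works, including the case of a session that carries no MFA information at all. The policy, the bucket ARN and the request contexts are constructed for the example; only the action and condition semantics follow the real IAM rules.

```python
# Added example (not Asystec's or AWS's own code): a minimal evaluator for
# AWS-style IAM policy documents, enough to show how an explicit Deny with a
# BoolIfExists aws:MultiFactorAuthPresent condition enforces "MFA always" even
# when another statement grants broad access. The policy is constructed here.
from fnmatch import fnmatchcase

# Actions a user must be able to call in order to enrol an MFA device in the
# first place; everything else is denied until MFA is present.
MFA_BOOTSTRAP_ACTIONS = ["iam:ListMFADevices", "iam:EnableMFADevice", "sts:GetSessionToken"]

# Constructed policy: broad S3 access plus the standard "deny all without MFA" pattern.
MFA_ENFORCING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "AllowMfaSetup", "Effect": "Allow",
         "Action": MFA_BOOTSTRAP_ACTIONS, "Resource": "*"},
        {"Sid": "DenyAllWithoutMfa", "Effect": "Deny",
         "NotAction": MFA_BOOTSTRAP_ACTIONS, "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action and resource strings support * and ? wildcards.
    return any(fnmatchcase(value.lower(), pattern.lower()) for pattern in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate the two Bool operators this example needs against the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                # Bool with a missing key never matches.
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "BoolIfExists":
                # A missing key counts as a match. That is the point of the pattern:
                # a session with no MFA information at all is treated like MFA=false.
                if actual is not None and str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def is_allowed(policy, action, resource, context):
    """Deny-overrides evaluation: any matching Deny wins; otherwise a matching Allow is required."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            action_applies = _matches(stmt["Action"], action)
        else:
            # NotAction: the statement applies to every action except the listed ones.
            action_applies = not _matches(stmt["NotAction"], action)
        if not action_applies or not _matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    bucket_object = "arn:aws:s3:::example-bucket/report.csv"  # constructed ARN
    for label, ctx in [("MFA session", {"aws:MultiFactorAuthPresent": "true"}),
                       ("password-only session", {"aws:MultiFactorAuthPresent": "false"}),
                       ("long-term access key, no MFA key in context", {})]:
        print(f"{label}: s3:GetObject allowed = "
              f"{is_allowed(MFA_ENFORCING_POLICY, 's3:GetObject', bucket_object, ctx)}")
    print("enrol MFA device without MFA:",
          is_allowed(MFA_ENFORCING_POLICY, "iam:EnableMFADevice", "*", {}))
```

The choice of BoolIfExists rather than Bool is the detail practitioners most often get wrong: requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, and a plain Bool condition would not match them, leaving the Deny inactive for exactly the credentials that most need it.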

Traceability
Traceability is required to ensure changes to the environment are audited in real time. Monitor, alert, audit. Establish a logging system and, where possible, provide automated response mechanisms that act when anomalies are detected. Protect the audit trail itself: ship logs to a separate account or workspace that administrators of the monitored environment cannot modify, and treat any attempt to stop or delete logging as an incident in its own right.
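What “monitor, alert, audit” looks like in practice is a set of detection rules run over the platform's audit log. The block below is an added example, not Asystec's code: four rules of the kind found in the CIS AWS benchmark, run over constructed CloudTrail-style records. The field names follow the CloudTrail record format; the users, IP addresses, timestamps and the sensitive-call list are made up for the example and would be tuned to a real environment.

```python
# Added example (not Asystec's code): detection logic for the traceability
# principle, run over constructed CloudTrail-style records. Field names follow
# the CloudTrail record format; the events, users and IP addresses are made up.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Calls that weaken traceability or quietly extend access; tune to your environment.
SENSITIVE_API_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
                       "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy", "CreateUser"}
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)


def event_record(time, name, ip, identity, **extra):
    """Build one constructed CloudTrail-style record as a JSON log line."""
    record = {"eventTime": time, "eventName": name, "sourceIPAddress": ip, "userIdentity": identity}
    record.update(extra)
    return json.dumps(record)


def login_record(time, ip, identity, outcome, mfa):
    return event_record(time, "ConsoleLogin", ip, identity,
                        responseElements={"ConsoleLogin": outcome},
                        additionalEventData={"MFAUsed": mfa})


# Constructed sample log: a normal MFA login, a root login without MFA,
# five failed logins from one address in five minutes, and a StopLogging call.
SAMPLE_LOG_LINES = [
    login_record("2024-05-01T08:00:00Z", "203.0.113.10", {"type": "IAMUser", "userName": "alice"}, "Success", "Yes"),
    login_record("2024-05-01T08:05:00Z", "203.0.113.10", {"type": "Root"}, "Success", "No"),
] + [
    login_record(f"2024-05-01T08:1{i}:00Z", "198.51.100.7", {"type": "IAMUser", "userName": "admin"}, "Failure", "No")
    for i in range(5)
] + [
    event_record("2024-05-01T08:20:00Z", "StopLogging", "203.0.113.44", {"type": "IAMUser", "userName": "bob"},
                 eventSource="cloudtrail.amazonaws.com", requestParameters={"name": "org-trail"}),
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(log_lines):
    """Return (rule, detail) findings for the rules below, in log order."""
    findings = []
    failures_by_ip = defaultdict(list)
    for line in log_lines:
        ev = json.loads(line)
        name, ip, identity = ev["eventName"], ev["sourceIPAddress"], ev["userIdentity"]
        who = identity.get("userName", identity["type"])
        ts = parse_time(ev["eventTime"])

        # Rule 1: the root account should not be used day to day.
        if identity["type"] == "Root" and "invokedBy" not in identity:
            findings.append(("root_account_used", f"{name} from {ip} at {ev['eventTime']}"))

        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            mfa_used = ev.get("additionalEventData", {}).get("MFAUsed")
            # Rule 2: successful console login that did not use MFA.
            if outcome == "Success" and mfa_used != "Yes":
                findings.append(("console_login_without_mfa", f"{who} from {ip}"))
            # Rule 3: burst of failed logins from one source within the window.
            elif outcome == "Failure":
                recent = [t for t in failures_by_ip[ip] if ts - t <= FAILED_LOGIN_WINDOW] + [ts]
                failures_by_ip[ip] = recent
                if len(recent) == FAILED_LOGIN_THRESHOLD:  # alert once, when the threshold is crossed
                    findings.append(("console_login_brute_force",
                                     f"{len(recent)} failures from {ip} within {FAILED_LOGIN_WINDOW}"))

        # Rule 4: changes to logging or to identities and credentials.
        if name in SENSITIVE_API_CALLS:
            findings.append(("sensitive_api_call", f"{who} called {name} from {ip}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG_LINES):
        print(f"{rule:28} {detail}")
```

In a real deployment the same rules would run as CloudWatch metric filters, EventBridge rules or a SIEM query rather than a script, and the automated response the principle asks for would hang off the findings: for example, disabling the credential behind a StopLogging call and re-enabling the trail.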
Keep People Away from Data
Reduce the need for direct access to, or manual processing of, data. This reduces the risk of loss or human error with sensitive data.
Apply Security at all Layers
Design security that encompasses each layer of the cloud, including the following:
– VPCs and VNets, the edge network, subnets, load balancers, WAF, every instance, every OS, every application.
– Data security and encryption both at rest and in transit.
Automate Security
Ideally security is managed as code and version controlled, so that the secure configuration is the standard rather than a one-off. Follow the cloud vendors' “Well-Architected” guidance.
Assume Zero Trust
Access requests from users, devices and applications should be considered untrusted until validated. MFA, Conditional Access and SSO should always be used as best practice.
Apply Governance
Use tools to ensure the correct posture is maintained and insider mistakes don’t threaten security. Ensure continuous compliance and threat detection.
Prepare for Security Events
Have an incident response process established. Run simulations and use tools with automation to increase the speed of detection, investigation and recovery.

“According to Gartner, through 2025, 99% of cloud security failures will be the customer’s fault and 90% of the organisations that fail to control public cloud use will inappropriately share sensitive data”.

Is the Cloud Secure? Gartner, October 2019

AWS CLOUD SECURITY

AWS has developed a “Well-Architected Framework” that provides architectural best practices for designing and operating reliable, secure, efficient and cost-effective workloads in the cloud. From a security perspective the framework outlines steps that should be applied at both an organisational level and a workload level. These include the following:

Identify and prioritise risks using a threat model: Use a threat model to maintain an up-to-date register of potential threats. With this information, threats can be prioritised and security controls adapted to prevent, detect and respond.
Evaluate and implement new security services and features regularly: Evaluate and implement security services and features from AWS and APN Partners that allow you to evolve the security posture of your workload.
Keep up to date with security recommendations: Stay up to date with both AWS and industry security recommendations to evolve the security posture of your workload.
Keep up to date with security threats: It is critical to stay up to date with the latest attack vectors; this helps define and implement ongoing controls.
Identify and validate control objectives: Based on the results of the threat model, derive the controls that need to be applied to workloads. Ongoing validation helps measure the effectiveness of risk mitigation.
Automate testing and validation of security controls in pipelines: Use tools and automation to test and validate all security controls continuously. Reducing the number of security misconfigurations introduced into a production environment is critical: the more quality control and defect reduction you can perform in the build process, the better. Asystec has experience building CI/CD pipelines that test for security issues, enhancing security at each stage of the build and delivery process.
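The “managed as code” principle above and this pipeline step come together in a policy-as-code gate: the infrastructure template is scanned before it is deployed, and a failing check blocks the stage. The block below is an added example, not Asystec's code and not an AWS or third-party tool: a small scanner over a constructed CloudFormation-style template with four checks (unencrypted bucket, bucket without a public access block, admin ports open to the internet, wildcard IAM policy). The resource names, the template contents and the severity scheme are assumptions made for the example.

```python
# Added example (not Asystec's code and not an AWS tool): a policy-as-code gate
# that a CI/CD stage runs over an infrastructure template before deployment.
# The template is a constructed CloudFormation-style document; the checks cover
# four common findings and a non-zero exit status blocks the pipeline.
import sys

# Constructed template: one compliant bucket, one non-compliant bucket, an SSH
# security group open to the internet, and a role with a wildcard policy.
CONSTRUCTED_TEMPLATE = {
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
            "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                               "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
        "UploadsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "bastion",
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {},
            "Policies": [{"PolicyName": "app", "PolicyDocument": {
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    }
}

PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
ADMIN_PORTS = {22, 3389}


def check_s3_bucket(name, props):
    findings = []
    if "BucketEncryption" not in props:
        findings.append(("HIGH", name, "no default server-side encryption configured"))
    block = props.get("PublicAccessBlockConfiguration", {})
    if not all(block.get(key) is True for key in PUBLIC_ACCESS_BLOCK_KEYS):
        findings.append(("HIGH", name, "public access block not fully enabled"))
    return findings


def check_security_group(name, props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        from_world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
        if not from_world:
            continue
        low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        all_traffic = rule.get("IpProtocol") == "-1"
        if all_traffic or any(low <= port <= high for port in ADMIN_PORTS):
            findings.append(("HIGH", name,
                             f"ingress from the internet to ports {low}-{high} ({rule.get('IpProtocol')})"))
    return findings


def check_iam_role(name, props):
    findings = []
    for policy in props.get("Policies", []):
        for stmt in policy["PolicyDocument"].get("Statement", []):
            actions = stmt.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            resources = stmt.get("Resource", [])
            resources = resources if isinstance(resources, list) else [resources]
            if stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources:
                findings.append(("HIGH", name, f"inline policy {policy['PolicyName']} allows * on *"))
    return findings


CHECKS = {"AWS::S3::Bucket": check_s3_bucket,
          "AWS::EC2::SecurityGroup": check_security_group,
          "AWS::IAM::Role": check_iam_role}


def scan(template):
    """Run every applicable check; returns (severity, resource, message) tuples."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


if __name__ == "__main__":
    results = scan(CONSTRUCTED_TEMPLATE)
    for severity, resource, message in results:
        print(f"[{severity}] {resource}: {message}")
    # Fail the pipeline stage on any HIGH finding.
    sys.exit(1 if any(severity == "HIGH" for severity, _, _ in results) else 0)
```

The value of running this before deployment rather than after is that the misconfiguration never exists in the account; the same checks run against live resources are the posture-management side of the picture, and the two should share one rule set so that build-time and run-time results agree.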

AZURE CLOUD SECURITY

Azure also provides a “Well-Architected Framework”, a set of guiding tenets that can be used to improve the quality of workloads in the cloud. Security is one of the five pillars of the framework; it provides guidance on confidentiality, integrity and availability and the best-practice measures that mitigate attacks on, and abuse of, data and systems. Microsoft outlines three key strategies:

Establish a Modern Perimeter: The design should include a perimeter built on identity controls that intercepts authentication requests for cloud resources, rather than relying on the network boundary alone.
Modernise Infrastructure Security: Take advantage of cloud technology to reduce security risk. As an example, with Azure Security Centre (now Microsoft Defender for Cloud) you can quickly identify the patch state of all servers and remediate them.
“Trust but Verify” each cloud provider: Adopt a trust-but-always-verify approach when permitting access to resources and data.

VMWARE SECURE STATE

Reducing misconfigurations, monitoring for malicious activity, and preventing unauthorised access are foundational activities necessary to ensure the security and compliance of applications and data in the cloud. As attackers become more sophisticated at exploiting cloud misconfigurations, security teams need a smarter approach to preventing security breaches.

VMware Secure State is an intelligent cloud security and compliance monitoring platform that helps organisations reduce risk and protect millions of cloud resources by remediating security violations and scaling best practices at cloud speed.

Increase visibility with real-time insights: Better understand your multicloud’s security and compliance posture by visualising object relationships and mapping associated violations, metadata, etc.

Establish security & compliance best practices: Build a program to establish organisation wide standards and prioritise violations based on risk.

Remediate misconfigurations with automated actions: Resolve existing and new misconfigurations with a flexible, in-account remediation approach to scale security at cloud speed.

Empower security, developers, & operations teams: Drive security and compliance improvements with faster alignment and distribution of insights across stakeholder teams.

CONTACT US

Asystec has guided customers through the process of achieving Security in the Cloud and the best practices that need to be considered. This applies both to our existing cloud customers and to those just starting out with applications in the cloud. Whatever stage you are at, we can help consult on and design the right secure solution for you. To find out how our approach to Cloud Security can protect your business, contact us today!