For a lot of cloud security breaches, the problem isn't with the household-name cloud providers, but with you, the ops admin.
The IT operations team often overlooks cloud security policies and best practices when it implements workloads on top-tier public cloud providers. The most common example is a failure to secure Amazon Simple Storage Service (S3) buckets. The cost to fix a breach -- and the damage done to a high-profile brand because of it -- far outweigh the time it would have taken to implement proper precautions.
Simple measures strengthen protection at the user level: role-based access control and key-based login instead of passwords. Other policies create an operational force field around workloads: firewall implementation, geographic tethering and in-depth monitoring. And who doesn't like free upgrades?
There's no magic formula for the administrator to shore up defenses outside the corporate data center, but this cloud security checklist supports a layered approach. As a bonus, most of the items on the checklist are standard offerings from major cloud providers.
1. Secure cloud accounts and create groups
Ensure that the root account is secure. To make daily administration easier and still adhere to cloud security policies, create an administrative group and assign rights to that group, rather than the individual.
Create additional groups for fine-grained security that fits your organization. Some users need read-only access, for example people or services that run reports. Other users should be able to do some ops tasks, such as restarting VMs, but not modify VMs or their resources. Cloud providers make predefined roles available, and the cloud admin should research when and where to use them. Do not modify those existing roles, as this is a recipe for disaster; copy them and adapt the copy instead.
To disable an account temporarily, create a no-access policy. Apply that policy to the administrator or other account, then simply remove it to re-enable the account as it was, without risk of unintended changes.
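The group-and-policy model above is easier to reason about with a worked example. The following is an added illustration, not code from the original article or from any cloud provider: it is a deliberately simplified, constructed model of how IAM-style policies are evaluated (an explicit Deny in any attached policy beats every Allow; with no matching Allow the request is denied). The group names, policy documents and action names are assumptions chosen for the example. It shows why copying a role into a narrower group works, and why attaching a deny-all "no-access" policy disables an account without touching the rights it will get back when the policy is removed.

```python
from fnmatch import fnmatchcase

# Constructed, deliberately simplified model of how cloud IAM-style policies
# are evaluated (assumption, not any provider's real engine): an explicit
# Deny in any attached policy wins over every Allow, and with no matching
# Allow the request is denied by default.

# Policies are attached to groups rather than to individual users.
ADMIN_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

READ_ONLY_POLICY = {"Statement": [  # report runners: look, don't touch
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"],
     "Resource": "*"}]}

OPERATOR_POLICY = {"Statement": [  # may restart VMs, may not modify them
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RebootInstances"],
     "Resource": "*"}]}

# The "no-access" policy from the checklist: attach it to disable an account,
# detach it to restore the account exactly as it was.
NO_ACCESS_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}

GROUPS = {
    "admins": [ADMIN_POLICY],
    "auditors": [READ_ONLY_POLICY],
    "operators": [OPERATOR_POLICY],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource="*"):
    """Return 'Allow' or 'Deny' for one action against the given policy set."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            matches = (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                       and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))
            if not matches:
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny short-circuits everything
            allowed = True
    return "Allow" if allowed else "Deny"


def effective_policies(group, disabled=False):
    """Policies a member of `group` is evaluated against; `disabled` simulates
    attaching the no-access policy without editing the group's own rights."""
    policies = list(GROUPS[group])
    if disabled:
        policies.append(NO_ACCESS_POLICY)
    return policies


if __name__ == "__main__":
    for group in GROUPS:
        for action in ("ec2:DescribeInstances", "ec2:RebootInstances",
                       "ec2:ModifyInstanceAttribute", "s3:PutObject"):
            print(f"{group:10} {action:28} {evaluate(effective_policies(group), action)}")
    print("admins (disabled) ec2:DescribeInstances",
          evaluate(effective_policies("admins", disabled=True), "ec2:DescribeInstances"))
```

Running the script prints the decision matrix per group; the operators group can reboot but not modify, the auditors group can read S3 but not write, and the admins group loses everything while the no-access policy is attached, then regains it when the policy is removed, because nothing in the group's own policy was edited.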
2. Check for free security upgrades
Every major cloud provider allows and encourages the use of two-factor authentication (2FA). There is no reason not to have 2FA on your cloud security checklist for new deployments, as it increases protection from malicious login attempts.
3. Restrict infrastructure access via firewalls
Many companies move web-scale, external-facing infrastructure to the cloud when they adopt it, and the same providers make it quick to shield the private servers behind that front end from external access.
Check for firewall policies. If the cloud provider makes it available, use firewall software to restrict access to the infrastructure. Only open ports when there's a valid reason to, and make closed-by-default ports part of your cloud security policies.
4. Tether the cloud
Some cloud-based workloads only serve clients or customers in one geographic region. For these jobs, add an access restriction to the cloud security checklist: allow access only from within that region or, even better, only from specific IP addresses. This simple administrator decision slashes exposure to opportunistic hackers, worms and other external threats.
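Items 3 and 4 together amount to one rule: nothing is reachable unless a known source range has a reason to reach it. The following added example (not from the article or any provider's tooling) audits a constructed list of security-group style ingress rules against that rule. The rule fields, the approved address ranges, and the sets of public and administrative ports are assumptions for the example; a real provider's rule format differs, but the checks are the ones a practitioner would run before every deployment.

```python
import ipaddress

# Constructed sample of security-group style ingress rules (assumption: the
# real rule format differs per provider; this mirrors the fields that matter).
INGRESS_RULES = [
    {"name": "web-https",    "port": 443,  "source": "0.0.0.0/0"},
    {"name": "ssh-anywhere", "port": 22,   "source": "0.0.0.0/0"},
    {"name": "ssh-office",   "port": 22,   "source": "203.0.113.0/24"},
    {"name": "db-from-app",  "port": 5432, "source": "10.0.1.0/24"},
    {"name": "rdp-anywhere", "port": 3389, "source": "::/0"},
    {"name": "api-partner",  "port": 8443, "source": "198.51.100.7/32"},
]

# Ports that are legitimately public on this workload; everything else must
# come from an approved range, i.e. be "tethered" to the organisation's own
# addresses. All three sets are assumptions for the example.
PUBLIC_PORTS = frozenset({80, 443})
ADMIN_PORTS = frozenset({22, 3389, 5985, 5986})
APPROVED_SOURCES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "10.0.0.0/8")]


def is_world_open(source):
    """True for 0.0.0.0/0 or ::/0, i.e. any address at all."""
    return ipaddress.ip_network(source).prefixlen == 0


def within_approved(source, approved=APPROVED_SOURCES):
    """True when the whole source range sits inside one approved range."""
    net = ipaddress.ip_network(source)
    return any(net.version == a.version and net.subnet_of(a) for a in approved)


def audit_ingress(rules, approved=APPROVED_SOURCES, public_ports=PUBLIC_PORTS):
    """Return (rule name, reason) for every rule that breaks closed-by-default."""
    findings = []
    for rule in rules:
        world = is_world_open(rule["source"])
        if world and rule["port"] in public_ports:
            continue                                   # the intended public service
        if rule["port"] in ADMIN_PORTS and world:
            findings.append((rule["name"], "admin port open to the world"))
        elif not within_approved(rule["source"], approved):
            findings.append((rule["name"], "source outside approved ranges"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_ingress(INGRESS_RULES):
        print(f"{name}: {reason}")
```

The IPv6 catch-all `::/0` is deliberately in the sample: it is the classic way an "SSH from the office only" intention is undone by a second, forgotten rule. The partner range is flagged as well, not because it is wrong, but because anything outside the approved list needs a documented reason before the port is opened.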
5. Replace passwords with keys
Passwords are a liability: cumbersome, insecure and easy to forget. Every seasoned administrator knows that Monday morning user-has-forgotten-password scenario.
Make public key infrastructure (PKI) part of your cloud security policies. PKI relies on a public and private key pair to verify the identity of a user before exchanging data. Switch the cloud environment to PKI, and password stealing becomes a nonissue. PKI also prevents brute-force login attacks: without the private key, no one will obtain access, barring a catastrophic PKI code failure.
While this might seem obvious, include a note on the cloud security checklist that the private key should not be stored on the computer or laptop in use. Investigate vendors of hardware keys, such as YubiKey, that provide secure key management. For some programs, the user has to physically touch the device to authorize use of the key. Cloud key management for multiple users is easier with these tools.
All the major public cloud providers offer a PKI. If you prefer to use your own keys, make sure they are protected with a good, secure passphrase. That way, if you lose the USB key or other storage medium holding the private key, you retain a certain level of security that gives you time to replace the lost key.
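On Linux VMs the practical form of "keys instead of passwords" is OpenSSH's public-key login with every password path switched off, and the setting is only as good as the sshd_config on each host. The following added example (not from the article) parses two constructed sshd_config samples and reports every setting that still allows a password. It assumes OpenSSH's documented behaviour that the first value seen for a keyword wins, and the current default values listed in `DEFAULTS` (older releases spell `KbdInteractiveAuthentication` as `ChallengeResponseAuthentication`); the required values are this example's policy, not the article's.

```python
# Constructed sshd_config samples (not from any real host): the first still
# accepts passwords, the second is the key-only form the checklist asks for.
WEAK_CONFIG = """\
# stock-looking configuration: keys work, but so do passwords
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
# keys only: no password prompt, no PAM keyboard-interactive prompt,
# and root only with a key, if at all
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
"""

# Values sshd assumes when a keyword is absent (assumption: recent OpenSSH
# defaults; older releases spell the third one ChallengeResponseAuthentication).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# This example's policy: key login on, every password path off.
REQUIRED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "kbdinteractiveauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
}


def parse_sshd_config(text):
    """Keyword -> value, honouring sshd's rule that the first value seen wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comment lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()                         # keywords are case-insensitive
        if key == "match":
            break                                 # per-host/user overrides are out of scope here
        settings.setdefault(key, value.strip())   # first occurrence wins, later ones ignored
    return settings


def audit_sshd(text):
    """Return (keyword, effective value) for every setting that violates REQUIRED."""
    effective = {**DEFAULTS, **parse_sshd_config(text)}
    return [(key, effective[key]) for key, ok in REQUIRED.items()
            if effective[key].lower() not in ok]


if __name__ == "__main__":
    print("weak:    ", audit_sshd(WEAK_CONFIG))
    print("hardened:", audit_sshd(HARDENED_CONFIG))
```

The weak sample is reported on three counts, one of them for a keyword that is not in the file at all: `KbdInteractiveAuthentication` defaults to yes, so a password prompt via PAM survives even after `PasswordAuthentication no` unless it is disabled explicitly. That is the kind of gap a checklist item on its own does not catch.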
6. Turn on auditing and system monitoring
A lot of administrators don't think about monitoring until it's too late. Systems create logs in huge amounts. Use tools that capture, scan and process these logs into something useful for cloud capacity planning, audits, troubleshooting and other operations.
Log monitoring and analysis tools boil all those warnings, alerts and informational messages down into something useful. Again, many cloud providers offer auditing tools, and there are many good tools you can try with no commitment, such as Splunk and its visualization tools.
The administrator can immediately see trends and anomalies and take action to remediate them quickly and efficiently. Taking it to the next level, a security information and event management (SIEM) system will also help identify any issues or threats that need attention.
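The kind of anomaly a monitoring pipeline turns raw logs into is easiest to see on concrete lines. The following added example (not from the article, and not any vendor's product) runs two detections over a constructed, sshd-style authentication log: a burst of failed logins from one source within a short window, and any login that succeeded with a password, which under item 5 of this checklist should no longer be possible. The log lines, the threshold and window, and the single-day timestamps are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in sshd/syslog format (no real hosts or addresses).
SAMPLE_LOG = """\
Jan 10 09:12:01 web1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
Jan 10 09:12:03 web1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51123 ssh2
Jan 10 09:12:04 web1 sshd[2102]: Failed password for root from 198.51.100.7 port 51124 ssh2
Jan 10 09:12:06 web1 sshd[2103]: Failed password for root from 198.51.100.7 port 51125 ssh2
Jan 10 09:12:09 web1 sshd[2104]: Failed password for root from 198.51.100.7 port 51126 ssh2
Jan 10 09:13:30 web1 sshd[2110]: Accepted publickey for deploy from 203.0.113.5 port 40112 ssh2: ED25519 SHA256:constructed-fingerprint
Jan 10 09:20:00 web1 sshd[2120]: Failed password for alice from 203.0.113.5 port 40200 ssh2
Jan 10 09:20:05 web1 sshd[2121]: Accepted password for alice from 203.0.113.5 port 40201 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse(text):
    """Turn matching log lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            # syslog timestamps carry no year (assumption: sample is one day,
            # so the default year from strptime is fine for relative windows)
            events.append({"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                           "result": m["result"], "method": m["method"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Return alerts: (kind, source ip, detail) in the order they are raised."""
    alerts = []
    failures = defaultdict(list)   # source ip -> timestamps of failed logins
    flagged = set()                # raise the brute-force alert once per source
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
            recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append(("brute_force", e["ip"], len(recent)))
        elif e["result"] == "Accepted" and e["method"] == "password":
            # a password login succeeded on a host that should be key-only
            alerts.append(("password_login", e["ip"], e["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The first alert is the burst from 198.51.100.7: five failures in eight seconds, which a reader of the raw file might miss among thousands of lines. The second is a policy drift rather than an attack: alice logged in with a password, so at least one host was not switched to keys. Both are exactly the trends and anomalies the paragraph above says the administrator should be able to see immediately, and both are the kind of rule a SIEM would carry as a correlation search.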
In summary, there are lots of ways to help secure the environment. The vendors have gone to huge lengths to provide tools to help you secure the environment. Why not use them?