How to Create a Cloud Security Strategy
Cloud security is hard at the start, and this post walks through how to create a cloud security strategy.
I say this as someone who has worked in this industry for the past 20 years, the last five of which have been dedicated to the cloud.
One of the most challenging steps in a Cloud Security journey is to create a roadmap for securing your cloud environment.
The importance of this step cannot be overstated: if it is not done correctly, it leads to the wrong investments, wasted time and potential data breaches down the road.
Cloud and digital adoption have sky-rocketed in the last few years, and cybersecurity teams without a proper roadmap can face serious problems.
As CIOs and CISOs sit down and work out the best approach to securing their cloud workloads, they will be flooded with a huge amount of material, which can be quite frustrating!
Based on my own experiences with numerous cloud implementations, I have decided to jot down the key success factors for a successful cloud security implementation.
I have divided the roadmap into three basic phases, which are
Foundational
Implementation
Optimize
Note: I have tried my best to make it as detailed as possible based on my experience, but not so detailed that it becomes impractical to most companies.
Phase 1: Laying down the foundation
One of the most common reasons a cloud security project fails is that CISOs simply “copy-paste” their on-prem model onto the cloud.
Not understanding the cloud will result in potent native capabilities being ignored; hence, laying down a proper foundation before starting your journey is very important.
A few of the key foundational elements are listed below
A. Understand the regulatory environment
Before starting your cloud security journey, a crucial first step is to know the regulations for your particular geography.
If this is not done correctly, you could move data you are not authorized to move and be subject to severe regulatory fines.
Certain countries do not allow their citizens' data to be moved outside their borders (data residency requirements) and impose heavy penalties for non-compliance.
The plus point is that most regulations also overlap with security best practices, so putting a proper framework first will cut down work later.
Whether it is HIPAA, PCI DSS, or SOC 2, engage with your legal and compliance departments and fully understand the dos and don'ts for your particular sector.
You have to know what data is going into the cloud, what the controls around it will be, and what questions you will have to answer when the regulator comes knocking.
One piece of good news for cyber-security teams who are fed up with doing audits all year long is that the cloud providers do a lot of the heavy lifting for them.
AWS, Azure, and Google Cloud all run multiple third-party audit programs covering hundreds of local and global certifications throughout the year, and the resulting reports can be requested at no cost.
One example is AWS Artifact, which gives you on-demand access to hundreds of compliance reports for AWS.
NOTE: While this is great news for cyber-security teams, it does not mean you are automatically compliant with PCI DSS or ISO just because you are hosting on AWS, Azure or Google. The provider's certifications cover the provider's portion of the stack only; the rest is the subject of the shared responsibility model detailed below.
B. Understand the Shared responsibility model
The Shared Responsibility model is one of the most important things to know upfront before implementing anything on the cloud.
Some companies move into the cloud with the mistaken assumption that going forward AWS or Microsoft will handle everything and all their security obligations are gone.
This is a huge mistake, as security in the cloud becomes a shared responsibility. The customer and the cloud provider must work together to secure the environment.
A lot of the foundational work is done for you, but you still have to go the last mile and implement controls on your own data, identities and applications to ensure everything in your area is compliant.
As AWS puts it, they are responsible for security OF the cloud while you look after security IN the cloud.
Where the line sits depends on the service model you use (IaaS, PaaS, or fully managed/SaaS). The further you move toward managed services, the more of the stack the provider secures; with IaaS, everything from the guest operating system upwards remains your responsibility.
C. Ramp up your teams in parallel
Creating cloud skills within your teams is a key foundational step if you are a CISO and starting your cloud security journey.
Please do not rely solely on external consultants. They usually leave once the project finishes, and the internal teams will take over running day-to-day operations.
Without knowing how to secure Infrastructure as Code, containers and serverless, your cyber-security teams will be at a severe disadvantage later on and will not be able to handle queries from the technology teams. There are numerous free and paid training and certification paths available for these technologies.
The team will also see this as a vote of confidence because of the investment being made in them.
Phase 2: Securing the Cloud
Now that you have a solid foundational understanding of the cloud and regulatory approval ( hopefully! ), we can start examining how to secure the cloud environment.
As I mentioned, don’t try to copy whatever toolset you are using on-prem blindly, but always try to use native cloud services first.
This phase can be one with the most effort required by the teams and the most stress-inducing.
In this phase, the two most important things to do are benchmarking and creating your cloud security model.
A. Benchmark
The best and quickest way to immediately know your security posture in the cloud is to enable benchmarking against security best practices.
The good news is that providers like Google, Azure, and AWS have already provided you with pre-configured benchmarks against which you can measure your environments from day one.
Turning on CIS benchmarks from day 1 is a great way to get some easy, quick security wins in your cloud and to make your CISO happy.
Each of the major providers ships a native service that runs these benchmarks and scores your accounts against them.
Apart from that, there are third-party tools that can give you the same visibility across providers if you have the budget for them.
B. Establish your cloud security model
With benchmarks enabled, now is the time to start implementing a high-level security framework for your environment. Below are the key areas to focus on:
Identity controls: In the cloud, identity is your perimeter, so make it the priority. Do not just enable MFA and call it a day; create a proper security ecosystem for your identities. The best thing you can do is to connect the cloud to your Single Sign-On system if you have one, so you do not have to manage a separate set of identities in the cloud, and prefer roles and short-lived credentials over long-lived access keys.
Encryption: A lot of this will be dictated by which regulations you are under and what data (PCI, PII) is going into the cloud. Know the encryption controls for sensitive data at rest and in transit. AWS and the other cloud providers offer managed key services that take away the hassle of running HSMs in-house; what stays with you is deciding who may use which key.
Logging and Alerting: It is very easy to overdo logging and alerting in the cloud. Creating too few alerts will result in missing critical events, and creating too many will flood your response teams and lead to alert fatigue. The good thing is that if you have enabled benchmarking already, you can translate the high-severity findings into alerts and then add your own.
Workload protection: Ensure your VMs, containers, and clusters are protected when running your cloud workloads. VMs should spin up from hardened images, container images should be scanned before they are deployed, and runtime protection should be available across the board. Make this a minimum requirement for the cloud.
Threat Intel: One of the most extraordinary things about the cloud is how much threat intelligence you can access thanks to the cloud provider. Azure, Google, and AWS are investing billions in threat intelligence, and that data is fed into their cloud detection services, enabling early detection of attacks. Enable these services early so they start learning from day one and build a baseline you can act on.
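The benchmark and logging-and-alerting points above fit together: a benchmark run produces findings, and only a disciplined subset of those should become alerts. The example below is an added illustration, not the author's code or any provider's tool. It runs a handful of CIS-style posture checks (root MFA, multi-region audit trail, user MFA, key rotation, public or unencrypted buckets, admin ports open to the world) over a constructed account snapshot, then routes findings to alerts with a severity threshold, an accepted-risk suppression list, and de-duplication across repeated scans so the same issue does not page the team every hour. The snapshot shape, check names and port list are assumptions for illustration.

```python
"""Added example: CIS-style posture checks plus alert routing (not the author's code)."""
from dataclasses import dataclass

# Constructed account snapshot, loosely shaped like what a posture tool collects.
SNAPSHOT = {
    "root_mfa_enabled": False,
    "cloudtrail": {"multi_region": False, "log_file_validation": True},
    "users": [
        {"name": "alice", "mfa": True, "access_key_age_days": 20},
        {"name": "svc-build", "mfa": False, "access_key_age_days": 400},
    ],
    "buckets": [
        {"name": "public-assets", "encrypted": True, "public": True},
        {"name": "customer-data", "encrypted": False, "public": False},
    ],
    "security_groups": [
        {"id": "sg-1", "rules": [{"port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-2", "rules": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    ],
}

ADMIN_PORTS = {22, 3389}            # assumption: SSH and RDP count as admin ports
KEY_MAX_AGE_DAYS = 90               # assumption: rotate access keys every 90 days
ALERT_AT = {"CRITICAL", "HIGH"}     # only these severities become alerts
# Accepted risks: (check, resource) pairs signed off by management.
SUPPRESSIONS = frozenset({("bucket-public", "public-assets")})  # public website assets


@dataclass(frozen=True)
class Finding:
    check: str
    resource: str
    severity: str  # CRITICAL / HIGH / MEDIUM / LOW


def run_checks(snap):
    """Evaluate the snapshot against CIS-style controls and return all findings."""
    findings = []
    if not snap["root_mfa_enabled"]:
        findings.append(Finding("root-mfa", "account", "CRITICAL"))
    if not snap["cloudtrail"]["multi_region"]:
        findings.append(Finding("trail-all-regions", "account", "HIGH"))
    for u in snap["users"]:
        if not u["mfa"]:
            findings.append(Finding("user-mfa", u["name"], "HIGH"))
        if u["access_key_age_days"] > KEY_MAX_AGE_DAYS:
            findings.append(Finding("key-rotation", u["name"], "MEDIUM"))
    for b in snap["buckets"]:
        if b["public"]:
            findings.append(Finding("bucket-public", b["name"], "HIGH"))
        if not b["encrypted"]:
            findings.append(Finding("bucket-unencrypted", b["name"], "MEDIUM"))
    for sg in snap["security_groups"]:
        for rule in sg["rules"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                findings.append(Finding("admin-port-open", sg["id"], "HIGH"))
    return findings


def to_alerts(findings, suppressions=frozenset(), seen=None):
    """Turn findings into alerts: keep only severities in ALERT_AT, skip accepted
    risks, and raise one alert per (check, resource). `seen` persists between
    scans so a finding that is still open is not re-alerted on every run."""
    seen = set() if seen is None else seen
    alerts = []
    for f in findings:
        if f.severity not in ALERT_AT:
            continue
        key = (f.check, f.resource)
        if key in suppressions or key in seen:
            continue
        seen.add(key)
        alerts.append(f)
    return alerts


if __name__ == "__main__":
    seen = set()
    findings = run_checks(SNAPSHOT)
    first = to_alerts(findings, SUPPRESSIONS, seen)
    second = to_alerts(run_checks(SNAPSHOT), SUPPRESSIONS, seen)
    print(f"{len(findings)} findings, {len(first)} new alerts on first scan, "
          f"{len(second)} on the repeat scan")
    for a in first:
        print(f"  [{a.severity}] {a.check} on {a.resource}")
```

The MEDIUM findings (key rotation, unencrypted bucket) are still recorded for the posture report and the risk tracker; they simply do not page anyone. The `seen` set is the minimum you need to stop re-alerting on open items; in a real pipeline it would be the open-ticket or open-case store, and an entry is removed when the finding disappears so a regression alerts again.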
Phase 3: Optimize the Cloud
This is the phase where you start gaining confidence in your cloud controls, and you can shift your focus to more strategic work. A few key areas to look at in this phase are below:
Turn on auto-remediation for the alerts that are being generated, starting with low-risk, well-understood fixes, so your security teams can focus on more productive work.
Fine-tune the existing alert logic; by now you will know what is working and what isn't.
Clean up the cloud permissions granted in the earlier phases. By now, you should know who needs what and can trim accordingly.
Extending your toolset via collaboration tools like Slack can greatly increase the efficiency of your security processes and move you away from an email culture.
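Trimming the permissions granted in earlier phases is easier when you compare what each principal was granted with what it actually exercised. The example below is added here and is not the author's code or any provider's tool: it parses a constructed activity log of (principal, action, resource) records, narrows wildcard grants such as `s3:*` to the concrete actions observed under them, reports grants that were never used, and emits a minimal allow statement in IAM policy-document shape. The role names, grant lists and log lines are constructed for illustration.

```python
"""Added example: right-size permissions from observed usage (not the author's code)."""
from collections import Counter
from fnmatch import fnmatchcase

# Constructed grants per principal, in IAM-style "service:Action" form.
GRANTED = {
    "deploy-role": ["s3:*", "ec2:Describe*", "iam:PassRole", "kms:Decrypt", "iam:*"],
    "legacy-admin": ["*"],
}

# Constructed activity records: "<principal> <action> <resource>", e.g. what you
# would extract from an audit trail over the review window.
USAGE_LOG = [
    "deploy-role s3:GetObject arn:aws:s3:::artifacts/app.zip",
    "deploy-role s3:PutObject arn:aws:s3:::artifacts/app.zip",
    "deploy-role ec2:DescribeInstances *",
    "deploy-role iam:PassRole arn:aws:iam::123456789012:role/app-task",
    "deploy-role s3:GetObject arn:aws:s3:::artifacts/app.zip",
]


def parse_usage(lines):
    """Return {principal: Counter({action: calls})} from the activity records."""
    used = {}
    for line in lines:
        principal, action, _resource = line.split(maxsplit=2)
        used.setdefault(principal, Counter())[action] += 1
    return used


def rightsize(granted, used):
    """For each principal return (minimal_actions, unused_grants).

    A grant that matched at least one observed action is replaced by the concrete
    actions seen under it (so 's3:*' becomes the two S3 calls actually made);
    a grant that matched nothing is reported as unused and dropped."""
    minimal, unused = {}, {}
    for principal, grants in granted.items():
        observed = used.get(principal, Counter())
        keep, dropped = set(), []
        for pattern in grants:
            matched = [a for a in observed if fnmatchcase(a, pattern)]
            if matched:
                keep.update(matched)
            else:
                dropped.append(pattern)
        minimal[principal] = sorted(keep)
        unused[principal] = dropped
    return minimal, unused


def to_policy(actions):
    """Wrap a list of actions in an IAM-style policy document (actions only;
    resource scoping is the next narrowing step and is left out here)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


if __name__ == "__main__":
    minimal, unused = rightsize(GRANTED, parse_usage(USAGE_LOG))
    for principal in GRANTED:
        print(f"{principal}: keep {minimal[principal]}, unused {unused[principal]}")
        if not minimal[principal]:
            print(f"  {principal} made no calls in the window: candidate for removal")
    print(to_policy(minimal["deploy-role"]))
```

Two caveats a practitioner should keep in mind: the window must be long enough to catch infrequent jobs (a quarterly report job looks unused in a 30-day sample), and an unused grant is not automatically safe to remove without asking the owner, which is why the function reports rather than revokes. The `iam:*` grant is a good illustration of the narrowing: it is not flagged as unused, because `iam:PassRole` was exercised, but the wildcard is still collapsed to that single action.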
A. Risk Review
While you should have maintained a risk tracker from day 1, this is the time to take a long, hard look at your risk database and decide what stays open and what needs to be formally accepted by management. Be pragmatic and realize you will never get that lovely 100% complete risk tracker.
What can be fixed should be fixed and closed; what cannot be fixed should be tracked, with the residual risk accepted by management.
That wraps up the significant steps and puts you on the road to a successful cloud security journey.
If you want more details, check out the video I made below.
Taimur Ijlal is a multi-award-winning information security leader with over two decades of international experience in cyber-security and IT risk management in the fin-tech industry. Taimur can be connected on LinkedIn or on his YouTube channel, “Cloud Security Guy,” on which he regularly posts about Cloud Security, Artificial Intelligence, and general cyber-security career advice.