Part 3: Cloud Security Best Practices Summarized

Based on lessons learned and experience from across the cloud industry, the following best practices should be considered when planning for your organization.

 

PLANNING

As an organization plans for transitioning to a cloud service or deploying a private or hybrid cloud, the first step from a security standpoint is to consider what IT systems, applications, and data should or must remain within a legacy enterprise datacenter. Here are some considerations:

 

MULTITENANCY

Most clouds rely on software-based access controls and permissions (in the hypervisor, network, and management layers) to isolate customers from one another in a multitenant environment, so a flaw in those controls is a flaw in the tenant boundary. Hardware isolation (dedicated hosts) is an option for private clouds and some virtual private clouds, but at additional cost.

 

AUTOMATION IN A CLOUD

The first rule in an automated cloud is to plan and design a cloud system with as few manual processes as possible. This might be contrary to ingrained principles of the past, but you must avoid any security processes or policies that delay or prevent automation. Here are some considerations:

 

Experience has shown that traditional security processes have tended to be manual approvals, after-provisioning audits, and slow methodical assessments, tendencies that must change when building or operating a cloud. Pre-certify the templates, images, and configurations that the automation deploys, so that no manual security assessment has to be forced into the provisioning process itself.

 

NETWORK CONFIGURATION

It is common for customers to request additional network configurations or the opening of firewall ports. These can be handled through a manual vetting, approval, and configuration process, but because that process is the exception to an otherwise automated cloud, you might want to charge extra for this service. Here are some things to keep in mind:
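One way to keep most port requests out of the manual queue is to pre-certify a policy and let automation approve whatever fits it, which is the approach the automation section above argues for. The following is an added example, not code from the original text: requests that match the pre-certified policy are approved immediately, and only the remainder are routed to manual vetting. The port groups, the CIDR thresholds, and the request shape are assumptions chosen for illustration.

```python
"""Automated pre-certification of firewall-rule requests (added example).

A request is auto-approved only when it fits a pre-certified policy; anything
else is queued for the slow, manual vetting path. Port groups and thresholds
below are assumptions for the example, not a recommended universal policy.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RuleRequest:
    tenant: str
    source_cidr: str      # who may connect to the tenant's resource
    port: int
    protocol: str = "tcp"


# Assumed policy: web ports any tenant may expose to the Internet without review.
PUBLIC_PORTS = {80, 443}
# Administrative ports: never auto-approved from a wide range; a /24 or narrower only.
ADMIN_PORTS = {22, 3389, 5985, 5986}
# Database ports: auto-approved only from RFC 1918 (private) address space.
DB_PORTS = {1433, 3306, 5432, 27017, 6379}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vet_request(req: RuleRequest) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'approve' or 'manual_review'."""
    try:
        src = ipaddress.ip_network(req.source_cidr, strict=False)
    except ValueError:
        return "manual_review", "unparseable source CIDR"
    if req.protocol.lower() not in ("tcp", "udp"):
        return "manual_review", f"protocol {req.protocol} needs review"
    if not 1 <= req.port <= 65535:
        return "manual_review", "invalid port"

    is_public = src.prefixlen == 0                    # 0.0.0.0/0 or ::/0
    if req.port in PUBLIC_PORTS:
        return "approve", "pre-certified public web port"
    if req.port in ADMIN_PORTS:
        if is_public or src.prefixlen < 24:
            return "manual_review", "admin port exposed to a wide or public range"
        return "approve", "admin port restricted to a narrow source range"
    if req.port in DB_PORTS:
        in_private = any(n.version == src.version and src.subnet_of(n) for n in PRIVATE_NETS)
        if in_private:
            return "approve", "database port limited to private address space"
        return "manual_review", "database port reachable from outside private space"
    if is_public:
        return "manual_review", "uncertified port opened to the Internet"
    return "approve", "uncertified port restricted to a specific source"


def triage(requests: List[RuleRequest]) -> Dict[str, List[Tuple[RuleRequest, str]]]:
    """Split a batch of requests into the automated and the manual queues."""
    queues: Dict[str, List[Tuple[RuleRequest, str]]] = {"approve": [], "manual_review": []}
    for req in requests:
        decision, reason = vet_request(req)
        queues[decision].append((req, reason))
    return queues


# Constructed sample requests (not real customer data).
SAMPLE_REQUESTS = [
    RuleRequest("acme", "0.0.0.0/0", 443),           # approve: public web
    RuleRequest("acme", "0.0.0.0/0", 22),            # review: SSH from anywhere
    RuleRequest("acme", "203.0.113.0/24", 22),       # approve: SSH from one /24
    RuleRequest("acme", "10.1.0.0/16", 5432),        # approve: DB from private space
    RuleRequest("acme", "203.0.113.0/24", 5432),     # review: DB from the Internet
    RuleRequest("acme", "0.0.0.0/0", 8443),          # review: uncertified public port
]

if __name__ == "__main__":
    for decision, items in triage(SAMPLE_REQUESTS).items():
        for req, reason in items:
            print(f"{decision:14} {req.source_cidr:>16} -> {req.protocol}/{req.port}: {reason}")
```

The point of the split is that the manual path still exists, but only for requests the policy cannot certify; everything else completes inside the automated provisioning flow.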

 

ASSET AND CONFIGURATION MANAGEMENT

The key to success is also to automate the updating of the asset and configuration databases. This means that you configure the cloud management platform, which controls and initiates automation, to log the new VM, application, or software upgrade into the asset and configuration databases immediately on completion, rather than relying on a later manual inventory. Here are some considerations:

 

MONITORING AND DETECTION OUTSIDE YOUR NETWORK PERIMETER

Traditional datacenter and IT security focused on monitoring for threats and attacks against the private network, the datacenter, and everything inside your perimeter. Cloud providers should increase the radius of monitoring and detection to find threats before they ever reach your network. Here are some things to keep in mind:

 

CONSOLIDATED DATA IN THE CLOUD

Many customers are concerned that data consolidated and hosted in the cloud might be less secure. The truth is that having centralized cloud services hosted by a cloud provider or your own IT organization enables a consolidation of all the top-level security personnel and security tools. Most organizations would rather have this concentration of expertise and security tools than a widely distributed group of legacy or mediocre tools and skillsets. Here are some considerations:

 

CONTINUOUS MONITORING

As soon as new systems are brought online and added to the asset and configuration management databases (as described earlier), the security management systems should immediately be triggered to launch system scans and begin routine monitoring. There should be little or no delay between a new system being provisioned in the cloud and the start of security scans and continuous monitoring. Monitoring of the automated provisioning, customer orders, system capacity, system performance, and security is critical in a 24-7, on-demand cloud environment. Here are some considerations:

 

There are three key tenets of continuous monitoring:

 

1) Aggregate diverse data

Combine data from multiple sources generated by different products/vendors and organizations in real time.

 

2) Maintain real-time awareness

Use real-time dashboards to identify and track statistics and attacks. Use real-time alerting for anomalies and system changes.

 

3) Create real-time data searches

Develop and automate searches across otherwise unrelated datasets to identify the IP addresses from which attacks originate. Transform the data into actionable intelligence: once analysis has identified the specific hostile addresses, block the traffic from them.
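The three tenets above are one pipeline: normalize events from unrelated sources into a common shape, correlate them by source address, and turn the result into a block list. The following is an added example, not code from the original text, that runs that pipeline over three constructed log excerpts (a firewall syslog, a web access log, and an SSH auth log). The log formats, field names, and the two correlation thresholds are assumptions for the example; production logs and thresholds will differ.

```python
"""Aggregate diverse logs, correlate by source IP, emit a block list (added example).

Sample log lines below are constructed for the example and are not real traffic.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# --- Constructed sample data from three unrelated products --------------------
FIREWALL_LOG = """\
Mar 10 14:02:11 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.1.20 PROTO=TCP DPT=22
Mar 10 14:02:12 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.1.20 PROTO=TCP DPT=3389
Mar 10 14:02:20 fw01 kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=10.0.1.30 PROTO=TCP DPT=443
Mar 10 14:02:25 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.1.20 PROTO=TCP DPT=23
"""
WEB_LOG = """\
198.51.100.7 - - [10/Mar/2024:14:02:13 +0000] "GET /wp-login.php HTTP/1.1" 404 512
198.51.100.7 - - [10/Mar/2024:14:02:14 +0000] "GET /.env HTTP/1.1" 404 512
192.0.2.44 - - [10/Mar/2024:14:02:21 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.44 - - [10/Mar/2024:14:02:22 +0000] "GET /favicon.ico HTTP/1.1" 404 200
"""
AUTH_LOG = """\
Mar 10 14:02:15 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 10 14:02:30 web01 sshd[2212]: Accepted publickey for deploy from 10.0.9.5 port 40111 ssh2
Mar 10 14:02:31 web01 sshd[2213]: Failed password for root from 203.0.113.9 port 40112 ssh2
"""

FW_RE = re.compile(r"kernel: (?P<action>DROP|ACCEPT) .*?SRC=(?P<ip>\S+) .*?DPT=(?P<port>\d+)")
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
AUTH_RE = re.compile(r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalized into (tenet 1: aggregate)."""
    source: str
    ip: str
    hostile: bool
    detail: str


def parse_firewall(text: str) -> List[Event]:
    out = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            out.append(Event("firewall", m["ip"], m["action"] == "DROP", f"{m['action']} dpt={m['port']}"))
    return out


def parse_web(text: str) -> List[Event]:
    out = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            # 4xx/5xx responses are treated as hostile indicators; a single one is weak evidence.
            out.append(Event("web", m["ip"], int(m["status"]) >= 400, f"{m['status']} {m['req']}"))
    return out


def parse_auth(text: str) -> List[Event]:
    out = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            out.append(Event("auth", m["ip"], m["result"] == "Failed", f"{m['result']} for {m['user']}"))
    return out


def aggregate() -> List[Event]:
    return parse_firewall(FIREWALL_LOG) + parse_web(WEB_LOG) + parse_auth(AUTH_LOG)


def correlate(events: List[Event], min_sources: int = 2, min_events: int = 5) -> Dict[str, dict]:
    """Tenet 3: search across datasets. An IP is flagged when it is hostile in at
    least `min_sources` unrelated datasets, or generates `min_events` hostile events
    in total. A single 404 from an otherwise clean client is not enough."""
    by_ip: Dict[str, dict] = defaultdict(lambda: {"sources": set(), "hostile_events": 0, "details": []})
    for e in events:
        if not e.hostile:
            continue
        rec = by_ip[e.ip]
        rec["sources"].add(e.source)
        rec["hostile_events"] += 1
        rec["details"].append(f"{e.source}: {e.detail}")
    flagged = {}
    for ip, rec in by_ip.items():
        if len(rec["sources"]) >= min_sources or rec["hostile_events"] >= min_events:
            flagged[ip] = {"sources": sorted(rec["sources"]),
                           "hostile_events": rec["hostile_events"],
                           "details": rec["details"]}
    return flagged


def block_list(flagged: Dict[str, dict]) -> List[str]:
    """Actionable output: the addresses to feed to the firewall or WAF."""
    return sorted(flagged)


if __name__ == "__main__":
    hits = correlate(aggregate())
    for ip in block_list(hits):
        print(ip, hits[ip]["sources"], hits[ip]["hostile_events"])
```

In the sample, 198.51.100.7 is flagged because it is hostile in all three datasets, 203.0.113.9 because it appears in two, and 192.0.2.44 is left alone because its one 404 is the only evidence against it. For tenet 2 (real-time awareness) the same parse and correlate functions run over a streaming tail of the logs with a sliding time window rather than over static files.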

 

DENIAL-OF-SERVICE PLAN

Denial-of-Service (DoS) attacks are so common that it is a matter of when and how often, not if, your cloud is attacked. Here are some recommendations:

 

GLOBAL THREAT MONITORING

Consider implementing security tools, firewalls, and intrusion detection systems that subscribe to a reputable worldwide threat management service. These services detect new attacks, including exploitation of previously unknown (zero-day) vulnerabilities, as they begin somewhere across the globe, and then push the signature, indicator, or mitigation for that threat to all subscribers. Subscribers are therefore protected against the attack before it is attempted against their specific network, with the caveat that the protection is only as current as the feed and the devices that consume it; an indicator that has not yet propagated, or a device that has not yet applied it, provides no protection. These services employ some of the world's best security experts to identify and mitigate threats, and few individual cloud providers or consuming organizations can afford that quantity and level of skill on their own.

 

CHANGE CONTROL

Legacy change control processes need to evolve in an automated cloud environment. When a new cloud service is ordered and automated provisioning completes, an automated process should also create and process the change record, and that record should feed security operations monitoring as well. Here are some recommendations:
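The asset and configuration management, continuous monitoring, and change control sections above describe a single automated step: when the cloud management platform reports that provisioning has completed, the new asset is registered, a change record is created, and monitoring starts, with no manual gate in between. The following is an added example, not code from the original text, that implements that step and adds the check a practitioner would want afterwards: a reconciliation of the asset database against what the cloud platform actually reports running, so that anything provisioned outside the automation shows up. The event shape, the in-memory stores, and the certified-image list are assumptions; in a real deployment the same hook would call the asset, change-control, and scanner APIs.

```python
"""Provisioning hook: register, record the change, enroll in monitoring, reconcile (added example).

The in-memory dictionaries stand in for the asset DB, configuration DB, change-control
log and scanner queue. Event fields and certified image names are assumptions.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ProvisionEvent:
    """Completion event emitted by the cloud management platform (assumed shape)."""
    order_id: str
    tenant: str
    asset_id: str
    asset_type: str       # "vm", "app" or "upgrade"
    image: str            # template or image the asset was built from
    ip: str
    requested_by: str


class SecurityRegistry:
    def __init__(self, certified_images: Iterable[str]):
        self.certified_images = set(certified_images)
        self.assets: Dict[str, dict] = {}        # asset database
        self.configs: Dict[str, str] = {}        # configuration DB: asset_id -> fingerprint
        self.changes: List[dict] = []            # change-control log
        self.scan_queue: List[dict] = []         # scanner / continuous-monitoring enrollment

    @staticmethod
    def fingerprint(record: dict) -> str:
        """Stable hash of the recorded configuration, compared later to detect drift."""
        return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

    def on_provisioned(self, ev: ProvisionEvent) -> dict:
        """One automated step, no manual approval, everything recorded."""
        record = asdict(ev)
        self.assets[ev.asset_id] = record                     # 1. asset DB
        self.configs[ev.asset_id] = self.fingerprint(record)  #    configuration DB
        # 2. Change record. A pre-certified image is approved by policy; anything
        #    else is still provisioned but flagged for security operations.
        certified = ev.image in self.certified_images
        change = {
            "change_id": f"CHG-{len(self.changes) + 1:05d}",
            "order_id": ev.order_id,
            "asset_id": ev.asset_id,
            "image": ev.image,
            "status": "approved-automated" if certified else "flagged-uncertified-image",
        }
        self.changes.append(change)
        # 3. Monitoring begins immediately, not after a later audit.
        self.scan_queue.append({"asset_id": ev.asset_id, "ip": ev.ip,
                                "first_scan": "now", "cadence": "daily"})
        return change

    def has_drifted(self, asset_id: str, current: dict) -> bool:
        """True when the live configuration no longer matches what was recorded."""
        return self.configs.get(asset_id) != self.fingerprint(current)

    def reconcile(self, discovered_ids: Iterable[str]) -> Dict[str, List[str]]:
        """Compare the asset DB with the live inventory the cloud platform reports.
        'unregistered' assets are running but bypassed the automation;
        'stale' assets are recorded but no longer exist."""
        live = set(discovered_ids)
        known = set(self.assets)
        return {"unregistered": sorted(live - known), "stale": sorted(known - live)}


def demo() -> SecurityRegistry:
    """Provision two VMs (constructed events), one from a certified image and one not."""
    reg = SecurityRegistry(certified_images=["ubuntu-22.04-hardened-v7", "win2022-cis-v3"])
    reg.on_provisioned(ProvisionEvent("ORD-1001", "acme", "vm-0a1b", "vm",
                                      "ubuntu-22.04-hardened-v7", "10.0.1.20", "alice"))
    reg.on_provisioned(ProvisionEvent("ORD-1002", "acme", "vm-0c2d", "vm",
                                      "custom-unreviewed", "10.0.1.21", "bob"))
    return reg


if __name__ == "__main__":
    registry = demo()
    for change in registry.changes:
        print(change["change_id"], change["asset_id"], change["status"])
    # Constructed live inventory: includes a VM nobody registered.
    print(registry.reconcile(["vm-0a1b", "vm-0c2d", "vm-9999"]))
```

The uncertified image is not blocked, because blocking would reintroduce the manual gate; it is provisioned, recorded, and flagged so that security operations sees it at once. The reconciliation result is the control that catches provisioning done around the automation.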

 

 
