Cloud service providers do provide some security for your applications and data, but under the shared responsibility model you share that work with them. The provider secures the underlying infrastructure; you remain responsible primarily for managing access to your cloud resources and for maintaining the security of your applications and their configuration.
Having responsibility for two things may not sound like much work, but it is quite a challenge. The following are the essentials of cloud security.
Managing access to cloud resources
Access to cloud resources involves several types of security precautions:
- Protecting your local devices from malware. An infected device can give attackers a foothold on your local network and, from there, on your cloud services. A compromised device can also leak the credentials, session tokens, and saved passwords stored on it, which can then be used to sign in to your cloud accounts.
- User account control limits who has access to your resources. There are several strategies for managing who can connect to your applications and data, but the guiding principle should be to trust no one by default. This concept is known as zero trust: every request is verified, and access is granted only to those who have a legitimate need for that specific resource. A well-managed access system therefore weighs the risk of both the user and the resource being accessed. Such systems can even control the time of day that access is allowed, restricting it to hours when someone could reasonably be expected to need it.
Here are some ways you can get started along the path to better managed cloud access:
- Employ a network discovery tool. With environments changing by the second as mobile devices, IoT gadgets, desktops, and remote networks connect and disconnect, it is not possible for people to track manually what is connected. Discovery tools make this inventory possible.
- Use a configuration management database (CMDB) to keep track of the devices your discovery system finds. It also tracks where your data resides and which users access your cloud resources, and it records who is responsible for a resource when it fails or begins operating outside its normal parameters.
- Create a risk assessment. Every configuration item (CI) in your CMDB has a level of risk associated with it. Assign risk levels based on how your business would be affected if that item stopped working, were stolen, or were encrypted by ransomware. People also need a risk profile: for example, employees might be trusted more than vendors who have access to your cloud resources. Risk assessments allow you to automate how systems such as user account management control access to your resources.
- Consider employing AIOps, the use of machine learning to manage network operations. Drawing on data from logs, tracking systems, user account management systems, and more, the AI creates and manages alerts. Alert handling can be automated to reduce the number of mundane tasks, such as adding disk space when a drive fills up. Alert management can also group related alerts intelligently so that your network operators are not overwhelmed by floods of them; alerts are grouped by their most likely cause, and AIOps systems then recommend solutions based on how similar problems were solved in the past.
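The following is an added example, not code from the original article or from any product it mentions, showing how the zero-trust and risk-assessment ideas above combine into an automated access decision: the device's malware status, the user's risk profile, the CMDB configuration item's risk level and its allowed access window are all checked on every request. The role scores, the risk thresholds, the field names and the sample users, devices and configuration items are all constructed assumptions chosen to illustrate the policy.

```python
"""Risk-based access decision, added as a worked example.

Everything below is constructed: the role risk scores, the CI risk levels,
the thresholds and the sample principal/device/CI objects are assumptions
chosen to illustrate the policy, not a real product's API.
"""
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

# Hypothetical per-role risk scores (higher = riskier), from the people risk profile.
ROLE_RISK = {"employee": 1, "contractor": 2, "vendor": 3}
UNKNOWN_ROLE_RISK = 3          # an unrecognised role is treated like a vendor
MAX_COMBINED_RISK = 6          # hypothetical threshold for user risk + resource risk


@dataclass(frozen=True)
class ConfigurationItem:
    """A CMDB configuration item with the fields the text mentions."""
    name: str
    risk_level: int                                    # 1 (low) .. 5 (critical) from the risk assessment
    owner: str                                         # who is responsible when it misbehaves
    access_window: Optional[Tuple[time, time]] = None  # allowed (start, end) local time; None = any time


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # enrolled in device management, so its configuration is known
    malware_clean: bool  # result of the last endpoint scan


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def in_window(now: time, window: Optional[Tuple[time, time]]) -> bool:
    """True if `now` falls inside the window; windows may wrap past midnight."""
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def decide(principal: Principal, device: Device, ci: ConfigurationItem, now: time) -> Decision:
    """Evaluate one access request. Zero trust: nothing is assumed from network
    location; the device, the user, the resource and the time are checked every time."""
    if not device.malware_clean:
        return Decision(False, "device failed its malware check")
    if not device.managed and ci.risk_level >= 3:
        return Decision(False, "unmanaged device may not reach medium- or high-risk resources")
    if not in_window(now, ci.access_window):
        return Decision(False, "request is outside the resource's access window")
    if ci.risk_level >= 4 and not principal.mfa_verified:
        return Decision(False, "MFA required for high-risk resources")
    combined = ROLE_RISK.get(principal.role, UNKNOWN_ROLE_RISK) + ci.risk_level
    if combined > MAX_COMBINED_RISK:
        return Decision(False, f"combined risk {combined} exceeds threshold {MAX_COMBINED_RISK}")
    return Decision(True, "allowed")


# Constructed sample data.
PAYROLL_DB = ConfigurationItem("payroll-db", risk_level=4, owner="finance-oncall",
                               access_window=(time(7, 0), time(19, 0)))
MARKETING_SITE = ConfigurationItem("marketing-site", risk_level=2, owner="web-team")
LAPTOP = Device("lt-0042", managed=True, malware_clean=True)
BYOD = Device("byod-17", managed=False, malware_clean=True)

if __name__ == "__main__":
    for who in (Principal("alice", "employee", True), Principal("vendor-bob", "vendor", True)):
        print(who.user, "->", PAYROLL_DB.name, decide(who, LAPTOP, PAYROLL_DB, time(10, 0)))
```

Every denial carries a reason, which is what an access log and the people on the CI's owner list need when a legitimate request is refused; an unknown role is scored as a vendor so that a missing profile fails closed rather than open.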
Maintaining network and application security
Hacking user accounts to break into networks is not the only way attackers exploit your cloud systems. One of the most common is taking advantage of misconfigured networks and services. The number of configuration possibilities in a complex cloud environment is staggering. In the virtualized environment of the cloud, where applications run in containers or on virtual machines, each of these environments has its own configuration settings. To manage this complexity, Configuration as Code (CaC) lets you define these settings in version-controlled files and apply them automatically.
Configuration as Code can just as easily propagate a misconfiguration everywhere when the settings in the code are wrong. Test these settings, ideally with automated checks in your deployment pipeline, before putting the code into production.
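As an added example (not code from the original article or from any tool it names), here is the kind of pre-production check the paragraph above calls for: a small scanner that reads configuration-as-code resources and refuses to deploy when it finds common cloud misconfigurations. The resource format, the rule identifiers, the list of management ports and both sample configurations are constructed for illustration; the weak configuration is shown beside its corrected form.

```python
"""Pre-deployment checks for configuration-as-code settings, added example.

The config format, rule ids and sample resources are constructed for
illustration; the checks mirror common cloud misconfigurations (management
ports open to the internet, public or unencrypted storage, public databases).
"""
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, List

MANAGEMENT_PORTS = {22, 3389, 3306, 5432}   # SSH, RDP, MySQL, PostgreSQL (assumed list)


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    message: str


def open_to_internet(cidr: str) -> bool:
    """A /0 prefix (0.0.0.0/0 or ::/0) matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_ports(rule: Dict[str, Any]) -> List[int]:
    """Management ports that fall inside the rule's port range."""
    lo, hi = rule["from_port"], rule["to_port"]
    return sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)


def check_security_group(res: Dict[str, Any]) -> List[Finding]:
    findings = []
    for rule in res.get("ingress", []):
        if open_to_internet(rule["cidr"]):
            for port in exposed_ports(rule):
                findings.append(Finding(res["name"], "SG001", f"port {port} open to {rule['cidr']}"))
    return findings


def check_bucket(res: Dict[str, Any]) -> List[Finding]:
    findings = []
    if res.get("public_read"):
        findings.append(Finding(res["name"], "BKT001", "bucket allows public read"))
    if not res.get("encryption", False):
        findings.append(Finding(res["name"], "BKT002", "bucket is not encrypted at rest"))
    return findings


def check_database(res: Dict[str, Any]) -> List[Finding]:
    findings = []
    if res.get("publicly_accessible"):
        findings.append(Finding(res["name"], "DB001", "database is publicly accessible"))
    if not res.get("storage_encrypted", False):
        findings.append(Finding(res["name"], "DB002", "database storage is not encrypted"))
    return findings


CHECKS = {"security_group": check_security_group,
          "storage_bucket": check_bucket,
          "database": check_database}


def check_config(config: Dict[str, Any]) -> List[Finding]:
    findings: List[Finding] = []
    for res in config["resources"]:
        check = CHECKS.get(res["type"])
        if check is None:
            # Fail closed: a resource type nobody has written checks for is itself a finding.
            findings.append(Finding(res["name"], "GEN001", f"no checks defined for type {res['type']}"))
            continue
        findings.extend(check(res))
    return findings


def deploy_gate(config: Dict[str, Any]) -> bool:
    """True only when the configuration has no findings and may go to production."""
    return not check_config(config)


# Constructed sample: the weak configuration and its corrected form.
BAD_CONFIG = {"resources": [
    {"type": "security_group", "name": "web-sg", "ingress": [
        {"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        {"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},      # SSH open to the world
    ]},
    {"type": "storage_bucket", "name": "reports", "public_read": True, "encryption": False},
    {"type": "database", "name": "orders-db", "publicly_accessible": True, "storage_encrypted": True},
]}
GOOD_CONFIG = {"resources": [
    {"type": "security_group", "name": "web-sg", "ingress": [
        {"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},    # public HTTPS is intended
        {"from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},     # SSH only from the internal range
    ]},
    {"type": "storage_bucket", "name": "reports", "public_read": False, "encryption": True},
    {"type": "database", "name": "orders-db", "publicly_accessible": False, "storage_encrypted": True},
]}

if __name__ == "__main__":
    for f in check_config(BAD_CONFIG):
        print(f"{f.rule} {f.resource}: {f.message}")
    print("bad config deployable:", deploy_gate(BAD_CONFIG), "| good config deployable:", deploy_gate(GOOD_CONFIG))
```

Running `deploy_gate` as a required step of the pipeline is what turns "test these settings" into something that cannot be skipped; note that the check deliberately leaves port 443 alone, since a public web port is an intended exposure, and flags only the management ports.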
Beyond misconfigurations, applications running in the cloud can have bugs that attackers exploit to gain control of the data they manage, or even of the network on which the application runs.
DevOps is a development methodology that allows for continuous planning, development, testing, and release of applications in an agile manner. The testing stage is normally automated, catching bugs and weak code before applications are released; adding security tests to that stage (often called DevSecOps) catches misconfigurations and vulnerable dependencies at the same point. Monitoring after release surfaces problems early, ideally before they are exploited.
Where to go for more information
There are hundreds of organizations and groups focused on improving cloud security. Finding local groups and getting involved gives you support in keeping up with the rapidly changing world of information security and how it affects the security of your cloud resources. Some of the best resources to monitor for the latest security updates are:
Cloud Security Alliance: This non-profit alliance is dedicated to defining and raising awareness of best practices to ensure a secure cloud computing environment.
National Institute of Standards and Technology (NIST): This U.S. government agency publishes the Cybersecurity Framework and related guidance for information security, giving you a guide for implementing your own security measures.