• Security in the Cloud Part I

  • Security in the Cloud can be difficult for some organizations to understand. There are security benefits to moving to cloud architectures, but there are also risks organizations should be aware of.

    Moving to the cloud doesn’t automatically mean more “security”. One of the problems here is that a lot of organizations perceive security as “not being able to get hacked”, and there’s much more to it than that.

    A good basic approach to increasing security using an industry standard framework is the Center for Internet Security’s Top 20 Controls, or the CIS Controls as they’re called.

    In this 3 part series I’ll cover a few of the Top 20 Controls and the cloud considerations that go with them.

    Inventory and Control of Hardware Assets

    While there is no actual hardware in the cloud from an organizational perspective, asset inventory and control of those assets is still a major consideration. It’s easy to create multiple virtual machine instances, applications, and other cloud resources that are difficult to track.

    Undocumented assets can be the result of development initiatives, testing, or a rogue administrator. Undocumented assets can mean unpatched vulnerabilities in your cloud systems or increased billing costs.

    Take the time to document your cloud assets, and implement an approval process and a tracking procedure so that new assets don’t appear without your knowledge.

    Inventory and Control of Software Assets

    Security in the cloud also means keeping track of the software you deploy on your virtual machines. Unauthorized software can lead to vulnerabilities that can be exploited or unexpected licensing costs.

    It’s a good idea to integrate your software and hardware asset inventories to get a better picture of your cloud assets. You also want to consider segregating the systems that run business-critical or high-risk applications.

    Continuous Vulnerability Management for Security in the Cloud

    Security in the cloud doesn’t absolve you from vulnerability management. Systems still need to be patched and updated on a regular basis as part of your ongoing vulnerability management program.

    Continuous vulnerability management includes:

    • Running automated vulnerability scanning tools
    • Performing authenticated vulnerability scanning
    • Protecting dedicated assessment accounts
    • Deploying automated operating system and software patch management tools
    • Comparing successive vulnerability scans to verify that findings have been remediated
    • Utilizing a risk-rating process to prioritize vulnerability management

    This can be more challenging in a cloud environment because of the scanning that needs to take place against infrastructure you don’t fully control. You may need to coordinate with the cloud service provider or allocate and configure systems specifically for this purpose.

    Controlled Use of Administrative Privileges

    This is an area we see a lot of organizations failing at. Not all your users should have administrative access to your cloud service provider. You should be carefully documenting the administrative accounts and tracking the changes those accounts make.

    Other considerations are:

    • Change default passwords
    • Use unique passwords
    • Enable and use multi-factor authentication
    • Use dedicated machines for all administrative tasks
    • Limit access to scripting tools
    • Log and alert on changes to administrative group membership
    • Log and alert on unsuccessful administrative account logins

    Monitoring Security in the Cloud

    This one is extremely important regardless of where your assets reside. Without the appropriate logging, monitoring and alerting you can’t tell when bad things are happening.

    Considerations for this include:

    • Use three different synchronized time sources
    • Activate audit logging
    • Enable detailed logging
    • Make sure you have enough storage for the logs
    • Centralize your log management
    • Deploy a SIEM or User Behavior Analytics tool
    • Regularly review the logs
    • Regularly tune your SIEM or User Behavior Analytics tools
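    The two “log and alert” items under administrative privileges, and the log review and SIEM tuning items above, come down to detection logic run over your centralized audit log. The following is an added example (not from the original post or any particular provider) that runs two such rules over a constructed, generic JSON-lines audit log: alert on any membership change to an administrative group, and alert when an admin account accumulates repeated failed logins within a short window. The event field names, the group name and the thresholds are assumptions for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a generic JSON-lines shape.
# Field names (ts, event, actor, target, group, action, role, result) are
# assumed for this example and are not any specific provider's format.
SAMPLE_LOG = """
{"ts":"2024-03-01T09:00:00Z","event":"GroupMembershipChanged","actor":"alice","target":"bob","group":"CloudAdmins","action":"add"}
{"ts":"2024-03-01T09:01:00Z","event":"ConsoleLogin","actor":"bob","role":"admin","result":"failure"}
{"ts":"2024-03-01T09:01:30Z","event":"ConsoleLogin","actor":"bob","role":"admin","result":"failure"}
{"ts":"2024-03-01T09:02:00Z","event":"ConsoleLogin","actor":"bob","role":"admin","result":"failure"}
{"ts":"2024-03-01T09:30:00Z","event":"ConsoleLogin","actor":"carol","role":"user","result":"failure"}
{"ts":"2024-03-01T10:00:00Z","event":"ConsoleLogin","actor":"dave","role":"admin","result":"success"}
"""

ADMIN_GROUPS = {"CloudAdmins"}          # assumed name of the privileged group
FAILED_LOGIN_THRESHOLD = 3              # failures before an alert fires
WINDOW = timedelta(minutes=5)           # sliding window for counting failures


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events):
    """Return (rule, actor, detail) tuples for the two admin-privilege rules."""
    alerts = []
    failures = defaultdict(list)  # actor -> timestamps of recent failed admin logins
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort lexically
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if e["event"] == "GroupMembershipChanged" and e["group"] in ADMIN_GROUPS:
            # Rule 1: any change to an administrative group is worth an alert
            alerts.append(("admin_group_change", e["actor"],
                           f'{e["action"]} {e["target"]} to {e["group"]}'))
        elif (e["event"] == "ConsoleLogin" and e.get("role") == "admin"
              and e["result"] == "failure"):
            # Rule 2: keep only failures inside the window, then check the count
            recent = [t for t in failures[e["actor"]] if ts - t <= WINDOW] + [ts]
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("admin_login_failures", e["actor"],
                               f"{len(recent)} failures within {WINDOW}"))
                recent = []  # reset after alerting so one burst fires once
            failures[e["actor"]] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

    The non-admin failure (carol) and the successful admin login (dave) produce no alert, which is the kind of tuning the last bullet refers to.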

    Check back next week for part 2 of this 3 part series on Cloud Security!