Cloud Security Best Practices
PRESENTED BY CLOUDRIDE
© 2020 | CLOUDRIDE.CO.IL | HELLO@CLOUDRIDE.CO.IL
TABLE OF CONTENTS
UNDERSTAND YOUR SECURITY POSTURE/STATUS
Employee education on cloud security
Your current security process
Documentation for the incident response process
Your most critical data
CLOUD SECURITY BEST PRACTICES
1. Enable single sign-on (SSO)
2. Turn on conditional access
3. Proactively monitor your cloud infrastructure for threats
4. Adopt multi-factor authentication (MFA)
5. Gain visibility into your cloud environment
6. Educate your employees
7. Audit and Optimize
8. Monitor File Integrity
9. Disable SSH/RDP Access to virtual machines
10. Implement data encryption
11. Utilize intrusion detection and prevention technologies
12. Conduct Audits and run penetration testing
13. Secure the endpoints
14. Develop a safe list
15. Start with low-risk assets
15 Cloud Security Best Practices to secure your cloud infrastructure.
Whether you’ve migrated to the cloud or are thinking of
migrating your infrastructure, security is and should
always be your top priority.
Most organizations think security solely lies with the
cloud vendors but more often than not, it isn’t the case.
It’s your responsibility to exert all necessary measures to
protect your data, applications, systems and networks.
Alongside all the benefits cloud computing has to offer,
it also presents new security challenges; from increased
complexity straining the IT staff to challenging security
control on multi-cloud environments. 
This eBook will delve into how you can understand your
security posture, best practices for cloud security, who is
responsible for cloud security and how Cloudride can
help in securing your data and protecting your systems
and networks from security threats.
UNDERSTAND YOUR SECURITY POSTURE/STATUS.
Your security posture should tie directly to your company’s objectives,
business, scaling needs and expansion, so that you can know the true
evaluation of your security status.
Below are points you should consider to determine and understand your
security posture.
Employee education on cloud security
Is the company staff aware of and conversant with the basic security
measures in place, the reasons why, the do’s & don’ts and the importance
of maintaining such security best practices? Your staff is more likely to
alert the IT team when something seems off, especially when they
understand the security basics and security measures implemented. The
IT team should seek to educate all staff on cloud security and build a
security culture in the company.
Your current security process
Does your current security process prove to be effective in securing your
cloud infrastructure? Conduct an audit to measure the effectiveness of
the security process and the various security controls. Assess and
reassess security threats and implications, and test your security controls’
resilience to such potential risks.
Documentation for the incident response process
Do you have a well-documented incident response process? In any
organization running on the cloud, at some point, an incident will occur.
If it does, there should be a process put in place for detection, response,
mitigation, elimination and education.
Your most critical data
The IT and security team should have in place a clear data vulnerability
hierarchy, specifying which data is of top importance (security-wise) to
the business. Data such as client information and intellectual property
are usually a top priority in protecting the business against security
threats.
After understanding your security posture, you can then implement cloud
security best practices.
CLOUD SECURITY BEST PRACTICES.
To ensure your cloud environment and workloads are secure, make sure the
following measures are in place:
1. Enable single sign-on (SSO)
One of the main causes of breaches is compromised credentials. The
more passwords we have - the less complex they tend to be. This is
natural because with multiple passwords, it becomes more and more
difficult to remember so we tend to start using weak passwords and
reusing passwords across different applications. This makes your cloud
workloads susceptible to security threats.
Once you establish the SSO, your users can access the resources and data
they need without having to remember a ton of passwords for each
application or service they need to use.
In addition, SSO enables you to control and manage employee access to
specific resources or data, based on the employee’s role, ‘need-to-know’
and other criteria you have in place.
Organizations using Microsoft Azure can enable SSO through Azure AD, and
businesses on AWS can enable it through the AWS SSO Console.
Organizations that don’t enable SSO run the risk of a breach, because
users reuse common passwords across all applications and choose weak
passwords which can easily be compromised.
2. Turn on conditional access
Employees not only bring their personal devices to work but also use the
devices to access the organization’s resources. The same devices would,
later on, be installed with personal apps.
The problem arises when the non-monitored devices don’t meet your
security standards and the organization’s data is compromised.
Identity access control measures (i.e. monitoring who is accessing
resources) aren’t enough. It is imperative for you to know how the
resources are accessed in order to secure your workloads.
Through Azure Active Directory and AWS Identity and Access
Management, you can make automated control decisions based on
conditions for accessing your cloud resources.
3. Proactively monitor your cloud infrastructure for threats
Security solutions used to be reactive in nature, but with the rise of more
complex attacks and the increase in sensitive data & resources stored on
the cloud, IT managers, DevOps engineers, Site Reliability engineers and
developers need to be proactive: implementing security best practices to
avoid risk, and detecting anomalies early on, before they spread to
compromise your entire cloud infrastructure.
Most hackers sit on your system for days or even months gathering
intelligence to attack your system and steal your data undetected. This
brings about the need to actively monitor your system and infrastructure
to identify suspicious activities and malware in the system before they
take hold.
For businesses on Microsoft Azure, you can implement the following
monitoring measures:
- Run Azure AD anomaly reports on a daily basis or on-demand to identify
  brute force attacks on an account, attempts of signing in from multiple
  locations, sign-ins from infected devices and suspicious IP addresses.
- Use Azure AD Identity Protection to protect your organization’s
  identities. Configure risk-based policies that respond to detected
  issues when a specific risk level is reached.
- Leverage Azure Monitor. It provides an analysis of how your applications
  are performing and proactively identifies issues that might affect the
  applications and services you use.
For those running their infrastructure on AWS, impose the following
monitoring measures:
- Use Amazon CloudWatch to detect suspicious activity in your
  environment, visualize logs, implement automated measures,
  troubleshoot issues and analyze insights of your applications, AWS
  resources and services.
- Leverage Amazon GuardDuty to identify malicious activity in your AWS
  account. Using information gleaned from your VPC Flow Logs, AWS
  CloudTrail Event Logs, and DNS logs, GuardDuty can detect many
  different types of dangerous and mischievous behavior including
  probes for known vulnerabilities, port scans and probes, and access
  from unusual locations.
Organizations that don’t monitor their infrastructure frequently run the
risk of compromising the security of their systems. Security attacks differ
from one to another, and there is no single cut & paste measure that,
having worked once, will work indefinitely. Without frequently
scanning, monitoring and managing these threats, organizations can’t be
in control and mitigate risk.
4. Adopt multi-factor authentication (MFA)
The conventional authentication techniques of solely using a username
and a password are insufficient in cloud environments, because the cloud
is susceptible to attacks.
The solution is, therefore, the implementation of MFA. The goal of MFA is
to provide an extra layer of security to make it challenging for an
unauthorized entity to access the network, applications, services or the
entire infrastructure.
MFA requires users to receive a security code on their phone or a
one-time password to use as opposed to just a username and password.
This will make it harder for hackers or unauthorized entities to gain
access to your cloud, as they won’t obtain the code or the one-time
password even when they have access to your standard credentials.
5. Gain visibility into your cloud environment.
To secure their cloud environment, organizations need to map their
entire infrastructure and know every application, service and piece of
data running on it, the ones running but not used, and all the authorized
users for each.
Organizations often obtain various cloud technologies, features or
applications they don’t necessarily need… some without collaboration
with the IT and security team. This will cause visibility & control issues in
your cloud environment, because it makes it difficult to track all the
assets running on your infrastructure.
In addition to that, as most organizations use containerized workloads,
many security and IT teams find it difficult to make sense of how
container technology works. So really your organization would be going
in blind when the IT team is left behind. The main point is that you can’t
secure what you can’t see.
So how do you get visibility and control over your infrastructure security?
Here are a few best practices you can implement.
- Have strong access control management in place. This would ensure no
  user is given more privileges than necessary and ends up misusing their
  access by breaching data from the inside. Constantly monitor user
  activity to ensure no deviation from the company policies.
- Protect your data at rest and in motion and implement data loss
  prevention (DLP) to ensure that, if data is compromised, it won’t get
  out of the network.
- Even the strongest of security measures sometimes can’t prevent all
  breaches, so at some point, a breach might occur. When it does, you
  must be prepared by putting in place processes and technologies to
  mitigate the risks and reduce the attack implications.
Maintaining strong visibility into your cloud is essential because you are
then able to protect your applications, critical data, workloads and
network from critical breaches.
6. Educate your employees
Successful cloud migration and smooth running of the workloads
without security issues depends, to some extent, on the capabilities of
the employees and how conversant they are with cloud infrastructure
environments.
The security processes, protocols and measures you set in place to
protect your cloud are useful only when your employees understand and
know how to implement and abide by them.
For instance, when implementing the single sign-on, you should educate
them on why it is important and how to use it.
In addition to that, they should also be able to identify the different types
of cyberattacks and various mitigation strategies, so they can be on the
lookout if they sense something is off.
Having an educated staff would ease the burden put on the security and
IT team trying to maintain strong visibility into the cloud environment,
because the staff would use only approved applications and services,
communicate detected anomalies and abide by protocols.
7. Audit and Optimize
An important cybersecurity best practice is to constantly audit and
optimize your posture and infrastructure.
The frequency of the audits depends on the complexity of your cloud
environment. It can be daily, weekly or monthly but be sure to audit your
cloud security frequently enough and consistently.
An audit would shed light on the unapproved applications and services
that crop up and pose a risk to your cloud posture and environment. It
also shows where your environment is more vulnerable and susceptible
to threats.
8. Monitor File Integrity
As you are well aware, there is a great number of sophisticated threats
targeting organizations, and it’s only a matter of time until a breach of
some sort occurs.
Cloud threats attack key assets of an organization in an attempt to
progress undetected towards the system control and critical data.
File integrity monitoring provides a layer of defense to identify suspicious
changes in system files and prevents attacks from occurring before they
cause critical damage.
File integrity monitoring tools analyze current file attributes and
compare these to the baseline, aiming to identify any suspicious
changes.
9. Disable SSH/RDP Access to virtual machines.
Virtual machines are accessed by using Remote Desktop Protocol and
the Secure Shell Protocol. These protocols enable the management of
virtual machines from remote locations and are standard in cloud
computing.
The main security concern of using these protocols over the internet is
that attackers can attack your virtual machines using brute-force
techniques. They’ll then use the compromised virtual machine as a
launch point to infiltrate other virtual machines on your virtual network.
Disabling access from RDP and SSH to these virtual machines over the
internet will secure your virtual network from such attacks.
Below are some alternative ways you can access your virtual machines
for remote management.
- Use a point-to-site VPN, also referred to as a remote access VPN
  server connection. A user can use SSH or RDP to connect to any virtual
  machine that the user can access via the point-to-site VPN.
- Use a site-to-site VPN. It connects an entire network to another
  network through the internet. You can connect your on-premise network
  to your virtual network, then users can access your virtual machines
  through RDP and SSH over the site-to-site VPN without the need to allow
  direct access of RDP and SSH over the internet.
Using alternatives to accessing virtual machines over the internet other
than using RDP and SSH would provide an extra layer of security to your
cloud infrastructure.
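One way to check for the exposure described in practice 9, as an added example that is not part of the original eBook: it audits inbound firewall rules for SSH (22) and RDP (3389) reachable from sources outside the VPN ranges. The rule layout follows the `IpPermissions` shape returned by AWS `describe-security-groups`; the group IDs, CIDRs and `TRUSTED_SOURCES` are constructed assumptions.

```python
import ipaddress

MGMT_PORTS = {22: "SSH", 3389: "RDP"}

# Assumption: address pools handed out by the point-to-site and
# site-to-site VPNs. Replace with your own ranges.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.8.0.0/16"),
    ipaddress.ip_network("192.168.10.0/24"),
]

# Constructed sample in the shape of describe-security-groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-admin-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.8.0.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "192.168.10.0/24"}]},
    ]},
    {"GroupId": "sg-legacy-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]


def _covers(perm, port):
    """True if the rule's protocol and port range include the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    low, high = perm.get("FromPort"), perm.get("ToPort")
    return low is not None and high is not None and low <= port <= high


def _sources(perm):
    """Yield every IPv4 and IPv6 source CIDR attached to the rule."""
    for entry in perm.get("IpRanges", []):
        yield entry["CidrIp"]
    for entry in perm.get("Ipv6Ranges", []):
        yield entry["CidrIpv6"]


def _trusted(cidr):
    """True only if the whole source range sits inside a trusted VPN range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t)
               for t in TRUSTED_SOURCES)


def audit(groups):
    """Return (group id, service, source CIDR) for each exposed management port."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for port, service in MGMT_PORTS.items():
                if not _covers(perm, port):
                    continue
                for cidr in _sources(perm):
                    if not _trusted(cidr):
                        findings.append((group["GroupId"], service, cidr))
    return findings


if __name__ == "__main__":
    for group_id, service, cidr in audit(SAMPLE_GROUPS):
        print(f"{group_id}: {service} reachable from {cidr}")
```

Wide port ranges and all-protocol rules are the cases a search for "port 22" alone misses, which is why the check tests range coverage rather than exact port matches.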
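The baseline comparison described under practice 8 (Monitor File Integrity), as an added example that is not part of the original eBook: it records size, permission bits and a SHA-256 digest per file, then reports what changed. The directory tree and file names in `demo()` are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Record size, permission bits and SHA-256 for each regular file under root."""
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if not stat.S_ISREG(info.st_mode):
                continue  # symlinks and special files are out of scope here
            digest = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            state[rel] = {
                "sha256": digest.hexdigest(),
                "size": info.st_size,
                "mode": stat.S_IMODE(info.st_mode),
            }
    return state


def compare(baseline, current):
    """Return sorted (path, finding) pairs for every deviation from the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "added"))
        elif new is None:
            findings.append((path, "removed"))
        else:
            if old["sha256"] != new["sha256"]:
                findings.append((path, "content changed"))
            if old["mode"] != new["mode"]:
                findings.append((path, "permissions changed"))
    return findings


def _write(root, rel, data, mode):
    """Helper for the demo: create a file with the given content and mode."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed tree: take a baseline, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", b"port=8080\n", 0o644)
        _write(root, "etc/motd", b"welcome\n", 0o644)
        _write(root, "bin/start.sh", b"#!/bin/sh\nexec app\n", 0o755)
        baseline = snapshot(root)

        # Same size as before, so a size-only check would miss this edit.
        _write(root, "etc/app.conf", b"port=9090\n", 0o644)
        os.chmod(os.path.join(root, "bin", "start.sh"), 0o777)
        os.remove(os.path.join(root, "etc", "motd"))
        _write(root, "bin/helper", b"#!/bin/sh\n", 0o755)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

In practice the baseline has to be stored where the monitored host cannot rewrite it; otherwise whoever changes the files can also change the record they are compared against.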
10. Implement data encryption
Data encryption is basically encoding your data so that it remains
inaccessible to unauthorized users. This means that even if your data is
accessed due to a security breach, it is useless to the attackers as they
won’t be able to read it.
Best practice is to encrypt your data both at rest, and in transit, because
most attacks happen on data that is being shared and on the move. Both
Azure and AWS offer SQL database transparent data encryption which
performs real-time encryption and decryption of the database, backups
and log files. It encrypts the entire database using a symmetric key.
Local encryption added to the encryption services offered by your cloud
provider would add an extra layer of security.
11. Utilize intrusion detection and prevention technologies
This is a reactive form of cloud security best practice. IDS and IPS
solutions identify an attack once it occurs, and take measures to stop the
attack. They also alert administrators to suspicious activities and policy
violations.
You can use the intrusion systems offered by your cloud provider in
conjunction with a comprehensive third-party IDS and IPS solution.
12. Conduct Audits and run penetration testing
Penetration testing determines whether your current cloud security
efforts are effective in protecting your data and workloads. This is
important because it shows you where your system is most vulnerable,
and you can then improve your security measures.
In parallel, conduct regular audits of your cloud security capabilities. This
includes an audit of your cloud provider’s capabilities in securing your
infrastructure and of whether they are meeting the security standards
required.
13. Secure the endpoints
To be more productive, organizations have granted access to data and
applications from anywhere, anytime and from any device.
The endpoint devices accessing your data complicate cloud security in
many ways, from the growing list of endpoint devices accessing the cloud,
which is susceptible to attacks and exposes the whole network, to the lack
of knowledge of the content of those endpoint devices.
If you’ve already put up measures such as intrusion detection and
prevention solutions, conditional access, antimalware and other
measures, then you have the right solutions in place.
But you still have to constantly be on the lookout for new threats that
might override your current security measures and optimize accordingly.
14. Develop a safe list
Employees conduct their work using various cloud services but there are
cases where they use the services for their personal gains. This might
bring about compromise in security and legal problems due to
compliance issues.
As such, developing a safe list as part of your security measures is vital.
This safe list would stipulate the services employees are allowed to
access through their cloud accounts, and make them aware of the type of
data which is allowed to be shared over the cloud.
15. Start with low-risk assets
As you migrate to the cloud, start with less sensitive data and
applications. Move items that would not cost much due to downtime and
data loss.
You would be vetting the reliability and capabilities of your cloud
provider in securing your assets. When you have vetted them and are
confident in their capabilities, you can move the high-risk assets such as
clients’ data.
Who is responsible for cloud security?
Within the field of cloud environments, there are generally two parties
responsible for infrastructure security.
1. Your cloud vendor.
2. Your own company’s IT / Security team.
Some companies believe that as cloud customers, when they migrate to
the cloud, cloud security responsibilities fall solely on the cloud vendors.
As described in detail above, that’s not the case.
Both the cloud customers and cloud vendors share responsibilities in
cloud security and are both liable for the security of the environment and
infrastructure.
To better manage the shared responsibility, consider the following tips:
- Define your cloud security needs and requirements before choosing a
  cloud vendor. If you know your requirements, you’ll select a cloud
  provider suited to answer your needs.
- Clarify the roles and responsibilities of each party when it comes to
  cloud security. Comprehensively define who is responsible for what and
  to what extent. Know how far your cloud provider is willing to go to
  protect your environment.
Basically, CSPs are responsible for the security of the physical or virtual
infrastructure and the security configuration of their managed services
while the cloud customers are in control of their data and the security
measures they set in place to protect their data, system, networks and
applications.
HOW CAN CLOUDRIDE HELP
Cloudride is a full-service consultancy firm for public cloud platforms,
with expertise in main cloud providers such as MS-AZURE, AWS and GCP
alongside a wide ISV ecosystem, in order to provide coherent
solutions tailored to each customer's needs.
Driven by a market best practices approach and uncompromised security
awareness, Cloudride's expert team is obligated to serve customer needs
in a timely manner, pursuing the highest quality of delivery and keeping
budget constraints under control.
cloudride.co.il

More Related Content

PPTX
Mobile App Security: Enterprise Checklist
PDF
How to get deeper administration insights into your tenant
PPTX
B2 - The History of Content Security: Part 2 - Adam Levithan
PDF
Power Saturday 2019 E1 - Office 365 security
PPTX
Cloud App Security
PDF
Msft cloud architecture_security_commonattacks
PDF
Stefan van der Wiele | Protect users identities and control access to valuabl...
PPTX
Importance of Identity Management in Security - Microsoft Tech Tour @Towson
Mobile App Security: Enterprise Checklist
How to get deeper administration insights into your tenant
B2 - The History of Content Security: Part 2 - Adam Levithan
Power Saturday 2019 E1 - Office 365 security
Cloud App Security
Msft cloud architecture_security_commonattacks
Stefan van der Wiele | Protect users identities and control access to valuabl...
Importance of Identity Management in Security - Microsoft Tech Tour @Towson

What's hot (20)

PDF
Azure Information Protection
PPTX
Practical Security for the Cloud
PDF
Microsoft threat protection + wdatp+ aatp overview
PDF
Microsoft Cloud App Security CASB
PPTX
Microsoft Platform Security Briefing
PDF
Nicholas DiCola | Secure your IT resources with Azure Security Center
PDF
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
PDF
Emma Aubert | Information Protection
PDF
Cloud Computing Security
PDF
Daniel Grabski | Microsofts cybersecurity story
PDF
Azure Security Center
PDF
How to protect your corporate from advanced attacks
PDF
Cloud summit demystifying cloud security
PPTX
Cisco Web and Email Security Overview
PPSX
Thread Legal and Microsoft 365 Security
PDF
Azure Sentinel Tips
PDF
Data Protection & Shadow IT in a cloud era
PDF
Arbel Zinger | Microsoft Advanced Threat Analytics
PPTX
Ciso Platform Webcast: Shadow Data Exposed
PDF
Security in the cloud protecting your cloud apps
Azure Information Protection
Practical Security for the Cloud
Microsoft threat protection + wdatp+ aatp overview
Microsoft Cloud App Security CASB
Microsoft Platform Security Briefing
Nicholas DiCola | Secure your IT resources with Azure Security Center
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
Emma Aubert | Information Protection
Cloud Computing Security
Daniel Grabski | Microsofts cybersecurity story
Azure Security Center
How to protect your corporate from advanced attacks
Cloud summit demystifying cloud security
Cisco Web and Email Security Overview
Thread Legal and Microsoft 365 Security
Azure Sentinel Tips
Data Protection & Shadow IT in a cloud era
Arbel Zinger | Microsoft Advanced Threat Analytics
Ciso Platform Webcast: Shadow Data Exposed
Security in the cloud protecting your cloud apps
Ad

Similar to The 15 best cloud security practices (20)

PDF
Cloud Security Best Practices from Leading Cybersecurity IT Companies.pdf
PPTX
Cloud Security_ Unit 4
PDF
Cloud Application Security Best Practices To follow.pdf
PDF
Cloud Application Security Best Practices To follow.pdf
PDF
Cloud Security Network – Definition and Best Practices.pdf
PPTX
Chap 6 cloud security
PDF
Cloud Security Challenges, Types, and Best Practises.pdf
PDF
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
PPTX
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
PDF
All You Need to Know About 5 Biggest Cloud Security Risks and How One Can Avo...
PDF
Cloud transformation Service in Hy.pdf
PDF
Top Cloud Infrastructure Practices And Strategies For Maximum Security.pdf
PPTX
Xylos Clients Day - Public cloud and security go hand in hand, if you approac...
PDF
Measure To Avoid Cyber Attacks
PDF
Measures to Avoid Cyber-attacks
PDF
Three Ways To Secure Cloud Migration.pdf
PDF
EveryCloud_Company_Intro_Piece
PDF
EveryCloud_Company_Intro_Piece
PPTX
Are Your Endpoints Protected?
Cloud Security Best Practices from Leading Cybersecurity IT Companies.pdf
Cloud Security_ Unit 4
Cloud Application Security Best Practices To follow.pdf
Cloud Application Security Best Practices To follow.pdf
Cloud Security Network – Definition and Best Practices.pdf
Chap 6 cloud security
Cloud Security Challenges, Types, and Best Practises.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
All You Need to Know About 5 Biggest Cloud Security Risks and How One Can Avo...
Cloud transformation Service in Hy.pdf
Top Cloud Infrastructure Practices And Strategies For Maximum Security.pdf
Xylos Clients Day - Public cloud and security go hand in hand, if you approac...
Measure To Avoid Cyber Attacks
Measures to Avoid Cyber-attacks
Three Ways To Secure Cloud Migration.pdf
EveryCloud_Company_Intro_Piece
EveryCloud_Company_Intro_Piece
Are Your Endpoints Protected?
Ad

Recently uploaded (20)

DOCX
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
PDF
WRN_Investor_Presentation_August 2025.pdf
PDF
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
PPTX
Lecture (1)-Introduction.pptx business communication
PPTX
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
PDF
Business model innovation report 2022.pdf
PDF
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
PDF
Laughter Yoga Basic Learning Workshop Manual
PDF
Reconciliation AND MEMORANDUM RECONCILATION
PDF
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
PDF
Training And Development of Employee .pdf
PDF
Deliverable file - Regulatory guideline analysis.pdf
PDF
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
PDF
MSPs in 10 Words - Created by US MSP Network
DOCX
unit 1 COST ACCOUNTING AND COST SHEET
PDF
A Brief Introduction About Julia Allison
PPTX
5 Stages of group development guide.pptx
PPT
340036916-American-Literature-Literary-Period-Overview.ppt
PPTX
Belch_12e_PPT_Ch18_Accessible_university.pptx
PDF
Ôn tập tiếng anh trong kinh doanh nâng cao
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
WRN_Investor_Presentation_August 2025.pdf
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
Lecture (1)-Introduction.pptx business communication
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
Business model innovation report 2022.pdf
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
Laughter Yoga Basic Learning Workshop Manual
Reconciliation AND MEMORANDUM RECONCILATION
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
Training And Development of Employee .pdf
Deliverable file - Regulatory guideline analysis.pdf
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
MSPs in 10 Words - Created by US MSP Network
unit 1 COST ACCOUNTING AND COST SHEET
A Brief Introduction About Julia Allison
5 Stages of group development guide.pptx
340036916-American-Literature-Literary-Period-Overview.ppt
Belch_12e_PPT_Ch18_Accessible_university.pptx
Ôn tập tiếng anh trong kinh doanh nâng cao

The 15 best cloud security practices

  • 1. CloudSecurity BestPractices PRESENTED BY CLOUDRIDE © 2020 | CLOUDRIDE.CO.IL | HELLO@CLOUDRIDE.CO.IL
  • 2. TABLEOFCONTENTS UNDERSTAND YOUR SECURITY POSTURE/ STATUS Employee education on cloud security Your current security process Documentation for the incident response process Your most critical data 4 4 4 4 5 5 6 7 8 9 9 10 10 11 11 12 12 12 13 CLOUD SECURITY BEST PRACTICES. Enable single sign-on (SSO) Turn on conditional access Proactively monitor your cloud infrastructure for threats Adopt multi-factor authentication (MFA) Gain visibility into your cloud environment. Educate your employees Audit and Optimize Monitor File Integrity Disable SSH/RDP Access to virtual machines. Implement data encryption Utilize intrusion detection and prevention technologies Conduct Audits and run penetration testing Secure the endpoints Develop a safe list Start with low-risk assets 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. © 2020 | CLOUDRIDE.CO.IL | HELLO@CLOUDRIDE.CO.IL
  • 3. 15 Cloud Security Best Practices to secure your cloud infrastructure. Whether you’ve migrated to the cloud or are thinking of migrating your infrastructure, security is and should always be your top priority. Most organizations think security solely lies with the cloud vendors but more often than not, it isn’t the case. It’s your responsibility to exert all necessary measures to protect your data, applications, systems and networks. Alongside all the benefits cloud computing has to offer, it also presents new security challenges; from increased complexity straining the IT staff to challenging security control on multi-cloud environments.  This eBook will delve into how you can understand your security posture, best practices for cloud security, who is responsible for cloud security and how Cloudride can help in securing your data and protecting your systems and networks from security threats. © 2020 | CLOUDRIDE.CO.IL | HELLO@CLOUDRIDE.CO.IL
  • 4. CLOUDRIDE PAGE 01 Employee education on cloud security Your current security process Documentation for the incident response process Your most critical data Your security posture should tie directly to your company’s objectives, business, scaling needs and expansion, so that you can know the true evaluation of your security status. Below are points you should consider to determine and understand your security posture. Is the company staff aware and conversant with the basic security measures in place, the reasons why, the do’s & don’ts and the importance of maintaining such security best practices?Your staff is more likely to alert the IT team when something seems off more so when they understand the security basics and security measures implemented. The IT team should seek to educate all staff on cloud security and build a security culture in the company. Does your current security process prove to be effective in securing your cloud infrastructure?Conduct an audit to measure the effectiveness of the security process and the various security controls. Assess and reassess security threats and implications, and test your security controls’ resilience to such potential risks. Do you have a well-documented incident response process?  In any organization running on the cloud, at some point, an incident will occur. If it does, there should be a process put in place for detection, response, mitigation, elimination and education. The IT and security team should have in place a clear data vulnerability hierarchy, specifying which data is of top importance (security-wise) to the business. Data such as client information and intellectual property are usually a top priority in protecting the business against security threats. After understanding your security posture, you can then implement cloud security best practices. UNDERSTAND YOUR SECURITY POSTURE/STATUS. © 2020 | CLOUDRIDE.CO.IL | HELLO@CLOUDRIDE.CO.IL 4
  • 5. CLOUDRIDE PAGE 03 To ensure your cloud environment and workload is secure, make sure the following measures are in place: 1. Enable single sign-on (SSO) One of the main causes of breaches is compromised credentials. The more passwords we have - the less complex they tend to be. This is natural because with multiple passwords, it becomes more and more difficult to remember so we tend to start using weak passwords and reusing passwords across different applications. This makes your cloud workloads susceptible to security threats. Once you establish the SSO, your users can access the resources and data they need without having to remember a ton of passwords for each application or service they need to use. In addition, SSO enables you to control and manage employee access to specific resources or data, based on the employee’s role, ‘need-to-know’ and other criteria you have in place. For organizations using Microsoft Azure, they can enable SSO through Azure AD and businesses on AWS can enable it through the AWS SSO Console. Organizations not enabling SSO, run the risk of a breach because of users using common passwords on all applications and use of weak passwords which can easily be compromised. 2. Turn on conditional access Employees not only bring their personal devices to work but also use the devices to access the organization’s resources. The same devices would, later on, be installed with personal apps. The problem arises when the non-monitored devices don’t meet your security standards and the organization’s data is compromised. CLOUD SECURITY BEST PRACTICES. © 2020 | CLOUDRIDE.CO.IL | HELLO@CLOUDRIDE.CO.IL 5
  • 6.
    Identity access control measures (i.e. monitoring who is accessing resources) aren’t enough. It is imperative for you to know how the resources are accessed in order to secure your workloads. Through Azure Active Directory and AWS Identity and Access Management, you can make automated control decisions based on conditions for accessing your cloud resources.
    3. Proactively monitor your cloud infrastructure for threats
    Security solutions used to be reactive in nature, but with the rise of more complex attacks and the increase in sensitive data & resources stored on the cloud, IT managers, DevOps engineers, Site Reliability engineers and developers need to be proactive: implementing security best practices to avoid risk, and detecting anomalies early on, before they spread to compromise your entire cloud infrastructure.
    Most hackers sit on your system for days or even months gathering intelligence to attack your system and steal your data undetected. This brings about the need to actively monitor your system and infrastructure to identify suspicious activities and malware in the system before they take hold.
    For businesses on Microsoft Azure, you can implement the following monitoring measures:
    - Run Azure AD anomaly reports on a daily basis or on demand to identify brute force attacks on an account, attempts to sign in from multiple locations, sign-ins from infected devices and suspicious IP addresses.
    - Use Azure AD Identity Protection to protect your organization’s identities. Configure risk-based policies that respond to detected issues when a specific risk level is reached.
    - Leverage Azure Monitor. It provides an analysis of how your applications are performing and proactively identifies issues that might affect the applications and services you use.
  • 7.
    For those running their infrastructure on AWS, impose the following monitoring measures:
    - Use Amazon CloudWatch to detect suspicious activity in your environment, visualize logs, implement automated measures, troubleshoot issues and analyze insights of your applications, AWS resources and services.
    - Leverage Amazon GuardDuty to identify malicious activity in your AWS account. With information gleaned from your VPC Flow Logs, AWS CloudTrail Event Logs and DNS logs, GuardDuty can detect many different types of dangerous and mischievous behavior, including probes for known vulnerabilities, port scans and probes, and access from unusual locations.
    Organizations that don’t monitor their infrastructure frequently run the risk of compromising the security of their systems. Security attacks differ from one to another, and there is no single cut & paste measure that, having worked once, will work indefinitely. Without frequently scanning, monitoring and managing these threats, organizations can’t be in control and mitigate risk.
    4. Adopt multi-factor authentication (MFA)
    The conventional authentication technique of solely using a username and a password is insufficient in cloud environments, because the cloud is susceptible to attacks. The solution is, therefore, the implementation of MFA. The goal of MFA is to provide an extra layer of security to make it challenging for an unauthorized entity to access the network, applications, services or the entire infrastructure.
    MFA requires users to receive a security code on their phone or a one-time password to use, as opposed to just a username and password. This will make it harder for hackers or unauthorized entities to gain access to your cloud, as they won’t obtain the code or the one-time password even when they have access to your standard credentials.
  • 8.
    Even the strongest of security measures sometimes can’t prevent all breaches, so at some point, a breach might occur. When it does, you must be prepared by putting in place processes and technologies to mitigate the risks and reduce the attack implications.
    5. Gain visibility into your cloud environment
    To secure their cloud environment, organizations need to map their entire infrastructure and know every application, service and data set running on it, the ones running but not used, and all the authorized users for each.
    Organizations often obtain various cloud technologies, features or applications they don’t necessarily need… some without collaboration with the IT and security team. This will cause visibility & control issues in your cloud environment, because it makes it difficult to track all the assets running on your infrastructure. In addition to that, as most organizations use containerized workloads, many security and IT teams find it difficult to make sense of how container technology works. So really your organization would be going in blind when the IT team is left behind.
    The main point is that you can’t secure what you can’t see. So how do you get visibility and control over your infrastructure security? Here are a few best practices you can implement:
    - Have strong access control management in place. This would ensure no user is given more privileges than necessary and ends up misusing their access by breaching data from the inside.
    - Constantly monitor user activity to ensure no deviation from the company policies.
    - Protect your data at rest and in motion and implement data loss prevention (DLP) to ensure that, if data is compromised, it won’t get out of the network.
    Maintaining strong visibility into your cloud is essential because you are then able to protect your applications, critical data, workloads and network from critical breaches.
  • 9.
    6. Educate your employees
    Successful cloud migration and smooth running of the workloads without security issues depend, to some extent, on the capabilities of the employees and how conversant they are with cloud infrastructure environments.
    The security processes, protocols and measures you set in place to protect your cloud are useful only when your employees understand them and know how to implement and abide by them. For instance, when implementing single sign-on, you should educate them on why it is important and how to use it. In addition to that, they should also be able to identify the different types of cyberattacks and various mitigation strategies, so they can be on the lookout if they sense something is off.
    Having an educated staff would ease the burden put on the security and IT team trying to maintain strong visibility into the cloud environment, because the staff would only be using approved applications and services, communicating detected anomalies and abiding by protocols.
    7. Audit and Optimize
    An important cybersecurity best practice is to constantly audit and optimize your posture and infrastructure. The frequency of the audits depends on the complexity of your cloud environment. It can be daily, weekly or monthly, but be sure to audit your cloud security frequently enough and consistently.
    An audit would shed light on the unapproved applications and services that crop up and pose a risk to your cloud posture and environment. It also shows where your environment is more vulnerable and susceptible to threats.
  • 10.
    8. Monitor File Integrity
    As you are well aware, there is a great number of sophisticated threats targeting organizations, and it’s only a matter of time until a breach of some sort occurs. Cloud threats attack key assets of an organization in an attempt to progress undetected towards system control and critical data.
    File integrity monitoring provides a layer of defense to identify suspicious changes in system files and prevents attacks from occurring before they cause critical damage. File integrity monitoring tools analyze current file attributes and compare these to the baseline, aiming to identify any suspicious changes.
    9. Disable SSH/RDP Access to virtual machines
    Virtual machines are accessed by using the Remote Desktop Protocol and the Secure Shell Protocol. These protocols enable the management of virtual machines from remote locations and are standard in cloud computing.
    The main security concern of using these protocols over the internet is that attackers can attack your virtual machines using brute-force techniques. They’ll then use the compromised virtual machine as a launch point to infiltrate other virtual machines on your virtual network. Disabling access from RDP and SSH to these virtual machines over the internet will secure your virtual network from such attacks.
    Below are some alternative ways you can access your virtual machines for remote management:
    - Leverage the point-to-site VPN, also referred to as the remote access VPN server connection. A user can use SSH or RDP to connect to any virtual machine that the user accessed via the point-to-site VPN.
  • 11.
    - Use a site-to-site VPN. It connects an entire network to another network through the internet. You can connect your on-premise network to your virtual network; users can then access your virtual machines through the RDP and SSH protocols over the site-to-site VPN, without the need to allow direct RDP and SSH access over the internet.
    Using alternatives to direct RDP and SSH access over the internet to reach your virtual machines would provide an extra layer of security to your cloud infrastructure.
    10. Implement data encryption
    Data encryption is basically encoding your data so that it remains inaccessible to unauthorized users. This means that even if your data is accessed due to a security breach, it is useless to the attackers, as they won’t be able to read it.
    Best practice is to encrypt your data both at rest and in transit, because most attacks happen on data that is being shared and on the move. Both Azure and AWS offer SQL database transparent data encryption, which performs real-time encryption and decryption of the database, backups and log files. It encrypts the entire database using a symmetric key. Local encryption added to the encryption services offered by your cloud provider would add an extra layer of security.
    11. Utilize intrusion detection and prevention technologies
    This is a reactive form of cloud security best practice. IDS and IPS identify an attack once it occurs, and take measures to stop the attack. They also alert administrators to suspicious activities and policy violations. You can use the intrusion systems offered by your cloud provider in conjunction with a comprehensive third-party IDS and IPS solution.
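The baseline comparison described under practice 8 (file integrity monitoring), as an added example that is not part of the original eBook: a snapshot records each file's SHA-256 and permission bits, and a later snapshot is compared against it. The temporary directory, file names and simulated changes are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Baseline: map each regular file under root to (SHA-256, permission bits)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (digest, stat.S_IMODE(st.st_mode))
    return state

def compare(baseline, current):
    """Report files added, removed, or changed in content or mode since the baseline."""
    report = {"added": [], "removed": [], "content_changed": [], "mode_changed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            if baseline[path][0] != current[path][0]:
                report["content_changed"].append(path)
            if baseline[path][1] != current[path][1]:
                report["mode_changed"].append(path)
    return report

def demo():
    """Constructed scenario in a temp directory; file names are hypothetical."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, body):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        write("sshd_config", "PermitRootLogin no\n")
        write("app.conf", "debug=false\n")
        write("old.log", "x\n")
        os.chmod(os.path.join(root, "app.conf"), 0o640)
        baseline = snapshot(root)
        write("sshd_config", "PermitRootLogin yes\n")     # content tampered
        os.chmod(os.path.join(root, "app.conf"), 0o666)   # permissions loosened
        os.remove(os.path.join(root, "old.log"))          # file deleted
        write("cron.sh", "#!/bin/sh\n")                   # new file dropped
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline has to be stored where a compromised host cannot rewrite it, otherwise the comparison proves nothing.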
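For practice 9 (disabling SSH/RDP access over the internet), an added example that is not part of the original eBook: a check that flags inbound firewall rules allowing port 22 or 3389 from any source outside trusted private ranges, including rules that cover the port only through a range or an all-traffic rule. The rule data is constructed in the shape of AWS security group output; the group IDs and the trusted ranges (standing in for the VPN side) are assumptions.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# Assumption: remote management may only come from private ranges reached over the VPN.
TRUSTED = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of EC2 DescribeSecurityGroups output; IDs are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-jump", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-vpn-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.8.0.0/24"}]}]},
]

def is_trusted(cidr):
    """True when the source range lies entirely inside a trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)

def exposed_admin_rules(groups):
    """Return (group, service, port, source) for SSH/RDP reachable from untrusted ranges."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            # Protocol "-1" means all traffic, so every port is covered.
            low, high = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port, service in ADMIN_PORTS.items():
                for src in sources:
                    if low <= port <= high and not is_trusted(src):
                        findings.append((group["GroupId"], service, port, src))
    return findings

if __name__ == "__main__":
    for finding in exposed_admin_rules(SAMPLE_GROUPS):
        print(finding)
```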
  • 12.
    12. Conduct Audits and run penetration testing
    Penetration testing determines whether your current cloud security efforts are effective in protecting your data and workloads. This is important because it shows you where your system is most vulnerable, and you can then improve your security measures.
    In parallel, conduct regular audits of your cloud security capabilities. This includes an audit of your cloud provider’s capabilities in securing your infrastructure, to confirm that they are meeting the security standards required.
    13. Secure the endpoints
    To be more productive, organizations have granted access to data and applications from anywhere, anytime and from any device. The endpoint devices accessing your data complicate cloud security in many ways, from the growing list of endpoint devices accessing the cloud, which is susceptible to attacks and exposes the whole network, to the lack of knowledge of the content of those endpoint devices.
    If you’ve already put up measures such as intrusion detection and prevention solutions, conditional access, antimalware and other measures, then you have the right solutions in place. But you still have to constantly be on the lookout for new threats that might override your current security measures, and optimize accordingly.
    14. Develop a safe list
    Employees conduct their work using various cloud services, but there are cases where they use the services for their personal gain. This might compromise security and cause legal problems due to compliance issues.
  • 13.
    As such, developing a safe list as part of your security measures is vital. This safe list would stipulate the services employees are allowed to access through their cloud accounts and make them aware of the type of data which is allowed to be shared over the cloud.
    15. Start with low-risk assets
    As you migrate to the cloud, start with less sensitive data and applications. Move items whose downtime or loss would not cost much. You would be vetting the reliability and capabilities of your cloud provider in securing your assets. When you have vetted them and are confident in their capabilities, you can move the high-risk assets such as clients’ data.
    Who is responsible for cloud security?
    Within the field of cloud environments, there are generally two parties responsible for infrastructure security:
    1. Your cloud vendor.
    2. Your own company’s IT / Security team.
    Some companies believe that as cloud customers, when they migrate to the cloud, cloud security responsibilities fall solely on the cloud vendors. As described in detail above, that’s not the case. Both the cloud customers and cloud vendors share responsibilities in cloud security and are both liable for the security of the environment and infrastructure.
    To better manage the shared responsibility, consider the following tips:
    - Define your cloud security needs and requirements before choosing a cloud vendor. If you know your requirements, you’ll select a cloud provider suited to answer your needs.
  • 14.
    - Clarify the roles and responsibilities of each party when it comes to cloud security. Comprehensively define who is responsible for what and to what extent.
    - Know how far your cloud provider is willing to go to protect your environment.
    Basically, CSPs are responsible for the security of the physical or virtual infrastructure and the security configuration of their managed services, while the cloud customers are in control of their data and the security measures they set in place to protect their data, systems, networks and applications.
    HOW CAN CLOUDRIDE HELP
    Cloudride is a full-service consultancy firm for public cloud platforms, with expertise in the main cloud providers such as MS-AZURE, AWS and GCP, alongside a wide ISV ecosystem, in order to provide coherent solutions tailored to each customer's needs. Driven by a market best practices approach and uncompromised security awareness, Cloudride's expert team is obligated to serve customer needs in a timely manner, pursuing the highest quality of delivery and keeping budget constraints under control.