Structured approach to secure your cloud assets
Cloud security is not challenging if done correctly. A structured, all-inclusive approach and attention to possible misconfigurations are the key ingredients. Challenges arise because major cloud service providers like AWS and Azure offer a plethora of security services, making it confusing for businesses to decide which ones are really required and what level of redundancy is a MUST. Balancing cost and security is another factor that cannot be ignored.
We work outside-in towards your assets in the cloud. That means we start by inspecting the outermost layer, consisting of edge services like a CDN or WAF, and work inwards until we reach the innermost layer, the compute instance or storage container. We have found this approach to be methodical: it secures the perimeter, the external connections and every asset along the way. Beyond that, we look at the dimensions of identity, network, compute and storage, encryption and keys, and finally monitoring.
For companies that already have paying customers or whose product is live, tweaking the production networks and related configurations needs to be done with the utmost care and consideration.
1. Network Configurations
Continuing our philosophy of working inwards from the outside, one of the first questions a company should ask itself is whether it needs DoS or DDoS protection at the outermost layer. Is there a compelling reason, due to market conditions or competition, that makes this kind of protection essential? For many companies the answer might be NO; you know best what the answer is for yours. Staying with DoS/DDoS, another recommended strategy that is light on budget and provides an additional layer of protection is to obtain this kind of security from a totally different service provider, such as CloudFlare or Akamai. External connectivity to on-prem gateways or site-to-site VPNs creates secure tunnels based on secure protocols; whenever necessary, they should be leveraged.
Content Delivery Networks (CDNs) can restrict access to a lot of static content in storage containers unless it is absolutely required. (Wait a second, how is a CDN related to security?! If that is your question: it is not a security control as such, but it provides an indirect security measure by stopping threat actors at the gate for trivial and mostly static content.) Next come the WAF and the API gateway. Many customers are torn over which one is needed, so here is our suggestion: go for an API gateway. Surprising, right?! API gateways can act as a forward proxy and rate limiter, and are very helpful in load balancing and in introducing new services or servers with new configurations. Good API gateways can do a lot, and if you are really particular, most service providers allow attaching a WAF to this gateway.
Last but not least, we have already touched upon multiple aspects of network security in our previous article here, on securing networks and the machines within those networks.
2. Identity & Access Management (IAM)
Best practices in IAM start with the root or source of the identities. So the most fundamental question to address first is whether identities are being replicated or federated (a fancy word for propagation) from an existing identity provider. Even when federated from an identity provider, remember that only a small subset of users will need access to configure or manage your cloud resources. Each user should have only the absolutely minimal and required access (what the industry calls "least privilege"). The more critical the resource being accessed, the more minimal the access rights should be.
Similarly, IAM policies also need to be as restrictive as possible (particularly in the case of AWS). If a user needs permission to a particular file in a bucket, grant exactly that - not the folder, not the entire bucket. Second-factor or multi-factor authentication is fine, but your defence against social engineering attacks on the second factor can be an important consideration, unless the organization is small enough that a caller can be trusted by voice alone. Last but not least, zero-trust network or application access (ZTNA/ZTAA) is a space that has gained a lot of traction and attention. This basically means that no user is granted access to a resource based on just one parameter: the user has to be trusted based on network, device, identity, application permissions and so on.
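To make the "exactly that file, not the bucket" rule checkable, here is an added example (our illustration, not code from the original article or from AWS) that lints an IAM policy document for S3 grants wider than one named object; the two sample policies are constructed.

```python
"""Added example (not from the original article): lint an AWS IAM policy
document for S3 grants wider than a single object, the over-broad pattern
the article warns against. The sample policies below are constructed."""
import json

# Constructed: read and list on the whole bucket and every object in it.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed: least privilege, one action on one named object.
NARROW_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/reports/q1.csv",
    }],
})

def _as_list(value):
    # IAM accepts a string or a list in Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def find_broad_s3_grants(policy_json):
    """Return (action, resource, reason) for every Allow statement that
    grants S3 access to anything other than one named object."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action != "*" and not action.lower().startswith("s3:"):
                continue  # only S3 grants are in scope for this check
            for res in _as_list(stmt.get("Resource", [])):
                if action in ("*", "s3:*"):
                    findings.append((action, res, "wildcard action"))
                elif "*" in res or "?" in res:
                    findings.append((action, res, "wildcard resource"))
                elif "/" not in res.split(":::", 1)[-1]:
                    findings.append((action, res, "bucket-level resource"))
    return findings
```

Note that s3:ListBucket can only be granted on a bucket ARN, so a bucket-level finding for that action is expected; narrow it with an s3:prefix condition rather than by changing the resource.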
3. Compute & Storage
Virtual machine instances (most famously EC2 in AWS) are fun to use! They can also quickly become your worst enemy if the right measures are not taken. The "right" measures are not just one or two; here is a short list of checks that need to be maintained:
a) Was the instance built from an approved image list?
b) Who initiated the instance, and was that user authorized to do so?
c) Is the compute machine fully patched?
d) Is the machine hardened as per the company's standards? (open ports, minimum users, required software etc.)
e) Are the machines running signed binaries and applications?
f) Are the mandated security controls, like anti-virus and host firewall, turned on at the endpoint?
As far as storage containers are concerned, the IAM policies or access control management is a big deal and needs to be done right. Test for all kinds of negative scenarios, and from non-cached browser sessions, to verify that content can be reached only by the rightful hands. Do not mix up containers for multiple uses: for instance, if you have 5 clients whose data for hundreds of end-clients would end up in shared storage, it is better to segregate the data into 5 buckets rather than relying solely on IAM policies for data separation.
4. Encryption & Secrets management
Data at rest is the easy part. Most modern cloud providers can encrypt databases and storage containers with minimal effort from customers. Supply your own encryption keys only if you have regulatory compliance requirements, because managing the keys is even more sensitive and needs extra care with a full-fledged key management service.
Similarly, most organizations have requirements around storing hashed passwords in the database, which also means that secret keys need to be stored appropriately. Several organizations integrate with third-party software at the API level, which means that authentication mechanisms like API keys need to be stored safely. Even the company's own internal environment variables could contain sensitive credentials, which is not good practice. These are some of the frequently encountered use cases for integrating with vault services, where keys and secrets are secured and retrieved safely and programmatically.
Digital signatures and certificates are other, less common use cases where appropriate protective measures are an absolute must. For your convenience, we are sharing the best practices guide related to encryption for both AWS and Azure here.
5. Continuous Monitoring
Continuous monitoring will be a recurring topic across most sub-topics of cybersecurity. It is pertinent to remember that VPC, identity, compute and storage logs can easily be centralised with CloudWatch (AWS) or Sentinel (Azure). However, the most important and most often forgotten source is the application logs. Remember that your cloud footprint consists of both your infrastructure and your applications, so collate the application logs and the remaining logs in one place for correlation and event monitoring.
Having configured these logs for monitoring, setting alerts for events is a bit tricky. There are no right answers here. Some of them (like a user logging in from an unknown device, or a seemingly obvious intrusion) might be low-hanging events for which alerts can be configured, but you will be surprised by the number of false positives. So only over a period of time will you arrive at the optimal set of events that fit your organization's environment.
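As an added illustration of the "unknown device" alert and its false positives (our example, not code from the original article; the login events are constructed and the device id is assumed to come from whatever your log source records), this runs the same rule with and without a learning window for per-user device baselines:

```python
"""Added example (not from the original article): the "login from an unknown
device" alert the article describes, run over constructed console-login
events. It shows why alerting from day one floods you with false positives
and how a short learning window for per-user device baselines reduces them."""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, device id, source IP).
LOGINS = [
    ("2024-03-01T08:00", "alice", "laptop-a1", "203.0.113.10"),
    ("2024-03-01T09:00", "bob", "laptop-b1", "203.0.113.11"),
    ("2024-03-02T08:05", "alice", "phone-a2", "198.51.100.7"),
    ("2024-03-03T08:00", "bob", "laptop-b1", "203.0.113.11"),
    ("2024-03-10T02:14", "alice", "unknown-x9", "192.0.2.44"),
    ("2024-03-11T08:00", "bob", "laptop-b1", "203.0.113.11"),
]

def unknown_device_alerts(events, learning_days):
    """Return (timestamp, user, device) for logins from a device not previously
    seen for that user. Logins inside the first learning_days only build the
    per-user baseline; learning_days=0 alerts on every first sighting."""
    events = sorted(events, key=lambda e: e[0])
    if not events:
        return []
    cutoff = datetime.fromisoformat(events[0][0]) + timedelta(days=learning_days)
    seen = {}  # user -> set of device ids observed so far
    alerts = []
    for ts, user, device, _ip in events:
        known = seen.setdefault(user, set())
        if datetime.fromisoformat(ts) >= cutoff and device not in known:
            alerts.append((ts, user, device))
        known.add(device)  # every sighting extends the baseline
    return alerts
```

With learning_days=0 every user's normal devices fire as "unknown" (four alerts, three of them noise); with a 7-day baseline only the new device at 02:14 remains.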
YOU DID IT!
If you have patiently read through the entire article to this point, we sincerely hope you have gained a thing or two about cloud security. More importantly, it will help you secure your cloud posture, configurations, networks and other assets as discussed. If you are interested in a more comprehensive audit for your company, please choose one of our wide range of plans, or seek a customized plan. If you have questions and would like to discuss them with us before taking the plunge, you can contact us and we will be most happy to assist you.