EDITOR'S QUESTION

MOREY HABER, CHIEF TECHNOLOGY OFFICER – BEYONDTRUST

www.intelligentciso.com | Issue 07

It is undisputed that more and more organisations are moving computing power to the cloud. In fact, some IT organisations have adopted a 'cloud first' strategy for all new deployments and will only consider new on-premise deployments when the technology, cost or sensitivity warrants a deviation from a cloud deployment.

With this in mind, there are operational challenges that every organisation should consider as they move to the cloud. The security services we rely on today for on-premise implementations do not necessarily translate to the cloud, and there are other risks we should consider. This is true for public and private cloud environments and should involve more than just the security team when key decisions are being made. The outcome will generally affect more of the implementation and services than was ever scoped for an on-premise equivalent.

The simple reason why is rather obvious but often overlooked: you do not own, typically do not have access to, and do not control any of the physical aspects of a cloud environment. It is, after all, someone else's computer. So how do you quantify and manage cloud security? Here are three basic premises to get you started:
1. SEGMENTATION: Consider a strong zone approach to keep instances, containers, applications and full systems isolated from each other when possible. This will stop lateral movement in an attack and inappropriate access between systems by any threat actor. In addition, just because it is in the cloud does not mean that it should be publicly addressable. Only expose the resources you need to the Internet (if any) and secure the rest.

2. ACCESS CONTROLS: All aspects of computing in the cloud should have access control lists. Since services like a database can be instantiated separately, it is even more important than on-premise to define and implement proper access controls. This includes any virtual infrastructure, operating systems, applications and even the tools used to monitor the environment.

3. PRIVILEGED ACCESS: Remember, these are not your computers. Concepts like a crash cart do not translate. So you need to manage privileged access to all cloud resources and consider disaster recovery in your privileged access scope. We manage privileges today on-premise with password solutions and administrator accounts. We need the same concepts in the cloud but do not want cloud administrator rights to be everywhere. Privileges need to be role based, appropriately delegated and monitored for usage to ensure the access is appropriate.

4. VULNERABILITIES: This concept translates one for one from on-premise implementations but may use agents and other integration technologies to determine the presence of vulnerabilities. This is old-school, low-hanging fruit that, regardless of the computing environment, must be done like clockwork to ensure good cybersecurity hygiene.
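As an added example (not the article's or BeyondTrust's own code), a small Python audit over a constructed, vendor-neutral inventory whose field names are assumptions: it flags the two failure modes behind points 1 and 3, world-open ingress to resources that were never meant to be public, and Allow statements that grant every action on every resource.

```python
"""Audit a constructed (simplified, vendor-neutral) cloud inventory for two
failures the article calls out: resources exposed to the whole Internet and
administrator privileges that apply 'everywhere'."""
import ipaddress

# Constructed sample inventory; field names are assumptions, not a real
# provider's schema.
INTENDED_PUBLIC = {"web-lb"}  # the only resource meant to face the Internet

INGRESS_RULES = [
    {"resource": "web-lb",  "port": 443,  "source": "0.0.0.0/0"},
    {"resource": "app-db",  "port": 5432, "source": "10.0.2.0/24"},
    {"resource": "app-db",  "port": 5432, "source": "0.0.0.0/0"},  # misconfigured
    {"resource": "monitor", "port": 22,   "source": "::/0"},       # misconfigured, IPv6
]

IAM_STATEMENTS = [
    {"principal": "role/ci-deploy", "effect": "Allow", "action": "compute:Start", "resource": "vm/*"},
    {"principal": "role/db-admin",  "effect": "Allow", "action": "*",             "resource": "*"},
    {"principal": "role/auditor",   "effect": "Allow", "action": "logs:Read",     "resource": "logs/*"},
]


def is_world_open(source):
    """True when the source CIDR covers every IPv4 or IPv6 address (prefix length 0)."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # not a CIDR (e.g. a named group reference), so not world-open


def find_unintended_public_ingress(rules, intended_public=INTENDED_PUBLIC):
    """Segmentation check: world-open ingress to anything not approved as public."""
    return [(r["resource"], r["port"], r["source"]) for r in rules
            if is_world_open(r["source"]) and r["resource"] not in intended_public]


def find_blanket_admin(statements):
    """Privileged-access check: Allow statements granting every action on every resource."""
    return [s["principal"] for s in statements
            if s["effect"] == "Allow" and s["action"] == "*" and s["resource"] == "*"]


if __name__ == "__main__":
    for finding in find_unintended_public_ingress(INGRESS_RULES):
        print("public ingress outside approved list:", finding)
    for principal in find_blanket_admin(IAM_STATEMENTS):
        print("blanket administrator grant:", principal)
```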
Now that the basics are covered, what else do you need to consider? Cloud environments have resources like hypervisors that are not present on-premise unless you have your own virtual environment (and you probably do), but in the cloud you have no access to manage them. Consider the security tips above for the following disciplines:

• Securing any and all access to virtualisation technology and any access to the hypervisor your organisation may have
• The data you store in the cloud, at rest and in motion, is just as valuable to a threat actor as on-premise data. Consider how you safeguard it and how you monitor appropriate access
• Application programming interfaces are very common in cloud environments and are used for everything from DevOps to monitoring solutions. Consider how these are accessed, locked down and monitored for inappropriate access
Once you rationalise the benefits of the cloud, you can understand the unique security risks. Some are the same as your on-premise implementations and others are unique. For those, be prepared with a strategy and methodology to monitor, measure and react in order to keep your implementations safe and secure.