momius - Fotolia
I've read about security authorities who support the idea of an enterprise having multiple cloud service accounts for each project and environment. As a security best practice, the idea is to keep each project or environment isolated from others so that in case of a breach, an attacker can't move laterally. Is this a sound strategy? What are the drawbacks of having multiple cloud accounts?
Separation of functions is a sound principle when it comes to keeping developer environments isolated from tester environments, which in turn should be separate from production environments. For example, developers writing code should not be able to deploy that code themselves, or at least not without some kind of gatekeeping operations to prevent an insider from deploying malicious code.
In the cloud, a cloud administrator could implement controls over subnets, object storage and deployment tools to prevent a developer from rolling out unapproved code. This best practice works as long as there are no misconfigurations or other vulnerabilities. It also assumes that the developers have limited privileges. It often makes sense to give at least some developers elevated privileges in a development environment. For example, they may need root privileges to install libraries or apply patches on their development instances. These kinds of exceptions that require a more relaxed security posture in return for more efficient software development is one reason for isolating development, test, user acceptance and production environments.
In addition to segmenting environment types, it is important to segment by project or business function. Separate cloud accounts for different projects or departments can help limit the exposure of the infrastructure in each account. If, for example, a system administrator fails to patch a server and it is attacked and exploited, only the resources accessible from the compromised instance will be vulnerable. Servers and other resources in separate cloud accounts are isolated and inaccessible.
Of course, there are more pieces to manage. Cloud administrators will have to ensure all accounts are applying a consistent set of policies and controls. Automation is the key to ensuring consistency within and across multiple cloud accounts.
Learn how to prepare for security risks when using cloud database services
Discover how to overcome multicloud management challenges
Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices
Related Q&A from Dan Sullivan
Docker's recent upgrade introduced support for hardware signing and in the future, automated security analysis on Docker images. Expert Dan Sullivan ... Continue Reading
Cisco's new project Contiv automates operational policies for containerized applications in the cloud. Expert Dan Sullivan explains the benefits of ... Continue Reading
Dropbox API abused by attackers posing as legitimate users in a huge spear phishing campaign. Expert Dan Sullivan explains how to mitigate the risks ... Continue Reading