As enterprises increasingly move toward a cloud-first strategy, the challenge of securing data in the cloud moves front and center. We've assembled this list of cloud security tips for organizations to protect data in a hybrid or fully public cloud environment.
Tip 1. Document assets in the cloud
Former Defense Secretary Donald Rumsfeld famously referred to the categories of "known knowns," "known unknowns" and "unknown unknowns." The terms were actually coined by NASA researchers -- whom Rumsfeld credited -- and had long been used by national security and intelligence professionals.
When securing data in the cloud, organizations need to document precisely what assets they have in the cloud and the current security posture of those assets: the known knowns, as it were. Many tools enable technology professionals to locate resources; the real challenge is figuring out precisely what resources need to be documented. In addition to the obvious, such as where workloads are running, you'll want to look for the following resources:
- identity and access management user and administrator account privileges to find any overprivileged users and roles;
- all public IP addresses associated with your cloud accounts to provide early warning if any have been hijacked;
- relationships between assets and resources to uncover potential attack paths; and
- keys and key characteristics, including issue date to disable keys older than a given threshold.
Tip 2. Test, test and test again
Once the organization's cloud environment is set up, plan to test the living daylights out of it. A large and growing library of tools is available to enable organizations to run hostile tests against the environment, including penetration testing, misconfiguration testing and various forms of vulnerability testing. Some tools can search for keys and passwords, and some will even let the security teams create and launch advanced persistent threats against the organization. In sum, all the tools, techniques and procedures that attackers will use against the organization can be used to fire-harden the cloud environment.
Tip 3. Always be monitoring
Cheesy sales trainers emphasize the need to "always be closing" -- that immortal catchphrase from the film Glengarry Glen Ross. In a similar vein, maintaining continuous monitoring of the cloud environment -- i.e., always be monitoring -- is a wise idea. Organizations should be keeping an eye out for configuration changes, lapses in compliance, suspicious changes to files or structured data and the like. The value of doing this in real time is the ability to detect attempted attacks early enough to contain them and vulnerabilities in time to patch them.
Tip 4. Create live security training opportunities
"Live fire training" has become a staple of sophisticated fire departments. Live fire training refers to the practice of buying a building, outfitting it exactly like a typical residence or office, and then setting it on fire and sending firefighters in to control the blaze. Firefighters thereby gain a nuanced understanding of how fires behave in different conditions and learn about their own weaknesses and tendencies under the stress of live fires.
The cloud equivalents to live fire trainings are suites of cloud environments and cloud applications that are deliberately insecure. These tools incorporate misconfigurations and vulnerabilities and can be set up quickly and easily to train cloud engineers how to detect and remediate common configuration flaws and security vulnerabilities. Such environments should be part of an organization's training programs. Use gamification, and award points to the cybersecurity specialists who most quickly and effectively uncover the vulnerabilities.
Tip 5. Stay informed about emerging threats
Organizations need to track emerging threats, including sophisticated nation-state attacks, which increasingly utilize cloud services. A good way to do this is via the Mitre ATT&CK framework, which tracks threats and decomposes attacks into techniques and tactics, such as credential access, privilege escalation, discovery and the like. The ATT&CK framework also provides remediation recommendations and up-to-date insight into the behaviors and activities of attackers. Other ways to stay informed include subscribing to threat intelligence feeds from vendors and third-party organizations, as well as participating in organizations such as ISACA or other cybersecurity groups.