Cloud Security Fundamentals: 10 Questions To Ask

Brian Thomas (Marketing Strategist, Content Editor, Content Writer), Uptycs
Securing your attack surface has become more complex than ever. Whether you’re on the bleeding edge and fully cloud-native, or running a hybrid cloud environment, odds are you have some visibility gaps. That’s a problem, because you can’t secure what you can’t see. Securing the cloud environment requires a thoughtful, analytical approach to workload and infrastructure observability, including an understanding of the threats you face. That’s why it helps to start by listing the questions you need to answer. Think of them as the Who, What, Where and How of your cloud: they reveal where the blind spots are and how those blind spots could create risk.
Here are questions that you should ask to gauge your cloud security posture and decide what analytics capabilities you need to fill the gaps.
1. What does shared security responsibility mean from an IaaS/PaaS/SaaS perspective?
2. In what geographic regions are resources being created?
3. How will your workload monitoring requirements change when you start to adopt things like containers and microservices? How are you thinking about securing them?
4. How are you managing identity and access management (IAM) in the cloud? Who has permission to do what, when, and where?
5. How do I extend DevSecOps control in the cloud?
6. How do I achieve continuous visibility and monitoring in the cloud?
7. How should I be extending existing technical, process, and policy controls to the multi-cloud environment?
8. How do I mitigate risk when allowing third-party access to cloud resources?
9. How do I reskill my security operations/compliance workforce to extend their expertise to the cloud?
10. How do I prioritize addressing cloud security controls?

Question 1: What does shared security responsibility mean from an IaaS/PaaS/SaaS perspective?

• Definitions of the shared responsibility model vary among service providers. They change based on whether you are using infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or software-as-a-service (SaaS). Understanding which aspects of security you are responsible for is key: Gartner estimates that 99% of all cloud security incidents are the customer’s fault due to misconfigurations.
• The customer manages security of the data, application logic and code, identity and access, and platform and resource configuration. The cloud provider oversees the security of the virtualization layer and physical hosts, networks, and data centers. The grey area of security responsibility includes identity and directory infrastructure, applications, network controls, and operating systems.
• To ensure a clear understanding of security in the grey area, the customer should ensure that security ownership is clearly defined, with each party maintaining complete control over those assets, processes, and functions they own. Shared responsibilities that are clearly defined enable you to focus on your application delivery strategy without burdening your teams with operational concerns in the physical layer.

Question 2: In what geographic regions are resources being created?

Different geographic locations have various data protection regulations. For example, in Europe, there is the General Data Protection Regulation; in Brazil, there is the Lei Geral de Proteção de Dados (LGPD); in California, there is the California Consumer Privacy Act (CCPA); and other U.S. states are working on similar laws.
To comply with these regulations you need to keep track of the personally identifiable information (PII) you collect from individuals residing in those regions. You also need to give the data owner access to that data, correct the data, and, in some instances, delete the data if requested.
Here are six things you can do with PII to ensure you are in compliance with various regulations:
1. Identify all the PII your organization collects, processes, and uses—on-premises and in the cloud
2. Locate all the places where PII is stored
3. Classify PII in terms of sensitivity based on the likelihood of compromise and the consequences of being leaked
4. Draft and implement an acceptable usage policy to access PII
5. Deploy data-centric encryption to secure the PII at rest and in transit
6. Train employees on how to protect PII and how to use encryption effectively

It is important that you be able to find PII, change it, or delete it within the timeframes set by regulations. You also need to ensure the data is tracked and secured when it is transferred out of the region where the regulation applies.
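One way to turn the regional question into a repeatable check, as an added example that is not from the original article: a small Python function that flags resources tagged with a regulation but created outside the regions that regulation covers. The region names, the `data_scope` tag key and the inventory records are constructed assumptions, not any provider's real API output.

```python
"""Flag cloud resources whose region does not satisfy the data-residency rule
for the data they hold. Added example; inventory shape, tag name and region
sets are constructed assumptions."""

# Regions that count as "inside" each regulatory scope (constructed mapping;
# provider-style region identifiers used only for illustration).
REGION_SCOPE = {
    "GDPR": {"eu-west-1", "eu-central-1", "europe-west1"},
    "LGPD": {"sa-east-1", "southamerica-east1"},
    "CCPA": {"us-west-1", "us-west-2", "us-east-1"},
}

def residency_violations(inventory, region_scope=REGION_SCOPE):
    """Return (resource_id, region, regulation) for each resource whose
    'data_scope' tag names a regulation but whose region is outside that
    regulation's scope. Resources without a data_scope tag are not checked."""
    violations = []
    for res in inventory:
        scopes = res.get("tags", {}).get("data_scope", "")
        for reg in filter(None, (s.strip() for s in scopes.split(","))):
            allowed = region_scope.get(reg)
            if allowed is None:
                # Unknown regulation label: report it rather than silently pass.
                violations.append((res["id"], res["region"], f"unknown:{reg}"))
            elif res["region"] not in allowed:
                violations.append((res["id"], res["region"], reg))
    return violations

# Constructed sample inventory (not a real API response).
SAMPLE_INVENTORY = [
    {"id": "bucket-customer-eu", "region": "eu-west-1", "tags": {"data_scope": "GDPR"}},
    {"id": "db-analytics", "region": "us-east-1", "tags": {"data_scope": "GDPR"}},
    {"id": "bucket-br-orders", "region": "sa-east-1", "tags": {"data_scope": "LGPD,GDPR"}},
    {"id": "vm-build-agent", "region": "ap-southeast-1", "tags": {}},
]

if __name__ == "__main__":
    for rid, region, reg in residency_violations(SAMPLE_INVENTORY):
        print(f"{rid}: region {region} is outside the {reg} scope")
```

Feeding this a real inventory export (for example from a cloud config service) in the same shape gives you a per-resource list of residency gaps to review against the regulations listed above.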

Question 3: How will your workload monitoring requirements change when you start to adopt things like containers and microservices?

• Containers and microservices are being used more frequently to design, develop, and deploy applications using agile software development approaches. This environment produces dynamic systems with many moving parts across multiple layers. You should consider the security of workloads throughout the software development life cycle (build, deploy, run) in this environment. In fact, 80% of organizations with more than 500 employees are using containers.
• Containers and microservices have unique characteristics that result in increased security vulnerabilities. In terms of containers, there are security bugs in the technology, resulting in multiple entry points for cyberattacks. The more people have access to the code, the more opportunities there are to attack the code. For microservices, there are many moving parts, which create a larger attack surface, and they are in constant contact with each other, resulting in greater communications risks.
• To secure this environment, you should consider creating immutable containers, running images only from trusted sources, securing access to images with a registry, deploying one microservice per host, hardening the host operating system, defending in depth, building vulnerability scanning into your development and build pipeline, and using automated system testing.
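The hardening points above (immutable containers, images only from trusted sources, a hardened runtime) as an added Python check, not code from the article or from Uptycs: it inspects a Kubernetes-style pod spec and reports images from outside an allow-listed registry, images pinned by a mutable tag instead of a digest, privileged containers, and writable root filesystems. The trusted-registry list and the pod spec are constructed assumptions.

```python
"""Check container specs against the article's hardening points. Added
example; the registry allow-list and the sample pod spec are constructed."""
import re

TRUSTED_REGISTRIES = ("registry.example.internal/", "ghcr.io/example-org/")  # assumption
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def image_findings(image):
    """Findings for one image reference string."""
    findings = []
    if not image.startswith(TRUSTED_REGISTRIES):
        findings.append("untrusted-registry")
    if not DIGEST_RE.search(image):
        # A tag such as :latest can be re-pointed; a digest cannot (immutable image).
        findings.append("not-pinned-by-digest")
    return findings

def pod_findings(pod_spec):
    """Return {container_name: [findings]} for a Kubernetes-style pod spec dict.
    Only containers with at least one finding appear in the result."""
    result = {}
    for c in pod_spec.get("containers", []):
        findings = image_findings(c.get("image", ""))
        sc = c.get("securityContext", {})
        if sc.get("privileged", False):
            findings.append("privileged")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append("writable-root-filesystem")
        if findings:
            result[c["name"]] = findings
    return result

# Constructed pod spec: the shape follows a Kubernetes PodSpec, the values are made up.
SAMPLE_POD = {
    "containers": [
        {"name": "api",
         "image": "registry.example.internal/shop/api@sha256:" + "a" * 64,
         "securityContext": {"readOnlyRootFilesystem": True}},
        {"name": "sidecar",
         "image": "docker.io/library/busybox:latest",
         "securityContext": {"privileged": True}},
    ]
}

if __name__ == "__main__":
    for name, findings in pod_findings(SAMPLE_POD).items():
        print(f"{name}: {', '.join(findings)}")
```

Run as an admission or CI step, a non-empty result is the signal to block the deployment until the image source, pinning and runtime settings meet the policy.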
....more available upon request