This is the third post in a series focused on cloud security fundamentals. The first post looked at the shared responsibility model, which establishes security of the cloud as the cloud provider’s responsibility and security in the cloud as the customer's responsibility. The second post examined cloud security network management and discussed the flexibility and ease that the virtual private cloud can bring to customers by providing complete isolation of the resources running in the cloud.
It is essential for every organization to focus on security. As security requirements change with time, the security process has to evolve and be updated. A customer hosting workloads in the cloud needs to be clear about the different layers of security. While the shared responsibility model reduces the customer’s degree of responsibility, there are still specific layers that need to be looked after. Those layers are the cloud infrastructure layer, the operating system layer, the application infrastructure layer, and the application layer. Each layer requires the right amount of security controls, expertise, and audits to maintain the desired state.
Cloud Security Essentials
Security is not a product which can be procured and implemented. It is a process which has to be baked into the DNA of an organization. Security should be included in every phase of every product, starting with design and moving through development, testing, release, and operations. One gap or mistake can open up a can of worms for the organization. Additionally, it is critical that organizations train their teams on their security practices. The majority of security lapses happen as a result of human error, not system error.
Once systems are built and in production, an organization should enforce continuous audits to identify any lapse or deviation from the compliant state. Usually, the cloud provider holds multiple compliance certifications, such as HIPAA, FedRAMP, and PCI-DSS, to support regulated industries. The organization’s responsibility is to ensure compliance for the resources and architecture it runs in the cloud.
As more and more customers adopt the cloud, cloud providers have taken a step forward by providing various security-as-a-service solutions for them. These include web application firewalls as a service, DDoS protection as a service, and encryption as a service. These features are sufficient for most companies. One of the most significant advantages of using these built-in services is seamless integration with other cloud services. The level of abstraction provided by these security features allows an individual or a team with a decent security background to implement them directly. For organizations running complex and regulated workloads, additional security controls can be put in place to meet the desired secure and compliant state.
Understanding Unique Workloads
An essential component of cloud security is understanding the variations in security architecture and ensuring that existing controls and processes are adapted or modified to fit each one. With the cloud, new architecture patterns such as containers and serverless have emerged, and their security requirements differ from those of web/app-based architectures running on the cloud. As organizations adopt and implement DevOps, they should build security into that culture and become familiar with the DevSecOps model.
Securing communication between different microservices
For effective security implementation and monitoring, an organization needs real-time alerting and monitoring systems to protect itself from any security threat. Real-time monitoring isn’t just about the threats or attacks received from the outside world. It should be robust enough to look into various other threat patterns, such as changes made to the cloud infrastructure, the provisioning of new resources, cloud service connectivity, and the communication patterns between resources. The monitoring system should cover both internal and external threat patterns and provide real-time alerts to the security team.
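The internal threat patterns listed above (infrastructure changes, new resource provisioning, cross-service connectivity) are what a rule-based detector over the cloud audit trail looks for. The script below is an added example, not code from the original post: the four events are constructed, CloudTrail-style records, and every field name, principal, account number and allowlist value is an assumption for the example rather than any provider's real schema.

```python
"""Rule-based detection over cloud audit events: changes, provisioning, connectivity.

Added example (not from the original post). The events are constructed and
the field names, principals and baseline values are assumptions, not any
provider's real log schema.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events: a firewall change, an unexpected provisioning
# call, a cross-account role assumption, and one benign read-only call.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T02:14:00Z", "principal": "deploy-bot",
     "source_ip": "10.0.5.21", "action": "AuthorizeSecurityGroupIngress",
     "params": {"group": "sg-web", "cidr": "0.0.0.0/0", "port": 22}},
    {"time": "2024-01-10T02:15:30Z", "principal": "contractor-jane",
     "source_ip": "203.0.113.9", "action": "RunInstances",
     "params": {"instance_type": "m5.large", "count": 4}},
    {"time": "2024-01-10T02:16:00Z", "principal": "svc-orders",
     "source_ip": "10.0.7.40", "action": "AssumeRole",
     "params": {"role_arn": "arn:aws:iam::999999999999:role/admin"}},
    {"time": "2024-01-10T02:17:00Z", "principal": "svc-orders",
     "source_ip": "10.0.7.40", "action": "DescribeInstances", "params": {}},
]

# Baseline the rules compare against (assumed values for the example).
PROVISIONING_PRINCIPALS = {"deploy-bot", "terraform-ci"}
PROVISIONING_ACTIONS = {"RunInstances", "CreateFunction", "CreateCluster"}
TRUSTED_ACCOUNTS = {"111111111111"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
CHANGE_WINDOW_HOURS_UTC = range(9, 18)   # provisioning is expected in working hours


@dataclass
class Alert:
    severity: str
    rule: str
    principal: str
    detail: str


def _is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETWORKS)


def rule_world_open_ingress(event):
    """Infrastructure change: a security-group rule opened to the whole internet."""
    if event["action"] != "AuthorizeSecurityGroupIngress":
        return None
    cidr = event["params"].get("cidr", "")
    if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
        return Alert("high", "world_open_ingress", event["principal"],
                     f"{event['params']['group']} opened port {event['params']['port']} to {cidr}")
    return None


def rule_unexpected_provisioning(event):
    """New resources created by the wrong principal, at the wrong time, or from outside."""
    if event["action"] not in PROVISIONING_ACTIONS:
        return None
    hour = datetime.fromisoformat(event["time"].replace("Z", "+00:00")).hour
    reasons = []
    if event["principal"] not in PROVISIONING_PRINCIPALS:
        reasons.append("principal not in provisioning allowlist")
    if hour not in CHANGE_WINDOW_HOURS_UTC:
        reasons.append(f"outside change window (hour {hour:02d} UTC)")
    if not _is_internal(event["source_ip"]):
        reasons.append(f"external source {event['source_ip']}")
    if reasons:
        return Alert("medium", "unexpected_provisioning", event["principal"], "; ".join(reasons))
    return None


def rule_untrusted_cross_account(event):
    """Connectivity pattern: a role assumed in an account that is not on the trusted list."""
    if event["action"] != "AssumeRole":
        return None
    account = event["params"]["role_arn"].split(":")[4]   # ARN field 5 is the account id
    if account not in TRUSTED_ACCOUNTS:
        return Alert("high", "untrusted_cross_account", event["principal"],
                     f"assumed role in account {account}")
    return None


RULES = [rule_world_open_ingress, rule_unexpected_provisioning, rule_untrusted_cross_account]


def detect(events, rules=RULES):
    """Run every rule over every event and return the alerts raised, in event order."""
    alerts = []
    for event in events:
        for rule in rules:
            alert = rule(event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} by {a.principal}: {a.detail}")
```

Each rule is a pure function of one event, so new patterns (for instance, a rule for new VPC peering connections) can be added to `RULES` without touching the loop, and the same functions can be unit-tested against captured events before they go live. In a real deployment the baseline sets would be loaded from the organization's inventory rather than hard-coded.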
Beyond Firewall and Security Groups
Though firewalls and security groups are a very important aspect of any data center environment, some adjustments need to be made when dealing with the complexity of the cloud. To start with, firewall rules should understand the context and nature of the applications that reside in the workload. Additionally, those rules should be tier-based, meaning that each user has different permissions based on their role, for better structure and enforcement.
Those security policies should be enforced consistently across even the most complex hybrid and multi-cloud deployments.
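One way to get both the continuous compliance audit called for earlier and consistent, context-aware enforcement across clouds is to express the tiered policy once as code and evaluate every provider's firewall rules against it after normalizing them to a common shape. The script below is an added example, not code from the original post: the three-tier web/app/db policy, both rule inventories and the two "provider formats" are constructed assumptions for illustration, not any real provider's API.

```python
"""Policy-as-code audit of firewall rules from two clouds against one tier baseline.

Added example (not from the original post). The tier policy, both inventories
and the two provider formats are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Which sources may reach each application tier, and on which ports.
TIER_POLICY = {
    "web": {"sources": {"internet"}, "ports": {443}},
    "app": {"sources": {"web"}, "ports": {8080}},
    "db":  {"sources": {"app"}, "ports": {5432}},
}

# Cloud A (assumed format): security-group rules, with a group-to-tier map so
# that a rule referencing another group can be judged by that group's tier.
CLOUD_A_GROUP_TIERS = {"sg-web": "web", "sg-app": "app", "sg-db": "db"}
CLOUD_A_RULES = [
    {"group": "sg-web", "cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"group": "sg-web", "cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
    {"group": "sg-db", "source_group": "sg-app", "from_port": 5432, "to_port": 5432},
]

# Cloud B (assumed format): network firewall rules targeting tagged instances.
CLOUD_B_RULES = [
    {"name": "allow-app-from-web", "target_tag": "app", "source_tags": ["web"], "ports": ["8080"]},
    {"name": "allow-db-from-corp", "target_tag": "db", "source_ranges": ["10.0.0.0/8"], "ports": ["5432"]},
]


@dataclass
class Rule:
    cloud: str
    name: str
    tier: str
    source: str        # "internet", a tier name, or "cidr:<range>"
    ports: frozenset


def classify_cidr(cidr):
    """A /0 is 'the internet'; anything narrower is kept as an explicit cidr source."""
    net = ipaddress.ip_network(cidr, strict=False)
    return "internet" if net.prefixlen == 0 else f"cidr:{net}"


def parse_port_spec(spec):
    """Accept "443" or "8000-8080" and return the set of ports covered."""
    lo, _, hi = spec.partition("-")
    return frozenset(range(int(lo), int(hi or lo) + 1))


def normalize_cloud_a(rules, group_tiers=CLOUD_A_GROUP_TIERS):
    out = []
    for r in rules:
        if "source_group" in r:
            source = group_tiers.get(r["source_group"], f"group:{r['source_group']}")
        else:
            source = classify_cidr(r["cidr"])
        ports = frozenset(range(r["from_port"], r["to_port"] + 1))
        name = f"{r['group']}:{r['from_port']}-{r['to_port']}"
        out.append(Rule("cloud-a", name, group_tiers[r["group"]], source, ports))
    return out


def normalize_cloud_b(rules):
    out = []
    for r in rules:
        ports = frozenset().union(*(parse_port_spec(p) for p in r["ports"]))
        sources = list(r.get("source_tags", []))
        sources += [classify_cidr(c) for c in r.get("source_ranges", [])]
        for source in sources:   # one normalized rule per source so each is judged alone
            out.append(Rule("cloud-b", r["name"], r["target_tag"], source, ports))
    return out


def evaluate(rules, policy=TIER_POLICY):
    """Return (cloud, rule name, reason) for every rule deviating from the tier policy."""
    findings = []
    for rule in rules:
        tier = policy.get(rule.tier)
        if tier is None:
            findings.append((rule.cloud, rule.name, f"unknown tier {rule.tier}"))
            continue
        if rule.source not in tier["sources"]:
            findings.append((rule.cloud, rule.name,
                             f"source {rule.source} not allowed into {rule.tier} tier"))
        extra = sorted(rule.ports - tier["ports"])
        if extra:
            findings.append((rule.cloud, rule.name,
                             f"ports {extra} not allowed into {rule.tier} tier"))
    return findings


def audit():
    """The whole compliance check: normalize every cloud, evaluate against one policy."""
    return evaluate(normalize_cloud_a(CLOUD_A_RULES) + normalize_cloud_b(CLOUD_B_RULES))


if __name__ == "__main__":
    for cloud, name, reason in audit():
        print(f"[{cloud}] {name}: {reason}")
```

Run on a schedule, `audit()` is the continuous check for drift from the compliant state: it flags the SSH rule that cloud A's web group exposes to the internet and the database rule in cloud B that admits an entire corporate range instead of the app tier, while the policy itself is written once and never depends on either provider's rule format.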
Security is a continuously evolving process, and it is essential for every organization to not only adopt security practices but also update the controls and the team skill set necessary to achieve the desired state. There are multiple services, features, and products available to support organizations in this process, but a security-focused mindset is the real requirement for reaching this state. With new evolving architectures, security requirements differ from company to company; the same set of generic rules can't be applied everywhere. As a result, it is crucial for organizations to be aware of evolving best practices—whether they are self-taught or learned through reading web-based articles—and apply them as appropriate.