In a world full of threats targeting data as well as stringent compliance mandates, it’s never been more important to create a strong unified cloud security strategy. But as cloud environments become more complex and diverse, it’s also never been more difficult.
Even if you’re partnering with a notably secure provider, it’s still important to understand your security responsibility and to be proactive about protecting your data in the cloud. Here are a few things to keep in mind as you build out your unified cloud security strategy.
Tip #1: Understand Your Cloud Security Responsibility
To build and maintain a unified cloud security strategy, you first need to understand the boundaries of your responsibility (i.e., who is responsible for what). According to shared responsibility models, the public cloud vendor is responsible for the security of the cloud, while the customer is responsible for security in the cloud. But what that means depends largely on the cloud model you’re using. In infrastructure as a service (IaaS) models, the cloud service provider is responsible for the core infrastructure, which includes storage, networking and computing power, while the customer is responsible for managing the guest operating system, as well as managing applications and protecting data. This includes vulnerability management, patching, the security of third party libraries, and the entire SDLC of any customer built applications.
In software as a service (SaaS) models, however, the cloud service provider oversees the security of its entire infrastructure — the host operating system, the virtualization layer, storage, database and the physical security of its facilities — while the onus is on the customer to secure your data within that cloud environment. That means you’re responsible for implementing appropriate identity and access management controls (IAM) and ensuring reliable network and firewall configuration. You are also responsible for encrypting data, both in transit and at rest.
Tip #2: Ensure Visibility into Your Cloud Infrastructure
It’s also imperative that you understand everything that’s running on your organization’s cloud infrastructure. While all major cloud vendors provide some form of monitoring for their specific IaaS platforms, there is still a need to provide monitoring across all providers, with AWS, Azure, and GCP being the most common. As organizations continue their migration to the cloud, this will also include monitoring across hybrid environments — so consider using a modern SIEM or data platform like Splunk that applies monitoring, analytics and data/asset management functions across both public and private cloud environments, as well as on-premises infrastructure.
In particular, make it a point to know what sensitive data is stored in the cloud, like intellectual property and proprietary information, payment card data, personally identifiable information (PII) and patient healthcare data. And ensure that you’re using appropriate security logging, monitoring, detection and alerting solutions to identify any malware, unauthorized cloud access and other aberrations.
Ideally, administrators should be able to see both public and private cloud systems from a single dashboard. Having a holistic view of your environment will help you more effectively identify threats and vulnerabilities, while also giving you the ability to get ahead of risk.
Tip #3: Create and Enforce Strong Access/Security Controls
When creating access policies, be sure to grant privileges sparingly, so that employees, contractors and other users can only gain access to the resources that are required to perform their jobs. Creating a standardized IAM framework across all systems will help protect assets in hybrid and multiple cloud environments.
Place safeguards on Amazon Web Services (AWS) keys by restricting access to those who need them. Create unique keys for each service, and regularly rotate them to reduce the chance of attackers using privileges to compromise cloud environments.
Also, consider investing in a strong Cloud Security Posture Management (CSPM) solution, which will closely examine cloud platform accounts, and check for any misconfigurations that can lead to unauthorized data leakage or breaches. To that end, encrypt all data stored in the cloud and maintain control of the encryption keys. Should your data end up in the wrong hands, at least it can’t be used.
When you hand your data to a cloud provider, the responsibility to safeguard your data lies with you. Assuming your cloud provider will take care of all security functions is likely a breach waiting to happen. But proactively creating — and enforcing — strong security and access policies will let you keep your cloud data safe.
Learn how to create a unified cloud security strategy — check out our on-deman webinar, "Approaches for a More Secure Cloud Environment: Prevention and Detection."