Cloud Security Best Practices

Gui Alvarenga - May 17, 2022

Organizations are adopting cloud platforms for their mission-critical workloads more than ever, thanks to the flexibility and efficiency provided by the cloud in comparison to traditional data centers.

One of an organization's key concerns when embarking on a digital-transformation journey in the cloud is security, because securing cloud workloads requires a different set of tools and practices from traditional data-center security. In addition, breaches and malware attacks are now commonplace in the cloud, and the threat vectors keep evolving. It is therefore important to understand the building blocks of cloud security, to implement the right tools and best practices to protect your cloud-hosted workloads, and to mature your security practices as your organization progresses along its cloud-adoption journey.

In this blog, we’ll look at the recommended security best practices organizations can implement at each stage of their cloud adoption, starting with the most basic and progressing to intermediate and advanced.


Cloud Security Best Practices: Basic

This is where all organizations start. When making the initial foray into the cloud, there are some non-negotiable security constructs that come into play.

Shared Responsibility

All leading cloud service providers (AWS, Azure and GCP) follow a shared responsibility model for cloud security. The provider is responsible for security of the cloud: physical facilities, hardware, the hypervisor and the managed services themselves. The customer is responsible for security in the cloud: the infrastructure, applications, data and identities deployed on top of it. Exactly where the line falls depends on the service model.

For infrastructure-as-a-service (IaaS) deployments, this includes securing the operating system of every virtual machine by applying patches regularly, configuring its host firewall and enabling anti-malware protection, among other measures. Application-layer protection is typically added through a web application firewall (WAF) and tools that protect against distributed denial-of-service (DDoS) attacks.

In platform-as-a-service (PaaS) deployments, VM-level protection is the cloud provider's responsibility; the customer must still secure the application, its data and the identities that access it. With software-as-a-service (SaaS), the provider manages most controls up to and including the application, while the customer remains responsible for user access, data classification and usage policies.

It is crucial to review the shared responsibility matrix for your cloud service provider and enable the relevant controls for your app using native or third-party security tools and services.

Perimeter Security

Because cloud networks are built on software-defined networking (SDN), it is straightforward to implement multilayer security guardrails. Start with basic segmentation of workloads into separate virtual networks or subnets, and allow only the communication between them that the application requires. Additionally, restrict inbound traffic to your applications with network-layer or application-layer firewalls.

Injection attacks such as SQL injection and cross-site scripting, along with attempts to exploit flaws that lead to data exposure, are among the major application-security concerns that a web application firewall (WAF) using OWASP-derived rule sets (for example, the OWASP Core Rule Set) can help detect and block. A WAF is a compensating control, not a substitute for fixing the vulnerable code. A multilayer DDoS defense strategy is also essential to protect workloads from volumetric and application-layer DDoS attacks in the cloud. All major cloud service providers offer DDoS protection services that can be placed in front of your application to detect and absorb such attacks.

A firewall that acts as the gatekeeper for inbound traffic should be deployed at your network perimeter. This can be a cloud-native firewall service or a more advanced third-party appliance that performs intrusion detection, deep packet inspection, traffic analysis and threat detection. You can also add a separate intrusion detection system (IDS) or intrusion prevention system (IPS) to the architecture to strengthen the perimeter of your cloud deployments.

Monitor for Misconfigurations

Successful intrusions into cloud workloads are frequently the result of service misconfigurations or manual configuration errors: a storage bucket left publicly readable, an administrative port open to the Internet, an over-privileged role. Cloud security posture management (CSPM) solutions should be incorporated into your architecture to continuously detect misconfigurations that creep into your cloud deployment.

CSPM solutions add value by evaluating your deployments against a set of best-practice rules. These can be organization-specific standards or rules aligned to leading security and compliance benchmarks such as the CIS Foundations Benchmarks. The tool produces a security score that quantifies how closely your cloud workloads conform to the benchmark, and flags every deviation so that you can take corrective action. Keep in mind that a high score indicates conformance with the chosen rule set, not the absence of exploitable flaws in your application code.
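The following is an added example, not code from the original post or from any CSPM product. It shows, in miniature, what the perimeter checks above (no non-web ports open to the whole Internet) and a CSPM evaluation look like in practice: a constructed resource inventory is run through a handful of benchmark-style rules, each deviation is reported with a severity, and a score is derived from the weighted findings. The resource shapes, rule thresholds and severity weights are assumptions chosen for the demo, not any provider's API or any vendor's scoring formula.

```python
"""CSPM-style posture check over a constructed cloud resource inventory.

Added example; not code from the original page or from any vendor product.
The resource records are simplified, hypothetical stand-ins for what a cloud
provider's inventory API returns, and the rules are a small subset of the kind
of checks found in CIS-style benchmarks.
"""
import ipaddress

# Constructed inventory for the demo (hypothetical resources, not real infrastructure).
INVENTORY = [
    {"type": "security_group", "id": "sg-web", "ingress": [
        {"port": 443, "cidr": "0.0.0.0/0"},        # public HTTPS: expected for a web tier
        {"port": 22, "cidr": "10.0.0.0/8"},        # SSH only from the private network
    ]},
    {"type": "security_group", "id": "sg-db", "ingress": [
        {"port": 3306, "cidr": "0.0.0.0/0"},       # database reachable from the whole Internet
    ]},
    {"type": "bucket", "id": "backups", "public": True, "encryption": None},
    {"type": "bucket", "id": "logs", "public": False, "encryption": "aws:kms"},
    {"type": "vm", "id": "web-1", "public_ip": "203.0.113.10", "disk_encrypted": True},
    {"type": "vm", "id": "batch-1", "public_ip": None, "disk_encrypted": False},
]

SEVERITY_WEIGHT = {"high": 20, "medium": 10, "low": 5}
WEB_PORTS = {80, 443}
ADMIN_PORTS = {22, 3389}
DB_PORTS = {1433, 3306, 5432, 6379, 27017}


def world_reachable(cidr):
    """True when the CIDR covers the entire Internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(sg):
    """Flag ingress rules that expose non-web ports to the whole Internet."""
    findings = []
    for rule in sg["ingress"]:
        if not world_reachable(rule["cidr"]) or rule["port"] in WEB_PORTS:
            continue
        sev = "high" if rule["port"] in ADMIN_PORTS | DB_PORTS else "medium"
        findings.append((sev, sg["id"], f"port {rule['port']} open to {rule['cidr']}"))
    return findings


def check_bucket(bucket):
    """Public buckets and buckets without server-side encryption are deviations."""
    findings = []
    if bucket["public"]:
        findings.append(("high", bucket["id"], "bucket allows public access"))
    if not bucket["encryption"]:
        findings.append(("medium", bucket["id"], "bucket has no server-side encryption"))
    return findings


def check_vm(vm):
    """No public IPs on workloads, and every disk encrypted."""
    findings = []
    if vm["public_ip"]:
        findings.append(("low", vm["id"], f"VM has public IP {vm['public_ip']}"))
    if not vm["disk_encrypted"]:
        findings.append(("medium", vm["id"], "VM disk is not encrypted"))
    return findings


CHECKS = {"security_group": check_security_group, "bucket": check_bucket, "vm": check_vm}


def evaluate(inventory):
    """Run every check; the score is 100 minus the severity-weighted findings, floored at 0."""
    findings = []
    for resource in inventory:
        findings.extend(CHECKS[resource["type"]](resource))
    penalty = sum(SEVERITY_WEIGHT[sev] for sev, _, _ in findings)
    return {"score": max(0, 100 - penalty), "findings": findings}


if __name__ == "__main__":
    report = evaluate(INVENTORY)
    print(f"security score: {report['score']}/100")
    for sev, resource_id, message in report["findings"]:
        print(f"[{sev:>6}] {resource_id}: {message}")
```

Run against the constructed inventory, the world-open database port and the public backup bucket are rated high, the unencrypted bucket and disk medium, and the public IP low, giving a score of 35. The IPv6 case matters in real inventories: a rule for `::/0` is just as open as `0.0.0.0/0`, which is why the check looks at the prefix length rather than comparing strings.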

Data Encryption

When you use cloud storage services, your data resides in an environment controlled by the cloud service provider, so protecting data at rest and in transit is critical. Providers offer out-of-the-box encryption for data stored in block and object storage services. To protect data in transit, connections to cloud storage should use HTTPS/TLS only; most providers let you enforce this with a policy that rejects requests arriving over plaintext connections.

Encryption at rest is enabled by default on the major cloud platforms using platform-managed keys. Customers can gain additional control by using customer-managed keys held in the provider's key management service, which gives them control over key rotation, access policies and audit logging for every use of the key. Organizations with stricter security or compliance requirements can use hardware security module (HSM)-backed key management services, or third-party services, to protect their data-encryption keys. Note that the provider still performs the encryption in either case; what changes is who controls the key and who can revoke access to it.

Identity and Access Management

When it comes to your cloud workloads, control-plane security is critical, since the control plane holds the keys to the kingdom. Use the identity and access management (IAM) service native to your cloud platform to implement role-based, fine-grained access control to cloud resources, enforce multi-factor authentication for human users, and prefer short-lived credentials (roles, managed identities) over long-lived static access keys.

Cloud platforms also provide tools for straightforward integration of on-premises directories such as Active Directory with cloud-native IAM services, giving users a seamless single sign-on (SSO) experience for cloud-hosted workloads. The rule of thumb for IAM controls is the principle of least privilege: each user and service identity should be able to reach only the data and cloud resources it needs to do its job, and nothing more.
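The example below is added here and is not code from the original post or from any cloud provider. It serves both the data-in-transit point from the Data Encryption section and the least-privilege point above: a small policy evaluator that follows the widely documented IAM evaluation order (an explicit Deny always wins, then an explicit Allow, otherwise an implicit deny), a Deny statement keyed on the `aws:SecureTransport` condition that rejects any storage call not made over TLS, and a lint that flags the `"Action": "*"` / `"Resource": "*"` anti-pattern. The policy documents, the request context and the bucket name are constructed, and the matcher implements only the subset of policy grammar those documents use.

```python
"""IAM-style policy evaluation with a TLS-only condition, plus a least-privilege lint.

Added example; not code from the original page or from any cloud provider.
It mirrors the widely documented evaluation order of AWS IAM (an explicit Deny
always wins, then an explicit Allow, otherwise an implicit deny) and the
aws:SecureTransport condition key, but the policy documents and the request
context are constructed for this demo and the matcher supports only the subset
of policy grammar used here (string wildcards and the Bool condition operator).
"""
import fnmatch

# Constructed identity policy for a hypothetical application role.
APP_POLICY = {
    "Statement": [
        {   # Least-privilege grant: two actions on one bucket's objects.
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::app-data/*",
        },
        {   # Data-in-transit guardrail: refuse any call that did not arrive over TLS.
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ]
}

# The classic anti-pattern that a least-privilege lint should catch.
OVERBROAD_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Policy strings use '*' as a wildcard; matching is case-sensitive here."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the Bool operator is implemented; anything else raises rather than silently passing."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                return False  # a missing context key never satisfies a Bool condition
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement["Action"], action):
                continue
            if not _matches(statement["Resource"], resource):
                continue
            if "Condition" in statement and not _condition_holds(statement["Condition"], context):
                continue
            if statement["Effect"] == "Deny":
                return "explicit_deny"   # a matching Deny ends evaluation immediately
            allowed = True               # keep scanning: a later Deny could still win
    return "allow" if allowed else "implicit_deny"


def lint_least_privilege(policy):
    """Flag Allow statements whose Action or Resource is a bare '*'."""
    issues = []
    for index, statement in enumerate(policy["Statement"]):
        if statement["Effect"] != "Allow":
            continue
        for field in ("Action", "Resource"):
            if "*" in _as_list(statement[field]):
                issues.append(f"statement {index}: {field} is '*'")
    return issues


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-data/report.csv"
    print(evaluate([APP_POLICY], "s3:GetObject", obj, {"aws:SecureTransport": "true"}))     # allow
    print(evaluate([APP_POLICY], "s3:GetObject", obj, {"aws:SecureTransport": "false"}))    # explicit_deny
    print(evaluate([APP_POLICY], "s3:DeleteObject", obj, {"aws:SecureTransport": "true"}))  # implicit_deny
    print(lint_least_privilege(OVERBROAD_POLICY))
```

Two details are worth noting. The evaluator does not stop at the first matching Allow, because a later Deny must still be able to override it; and an unsupported condition operator raises instead of being skipped, since silently ignoring a condition on a Deny statement would turn a guardrail into a hole.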


Cloud Security Best Practices: Intermediate

Your organization can implement additional controls to strengthen security as you evolve in the cloud.

Security Posture Visibility

As the cloud footprint expands, so does the chance that a breach goes undetected. The right tools provide much-needed visibility into your security posture and enable proactive security management.

All leading cloud platforms offer an advanced or premium tier of their native CSPM solution with capabilities such as detection of data exfiltration, event-based threat detection, IAM account hijacking and cryptomining, to name a few. Note, however, that these features are usually limited to the provider's own platform. For hybrid or multi-cloud deployments, incorporate a specialized tool that provides security posture visibility across all of them.
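To make the "event threat detection" and "IAM account hijack" capabilities above concrete, here is an added example (not from the original post or any vendor) of a few detection rules run over audit events. The events are constructed in the shape of AWS CloudTrail records so the field names are realistic, but every value, account ID and IP address is invented, and the rules (root console login, login without MFA, a burst of failed logins from one source, attaching AdministratorAccess, minting an access key for another user) are illustrative rather than a complete detection set.

```python
"""Detection rules run over constructed CloudTrail-style audit events.

Added example; not code from the original page or from any vendor. The events
below are constructed in the shape of AWS CloudTrail records (eventName,
userIdentity, sourceIPAddress, responseElements, additionalEventData) so the
field names are realistic, but every value is invented for the demo and the
rules are illustrative, not a complete detection set.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """
{"eventTime":"2022-05-17T10:00:01Z","eventName":"ConsoleLogin","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2022-05-17T10:01:10Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.5","responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2022-05-17T10:01:40Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.5","responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2022-05-17T10:02:05Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.5","responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2022-05-17T10:03:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.5","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2022-05-17T10:03:30Z","eventName":"AttachUserPolicy","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.5","requestParameters":{"userName":"alice","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2022-05-17T10:04:00Z","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.5","requestParameters":{"userName":"bob"}}
{"eventTime":"2022-05-17T11:00:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"192.0.2.9","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
"""

POLICY_ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}


def parse_events(text):
    """One JSON object per line, oldest first."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(event):
    identity = event["userIdentity"]
    return identity.get("userName") or identity.get("arn") or identity["type"]


def detect(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (rule, actor, source_ip) alerts; events must be in chronological order."""
    alerts = []
    failures = defaultdict(list)  # (source ip, actor) -> timestamps of recent failed logins
    for event in events:
        name, actor, ip = event["eventName"], _actor(event), event["sourceIPAddress"]
        params = event.get("requestParameters", {})
        if name == "ConsoleLogin":
            success = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            if success and event["userIdentity"]["type"] == "Root":
                alerts.append(("root_console_login", actor, ip))
            if success and not mfa:
                alerts.append(("console_login_without_mfa", actor, ip))
            if not success:
                now = _when(event)
                recent = [t for t in failures[(ip, actor)] if now - t <= window] + [now]
                failures[(ip, actor)] = recent
                if len(recent) == fail_threshold:  # fire once per burst, not on every extra failure
                    alerts.append(("login_brute_force", actor, ip))
        elif name in POLICY_ATTACH_EVENTS and params.get("policyArn", "").endswith("/AdministratorAccess"):
            alerts.append(("admin_policy_attached", actor, ip))
        elif name == "CreateAccessKey" and params.get("userName", actor) != actor:
            # Keys minted for *another* user are a classic persistence / account-takeover move.
            alerts.append(("access_key_for_other_user", actor, ip))
    return alerts


if __name__ == "__main__":
    for rule, actor, ip in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule:28} actor={actor} source={ip}")
```

On the constructed log this produces five alerts, and the sequence for alice tells the story a hunter would want to see: a burst of failed logins from one address, then a success without MFA, then self-escalation to administrator and a new access key created for someone else. Individually each rule is noisy; correlated by actor and source address, the chain is a credible account-takeover signal.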

Cloud Security Policies

Cloud security policies implement organization-wide guardrails. Examples include preventing workloads from being deployed with public IP addresses, restricting east-west traffic, or requiring monitoring of container workload traffic patterns.

The implementation differs between providers: Azure uses Azure Policy, GCP uses organization policies, and AWS uses service control policies within AWS Organizations. The advantage of such policies is that they enforce the standard automatically across every subscription, project or account, rather than relying on each team to configure it.

Container Security

Container security covers both the containers and the orchestration platform, with Kubernetes being the platform most often used in the cloud. Define an industry-standard security baseline for containerized workloads (for example, the Kubernetes Pod Security Standards) and continuously monitor for and report deviations from it.

Organizations require tools that can detect malicious activity in containers, including activity that happens at run time. Security technologies that provide visibility into container activity, and that can detect and decommission rogue containers, are essential. Because the threat landscape constantly changes, favor technologies that use artificial intelligence (AI) and machine learning (ML) to detect malware without relying solely on signatures.
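As an added illustration of what "a security baseline for containerized workloads, with reporting of deviations" means in practice (not code from the original post or from the Kubernetes project), the checker below evaluates constructed Pod manifests against rules modeled on the Kubernetes Pod Security Standards baseline and restricted profiles: host namespaces, hostPath volumes, privileged containers, added capabilities, and for the restricted profile also non-root, no privilege escalation, dropping all capabilities and a seccomp profile. It is a simplified reimplementation, not the upstream admission controller, and the pod names and images are invented.

```python
"""Pod security baseline checker over constructed Kubernetes manifests.

Added example; not code from the original page or from the Kubernetes project.
The rules follow the intent of the Kubernetes Pod Security Standards
"baseline" and "restricted" profiles (host namespaces, privileged mode,
hostPath volumes, capabilities, privilege escalation, seccomp, non-root), but
this is a simplified reimplementation, not the upstream admission controller,
and the manifests are constructed for the demo.
"""

# Capabilities the baseline profile tolerates in securityContext.capabilities.add.
BASELINE_ADD_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
RESTRICTED_ADD_CAPS = {"NET_BIND_SERVICE"}

DEBUG_POD = {"metadata": {"name": "debug-tools"}, "spec": {
    "hostPID": True,
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox",
                    "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}],
}}
API_POD = {"metadata": {"name": "api"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "api", "image": "registry.example.com/team/api:1.4",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
}}
LEGACY_POD = {"metadata": {"name": "legacy"}, "spec": {
    "containers": [{"name": "app", "image": "registry.example.com/team/legacy:7"}],
}}


def _containers(pod):
    spec = pod["spec"]
    return spec.get("containers", []) + spec.get("initContainers", [])


def _effective(pod, container, key):
    """Container-level securityContext overrides the pod-level one for shared keys."""
    container_ctx = container.get("securityContext", {})
    if key in container_ctx:
        return container_ctx[key]
    return pod["spec"].get("securityContext", {}).get(key)


def check_pod(pod, profile="baseline"):
    """Return the list of violations of the given profile ('baseline' or 'restricted')."""
    if profile not in ("baseline", "restricted"):
        raise ValueError(f"unknown profile: {profile}")
    spec, violations = pod["spec"], []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"{field} is true")
    for volume in spec.get("volumes", []):
        if "hostPath" in volume:
            violations.append(f"volume {volume['name']} uses hostPath")
    allowed_add = BASELINE_ADD_CAPS if profile == "baseline" else RESTRICTED_ADD_CAPS
    for c in _containers(pod):
        ctx = c.get("securityContext", {})
        caps = ctx.get("capabilities", {})
        if ctx.get("privileged"):
            violations.append(f"container {c['name']} is privileged")
        extra = set(caps.get("add", [])) - allowed_add
        if extra:
            violations.append(f"container {c['name']} adds capabilities {sorted(extra)}")
        if profile == "restricted":
            if _effective(pod, c, "runAsNonRoot") is not True:
                violations.append(f"container {c['name']} does not set runAsNonRoot: true")
            if ctx.get("allowPrivilegeEscalation") is not False:
                violations.append(f"container {c['name']} does not set allowPrivilegeEscalation: false")
            if "ALL" not in caps.get("drop", []):
                violations.append(f"container {c['name']} does not drop ALL capabilities")
            seccomp = (_effective(pod, c, "seccompProfile") or {}).get("type")
            if seccomp not in ("RuntimeDefault", "Localhost"):
                violations.append(f"container {c['name']} has no RuntimeDefault/Localhost seccomp profile")
    return violations


def scan(pods, profile="baseline"):
    """Map each pod name to its violations; an empty list means the pod conforms."""
    return {pod["metadata"]["name"]: check_pod(pod, profile) for pod in pods}


if __name__ == "__main__":
    for profile in ("baseline", "restricted"):
        for name, problems in scan([DEBUG_POD, API_POD, LEGACY_POD], profile).items():
            print(f"[{profile}] {name}: {problems or 'OK'}")
```

The "legacy" pod is the instructive case: it passes the baseline profile because it asks for nothing dangerous, yet fails restricted on four counts because it asserts nothing safe either. That distinction is why the restricted checks test for explicit settings (`is not True`, `is not False`) rather than merely for the absence of bad ones.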

Vulnerability Assessment and Remediation

You should have a continuous vulnerability scanning and remediation service that finds unpatched software, vulnerable dependencies and insecure configurations in your workloads; this complements, rather than replaces, the anti-malware protection discussed earlier. The service should support workloads deployed in VMs as well as in containers and container images.

Consider a vulnerability management solution that can continuously scan workloads for vulnerabilities, compile reports and present the results in dashboards, and auto-remediate problems where possible.

Zero Trust Approach

A Zero Trust approach is widely regarded as the strongest model for cloud security. It means not assuming trust between services merely because they sit inside the organization's network perimeter: every request is authenticated and authorized on its own merits, and the architecture is designed on the assumption that a breach may already have occurred.

The main principles of Zero Trust are segmentation and allowing only the minimum communication required between the services of an application. Only authorized identities should be used for that communication, in line with the principle of least privilege. All communication, whether within the environment or with outside resources, should be monitored, logged and analyzed for anomalies. The same applies to administrative activity. Either native or third-party monitoring and logging tools can be used.


Cloud Security Best Practices: Advanced

Seasoned cloud-adopters with a large cloud footprint, particularly cloud-native businesses, should consider implementing advanced cloud security best practices.

Hybrid/Multi-Cloud Security

Large businesses rarely rely on a single cloud provider or the cloud exclusively. While designing their security architecture, such organizations consider tools and services that can enforce security controls over hybrid and multi-cloud deployments.

Some cloud providers offer native tools (for example, Azure Defender and Google Chronicle) that provide some level of protection for hybrid and multi-cloud assets. However, obtaining a single pane of glass across providers is often a challenge. For hybrid and multi-cloud deployments, consider tools that provide visibility into the security posture of every environment and help you act on potential security events across all of them.

Integration with CI/CD Pipeline

It is critical to shift security left, early in the application lifecycle, to discover vulnerabilities and security flaws before they reach production. This is achieved by integrating security controls into your continuous integration/continuous delivery (CI/CD) pipelines during the build, test and deployment phases. Measures include scanning source code and dependencies, scanning container images for known vulnerabilities, deploying only signed images whose signatures are verified at admission time, and managing the vulnerability posture of the pipeline itself.
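The "verified images" measure is the one most often left vague, so here is an added example of the admission side of it, not code from the original post, from CrowdStrike or from any signing tool. A deployment is admitted only if every container image is pinned by digest (a mutable tag such as `:latest` is rejected outright) and the digest carries a valid signature from the build stage. In a real pipeline the signature would come from a tool such as cosign and be verified with the signer's public key; to keep this demo stdlib-only it uses an HMAC over the digest with a shared key as a hypothetical stand-in, and the digests, registry names, signing key and manifests are all constructed.

```python
"""Admission check for CI/CD: only digest-pinned, signed images may be deployed.

Added example; not code from the original page, from CrowdStrike or from any
signing tool. In a real pipeline the signature would be produced by a tool
such as cosign and verified with the signer's public key; to keep this demo
stdlib-only it uses an HMAC over the image digest with a shared key as a
hypothetical stand-in. Digests, registry names and the manifests are constructed.
"""
import hashlib
import hmac
import re

SIGNING_KEY = b"demo-signing-key-not-for-production"   # hypothetical pipeline secret

# Constructed digests standing in for real image manifests.
GOOD_DIGEST = "sha256:" + hashlib.sha256(b"team/app built from tag v1.4.2").hexdigest()
ROGUE_DIGEST = "sha256:" + hashlib.sha256(b"team/job rebuilt outside the pipeline").hexdigest()


def sign_digest(digest, key=SIGNING_KEY):
    """Produce the attestation the build stage would attach to a verified image."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def verify_digest(digest, signature, key=SIGNING_KEY):
    return hmac.compare_digest(sign_digest(digest, key), signature)


# Signature store populated by the build stage; the ROGUE entry is a forged signature.
SIGNATURE_STORE = {GOOD_DIGEST: sign_digest(GOOD_DIGEST), ROGUE_DIGEST: "00" * 32}


def parse_image_ref(ref):
    """Split 'registry/repo[:tag][@sha256:hex]' into (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    if digest and not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        raise ValueError(f"malformed digest in {ref!r}")
    head, slash, last = name.rpartition("/")
    tag = None
    if ":" in last:   # a colon in the last path segment is a tag, not a registry port
        last, _, tag = last.partition(":")
    return head + slash + last, tag, (digest or None)


def admit(pod_spec, key=SIGNING_KEY):
    """Return (admitted, reasons). Every container must be digest-pinned and validly signed."""
    reasons = []
    for container in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name, tag, digest = parse_image_ref(container["image"])
        if digest is None:
            reasons.append(f"{container['name']}: image {name}:{tag or 'latest'} is not pinned by digest")
            continue
        signature = SIGNATURE_STORE.get(digest)
        if signature is None or not verify_digest(digest, signature, key):
            reasons.append(f"{container['name']}: no valid signature for {digest}")
    return (not reasons, reasons)


GOOD_SPEC = {"containers": [{"name": "app", "image": f"registry.example.com/team/app@{GOOD_DIGEST}"}]}
BAD_SPEC = {"containers": [
    {"name": "app", "image": f"registry.example.com/team/app@{GOOD_DIGEST}"},
    {"name": "sidecar", "image": "registry.example.com/team/proxy:latest"},           # tag only: mutable
    {"name": "job", "image": f"registry.example.com/team/job:2.0@{ROGUE_DIGEST}"},   # forged signature
]}

if __name__ == "__main__":
    for label, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC)):
        admitted, reasons = admit(spec)
        print(label, "admitted" if admitted else "rejected", reasons)
```

Pinning by digest is what makes the signature meaningful: a tag can be re-pointed at a different image after signing, whereas the digest is the content hash the signature actually covers. Note also that the check uses `hmac.compare_digest` rather than `==` so that signature comparison does not leak timing information.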

Real-Time Visibility and Proactive Threat Hunting

Organizations should use tools that provide in-depth visibility into their workloads, especially those running in containers: file access, network connections and process activity, to name a few. Another must-have capability is proactive threat hunting, which helps trace an attack's point of entry and its lateral movement through the environment. Some cloud security vendors offer fully managed services that include human threat hunters who proactively identify and contain intrusions, such as Falcon Cloud Workload Protection Complete.

Red Team/Blue Team Exercises

Even after implementing a number of cloud security best practices, residual risks remain that attackers can exploit. Running red team/blue team exercises regularly helps identify such chinks in your armor and reinforce your cloud security posture.

The red team is made up of cybersecurity experts who aim to infiltrate an organization’s cybersecurity defenses. The blue team will try to defend, respond to and remediate the attack. This exercise will also help measure the effectiveness of your security-incident response mechanism.

Penetration Testing and Proactive Protection

Regular penetration testing evaluates your overall defenses against different types of cyberattacks. Automated network and application scanning finds the common, well-known vulnerabilities at scale; skilled manual testing is needed to find the subtler flaws, such as business-logic and authorization issues, that scanners miss. Security controls should be updated based on the findings to thwart real-world attacks.

Conclusion

Leading cloud platforms provide native tools that can implement some of the above security controls. However, it is always recommended to complement native cloud security with advanced tools like those offered by CrowdStrike.

CrowdStrike offers unified cloud security posture management and breach prevention for workloads deployed across hybrid and multi-cloud environments. The Falcon Horizon CSPM solution provides much-needed visibility across multi-cloud deployments, monitors for misconfigurations, eliminates compliance violations and enables continuous protection from identity-based threats. It also provides comprehensive container security by identifying and remediating even the most subtle threats.

Your organization can also leverage the Falcon Cloud Workload Protection solution to provide full breach protection for workloads, containers and Kubernetes, allowing you to quickly design, manage and secure cloud-native applications.


GET TO KNOW THE AUTHOR

Guilherme (Gui) Alvarenga is a Sr. Product Marketing Manager for the Cloud Security portfolio at CrowdStrike. He has over 15 years of experience driving Cloud, SaaS, Network and ML solutions for companies such as Check Point, NEC and Cisco Systems. He graduated in Advertising and Marketing at the Universidade Paulista in Brazil, and pursued his MBA at San Jose State University. He studied Applied Computing at Stanford University, and specialized in Cloud Security and Threat Hunting.