In this blog, we’ll look at the recommended security best practices organizations can implement at each stage of their cloud adoption, starting with the most basic and progressing to more advanced practices.
2022 CrowdStrike Global Threat Report
Download the 2022 Global Threat Report to find out how security teams can better protect the people, processes, and technologies of a modern enterprise in an increasingly ominous threat landscape.Download Now
Why Cloud Security is Important
Organizations are adopting cloud platforms for their mission-critical workloads more than ever, thanks to the flexibility and efficiency provided by the cloud in comparison to traditional data centers.
One of an organization’s key concerns while embarking on a digital-transformation journey in the cloud is security, because cloud security entails a paradigm shift from traditional security solutions and approaches. In addition, security breaches and malware attacks are becoming commonplace in the cloud, as the threat vectors keep evolving every day. It’s therefore important to understand the constructs of security in the cloud, to implement the right tools and best practices to protect your cloud-hosted workloads, and to evolve the maturity of your security practices as your organization progresses along its cloud-adoption journey.
Cloud Security Best Practices: Basic
This is where all organizations start. When making the initial foray into the cloud, there are some non-negotiable security constructs that come into play.
All leading cloud service providers — AWS, Azure and GCP — follow a shared responsibility model when it comes to cloud security. While some of the aspects such as underlying hardware security are managed by the service provider, customers are expected to enable security at the infrastructure and application layer.
For infrastructure-as-a-service (IaaS) deployments, this includes securing the OS of any virtual machines by regularly applying patches, configuring its firewall, and enabling virus and malware protection, among other measures. In addition, application-layer security measures are typically enabled through web application firewalls and tools that protect against distributed denial-of-service (DDoS) attacks.
In platform-as-a-service (PaaS) deployments, VM-level protection is the prerogative of the cloud provider. However, the customer must still manage application and data protection. With software-as-a-service (SaaS) deployments, the majority of security controls up until the application are managed by the cloud provider, while the customer handles usage and access policies.
It is crucial to review the shared responsibility matrix for your cloud service provider and enable the relevant controls for your app using native or third-party security tools and services.
As cloud networks are based on software defined networking (SDN), there is greater flexibility to implement multilayer security guard rails. You should start with a basic segmentation of workloads between different virtual networks and allow for only required communication between them. Additionally, restrict incoming traffic to your applications using network or application layer firewalls.
Attacks such as SQL injection, data exposure and cross-site scripting are some of the major application security concerns that a web application firewall (WAF) based on OWASP threat detection rules can help detect and protect against. A multilayer DDoS defense strategy is unavoidable to protect workloads from organized DDoS attacks in the cloud. All cloud service providers offer DDoS protection tools that can be integrated with your application frontend to detect and protect against such attacks.
An efficient firewall that can act as a gatekeeper against incoming threats and malicious attacks should be deployed at your network perimeter. These can be cloud-native firewall services or more advanced third-party tools that perform intrusion detection, packet inspection, traffic analysis and threat detection. You can also opt for a separate intrusion detection system (IDS) or intrusion prevention system (IPS) in the architecture to fortify the perimeter security of your cloud deployments.
Monitor for Misconfigurations
Successful infiltrations of cloud workloads are most often the result of service misconfigurations or manual configuration errors. Cloud security posture management (CSPM) solutions should be incorporated into your architecture to monitor for misconfigurations that could creep into your cloud deployment.
CSPM solutions add value by evaluating your deployments against a set of best practice guidelines. These could be organization-specific standards or aligned to leading security and compliance benchmarks. A secure score is provided that quantifies the current state of security of all your workloads in the cloud, with a healthy security score indicating a secure cloud deployment. These tools will also flag any deviations from standard practices so that customers can take the necessary corrective action.
Identity and Access Management
When it comes to your cloud workloads, control plane security is critical since it holds the keys to the kingdom. You will need to use identity and access management services native to your cloud platform to implement role-based, fine-grained access control to cloud resources.
Cloud platforms also provide tools for hassle-free integration of on-premises solutions like Active Directory with cloud-native identity and access management (IAM) services; this can provide users with a seamless single sign-on (SSO) experience for cloud-hosted workloads. When it comes to IAM controls, the rule of thumb is to follow the principle of least privilege, which means allowing required users to access only the data and cloud resources they need to perform their work.
Cloud Security Best Practices: Advanced
Your organization can implement additional controls to strengthen security as you evolve in the cloud.
Security Posture Visibility
As the cloud landscape expands, the likelihood of breaches remaining unreported increases. Having the right tools in place will help achieve much-needed visibility into your security posture and enable proactive security management.
All leading cloud platforms have an advanced/premium tier of a native CSPM solution that can provide capabilities like detection of data exfiltration, event threat detection, IAM account hijacks and cryptomining, to name a few. However, note that these features are often limited to their respective cloud platforms. For hybrid or multi-cloud deployments, it is recommended to incorporate a specialized tool for enabling security posture visibility.
Cloud Security Policies
Cloud security policies are defined to implement organization-wide restrictions to ensure security. For example, restrict workload deployment using public IPs, contain east-west traffic flow, or implement monitoring of container workload traffic patterns.
The implementation approach differs among service providers. In Azure, customers could use Azure policies, while in GCP, this can be done using organizational policies. The advantage of security policies is that they will auto-enforce the compliance standard across the board in cloud deployments.
Container security involves both container and orchestration platform protection, with Kubernetes being the solution most often used in the cloud. You will need to create industry-standard security baselines for containerized workloads, with continuous monitoring and reporting of any deviations.
Organizations require tools that can detect malicious activities in containers, even those that happen during run time. The necessity of security technologies that enable visibility into container-related activities, as well as the detection and decommissioning of rogue containers, cannot be overstated. With the threat landscape always changing, it’s best to employ technologies that leverage advanced artificial intelligence (AI) and machine learning (ML) to detect malware without relying on signatures.
Vulnerability Assessment and Remediation
You should have a real-time vulnerability scanning and remediation service to protect your workloads against virus and malware attacks. The service should be able to support workloads deployed in VMs as well as in containers.
Consider a vulnerability management solution that can continuously scan workloads for vulnerabilities, compile reports and present the results in dashboards, and auto-remediate problems where possible.
Zero Trust Approach
The Zero Trust (aka assume breach) approach is the gold standard for enabling cloud security. It entails not assuming any trust between services, even if they are within the organization’s security perimeter.
The main principles of a Zero Trust approach involve segmentation and allowing for only minimal communication between different services in an application. Only authorized identities should be used for this communication aligned with the principle of least privilege. Any communication that happens within or with outside resources should be monitored, logged and analyzed for anomalies. This applies to admin activities as well. Here, you can adopt either native or third-party monitoring and logging tools.
Leading cloud platforms provide native tools that can implement some of the above security controls. However, it is always recommended to complement native cloud security with advanced tools like those offered by CrowdStrike.
CrowdStrike offers unified cloud security posture management and breach prevention for workloads deployed across hybrid and multi-cloud environments. The Falcon Horizon CSPM solution provides much-needed visibility across multi-cloud deployments, monitors for misconfigurations, eliminates compliance violations and enables continuous protection from identity-based threats. It also provides comprehensive container security by identifying and remediating even the most discrete threats.
Your organization can also leverage the Falcon Cloud Workload Protection solution to provide full breach protection for workloads, containers and Kubernetes, allowing you to quickly design, manage and secure cloud-native applications.