Whether you run your resources in the cloud or in your own data center, you should strive to meet the following criteria, which are at the heart of any security strategy:
Key Security Principles
Least Privilege – It is still very common to create overly permissive accounts and resources in any environment. Make sure that every asset you create is assigned only the privileges it needs to perform its duties. Limited access equals a limited blast radius.
Separation of Duties – Separation of Duties complements the Least Privilege principle by further constraining access, which in turn limits the blast radius of a compromise. Most notable breaches of the past decade share the same theme: the targets had fortified perimeter security and state-of-the-art security tools, yet also had overly permissive admin accounts or system resources. Always assume that you may already be breached, and examine the paths an attacker could take through your environment via lateral movement.
Defence-in-Depth – DiD originates from military doctrine and is a central part of any cloud or on-prem security program. The DiD metaphor describes a layered security approach: if any one security control is bypassed, another control is in place to detect the intrusion or limit the blast radius. DiD identifies the risks that arise when a given control fails and assigns additional controls to compensate for that failure. The key is that each security control is tested, and that its failure is planned for.
Secure your Weakest Link – A massive security infrastructure can crumble if a single critical vulnerability in your environment remains unpatched. As part of a continuous security and risk analysis, critical vulnerabilities must be continually reviewed and resolved. Incorporate threat modeling to identify which assets in your environment could be affected.
Keeping resources on-premises often carries legal responsibilities and high costs: implementing security tools, and retaining permanent staff with specialized vendor knowledge. Here are some of the items that fall within the scope of on-prem:
- Ensuring that the suite of security hardware and security tools provides an adequate level of security controls.
- Organizations are required to provide physical as well as network security.
- Enterprises are in full control over the data, and data centers, which includes the responsibility for the security and any issues that arise from it.
- A significant amount of monitoring capability to provide a holistic view of potential threats and vulnerabilities, and to drive the response to potential breaches; enforcement through rules and automated incident response tools.
- A high level of specialized, vendor-specific knowledge and dedicated teams to operate and maintain security hardware and tools.
- Continuous dedicated training to keep pace with emerging threats and attacks.
- Hardware lifecycle management.
We continue to see a gradual year-on-year increase in cloud adoption and the use of cloud services, with Amazon Web Services leading the cloud landscape. Although AWS is designed to withstand attacks, it is a misconception that adopting cloud computing outsources risk to the cloud provider. Vulnerabilities and threats run throughout the cloud ecosystem; if the right security controls and preventative strategies are not in place, a cloud system is just as easily compromised as any other. Here are some items to consider as part of your cloud security program:
- Security in the cloud is part of the shared responsibility model and customers must understand and identify their responsibilities.
- Encryption of data at rest and of data in transit out of the AWS data center.
- As part of your disaster recovery plan, implement backup and recovery capabilities.
- Software development lifecycle management.
- Controlled access to your resources through Identity and Access Management.
- Log management and monitoring.
As part of the shared responsibility model, here are some items that fall under AWS responsibility:
- Physical security of the data centers, including controlled access to the data centers. All access is logged and monitored.
- Virtual security of the AWS environment, including malware scanning and protection against tampering with data as it is transferred in and out of the data centers.
- Real-time monitoring of AWS networks for attempts to gain unauthorized access.
- Redundant data stores, servers, cooling systems, power systems, and physical internet infrastructure, etc.
- For disaster preparedness, data centers must be able to withstand natural disasters or must have backup sites readily available.
The shared responsibility model is a major benefit of the cloud. However, you cannot assume that half your job is done and become complacent: you remain responsible for the security of your cloud security program and your environment.
Running an in-house data center is a complex venture, and the associated risk of being compromised is significantly higher. In most cases, in-house data centers fail to address the security implications of the current threat and vulnerability landscape. If you have no regulatory requirement to stay on-premises, taking the cloud route with AWS offers greater fine-grained, integrated, out-of-the-box security features. However, given the complexity of cloud resources, security must be a continuous risk assessment process that focuses on technology, people, and processes, and it should be evaluated on an ongoing basis.