Juggling security in the cloud can seem like an insurmountable task, especially when hybrid cloud and multicloud environments come into play. While your cloud service provider (CSP) can help manage some layers of cloud security, you’ll still be left with management of at least your users and data, if not your application layer.
One way to help keep track of all the security vectors within your organization is to divide them into these ten zones of enterprise cloud security. Any cloud security policy should cover each of these areas. You can also assign a single engineer or administrator to have ownership over each zone.
Risk management touches every zone described below. It spells out your ability to evaluate and mitigate risk in the use of your cloud environment. Risk management policies should include overall governance of cloud services, including who takes responsibility for managing contracts and overall cloud operations, who is in charge of the security team(s), what happens when a contract is broken, how overall security and risk are evaluated for CSPs, and any other potential legal issues. Risk management can also describe how your organization handles sensitive data, including how data is protected during a security event involving a CSP.
Carefully review all SLAs with your CSP as well as the contract itself to determine who is responsible for what within your cloud environment. Check for data ownership issues, security breach disclosure clauses, privacy policies, and any international laws that could come into play (if your cloud provider has facilities overseas, for example). You must be clear on who is responsible for various breach scenarios within the environment.
All data that resides in the cloud must be carefully tracked and managed, both for security purposes and to reduce overall costs by archiving old data or bumping it into a lower performance tier when no longer needed regularly. Information lifecycle management should include policies on how to locate, migrate, and handle data stored in the cloud. Be sure to clarify data ownership as part of your cloud contract, as mentioned above.
Specific industries and data types like health data or even e-mail discussing legal matters must be treated differently in the cloud than everyday business information. Use a compliance checklist, third-party auditors, and certified compliant hosting providers to achieve compliance. eDiscovery can be added to your cloud environment to help locate archived e-mails and other data should they be required for a court case. Your CSP can help configure specific cloud instances tailored to long-term archiving and eDiscovery as well as to meet specific compliance standards.
Operational security focuses on traditional infosec models and how daily procedures can affect security and business continuity. When adopting a cloud operational security policy, examine any additional risks involved in using a CSP as opposed to on-premises infrastructure, and conversely consider how the provider may in fact improve your security through monitoring, IPS/IDS, firewalls, etc. Business continuity plans like backup and disaster recovery also come into play as part of operational security, as they can help you recover from malicious activity. A key factor in operational security is the virtualization platform. Consider how multitenant environments may affect your security and whether any of your systems might require isolated VMs. Be sure to ask your CSP how they handle hypervisor updates and vulnerabilities.
While you may never see the data center hosting your cloud services in person, you should still maintain some minimum standards for facility design and operations. Some level of redundancy is recommended, but what is vital for security are access controls. From the perimeter to data center floor access to individual rack locks, data center facility security is a multilayered affair.
Identity management is another layer of access control, this time at the digital application layer. Security policies must specify how directory services are administered so that only authorized individuals can access company data and applications. This includes password policy, single sign-on if used, two-factor authentication, and any other method used to access cloud resources.
The application layer is often left up to users of cloud services, while CSPs will secure most of the infrastructure underneath it. Some apps may not be suitable for cloud migration if moving them would have a negative impact on security. Others might need to be modified. Application and OS security centers on API protection, phishing detection, anti-malware/anti-virus tools, data loss prevention, intrusion detection/prevention, log inspection, and regular patching and updates.
With your primary infrastructure residing in the cloud, data traversing the network both on your premises and at the CSP could be vulnerable. Network security overlaps with application security in its focus on data loss prevention and IPS/IDS, with the addition of firewall rules and DDoS mitigation. Packet sniffers and other network monitoring tools must be repositioned, because the network edge no longer sits at the boundary of the corporate network: your data now extends into the cloud. Consider whether a VPN or encrypted direct connection is necessary versus connecting to your CSP over the public internet.
When a security incident occurs, whether it's a confirmed data breach or just a user misplacing their credentials or some sensitive data, you need to have a plan in place to respond, including how you will collect relevant logs and information from your CSP. The plan should cover detection of the breach, who responds and how, the notification process (both internal and external as required), and remediation of the access point and any loss of data, if possible.
Cloud security isn't much different from your traditional models, but you will have to adjust operations to accommodate this new paradigm. Keeping these ten zones top of mind will help you architect a secure cloud environment and maintain high performance.