The following is a guest blog post written by Stephen Coty (@StephenCoty), Chief Security Evangelist of Alert Logic. For more about cloud security and compliance, visit alertlogic.com.
Many years ago I started a security and development business with little capital and big dreams. When I started to build out infrastructure and development platforms, I realized the cost of doing business. This was in the early 2000s, when cloud infrastructure was not available and if you built it you paid for it. On top of being HR, Operations, Finance, Sales, and Marketing, now I was building and maintaining infrastructures for my teams. Cloud today makes a lot of those responsibilities much easier, with self-service installations and the variety of services offered. The cost savings of no upfront infrastructure, facilities, physical security, and maintenance makes cloud the perfect setting for any startup business.
But even with all the benefits of the cloud, you still have to consider security just as you would for your business's physical hardware. The public cloud comes with great financial benefits, ease of deployment, several security options, and people to assist you along the way. The cloud also comes with its share of threats, which can be addressed with some best practices outlined below.
Alert Logic produces a yearly report that we will reference for threat details. The Cloud Security Report - 2014 gives us a look into the attacks that are hitting the cloud from real world customers and honeypot servers. Over the years we have seen an increase in attack frequency and the diversity of the malicious software used. One interesting thing comparing year over year is the nearly 50% increase on vulnerability scanning, brute force and web application attacks. These are threats that you need to understand and build an in-depth security solution to defend your environment from malicious attacks.
The key to being secure in the cloud is a solid understanding of the shared security model that exists between you the customer and a service provider such as Microsoft Azure. Without this understanding you will make assumptions that your service provider is protecting you, when you are the one that is responsible for that particular security function. Your service provider is responsible for 100% of the foundational services, such as computer power, storage, database, and networking services. At the network layer your service provider is responsible for network segmentation, perimeter services, some DDOS and spoofing. You the end user are responsible for network threat detection, reporting and any incident response. At the host layer you have a few more responsibilities than you did at the previous layer. You are responsible for access management, patch management, configuration hardening, and security monitoring and log analysis. The application components of you site are 100% your responsibility. To view your responsibilities more in depth, let's reference this chart:
Here are a few best practices to securing your cloud environments:
- Secure Your Code - Securing code is 100% customer responsibility. There are several ways to do this, one being to ensure that security is part of your software development lifecycle. Make sure that your code is consistently updated and that any plug-ins have the latest patches. Add delays to code to prevent you from being a victim of a botnet. Use encryptions where possible. Test all libraries and third-party dependencies. Stay informed of the vulnerabilities that you may have with the different products you use. Scan your code constantly after all changes.
- Create an Access Management Policy - First you need to determine what all of your assets are. Once you have your list, define roles and responsibilities required for access to assets. Centralize authentications if possible and start with a least privilege model to implement authentication.
- Adopt a Patch Management Approach - Again inventory your assets. Determine a plan for standardization if possible. Research the vulnerabilities to which you may be susceptible. Classify the risk based on vulnerability and likelihood. Test patches before you release them if possible. Set up a regular patching schedule and don't forget to include your third-party products that will require manual updating.
- Log Management - Logs are for more than compliance. Logs have become a powerful security tool. You can use log data to monitor for malicious activity and for forensic investigation. The trick to making it an effective security tool is the 24/7 monitoring it takes to find anomalous behavior.
- Build a Security Tool Kit - You need to treat the cloud as you would a business network. You have to implement an in-depth defense strategy that covers all the layers of the stack for which you are responsible. Implement IP tables, web application firewalls, anti-virus, intrusion detection, encryption, and log management. Explore your security options and make sure you have the right solution that fits your business.
- Stay Informed - You have to stay informed on the vulnerabilities that you may have in your environment. Follow websites like securityfocus.com and securitybloggersnetwork.com. These sites follow some of the best researchers in the world. This will allow you to stay up to date on vulnerabilities, exploits, and attacks that may be taking place. You can use this information to understand what you might be vulnerable to and to make sure you have coverage.
- Understand Your Service Provider - Understand the security responsibility you share with your service provider. Know your provider's security offerings. Make sure the implementation of your security strategy is efficiently and effectively deployed through constant testing.