The migration from on-premises environments to the public cloud started years ago and is still ongoing. Both government agencies and businesses are on the journey of migrating to and maturing their cloud environments, driven by the need to streamline, scale and improve how they operate.
It will hardly come as a surprise that moving to the cloud brings new security challenges, and the more cloud environments grow, the more new concerns arise. The main question is: are you properly protecting your cloud and its data against breaches caused by an insecure configuration?
In this blog post we try to answer that question by laying out several key steps for ensuring that a cloud environment is securely configured. From our experience as cloud security consultants, we notice that several organizations have already started down this road in one way or another, but struggle to reach the maturity of a structured approach combined with the required expertise.
Continuous Security Assessments
For those who started using and securing the cloud a while ago, misconfigurations are something everyone is aware of today. Yet they still happen very frequently, even at companies that have had a cloud-first strategy for years. IBM's 2021 Cost of a Data Breach Report even lists cloud misconfiguration as the third most common initial attack vector for data breaches, after compromised credentials and phishing. It is therefore essential for an organization to spot existing flaws and new misconfigurations in a timely manner. An effective way to understand the state of an environment at a given point in time is a cloud security assessment, or configuration review. When these are executed periodically, an organization can compare the results with previous reviews and confirm that the most critical findings have been resolved.
There are several sources of security best practices, benchmarks and checklists against which public cloud customers can rate their cloud security posture. Widely used are the benchmarks of the Center for Internet Security (CIS), which we extended with additional best practices and controls for our own cloud security assessments.
Some of the key topics we review during our Cloud Security Assessments.
However, such assessments do not offer a real-time overview; they are a snapshot of the configuration at a certain moment in time. Furthermore, they are often based on sample checks rather than on the entire environment. Their purpose is to make the Operations and Security Operations teams aware of what is wrongly configured and what represents a threat to the company. But what happens after the assessment? How do you ensure those flaws do not come back when creating new cloud environments? Will you learn the lesson and improve security by design while engineering your environment? And how?
Cloud Policies Deployment
With this in mind, cloud security took a step forward. In short, security teams started writing policies that monitor security and compliance across their cloud environments in an automated way. This is usually done with native tools such as Azure Policy for Microsoft Azure, AWS Config for Amazon Web Services, and Security Command Center for Google Cloud Platform.
Native policy management solutions on major public cloud providers.
The benefit is considerable: with well-designed policies you can manage compliance in the cloud by centralizing the rules and adapting them to different purposes, for example to production, corporate and sandbox environments. Note that a basic set of policies derived from several of the major frameworks and benchmarks (e.g., the CIS Benchmarks) is available out of the box on the three largest cloud providers.
This gives you more visibility and, in some cases, allows you to automatically remediate violations or enforce security controls.
If your organization already has a fully implemented policy compliance monitoring setup today, you can breathe a sigh of relief, but there is still work to do. Policies need to be reviewed, updated and extended when necessary. Most importantly, the tools offered by the major public cloud providers are limited in their applicability to multi-cloud environments (for instance, Azure Policy can only be extended to AWS accounts, not to GCP or other providers).
How do you extend the same policies from one tenant to another? If you use more than one provider, how hard is it to re-implement the policies across your entire environment? Things may get even more complicated over the coming years, when policies need updates and continuous maintenance.
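The following Terraform definition is an example added here to show what "one rule, adapted per environment" looks like in practice with Azure Policy; it is not code from the original post or from NVISO. It assumes the azurerm provider 3.x (attribute names differ in 4.x), a management group that contains both subscriptions, and the variable names are hypothetical. The same custom definition is assigned twice: with effect Deny on production, and with effect Audit on a sandbox, where it produces the same finding a periodic configuration review would, but continuously.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # attribute names below follow the 3.x provider
    }
  }
}

provider "azurerm" {
  features {}
}

# Hypothetical inputs: the management group the definition lives in and the
# two subscriptions it is assigned to. Both subscriptions must sit under that
# management group, otherwise the assignment is rejected.
variable "management_group_id"        { type = string }
variable "production_subscription_id" { type = string }
variable "sandbox_subscription_id"    { type = string }

# One custom definition, parameterised on its effect, so the same rule can
# audit in one environment and deny in another.
resource "azurerm_policy_definition" "storage_https_only" {
  name                = "storage-https-only"
  policy_type         = "Custom"
  mode                = "Indexed"
  display_name        = "Storage accounts must only accept HTTPS traffic"
  management_group_id = var.management_group_id

  parameters = jsonencode({
    effect = {
      type          = "String"
      defaultValue  = "Deny"
      allowedValues = ["Audit", "Deny"]
      metadata      = { displayName = "Effect" }
    }
  })

  # The rule uses the documented policy alias for the property. A storage
  # account with secure transfer missing or explicitly disabled matches.
  policy_rule = jsonencode({
    if = {
      allOf = [
        { field = "type", equals = "Microsoft.Storage/storageAccounts" },
        {
          anyOf = [
            { field = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", exists = "false" },
            { field = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", equals = "false" }
          ]
        }
      ]
    }
    then = { effect = "[parameters('effect')]" }
  })
}

# Production: block non-compliant deployments outright.
resource "azurerm_subscription_policy_assignment" "production" {
  name                 = "storage-https-only-deny"
  subscription_id      = "/subscriptions/${var.production_subscription_id}"
  policy_definition_id = azurerm_policy_definition.storage_https_only.id
  parameters           = jsonencode({ effect = { value = "Deny" } })
}

# Sandbox: same rule, but only flag violations so experiments are not blocked.
resource "azurerm_subscription_policy_assignment" "sandbox" {
  name                 = "storage-https-only-audit"
  subscription_id      = "/subscriptions/${var.sandbox_subscription_id}"
  policy_definition_id = azurerm_policy_definition.storage_https_only.id
  parameters           = jsonencode({ effect = { value = "Audit" } })
}
```

Two points worth noting. Defining the policy at management group scope is what allows one definition to be reused across subscriptions; a definition created directly in a subscription can only be assigned within that subscription. Management groups, however, do not span Azure AD tenants, so this pattern stops at the tenant boundary, which is exactly where the questions in the next paragraph begin.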
Replicability of your Secure Cloud Setup
As part of these security improvements, leveraging Infrastructure as Code (IaC) can be a significant step towards deploying new cloud resources with security and compliance by design. IaC is not a security-only solution, but using it for security is highly recommended today.
In particular, it becomes essential when an organization relies on multiple tenants across the globe, where centralized visibility and cross-tenant compliance are otherwise almost impossible to achieve.
What exactly is IaC used for in cloud security? IaC lets you codify your resource setup according to, among other things, security best practices. By reusing this code, you maintain your desired level of security and configuration, with the coded configuration serving as the minimum security requirement. This streamlines the deployment of new environments and gives better control over existing cloud workspaces.
Although the public cloud providers offer their own built-in solutions (Azure Resource Manager templates, AWS CloudFormation and Google Cloud Deployment Manager), there are high-quality third-party IaC tools that work with Azure, GCP and AWS alike, for instance HashiCorp Terraform, VMware SaltStack or Red Hat Ansible (the latter two being primarily configuration management tools).
Some of the most common open-source solutions for Infrastructure as Code used to create cloud environments.
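As an added example (not from the original post or from NVISO) of "coded configuration as the minimum security requirement", below is a Terraform module for an Azure storage account in which the hardened settings are fixed inside the module and callers only choose a name, location, environment and optional IP allow-list. The module name, variable names and tag values are assumptions; attribute names follow the azurerm provider 3.x (several were renamed in 4.x, e.g. enable_https_traffic_only became https_traffic_only_enabled). Every team that deploys through this module inherits the baseline, whichever tenant or region it targets.

```hcl
# Hypothetical reusable module "secure_storage_account". Teams call this module
# instead of writing azurerm_storage_account themselves, so the hardened
# settings below are the floor for every environment, not an afterthought.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # attribute names follow the 3.x provider
    }
  }
}

variable "name"                { type = string }
variable "resource_group_name" { type = string }
variable "location"            { type = string }

# The only network exception a caller may make: a list of CIDR ranges.
# There is deliberately no variable that would allow opening the account
# to the whole internet.
variable "allowed_ip_ranges" {
  type    = list(string)
  default = []
}

# Environment drives the few settings that legitimately differ (redundancy,
# retention); the security baseline itself does not change per environment.
variable "environment" {
  type = string
  validation {
    condition     = contains(["production", "corporate", "sandbox"], var.environment)
    error_message = "environment must be production, corporate or sandbox."
  }
}

resource "azurerm_storage_account" "this" {
  name                     = var.name
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = var.environment == "production" ? "GRS" : "LRS"

  # Baseline mirroring common CIS storage controls; hard-coded on purpose so a
  # caller cannot weaken it. Comments note the provider default being overridden.
  enable_https_traffic_only       = true       # default true; made explicit
  min_tls_version                 = "TLS1_2"   # default TLS1_2 in 3.x; made explicit
  allow_nested_items_to_be_public = false      # default true: no anonymous blob access
  shared_access_key_enabled       = false      # default true: force Azure AD auth, no account keys
  public_network_access_enabled   = length(var.allowed_ip_ranges) > 0 # no allow-list, no public endpoint

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
    ip_rules       = var.allowed_ip_ranges
  }

  blob_properties {
    delete_retention_policy {
      days = var.environment == "production" ? 30 : 7
    }
  }

  tags = {
    environment = var.environment
    baseline    = "storage-v1" # lets a later review or policy find accounts built from this module
  }
}

output "id" {
  value = azurerm_storage_account.this.id
}
```

The choice to leave public network access disabled when no allow-list is given means such an account is reachable only through a private endpoint, which the calling configuration has to provide; that is intentional, because "temporarily open it" should be a visible change in code, not a portal click. Pairing this module with a policy assignment that audits or denies the same settings gives two independent controls: the module prevents the misconfiguration at deployment, the policy catches anything created outside the module.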
The challenge of multi-cloud protection
So, what is next? Did you really tick all the boxes? That is already a great result. But as business needs and features evolve, so do the cloud and its security.
More and more organizations are moving towards a multi-cloud structure, meaning that rather than relying on a single public cloud provider, they invest in at least a second one. The reasons are many: an exit strategy, a third copy of backups, different levels of provider expertise in different geographical areas, and so on.
What really matters from a security perspective is that working with multiple cloud providers adds an extra layer of challenges, as we need to ensure that similar security standards and compliance modules are respected across different platforms. Few tools can guarantee this, due to the lack of interconnectivity between solutions and of the specific features such a scenario requires.
This is where Cloud Security Posture Management (CSPM) comes in.
None of the security tools mentioned so far replaces the previous one; rather, they complement each other and add a further layer of prevention, detection and response to security misconfigurations and breaches in the cloud.
The ultimate solution for managing security misconfigurations, secure policy setup and cross-cloud security management is CSPM.
What exactly is Cloud Security Posture Management?
According to Gartner's definition, CSPM is a new category of security products that helps improve visibility, centralize security monitoring, improve automated responses and provide compliance assurance in the cloud.
Although Gartner's article dates back two years and CSPM products have been on the market for a while, now is the right moment to start planning a CSPM deployment proactively, to avoid losing control of multi-tenant, hybrid and multi-cloud environments.
2022 will be an important year for cybersecurity and for the cloud: working habits adopted during the emergency of the pandemic are consolidating and are pushing the work environment towards an ever more decentralized and remotely connected network, with cross-country collaboration, shared working and production environments that find fertile ground in the cloud and in its complex, articulated deployments.
In light of this, tools that facilitate and streamline our work while keeping and improving a high security posture are crucial for the business world to keep moving forward.
Depending on your security maturity, one of the steps described here may be the milestone you are currently working on. Nevertheless, it is important to plan what comes next and act proactively towards deploying the right solutions, pairing production needs with their related security concerns and tackling them in advance.
We at NVISO observe different levels of maturity across our customers and, in light of this, consider policies, IaC templates and CSPM the goal we have to work hard on together in the coming year.
About the author
Alfredo is a senior consultant in the Cloud Security team and solution lead for Cloud Governance Services. He has extensive knowledge of Microsoft security solutions, applied to Azure and the Microsoft 365 bundle. On top of that, Alfredo is keen on cloud solution innovations and has thereby developed in-depth knowledge of several solutions on the market for the most modern and secure ways to keep cloud infrastructure safe from threats.
You can reach Alfredo via his LinkedIn page.