Whether you are new to Cloud or already have workloads deployed, it never harms to review Security – an area that evolves constantly as the threats around us change.
Due to the recent global pandemic the threat landscape has grown, with more opportunities for “bad actors” to attack systems. With staff working from home the attack surface has increased. Isolated decision making is also coming into play: the detachment of “working from home” shows up as risky decisions, which the average cyber-threat actor is just waiting for!
The following sections outline Security areas to focus on while organizations are at their most vulnerable.
Let’s begin by looking at who is responsible for what in Cloud Infrastructure:
Cloud Provider and Customer Security Responsibilities
Cloud Providers such as AWS/Microsoft are responsible for Facilities, Physical Hardware Security, Virtualization and Network Infrastructure.
Customer Security Responsibilities include:
- OS and Patching
- Firewall Rules
- Network zones
- Application Stacks
- Applications and Code
One word of advice is to ensure that your systems are architected in accordance with the Cloud Provider’s framework – I have seen many instances where infrastructure has been set up incorrectly in the first place and facilitated security breaches.
Vulnerability Scanning and Compliance
Environments should be monitored for vulnerabilities on an ongoing basis. A vulnerability scan detects and classifies system weaknesses and predicts the effectiveness of counter measures.
It’s key to know how to interpret the results and prepare for the Vulnerability Scan so you can get the most out of the reports.
The demand for Vulnerability Scanning is growing, and reports are often requested as part of compliance when dealing with larger clients (suppliers are often asked to confirm that they scan their environments).
Compliance scans can also assess adherence to a specific compliance framework. e.g. PCI DSS.
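Interpreting a scan report comes down to classifying each finding and deciding what must be fixed before the environment passes. The following is an added example (not code from the article or from any scanner product): it reads a constructed JSON report, bands findings by CVSS score, and applies an assumed compliance threshold of 4.0, above which any finding fails the scan. The report shape, host names and findings are all assumptions.

```python
"""Triage a vulnerability-scan report against a compliance threshold.

Added example, not from the original article or any scanner. The report
structure is an assumed JSON shape, the findings are constructed, and the
4.0 CVSS pass/fail threshold is an assumption used for illustration.
"""
import json

# Constructed scan output (not real hosts or findings).
SCAN_REPORT = json.dumps({
    "scan_id": "EXAMPLE-SCAN",
    "findings": [
        {"host": "web01", "plugin": "TLS 1.0 enabled", "cvss": 6.5, "patch_available": True},
        {"host": "web01", "plugin": "HTTP TRACE method enabled", "cvss": 4.3, "patch_available": True},
        {"host": "db01", "plugin": "Outdated database engine", "cvss": 9.8, "patch_available": True},
        {"host": "db01", "plugin": "Banner disclosure", "cvss": 2.1, "patch_available": False},
    ],
})

# CVSS v3 qualitative bands: the floor of each band and its label.
SEVERITY_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]


def severity(cvss: float) -> str:
    """Map a numeric CVSS score to its qualitative band."""
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "info"


def triage(report_json: str, compliance_threshold: float = 4.0) -> dict:
    """Classify findings and decide whether the scan passes the assumed
    compliance threshold (any finding at or above the threshold fails it).
    The remediation list is ordered highest risk first."""
    report = json.loads(report_json)
    by_severity = {}
    failing = []
    for finding in report["findings"]:
        label = severity(finding["cvss"])
        by_severity[label] = by_severity.get(label, 0) + 1
        if finding["cvss"] >= compliance_threshold:
            failing.append((finding["host"], finding["plugin"], finding["cvss"]))
    failing.sort(key=lambda item: -item[2])
    return {"compliant": not failing, "counts": by_severity, "remediate": failing}


if __name__ == "__main__":
    result = triage(SCAN_REPORT)
    print("compliant:", result["compliant"])
    for host, plugin, score in result["remediate"]:
        print(f"  {score:>4}  {host}  {plugin}")
```

The ordering of the remediation list is the point: a report with dozens of findings is only useful once it tells you which fix reduces the most risk first.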
Network and Firewall Security
This is a key area when staff are working from home: the goal is to prevent unauthorized access to your systems and to stop home computers being compromised. Consider the following:
- Firewall – blocks or allows network traffic based on type, IP, Port
- Packet Filtering / Inspection – stop traffic based on content of requests
- Deep packet inspection firewalls – examine packet payloads and can detect application-layer attacks
- Network zone design e.g. private, public, IP whitelisting
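Firewall rules and zone design are easiest to keep honest when they are checked against a written policy rather than by eye. The following is an added example (not code from the article or from any cloud provider): it audits security-group-style rules against an assumed two-zone design in which the public zone accepts only HTTPS from the internet and the private zone accepts traffic only from the public subnet or the VPN range. The zone names, CIDRs and sample rules are all constructed.

```python
"""Audit cloud firewall rules against a simple network-zone policy.

Added example (not from the original article). The rule format, the zone
policy and the sample rules are assumptions chosen to resemble a cloud
security group.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
ADMIN_PORTS = {22, 3389}  # SSH and RDP: never open to the whole internet

# Assumed zone design: the public zone accepts HTTPS from anywhere; the
# private zone only accepts traffic from the public subnet or the VPN range.
ZONE_POLICY = {
    "public": {"allowed_sources": [ANY], "allowed_ports": {443}},
    "private": {
        "allowed_sources": [ipaddress.ip_network("10.0.1.0/24"),   # public subnet
                            ipaddress.ip_network("10.8.0.0/16")],  # VPN clients
        "allowed_ports": {443, 5432, 22},
    },
}


@dataclass(frozen=True)
class Rule:
    zone: str
    port: int
    source: str  # CIDR the rule allows traffic from


def audit_rule(rule: Rule) -> list[str]:
    """Return the findings for one rule; an empty list means it is compliant."""
    policy = ZONE_POLICY.get(rule.zone)
    if policy is None:
        return [f"unknown zone '{rule.zone}'"]
    src = ipaddress.ip_network(rule.source, strict=False)
    findings = []
    if rule.port in ADMIN_PORTS and src == ANY:
        findings.append(f"admin port {rule.port} open to the internet")
    if rule.port not in policy["allowed_ports"]:
        findings.append(f"port {rule.port} not permitted in zone '{rule.zone}'")
    if not any(src.subnet_of(allowed) for allowed in policy["allowed_sources"]):
        findings.append(f"source {rule.source} outside allowed sources for zone '{rule.zone}'")
    return findings


def audit(rules: list[Rule]) -> dict[str, list[str]]:
    """Audit a whole rule set, keyed by zone:port:source."""
    return {f"{r.zone}:{r.port}:{r.source}": audit_rule(r) for r in rules}


if __name__ == "__main__":
    # Constructed rule set: two compliant rules and two that violate the policy.
    sample = [
        Rule("public", 443, "0.0.0.0/0"),
        Rule("public", 22, "0.0.0.0/0"),
        Rule("private", 5432, "10.0.1.0/24"),
        Rule("private", 5432, "0.0.0.0/0"),
    ]
    for key, findings in audit(sample).items():
        print(key, "OK" if not findings else findings)
```

Running such a check in CI, against the rules exported from the provider, catches the classic mistake of a database port or an admin port being opened to 0.0.0.0/0 during troubleshooting and never closed again.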
Edge Network protection
Perimeter Security can be strengthened by introducing a next-generation firewall with sophisticated rule-based access controls and reporting, as well as by strictly requiring that client access goes through encrypted tunnels (VPN).
Geo based protection and content filtering – this can be provided for Content Delivery Networks (CDN) where specific (or all) content can be restricted (included or excluded) based on a list of countries.
Threat detection and mitigation (IDS / IPS) – services and tools are available that will detect potential security threats in (near) real time. These threats, once identified, can be reported upon in a timely manner and potentially mitigated automatically.
DNS Routing – in order to protect your online presence from DNS attacks it is critical that you have a trusted DNS service that is reliable, highly available and responsive.
Web Application Firewalls (OWASP, Custom Rules, Geo Filters)
A Web Application Firewall (WAF) filters, monitors and blocks HTTP traffic to and from a Web Application. Consider this an additional layer of defense in your overall strategy. Many of the larger Cloud providers offer rule-based protection (e.g. AWS WAF and Azure WAF).
Geo-location blocking can be implemented as part of the WAF design, and a WAF typically operates in one of two modes: Protection (matching requests are blocked) and Detection (matching requests are only logged, which is useful for tuning rules before enforcing them).
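To make the rule types and the two modes concrete, here is an added example of a minimal WAF rule engine (not code from the article, nor from AWS WAF or Azure WAF). It combines an assumed geo allow-list with three simplified OWASP-style signatures, and shows how Detection mode records matches without blocking while Protection mode blocks them. The request shape, country list, signatures and sample requests are all assumptions; a managed rule group is far larger than this.

```python
"""Minimal web-application-firewall rule engine.

Added example, not code from the original article or from any provider's
WAF. The request shape, the geo allow-list and the signatures are
assumptions; the sample requests are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Request:
    path: str
    query: str
    country: str  # ISO country code resolved by an upstream geo-IP lookup (assumed)


# Assumed geo filter: only requests from these countries reach the application.
ALLOWED_COUNTRIES = {"GB", "IE", "US"}

# Deliberately small OWASP-style signatures, for illustration only.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./|%2e%2e%2f", re.IGNORECASE),
    "sqli_tautology": re.compile(r"('|%27)\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "xss_script_tag": re.compile(r"<\s*script", re.IGNORECASE),
}


def match_rules(req: Request) -> list:
    """Return the names of every rule the request matches, geo rule first."""
    matched = []
    if req.country not in ALLOWED_COUNTRIES:
        matched.append("geo_block")
    haystack = f"{req.path}?{req.query}"
    for name, pattern in SIGNATURES.items():
        if pattern.search(haystack):
            matched.append(name)
    return matched


def evaluate(req: Request, mode: str = "protection") -> dict:
    """Detection mode only records matches; Protection mode also blocks."""
    if mode not in ("protection", "detection"):
        raise ValueError(f"unknown WAF mode: {mode}")
    matched = match_rules(req)
    blocked = mode == "protection" and bool(matched)
    return {"matched": matched, "action": "block" if blocked else "allow"}


if __name__ == "__main__":
    # Constructed requests: one clean, one traversal attempt, one from a
    # country outside the allow-list ("ZZ" is a user-assigned ISO code).
    for req in (Request("/index.html", "", "GB"),
                Request("/download", "file=../../secret.txt", "GB"),
                Request("/index.html", "", "ZZ")):
        print(req.path, evaluate(req, mode="detection"), evaluate(req))
```

A common rollout pattern is to run a new rule in Detection mode first, review what it matches in the logs, and only then switch it to Protection mode, so that a false positive does not block legitimate customers.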
OS Vulnerability protection
Operating System Hardening – the disabling and removal of any non-essential services is the first level of defence when it comes to OS level protection. Standard OS images for Windows and Linux should be replaced with custom hardened images wherever possible.
Regular Automated Patching – it is imperative that you develop a strategy for maintaining an effective patching process. This strategy should consider testing of patches with the associated applications that need to be running, as well as the balance between the requirement for applying the very latest patches and the risk of causing an application failure.
Security Updates – often security patches need to be considered ahead of other patches since this is often driven by vulnerability scanning systems attempting to reduce the security risk level.
Emergency patching – often zero-day attacks result in the release of an emergency patch for the particular OS and version. It is important to have a process in place that can handle these events so as to reduce the time where a system could be potentially exposed to the attack.
Patching consistency and SDLC – as part of your regular patching process, the testing of patches with the associated applications can be aligned with the Systems Development Life Cycle (SDLC). What this means is that a group of patches can be applied in turn to the servers associated with each stage of the SDLC. In this way any issue arising from a patch can be caught early in the cycle (e.g. at the development stage).
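The patching points above describe one procedure: prioritise security and emergency patches, then promote each patch through the SDLC stages and stop as soon as the associated application tests fail. The following is an added example (not code from the article or from any vendor's patch-management tool) that models that procedure. The stage names, the priority ordering and the simulated test outcomes are assumptions.

```python
"""Staged patch rollout aligned with SDLC stages.

Added example, not a description of any vendor's patching tool. The stage
names, the ordering policy and the test results passed in are assumptions.
"""
from dataclasses import dataclass

STAGES = ["development", "test", "production"]  # assumed SDLC stages, in promotion order


@dataclass(frozen=True)
class Patch:
    patch_id: str
    security: bool = False   # security fix: scheduled ahead of other patches
    emergency: bool = False  # zero-day response: jumps the whole queue


def schedule(patches: list) -> list:
    """Order patches: emergency first, then other security fixes, then the rest.
    Ties are broken by patch id so the order is deterministic."""
    return sorted(patches, key=lambda p: (not p.emergency, not p.security, p.patch_id))


def roll_out(patch: Patch, test_results: dict) -> dict:
    """Promote a patch through the stages in order.

    test_results maps stage -> bool, the outcome of the application test
    suite on that stage's servers after the patch is installed (assumed
    input). Promotion halts at the first failing stage, so a bad patch is
    caught in development or test and never reaches production."""
    applied = []
    for stage in STAGES:
        applied.append(stage)  # patch installed on this stage's servers
        if not test_results.get(stage, False):
            return {"patch": patch.patch_id, "applied": applied, "halted_at": stage}
    return {"patch": patch.patch_id, "applied": applied, "halted_at": None}


if __name__ == "__main__":
    # Constructed patch queue and test outcomes.
    queue = schedule([
        Patch("KB-0003"),
        Patch("KB-0002", security=True),
        Patch("KB-0001", security=True, emergency=True),
    ])
    outcomes = {
        "KB-0001": {"development": True, "test": True, "production": True},
        "KB-0002": {"development": True, "test": False},
        "KB-0003": {"development": False},
    }
    for patch in queue:
        print(roll_out(patch, outcomes[patch.patch_id]))
```

The value of the staged approach is visible in the second constructed patch: it breaks the application in the test stage, so it is never promoted, and production keeps running the previous, working build while the patch is investigated.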
Security Information and Event Management (SIEM)
The combination of Information and Event Management provides a real time analysis of security alerts and typically includes:
- Event Log Centralized Collection and Reporting
- Anomaly Scoring
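The two bullets above are the two halves of a SIEM pipeline: pull events from many hosts into one place, then score them for behaviour that no single host's log would reveal. The following is an added example (not code from the article or from any SIEM product) that parses constructed syslog-style SSH authentication lines from three hosts, then scores each source address on repeated failures, spread across hosts, and a success that follows the failures. The log format, the scoring weights and the alert threshold are all assumptions.

```python
"""Centralised log collection and simple anomaly scoring.

Added example, not from the original article or any SIEM product. The log
format is assumed to be syslog-style SSH authentication lines; the sample
lines are constructed, and the scoring weights are arbitrary assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines as they might arrive from several hosts.
SAMPLE_LOGS = """\
web01 sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
web01 sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
web02 sshd[331]: Failed password for root from 198.51.100.7 port 40130 ssh2
web02 sshd[331]: Failed password for root from 198.51.100.7 port 40131 ssh2
db01 sshd[904]: Failed password for root from 198.51.100.7 port 40140 ssh2
db01 sshd[904]: Accepted password for root from 198.51.100.7 port 40141 ssh2
web01 sshd[815]: Accepted publickey for deploy from 10.0.1.20 port 51000 ssh2
"""

LINE = re.compile(
    r"^(?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(logs: str) -> list:
    """Turn raw lines from all hosts into event dicts (the collection step)."""
    events = []
    for line in logs.splitlines():
        match = LINE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def score_sources(events: list) -> dict:
    """Score each source address. Assumed weights: 10 per failure, 15 for each
    additional host targeted, 40 if a success follows the failures (the
    pattern of a password-guessing run that eventually worked)."""
    stats = defaultdict(lambda: {"failed": 0, "hosts": set(), "success_after_fail": False})
    for event in events:
        entry = stats[event["src"]]
        if event["result"] == "Failed":
            entry["failed"] += 1
            entry["hosts"].add(event["host"])
        elif entry["failed"] > 0:
            entry["success_after_fail"] = True
    scores = {}
    for src, entry in stats.items():
        extra_hosts = max(len(entry["hosts"]) - 1, 0)
        scores[src] = (entry["failed"] * 10
                       + extra_hosts * 15
                       + (40 if entry["success_after_fail"] else 0))
    return scores


def alerts(scores: dict, threshold: int = 60) -> list:
    """Source addresses whose score meets the (assumed) alert threshold."""
    return sorted(src for src, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    scores = score_sources(parse(SAMPLE_LOGS))
    for src, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{src:>15}  score={score}")
    print("alert on:", alerts(scores))
```

Notice that the deciding signal (five failures on three different hosts, then an accepted login on the database server) is only visible once the three hosts' logs sit side by side; per-host alerting would see one or two failures each and stay silent.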
Threat Protection Layers
The idea behind this is a network security approach that uses multiple levels of security measures. Each defence component is backed by another, which gives a better chance of stopping intruders than any single solution.
Example Layers include:
- Patch management
- Anti-virus software
- Anti-spam filters
- Digital certificates
- Privacy controls
- Data encryption
- Vulnerability assessments
- Web protection
In summary, ensuring that you have covered off these areas in your Cloud Infrastructure Security Plan should provide you with a robust defence but bear in mind threats continue to evolve! Plans should be reviewed on a regular basis and for some environments third-party, arms-length security reviews are recommended.