Keeping pace with complex cloud security best practices
Securing modern cloud-based environments is complex. It requires a multi-level defensive approach to establish and enforce appropriate security controls that cover multiple clouds and associated infrastructure, such as containers, as well as customer data and code.
Having a lot of moving parts in an environment naturally expands the potential attack surface. That is, there are more possible points of entry for an attacker, and each of these must be identified and either secured or de-risked.
That alone calls for a different way of thinking about, and approaching, security than a traditional on-premises environment requires.
In a traditional data centre environment, there are a handful of entry points and a defined network perimeter that needs to be secured.
The cloud, by contrast, is a perimeter-less environment. That makes it complex to secure because the task involves implementing security best practices across all aspects of the environment - from infrastructure and services to applications or third-party tools that get deployed in the cloud. In addition, the size of the challenge scales linearly with every new cloud service or as-a-service application that is adopted.
Our experience is that organisations often do not know where or how to start on a cloud security journey. That leads them to make mistakes that increase security risk exposures.
The "basics" of cloud security can be hard to do, and lapses are often the root cause of security incidents. For many years, cloud misconfigurations - mistakes in the setup of environments - have been a challenge for cloud and security teams to identify and fix. Cloud misconfiguration is among the top three initial entry points used by attackers to gain unauthorised access to an environment and/or to access private data. This is one reason Gartner believes that "through 2025, 99% of cloud security failures will be the customer's fault."
It isn't just the propensity for mistakes in the production environment that is a cause for concern: other research shows that what is understood to be basic security hygiene in the cloud varies between organisations and that adoption has not kept pace with evolving best practices.
According to a UK Government survey, a "clear majority of businesses … have a broad range of basic rules and controls in place", with "the most frequently deployed rules or controls involving cloud back-ups, updated malware protection, passwords, network firewalls and restricted admin rights". Even then, up to one-third of organisations did not have these "basics" implemented.
But other controls considered today to be basic security hygiene when operating in the cloud world - such as strong multi-factor authentication on applications, enforcement of least privilege access for identity and access management, and the implementation of more fine-grained network access controls - have much lower adoption rates.
These types of controls can significantly reduce the attack surface and also limit the potential blast radius of a successful attack against an organisation. As such, they should be considered an integral part of an organisation's approach to securing the cloud.
Defining an approach
A holistic approach is ultimately required to protect cloud infrastructure, applications and data. Standing up a cloud centre-of-excellence (CoE) is one way of achieving that holistic understanding of and coverage over cloud operations. A CoE is a confluence of the finest engineering talent, processes, tools, frameworks and industry best practices, enabling cloud workloads to be built, managed and operated in a modern, efficient and secure way.
More specifically on security, while cloud platforms come with some native security capabilities, these should be augmented with more comprehensive third-party tools that can provide additional layers of protection. These additional layers - covering data, applications, infrastructure, and other critical assets that underpin your cloud environment - should be delivered and overseen by the CoE.
By employing a combination of services, tools, best practices, skills and expertise, organisations will be better placed to address the constantly evolving array of security and compliance threats, weaknesses and risks present in their cloud environment.
Ideally, this combination should cover off three key areas or security disciplines: first, advisory and assessment of people, processes, and technology maturity using frameworks and best practices; second, the adoption and use of security engineering principles and best practices, including implementation of zero-trust policies and controls using DevSecOps; and third, continuous monitoring of security operations with an engineering-centric automation framework.
A maturity assessment is important. Customers should adopt a security framework such as the ACSC's Essential Eight or those published by the U.S. NIST, so they can standardise their security process and then create a benchmark against which they can measure their maturity levels. Benchmarking makes it easier for organisations that are otherwise unsure where to focus their efforts, aiding strategic decision-making on their security programs and framing pathways to uplift maturity.
DevSecOps is a software engineering culture and practice that aims to unify the different teams that have a role in deploying applications to production. The main idea is to establish a culture of joint ownership and accountability across these teams. This can be supported with proactive guardrails and automated testing built into the software development lifecycle, so that developers receive feedback on security issues early in the development process. This will require some tooling investment to enable and oversee.
Finally, organisations should ensure that their cloud infrastructure, applications and data are continuously monitored. Cloud Security Posture Management (CSPM) tools play a significant role in monitoring cloud infrastructure for misconfigurations and non-compliant activity, and can also be configured to auto-remediate most security findings, which helps to maintain cloud security in real time.
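As an added illustration, not code from the original article or from any CSPM vendor, here is a small policy-as-code check of the kind a CSPM tool or a DevSecOps guardrail runs over an exported account inventory. It covers the controls the article names (public storage, admin ports open to the whole internet, console users without MFA, wildcard IAM policies); the inventory is constructed, and only the mechanical fixes are auto-remediated while identity findings are left for a human.

```python
import copy
from typing import Any

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never expose to 0.0.0.0/0

# Constructed inventory snapshot (assumed export format, not a real account).
INVENTORY: dict[str, Any] = {
    "buckets": [{"name": "app-logs", "acl": "public-read"},
                {"name": "app-assets", "acl": "private"}],
    "security_groups": [{"name": "web", "ingress": [
        {"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]}],
    "iam_users": [{"name": "alice", "console": True, "mfa": False,
                   "policies": [{"action": "*", "resource": "*"}]},
                  {"name": "deploy-bot", "console": False, "mfa": False,
                   "policies": [{"action": "s3:PutObject", "resource": "app-assets"}]}],
}

def evaluate(inv: dict) -> list[dict]:
    """Return one finding per control violation in the inventory."""
    findings = []
    for b in inv["buckets"]:
        if b["acl"] != "private":
            findings.append({"rule": "bucket-public", "resource": b["name"], "auto_fix": True})
    for sg in inv["security_groups"]:
        for r in sg["ingress"]:
            if r["cidr"] == "0.0.0.0/0" and r["port"] in ADMIN_PORTS:
                findings.append({"rule": "admin-port-open-to-world",
                                 "resource": f"{sg['name']}:{r['port']}", "auto_fix": True})
    for u in inv["iam_users"]:
        if u["console"] and not u["mfa"]:  # MFA enrolment needs the user; flag only
            findings.append({"rule": "console-user-without-mfa", "resource": u["name"], "auto_fix": False})
        if any(p["action"] == "*" and p["resource"] == "*" for p in u["policies"]):
            findings.append({"rule": "wildcard-policy", "resource": u["name"], "auto_fix": False})
    return findings

def remediate(inv: dict, findings: list[dict]) -> dict:
    """Apply the safe, mechanical fixes on a copy; return the corrected inventory."""
    fixed = copy.deepcopy(inv)
    for f in findings:
        if not f["auto_fix"]:
            continue
        if f["rule"] == "bucket-public":
            next(b for b in fixed["buckets"] if b["name"] == f["resource"])["acl"] = "private"
        elif f["rule"] == "admin-port-open-to-world":
            sg_name, port = f["resource"].split(":")
            sg = next(s for s in fixed["security_groups"] if s["name"] == sg_name)
            sg["ingress"] = [r for r in sg["ingress"]
                             if not (r["port"] == int(port) and r["cidr"] == "0.0.0.0/0")]
    return fixed

if __name__ == "__main__":
    for finding in evaluate(INVENTORY):
        print(finding)
```

Re-running evaluate() on the remediated inventory shows which findings still need a person, which is the loop a CSPM tool automates on a schedule.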