The public cloud has certainly been a great enabler for business, but it has also created a number of blind spots and brought with it serious security challenges. The collection of cloud services and applications continues to grow exponentially, making access logic, permission sets, resources, capabilities and risks much more difficult to manage.
Authorization is no longer a nice-to-have feature; it is an imperative. Permissions and access for user identities must be well defined and carefully verified, and over-provisioned users must be identified and their permissions right-sized. Otherwise, the results can be disastrous and often irreversible.
When planning your cloud infrastructure, note what access controls and security guidelines your cloud providers offer. Apply a principle-of-least-privilege model, and define permissions for each entity in your infrastructure based on this principle. Identify how any attacker, whether from outside or inside your organization, could reach sensitive information in any of your cloud services, and monitor those areas. This will allow you to focus on updating access and permission definitions every time a new position or cloud app is introduced into your organization, cloud security best practices change, or your cloud provider publishes a new security tool.
Only after you have established a strategy to manage the security guidelines you have created will you be able to adapt in this dynamic world while reducing the risk of destructive configuration mistakes.
In this eWEEK Data Points article, using industry information from Polyrize Security Head Researcher Tal Peleg, we present five tips to get you started in taking control of the access to your sensitive cloud information.
Data Point No. 1: Know Your Infrastructure
Know which users can access what, and why. In the cloud environment, it is all the more important to define tightly scoped privileges. Each entity, machine or storage space should have its own specific purpose, and communication between services should be limited to what need and use require. Once you have set the boundaries for each resource, it will be much easier to spot unusual activity and access changes. You will be able to focus on consequential activities, rather than on putting out fires. Additionally, assign a purpose, with specific access permissions, to each virtual service or user, to mitigate the risk of unnoticed data leakage.
The first step in designing your cloud environment should always be defining the roles of each component, as this will help you secure it, and keep it secure as you expand it in the future.
Data Point No. 2: Apply a Principle of Least Privilege
Delegate access permissions to roles, with each permission granting access only to the resources it needs. Identify users with too many permissions, just as you would in an on-premises environment. When you reduce the number of entities with access to sensitive information, it is easier to monitor them and to identify unusual or new behavior in your cloud network. Remember that you never know where a breach will start, whether from an administrator's stolen credentials or a zero-day vulnerability in a web application, so choose carefully in whose hands you put your sensitive data.
Data Point No. 3: Separate Your Resources
The cloud gives you virtually unlimited storage space all over the world. Use it. But, just as you would not put your proxy server on the same machine as your database or your code base on-premises (not a good idea, ever), do not put all your data in the same storage or permission set in the cloud. For example, if access to your buckets in AWS is per role, create a separate bucket for your web applications, your logs, and your sensitive data, and create separate roles to access each of them.
If access to folders is delegated in Box, keep your information segregated into separate folders, so it doesn’t accidentally fall into the wrong directory. If you are running a web application and a database with sensitive data, give each server and app only the privileges it needs.
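The two points above, right-sizing over-provisioned roles (Data Point No. 2) and keeping web assets, logs and sensitive data in separate buckets with separate roles (Data Point No. 3), can be checked mechanically. The following is an added example written for this article, not code from Polyrize or eWEEK. It models IAM-style bucket policies for three constructed roles, evaluates them with the same deny-overrides, default-deny rule AWS uses (a simplified model, not the AWS policy engine), and reports which grants exceed each role's declared purpose. All bucket names, role names, ARNs and "required" access sets are constructed for the example.

```python
"""Least-privilege check over IAM-style S3 bucket policies (added illustration)."""
from fnmatch import fnmatchcase

# Constructed sample: one bucket per data class, as Data Point No. 3 suggests.
BUCKETS = {
    "web": "arn:aws:s3:::example-web-assets",
    "logs": "arn:aws:s3:::example-app-logs",
    "sensitive": "arn:aws:s3:::example-customer-pii",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Evaluate a policy (list of statements) for one action on one resource.

    Simplified IAM semantics: an explicit Deny that matches wins outright;
    otherwise at least one matching Allow is needed; the default is deny.
    Wildcards use IAM-style '*' and '?' (fnmatchcase, so '*' spans '/').
    """
    allowed = False
    for stmt in policy:
        hit = (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
               and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed role policies. "web-app-role-broad" is the over-provisioned
# "before"; "web-app-role" is the right-sized version of the same role.
ROLE_POLICIES = {
    "web-app-role-broad": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
    ],
    "web-app-role": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": f"{BUCKETS['web']}/*"},
    ],
    "log-shipper-role": [
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": f"{BUCKETS['logs']}/*"},
    ],
    "pii-service-role": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"{BUCKETS['sensitive']}/*"},
        # Explicit Deny so a later, broader Allow cannot add deletes by accident.
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": f"{BUCKETS['sensitive']}/*"},
    ],
}

# Each role's declared purpose (Data Point No. 1): the (action, object) pairs it needs.
REQUIRED = {
    "web-app-role-broad": {("s3:GetObject", f"{BUCKETS['web']}/index.html")},
    "web-app-role": {("s3:GetObject", f"{BUCKETS['web']}/index.html")},
    "log-shipper-role": {("s3:PutObject", f"{BUCKETS['logs']}/2024/app.log")},
    "pii-service-role": {("s3:GetObject", f"{BUCKETS['sensitive']}/customer-1.json"),
                         ("s3:PutObject", f"{BUCKETS['sensitive']}/customer-1.json")},
}

# Probe set: every data-affecting action against every bucket.
PROBES = [(a, f"{b}/probe-object") for b in BUCKETS.values()
          for a in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")]


def bucket_of(resource_arn):
    """Strip the object key: 'arn:aws:s3:::bucket/key' -> 'arn:aws:s3:::bucket'."""
    return resource_arn.split("/", 1)[0]


def excess_grants(role):
    """Probe (action, resource) pairs the role can perform but its purpose does not need."""
    needed = {(a, bucket_of(r)) for a, r in REQUIRED[role]}
    return sorted((a, r) for a, r in PROBES
                  if is_allowed(ROLE_POLICIES[role], a, r) and (a, bucket_of(r)) not in needed)


def missing_grants(role):
    """Required pairs the role cannot perform (a policy that is too tight to work)."""
    return sorted((a, r) for a, r in REQUIRED[role]
                  if not is_allowed(ROLE_POLICIES[role], a, r))


if __name__ == "__main__":
    for role in ROLE_POLICIES:
        print(f"{role}: excess={excess_grants(role)} missing={missing_grants(role)}")
```

Run stand-alone, the broad web role is reported with eight excess grants (every action on the log and PII buckets, plus writes and deletes on its own bucket), while the three right-sized roles report no excess and nothing missing. The same pattern scales to a real account by replacing the constructed policies with ones pulled from the provider's API and the `REQUIRED` sets with each role's documented purpose.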
Data Point No. 4: Manage All Entities in Your Organization
Define how you will be able to implement and maintain your security guidelines in the cloud environment. Remember, it is a dynamic environment, and users often switch positions or jobs. Your cloud security guidelines may change, and new requirements and apps may be introduced to your infrastructure. Managing many roles and permissions for all the resources in your environment can be confusing. Look for a platform that will help you manage your permission sets, and one that will expand as your needs, and your cloud network, grow. Also, look for one which covers all or most of your cloud services, so you can focus on advancing the company while keeping it secure.
Data Point No. 5: Keep Your Infrastructure Up To Date
Just as your business grows and your products improve, public cloud providers update their infrastructure and expand their security tools. Make a point to follow the changes in your cloud provider's security guidelines, and upgrade to the strongest set of security tools they offer. You will sleep easier knowing your infrastructure is as strong as it can be. This will only get better and easier over time.
In the public cloud today, it is easy to upgrade to the newest servers, storage and apps, and to keep up-to-date with the latest security best practices.
If you have a suggestion for an eWEEK Data Points article, email cpreimesberger@eweek.com.