Cloud security is continually increasing in importance, regardless of the cloud provider. With Amazon, Google and Microsoft taking an ever bigger share of the hosting market, hackers are now looking at these platforms to find their vulnerabilities. There are many tools available for customers to review their security provision and these platforms are well updated. But what steps can you take to better protect your cloud environment?
1. Zero Trust
Traditionally, businesses would employ a hardened perimeter and, once the user had passed the perimeter, the internal infrastructure would treat the user as trusted. Cloud breaks this model by removing the perimeter from the corporate network and introducing services which are accessible anywhere by anyone.
Zero Trust was introduced to help businesses give their users access to exactly what they require, regardless of location, without risking corporate systems which are now available publicly on the internet. It starts from a position of distrust (or zero trust, as the name implies) and then expects the user to prove their identity and the security of their device, its location and its environment.
Depending on the context of the resource, the level of security may vary: from simple identification and encryption to the browser for low-risk SaaS products, through to full verification of the device against corporate standards for riskier applications which require local data storage or administrative access to systems. Importantly, only the minimum of access needed to achieve the request is provided to the client, and all access is logged and audited by the Security Operations Centre (SOC) to ensure there is no security compromise.
In the context of the cloud, Zero Trust enables companies to perform administrative tasks or access more sensitive corporate systems without a traditional hard perimeter. Businesses can therefore enable their workforce to be more efficient and work from any location.
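As an added illustration (not code from the original post), here is a minimal Zero Trust policy evaluator in Python for the tiering described above: a low-risk SaaS resource requires only a verified identity over TLS, a high-risk system also requires a compliant device, the client is granted only the scopes its role permits and it actually asked for, and every decision is written to an audit log. The resource names, tiers, roles and posture claims are constructed assumptions.

```python
import logging
from dataclasses import dataclass

# Constructed tiers mirroring the post: low-risk SaaS needs only a verified
# identity (MFA) over TLS; high-risk systems also need a compliant device.
RESOURCE_TIER = {"crm-saas": "low", "finance-admin": "high"}
TIER_REQUIREMENTS = {
    "low":  {"mfa": True, "tls": True},
    "high": {"mfa": True, "tls": True, "managed_device": True,
             "disk_encrypted": True, "patch_level_ok": True},
}
# Least privilege: the scopes each role may ever hold on a resource (assumed values).
ROLE_SCOPES = {
    ("analyst", "crm-saas"): {"read"},
    ("admin", "finance-admin"): {"read", "write"},
}

@dataclass
class Request:
    user: str
    role: str
    resource: str
    scopes: set      # what the client asked for
    context: dict    # identity and device posture claims presented with the request

audit_log = logging.getLogger("zta.audit")

def evaluate(req: Request) -> dict:
    """Decide one request; every decision, allowed or not, is audit-logged."""
    # Unknown resources are treated as high risk rather than silently low risk.
    tier = RESOURCE_TIER.get(req.resource, "high")
    missing = [k for k, v in TIER_REQUIREMENTS[tier].items() if req.context.get(k) != v]
    permitted = ROLE_SCOPES.get((req.role, req.resource), set())
    granted = req.scopes & permitted          # never more than asked for or permitted
    decision = {
        "allow": not missing and bool(granted),
        "granted_scopes": sorted(granted),
        "missing_controls": missing,
    }
    audit_log.info("user=%s resource=%s tier=%s decision=%s",
                   req.user, req.resource, tier, decision)
    return decision
```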
2. Encryption
It’s important to ensure all the data held in the cloud is encrypted whenever possible. Although all the major cloud providers make every effort to ensure their systems are secure and maintain segregation between customers, ultimately it’s always important to remember that they are multi-tenanted platforms. As a result, through systemic failure, there is a risk that the platform could bleed or leak data either between customers or into the public domain.
A good example is S3 buckets, which in the early days defaulted to a public setting. This wasn’t truly appreciated as an issue until it was exploited by hackers to dump family photos, sensitive corporate documents and personal information into the public domain. Despite this, even as recently as June 2019, information has surfaced relating to the 2018 US midterm elections, where election voting machine passwords were publicly stored on S3 buckets and were therefore open to the world.
But encryption at rest is only part of the story. This is because the vast majority of data breaches occur on live systems whose data is available in an unencrypted format. The best way to mitigate this is to employ encryption in transit, decrypting data only when it’s needed for processing. This is the only way to be sure that data is not being intercepted as part of a man-in-the-middle attack, which 95% of HTTPS servers are currently believed to be vulnerable to.
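To make the S3 point concrete, here is an added Python audit routine (not from the original post or from any AWS tooling) that flags a bucket left open to the world or without default encryption. It works offline on configuration dicts in the shape of the S3 GetBucketAcl, GetPublicAccessBlock, GetBucketPolicy and GetBucketEncryption responses; the two sample buckets below are constructed, not real.

```python
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(acl, public_access_block, policy_json, encryption):
    """Return a list of findings for one bucket; an empty list means no exposure found."""
    findings = []
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("public access block not fully enabled")
    # Legacy ACL grants to the AllUsers / AuthenticatedUsers groups make objects world-readable.
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    # An unconditional Allow to Principal "*" in the bucket policy is public too.
    for stmt in (json.loads(policy_json)["Statement"] if policy_json else []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and "Condition" not in stmt:
            findings.append(f"bucket policy allows {stmt['Action']} to anyone")
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append("no default server-side encryption")
    return findings

# Constructed sample configurations (shape of the S3 API responses, not real buckets).
OPEN_BUCKET = {
    "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]},
    "public_access_block": None,
    "policy_json": '{"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", '
                   '"Resource": "arn:aws:s3:::example-bucket/*"}]}',
    "encryption": None,
}
HARDENED_BUCKET = {
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
    "public_access_block": {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True)},
    "policy_json": None,
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
}
```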
3. DevSecOps
When developing an application for the cloud, businesses are often introduced to the concepts of DevOps and CI/CD pipelines. While this is a topic worthy of its own article, one thing that is often missed is building security into the DevOps process. An application is often put through the CI/CD pipeline and reaches staging before being tested and approved by the security team.
The fundamental principle of shifting left in DevOps doesn’t change simply because we’re talking about security. It’s crucial to move at the pace of a DevOps team and enable them to fix security issues early in the development cycle. This helps reduce the cost of fixing bugs and ensures a positive relationship between the Development and Security teams in the business.
But how do we implement security in DevOps? I hear you say. Well, actually it’s pretty simple: add some automated security tests to your acceptance testing; automate security updates with patches for known vulnerabilities; use Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools in your CI/CD process; and integrate security scanners into the containers by default. By taking these steps you improve the process to add security and catch vulnerabilities sooner.
4. Runtime Application Self-protection (RASP)
Building in self-validation extends the principles of Zero Trust right into the application code. An effective RASP solution will both monitor and prevent malicious use of the application. It will validate what each process or function is intended to produce and compare that to the actual output from the application.
There are many RASP products which are designed to complement a more traditional web application firewall by analysing the actual application code. This allows them to ascertain the risk level of completing a particular request, which usually results in a much lower false positive rate. They can either be put into a monitor & alert mode, or alternatively a blocking mode which enables automatic protection of the application without human intervention.
The nice thing about RASP solutions is that they are integrated into the application code, meaning they can be deployed for containerised and serverless solutions without any compatibility issues. However, as with everything automated, logging and validation processes are always required, which brings us on to the last section.
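The "intended output versus actual output" check and the monitor/block modes described above, as an added Python example that is not from the original post or any RASP product: a decorator wraps an application function with a contract, logs any violation, and either returns the result (monitor mode) or raises (block mode). The orders table and the deliberately over-broad query are constructed for the demonstration.

```python
import logging
import sqlite3
from functools import wraps

alerts = logging.getLogger("rasp")

class RaspBlocked(Exception):
    """Raised in block mode when a function's actual output violates its intended output."""

def rasp_guard(mode, contract):
    """Wrap fn so contract(args, result) is checked on every call.
    'monitor' logs violations and still returns; 'block' logs and raises instead."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(*args):
            result = fn(*args)
            violations = contract(args, result)
            if violations:
                alerts.warning("%s violated its contract: %s", fn.__name__, violations)
                if mode == "block":
                    raise RaspBlocked(violations)
            return result
        return wrapper
    return decorator

# Constructed in-memory table standing in for the application's database.
DB = sqlite3.connect(":memory:", check_same_thread=False)
DB.executescript("""
    CREATE TABLE orders (id INTEGER, user_id TEXT, total INTEGER);
    INSERT INTO orders VALUES (1, 'alice', 20), (2, 'bob', 35), (3, 'alice', 5);
""")

def only_own_rows(args, result):
    """get_orders(user_id) is intended to return that user's rows and nothing else."""
    user_id = args[0]
    return [f"row {row_id} belongs to {owner}" for row_id, owner, _ in result if owner != user_id]

def make_get_orders(mode):
    @rasp_guard(mode, only_own_rows)
    def get_orders(user_id):
        # Constructed defect: LIKE with a caller-supplied pattern, so a wildcard
        # pattern returns every customer's rows. The guard catches the effect.
        return DB.execute("SELECT id, user_id, total FROM orders WHERE user_id LIKE ?",
                          (user_id,)).fetchall()
    return get_orders

get_orders_monitor = make_get_orders("monitor")
get_orders_block = make_get_orders("block")

def blocked(fn, *args):
    """True when the guarded call was stopped by the RASP layer."""
    try:
        fn(*args)
        return False
    except RaspBlocked:
        return True
```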
5. Security Operations Centre (SOC)
Ensuring that you have a 24x7x365 SOC is vitally important to any security solution. Automated tools are an excellent start but only part of the puzzle. Ultimately, it’s always an arms race between hackers and the security companies looking to provide technology solutions to cyber security.
A properly equipped SOC will help you to identify when you have been breached, and having experienced analysts protecting your business round the clock is vital to being able to identify and defend against advanced and persistent threats.
Your SOC team will have access to all the data feeds from the RASP, IDS and Zero Trust authentication logs and will be able to aggregate and analyse this data. Aided by the security technologies, your SOC team will be able to defend your applications in real time and prevent data exfiltration. However, with the average SOC receiving 10,000 alerts a day, and with the majority of those alerts being mis-prioritised or false positives, it’s important to hire highly qualified individuals with excellent analysis skills.
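The aggregation step above, as an added Python example (not from the original post or from any SOC product): alerts from the RASP, IDS and Zero Trust feeds are grouped per user or IP, and an entity is escalated only when independent feeds agree, so repeated single-source noise sinks to the bottom of the queue. The feed sample and severity scale are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    source: str    # "rasp", "ids" or "zta" (Zero Trust authentication log)
    entity: str    # the user or IP address the alert is about
    kind: str
    severity: int  # 1 (informational) .. 5 (critical), constructed scale

# Constructed feed sample: single-source noise for two entities, a low-severity
# RASP alert for a service account, and one entity seen by all three feeds.
FEED = [
    Alert("ids", "10.0.0.7", "port-scan", 2),
    Alert("ids", "10.0.0.7", "port-scan", 2),
    Alert("zta", "alice", "mfa-failed", 2),
    Alert("zta", "alice", "mfa-failed", 2),
    Alert("zta", "mallory", "device-posture-failed", 3),
    Alert("ids", "mallory", "outbound-to-unknown-host", 3),
    Alert("rasp", "mallory", "contract-violation", 4),
    Alert("rasp", "svc-batch", "contract-violation", 1),
]

def triage(alerts, min_sources=2):
    """Group alerts per entity and rank cases; escalate when >= min_sources feeds agree."""
    by_entity = defaultdict(list)
    for alert in alerts:
        by_entity[alert.entity].append(alert)
    queue = []
    for entity, group in by_entity.items():
        sources = {a.source for a in group}
        # Score: worst severity seen, plus one for each additional independent feed.
        score = max(a.severity for a in group) + len(sources) - 1
        queue.append({
            "entity": entity,
            "sources": sorted(sources),
            "alerts": len(group),
            "score": score,
            "escalate": len(sources) >= min_sources,
        })
    # Escalated cases first, then by score, so analysts see corroborated activity first.
    return sorted(queue, key=lambda case: (-case["escalate"], -case["score"]))
```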
Of course, maintaining such a security team is an expensive and operationally difficult task for most businesses, even when you take into consideration my five points of Zero Trust, encryption, DevSecOps, RASP and SOC. To that end, Rackspace offers its customers a market-leading managed security service known as Rackspace Managed Security (RMS). By detecting, responding to and mitigating threats based on pre-agreed run books, Rackspace is able to help customers remove the operational and financial burdens of a full team by providing expertise and tooling which can prevent your business’s critical data from being stolen and ensure your business meets industry-set security standards.
Seeking a managed security partner? Consider Rackspace.