Multi-cloud adoption is now the recommended approach for cloud availability. Oliver Pinson-Roxburgh providers some pointers for those who are just starting to consider this option.
There is a seemingly constant influx of news regarding cloud adoption trends, but what seems to be somewhat missing from industry discussion is the trend towards multi-cloud adoption. Analysts and industry experts including Gartner recommend standardization on multiple IaaS cloud service providers as a security and availability best practice. For security workloads in public clouds, their top recommendation is a hierarchical list starting with foundational items that fall under operations hygiene (access control, configuration, change management) and then focus on core work-load protection like vulnerability management, log management, network segmentation and whitelisting. Organizations should also be aware not to place too much trust in traditional endpoint protection platforms commonly used in physical/ on-premise deployments.
Most advice on best practice in this area tends to be focused on workload security, but what are the likely consequences for security operation professionals (SecOp) that have a solid understanding of what success looks like in traditional enterprise environments? What do they secure first? What security technology should they choose? The criteria that should be considered in answering these questions should be influenced by ‘shared responsibility models’ from the cloud service provider as well as common compliance mandates as a start. The next step following this is to identify the most critical assets. The security of access control at the application layer (think databases or other data-driven controls) is equally important, and often overlooked. Every CSP is different and sometimes these models overlap or conflict with existing best practices and corporate security mandates.
I can understand how intimidating this approach can seem to enterprise professionals, but it’s necessary to point out that installing software is simply not enough as a security deterrent. Businesses should never be afraid to ask for help and seek the aid of security professionals who are subject matter experts and can work with enterprises throughout all phases of a successful security plan.
Securing the cloud workload
Securing the cloud workload must be the first priority. Access controls serve as the basic foundational requirements. Who or what has access should be determined by server workloads. This means having tighter controls over administration access and the utilization of multi-factor authentication. Having established proper access control, the configurations will have all unnecessary components removed and it should be hardened and configured strictly in line with the enterprises standard guidelines and it must be patched regularly in order to close up potential security holes.
Network isolation and segmentation is another foundational component of workload security. This process of limiting the server’s ability to communicate with external sources can be done either via internal firewalls or the external firewalls on Windows or Linux. While this segmentation is important, enterprises should also closely examine the logging capabilities of their systems. Logging systems allow security managers to keep a close eye on the overall health of a security plan.
A concluding point of concern regarding security cloud workloads is secure code and application control. Applications are a popular avenue of approach for potential attackers and they should be as secure as possible. Even at the very beginning of an application’s life-cycle, security should be kept in mind. Whitelisting should be utilized to limit what executables are allowed to run within a system. This simple step is a powerful security tool as all malware in the form of an executable will be immediately prevented from running.
Developing a solid workload protection scheme should be top priority for any enterprise utilizing cloud infrastructure services. While this should remain a priority, it is not enough alone to constitute a full security plan. Having considered workload protection, enterprises should then go on to evaluate a number of other aspects of their security plan. It is also important to remember that cloud security is a shared responsibility, and no matter what cloud platform you are utilizing it is essential to be crystal clear when considering who is responsible for what aspect of security. Responding appropriately to all of these factors will ensure that an enterprise can stop worrying about its security plan, providing them with the peace of mind they deserve.