How to guarantee security in the cloud environment? Experts recommend six methods to help companies improve
Posted May 26, 2020 • 8 min read
Introduction: Cloud services have become very popular, but that does not mean the threat to cloud security has disappeared. So how do companies enhance security in a multi-cloud or hybrid cloud environment? Here are the security strategies that these research institutions recommend.
Translator of this article: "Open Source Village OSV" WeChat public account
For many years, out of concern about security threats, many enterprises and IT executives were skeptical of the public cloud, and some avoided using these services entirely.
As the cloud services market has matured and the leading cloud providers have built highly secure infrastructures, these concerns have largely been alleviated. But this does not mean that the threat to cloud security has disappeared, nor does it mean that cloud customers should assume they are no longer responsible for ensuring that their data is protected.
"Cloud misconfigurations are the first thing an attacker will check ... A small oversight, such as failing to delete old accounts, can cause problems within seconds." The Cloud Security Alliance (CSA) pointed out: "The global rise in cloud adoption brings new cloud security threats, where hackers can study company weaknesses and gain unauthorized access to steal confidential information."
The CSA said: "We need smarter and more agile controls to deal with such threats, and this is where the traditional security measures of cloud service providers [CSPs] have failed." Surveys and questionnaires of its members identified the top threats to cloud computing, including data breaches; lack of a cloud security architecture and policies; insufficient identity, credential, access, and key management; account hijacking; insider threats; insecure interfaces and application programming interfaces (APIs); and limited visibility into cloud usage.
Organizations that now rely on multiple or hybrid cloud environments to support their business processes need to be as vigilant about the security of their data and applications as if these resources were on premises.
The well-known international research firm Gartner has made several predictions about cloud security that should get the attention of CISOs and other security executives. First, by 2025, 90% of organizations that cannot control their use of public clouds will inappropriately share sensitive data. Second, through 2024, most organizations will still be working to properly measure cloud security risks. Third, by 2025, 99% of cloud security failures will be the customer's fault, not the cloud provider's.
The following are some specific suggestions for enterprise customers on how to enhance security in a cloud environment.
- Deploy identity and access management tools
Steve Riley, a senior director and analyst at Gartner who covers cloud security, said that managing who has access to which data and services in the cloud should be the foundation of any cloud security program.
In the public cloud, "logical access control at the level of individual resources and data objects becomes critical." "Identity is perhaps the most important form of virtual boundary, and it can effectively reduce the attack surface of potential vulnerabilities."
Riley said that anyone with an internet connection can reach the cloud management console and cloud-resident applications. As a result, the basic policy for keeping control over the cloud services portion of the organization is an effective identity and access management (IAM) policy.
"When an organization designs an IAM strategy that both enables and protects the business, remember that the principle of least privilege is still a useful foundation." "Make that a habit, but implement a process that lets people quickly and easily request and be granted additional privileges with minimal disruption to their workflow."
Riley said that when privilege allocation is too narrow, the system "fails safe," and errors seldom cause security problems. But "when the assignment is too broad (usually the result of privilege creep), the situation is just the opposite: mistakes often cause real security problems."
Most public cloud services now provide role-based management, built-in multi-factor authentication (MFA) and extensive logging capabilities. "Some can be integrated with privileged access management tools. Most services also provide some form of 'effective permissions' evaluation procedure, which helps eliminate the guesswork in determining whether a user or service account's permissions are too broad."
Riley said that overly broad permissions and overly broad access to objects represent the most common and dangerous cloud security issues.
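The "effective permissions" check Riley describes can be approximated offline by reading the policy documents themselves. The script below is an added example, not code from the article or from Gartner: it walks an AWS-style IAM policy document, flags Allow statements that use `*` or `service:*` wildcards or `Resource: "*"`, and expands each wildcard against a small constructed catalogue (`HIGH_IMPACT_ACTIONS`, a hypothetical list of real action names) so the reviewer can see which dangerous actions a broad statement silently includes. The sample policy and the account id are constructed.

```python
"""Audit an IAM policy for statements that violate least privilege.

Added example, not code from the article or from Gartner. The policy below is
constructed; HIGH_IMPACT_ACTIONS is an illustrative, hypothetical list of
actions an auditor would want granted only explicitly.
"""
import json
from fnmatch import fnmatchcase

# Constructed list: real AWS action names, chosen because each one can widen
# access or blind monitoring. Extend it to taste.
HIGH_IMPACT_ACTIONS = [
    "iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:PassRole",
    "s3:PutBucketPolicy", "s3:PutBucketAcl", "kms:ScheduleKeyDeletion",
    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
]


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return one finding per Allow statement that is broader than it should be."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        sid = stmt.get("Sid", "statement[%d]" % index)
        reasons = []
        if "*" in actions:
            reasons.append("Action '*' grants full administrative access")
        elif any(a.endswith(":*") for a in actions):
            reasons.append("Action '<service>:*' grants every action of a service")
        if "*" in resources:
            reasons.append("Resource '*' applies the grant to every resource")
        # Expand wildcards to show which high-impact actions they quietly include.
        implied = sorted(
            action for action in HIGH_IMPACT_ACTIONS
            if any(fnmatchcase(action, pattern) for pattern in actions)
        )
        if implied and "Condition" not in stmt:
            reasons.append("unconditionally grants: " + ", ".join(implied))
        if reasons:
            findings.append({"sid": sid, "reasons": reasons, "implied": implied})
    return findings


# Constructed sample policy; 123456789012 is the AWS documentation placeholder id.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data",
                      "arn:aws:s3:::example-app-data/*"]},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "s3:*", "Resource": "*"},
        {"Sid": "AdminViaWildcard", "Effect": "Allow",
         "Action": "iam:*",
         "Resource": "arn:aws:iam::123456789012:role/app-role",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

The MFA condition on the last statement suppresses only the "unconditionally grants" reason; the service-wide wildcard is still reported, because a condition reduces the blast radius without making the grant any narrower.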
- Prevent security configuration errors
Frank Dickson, vice president of IDC's security and trust program, said the biggest threat to cloud environments is misconfiguration.
As an example, Dickson said, open Amazon Web Services (AWS) Simple Storage Service (S3) buckets have been the source of high-profile breaches, yet some organizations still choose to leave public cloud storage resources open.
"S3 buckets are not open by default; they are closed," Dickson said. "A customer has to decide to open the bucket and expose it. The old adage says that an ounce of prevention is worth a pound of cure. Well, an ounce of investment in proper cloud configuration is worth 20 pounds of cloud security tools."
According to the CSA, cloud misconfigurations are the first thing an attacker will check, and small security oversights (such as failing to delete old accounts) can cause problems within seconds. One of the most common cloud misconfigurations is a lack of access restrictions, together with a lack of data protection, especially for personal information uploaded to the cloud in plain text.
The CSA said that another cause of misconfiguration is the failure to audit and verify cloud resources. The organization reported that without regular review of resources and their configuration, security holes can open up and be exploited by malicious attackers at any time.
Companies can also neglect logging and monitoring. Reviewing data and access logs in a timely manner is essential for identifying and flagging security-relevant events.
Finally, organizations may give users "over-privileged" access. The CSA said that user access should be limited to the applications and data that each individual is permitted to use.
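The open-bucket problem Dickson describes, and the CSA's point about regularly auditing configuration, come down to a small rule that a posture-management tool evaluates per bucket. The script below is an added example, not code from the article, IDC or AWS: it takes per-bucket records whose fields mirror the shapes of the real S3 `GetPublicAccessBlock`, `GetBucketAcl` and `GetBucketPolicy` responses (the records themselves are constructed; a real tool would fetch them with the SDK), and classifies each bucket as PRIVATE, WARN or PUBLIC. It also encodes the interaction the text leaves implicit: a public ACL or policy only matters when the matching Public Access Block setting is off.

```python
"""CSPM-style rule: is an S3 bucket effectively public?

Added example, not code from the article or from any vendor. Record shapes
follow the S3 API responses; the sample buckets are constructed.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ALL_BLOCKS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _policy_is_public(policy):
    """True if any Allow statement has an anonymous principal and no Condition."""
    if not policy:
        return False
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return any(s.get("Effect") == "Allow"
               and _principal_is_anonymous(s.get("Principal"))
               and "Condition" not in s for s in stmts)


def _acl_is_public(acl):
    """True if the ACL grants anything to the AllUsers/AuthenticatedUsers groups."""
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            return True
    return False


def evaluate_bucket(bucket):
    """Return (status, reasons). Simplified model of the S3 access decision:
    IgnorePublicAcls neutralises public ACL grants, RestrictPublicBuckets
    neutralises public policies; the other two only block *new* public settings."""
    pab = bucket.get("PublicAccessBlockConfiguration") or {}
    blocks = {name: bool(pab.get(name, False)) for name in ALL_BLOCKS}
    reasons = []
    missing = [name for name, on in blocks.items() if not on]
    if missing:
        reasons.append("Public Access Block not fully enabled: " + ", ".join(missing))
    acl_exposed = _acl_is_public(bucket.get("Acl")) and not blocks["IgnorePublicAcls"]
    policy_exposed = _policy_is_public(bucket.get("Policy")) and not blocks["RestrictPublicBuckets"]
    if acl_exposed:
        reasons.append("ACL grants access to an AWS global group")
    if policy_exposed:
        reasons.append("bucket policy allows an anonymous principal without a Condition")
    if acl_exposed or policy_exposed:
        return "PUBLIC", reasons
    return ("WARN" if reasons else "PRIVATE"), reasons


def evaluate_all(buckets):
    """Map bucket name -> status, the summary a daily audit job would emit."""
    return {b["Name"]: evaluate_bucket(b)[0] for b in buckets}


# Constructed sample inventory.
SAMPLE_BUCKETS = [
    {"Name": "example-logs-private",
     "PublicAccessBlockConfiguration": {name: True for name in ALL_BLOCKS},
     "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
                         "Permission": "FULL_CONTROL"}]},
     "Policy": None},
    {"Name": "example-website-open",
     "PublicAccessBlockConfiguration": None,  # never configured
     "Acl": {"Grants": [{"Grantee": {"Type": "Group",
                                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]},
     "Policy": {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::example-website-open/*"}]}},
    {"Name": "example-mixed",
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
     "Acl": {"Grants": [{"Grantee": {"Type": "Group",
                                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]},
     "Policy": None},
]

if __name__ == "__main__":
    for bucket in SAMPLE_BUCKETS:
        print(bucket["Name"], json.dumps(evaluate_bucket(bucket)))
```

The third bucket is the instructive case: its ACL is public, but because `IgnorePublicAcls` is on the bucket is not actually reachable, so it is reported as WARN (two block settings still missing) rather than PUBLIC. Running a rule like this on a schedule is the "regular review of resources and configuration" the CSA asks for.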
- Reduce the complexity of cloud management
Providing adequate security for even a single cloud service can be a huge challenge for an organization. As more cloud services and cloud providers are added to the portfolio, the challenge of protecting data grows.
For more and more organizations, migrating to the cloud ultimately means running a multi-cloud or hybrid cloud environment. The result can be a highly complex infrastructure spanning several public cloud providers and many types of cloud services, and it can introduce many security risks.
Dickson said that one of the first steps in addressing cybersecurity in a cloud-based environment should be to reduce complexity. IDC estimates that 80% of companies have more than one infrastructure-as-a-service (IaaS) provider.
Many organizations also want to use multiple software-as-a-service (SaaS) and platform-as-a-service (PaaS) products from different providers, because they want to reduce operating expenses and gain greater agility in delivering services to users and customers.
Having multiple clouds, each with its own characteristics, can be difficult to secure. "If possible, minimize the number of cloud providers," Dickson said. "Fewer cloud providers usually means fewer security providers. Vendor consolidation further reduces complexity."
- Put more emphasis on detection and response
Riley said that because organizations give up some control in the cloud, they should expect to monitor cloud activity more closely to prove that governance procedures are in place and being followed.
"Most CSPs provide the tools needed to instrument resources, workloads and applications and collect raw log data, but they may limit where that log data is stored." "Turning this data into useful information poses challenges and may require products or services from the CSP or a third party, especially if the log data needs to be moved from one geographic region to another."
Riley said that some Gartner clients prefer to rely on their existing security information and event management (SIEM) tools, and many cloud services support the more popular ones. Other clients report that SIEM tools are clumsy and noisy and prefer cloud-native services.
"However, before investing in another product, the organization should first study the built-in logging, reporting and analysis functions of the cloud service."
SaaS applications tend to provide a collection of reports that summarize, correlate and analyze behavior. Riley said: "For organizations that use only one or a few SaaS applications, these may be sufficient." For organizations that subscribe to many SaaS applications, a cloud access security broker (CASB) or SaaS management platform (SMP) may be a better choice for assessing SaaS security posture and standardizing control and governance.
Riley said: "IaaS and PaaS providers supply the primitives needed for instrumentation and expect their customers to collect the output into a service that can make sense of the data." "More and more IaaS and PaaS CSPs provide native event analysis and investigation functions."
In addition, cloud security posture management (CSPM) tools provide an efficient mechanism for evaluating workload configuration and for detecting and remediating non-compliant settings.
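What "turning raw log data into useful information" looks like in practice is a handful of rules run over the provider's audit trail. The script below is an added example, not code from the article, Gartner or any SIEM product: it runs four detection rules over constructed events whose fields follow the shape of real CloudTrail records (`eventName`, `eventSource`, `userIdentity`, `responseElements`, `additionalEventData`); the rule names, the sample events and the IP addresses are all hypothetical.

```python
"""Detection rules over CloudTrail-style events.

Added example, not from the article or from any vendor product. SAMPLE_EVENTS
are constructed; 123456789012 is the AWS documentation placeholder account id
and the IPs are from documentation ranges.
"""

# Constructed sample events: a console login without MFA, a normal login,
# trail tampering, removal of a bucket's public-access block, benign read
# activity, and an action taken with the root account.
SAMPLE_EVENTS = [
    {"eventTime": "2020-05-26T08:01:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2020-05-26T08:03:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.24",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2020-05-26T08:10:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2020-05-26T08:12:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeletePublicAccessBlock", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/alice"},
     "requestParameters": {"bucketName": "example-app-data"}},
    {"eventTime": "2020-05-26T08:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.24",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2020-05-26T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
EXPOSURE_CHANGES = {"PutBucketAcl", "PutBucketPolicy", "DeletePublicAccessBlock"}

# Each rule: (name, predicate over one event). Names are hypothetical.
RULES = [
    ("console-login-without-mfa",
     lambda e: e.get("eventName") == "ConsoleLogin"
     and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
     and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"),
    ("audit-trail-tampering",
     lambda e: e.get("eventSource") == "cloudtrail.amazonaws.com"
     and e.get("eventName") in TRAIL_TAMPERING),
    ("storage-exposure-change",
     lambda e: e.get("eventSource") == "s3.amazonaws.com"
     and e.get("eventName") in EXPOSURE_CHANGES),
    ("root-account-activity",
     lambda e: e.get("userIdentity", {}).get("type") == "Root"),
]


def actor(event):
    """Best available identity string: user name, else ARN, else identity type."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect(events):
    """Return one alert per (event, matching rule), in event order."""
    alerts = []
    for event in events:
        for name, matches in RULES:
            if matches(event):
                alerts.append({"rule": name, "eventName": event.get("eventName"),
                               "actor": actor(event), "time": event.get("eventTime"),
                               "ip": event.get("sourceIPAddress")})
    return alerts


def alerts_by_actor(alerts):
    """Count alerts per actor; several hits on one identity are worth a look first."""
    counts = {}
    for alert in alerts:
        counts[alert["actor"]] = counts.get(alert["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert["time"], alert["rule"], alert["eventName"], alert["actor"])
    print(alerts_by_actor(found))
```

On the sample data, "alice" accounts for two of the four alerts and her assumed role for a third; grouping by actor is what makes a sequence like login-without-MFA, stop-logging, remove-public-access-block stand out from the individual events, which is the correlation a SIEM or cloud-native analytics service performs at scale.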
- Deploy data encryption
If data does fall into the hands of criminals, encryption is one of the more powerful tools an organization has to protect it.
Dickson said: "By default, data is going to leave the premises, so protecting the data itself becomes very important in the cloud." "Data in motion and data at rest must be encrypted."
Riley said that encryption provides an additional layer of logical isolation. He said: "For many security teams, the debate about whether to encrypt everything by default continues." For bulk storage in IaaS and PaaS, a reasonable approach may be to do exactly that. "It simplifies the configuration process, avoids the inadvertent disclosure of sensitive data, and is useful for destroying data by simply deleting the key."
Encryption can also serve as a double check on access control policies. "To read an encrypted object, an account must be on both access control lists: that of the object itself and that of the key that encrypted the object." "A mechanism that must reach consensus before granting access represents a kind of effective defense in depth."
Riley said that for application-layer data in SaaS and PaaS, the decision is more complicated. "Encrypting data outside the context of a PaaS/SaaS application reduces the functionality of the application, and organizations must weigh how to balance function against isolation."
Encryption cannot replace trust, he added: "Any useful processing of encrypted data requires decrypting it first and reading it into memory, making it vulnerable to memory-based attacks."
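Two of Riley's points above, the "two access control lists" and "destroying data by deleting the key", are easiest to see with a working envelope-encryption model. The script below is an added example, not code from the article or from Gartner: `KeyService` and `ObjectStore` are hypothetical stand-ins for a cloud KMS and an object store, each with its own ACL, and `run_scenario` walks through a principal on the object ACL but not the key policy, one on the key policy but not the object ACL, and what happens to the owner's read after the key is destroyed. The HMAC-SHA256 keystream cipher is a constructed placeholder used only so the script runs on the standard library; a real deployment would use AES-GCM through the provider's KMS and SDK.

```python
"""Envelope encryption with a separate key service: two ACLs and crypto-shredding.

Added example, not from the article or from Gartner. Names are hypothetical and
the cipher is a constructed stand-in for AES-GCM (illustrative, not secure).
"""
import hashlib
import hmac
import os


def _keystream_xor(key, nonce, data):
    """Constructed XOR stream cipher: keystream block i = HMAC(key, nonce || i).
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class AccessDenied(Exception):
    """Base class; the subclass says which of the two ACLs refused."""


class ObjectAclDenied(AccessDenied):
    pass


class KeyPolicyDenied(AccessDenied):
    pass


class KeyDestroyed(Exception):
    pass


class KeyService:
    """Stand-in KMS: master keys never leave it; it only wraps and unwraps data keys."""

    def __init__(self):
        self._keys = {}      # key_id -> master key bytes, or None once destroyed
        self._policies = {}  # key_id -> principals allowed to use the key

    def create_key(self, key_id, allowed):
        self._keys[key_id] = os.urandom(32)
        self._policies[key_id] = set(allowed)

    def _master(self, key_id, principal):
        if self._keys[key_id] is None:
            raise KeyDestroyed(key_id)
        if principal not in self._policies[key_id]:      # ACL 2: the key policy
            raise KeyPolicyDenied(f"{principal} may not use key {key_id}")
        return self._keys[key_id]

    def generate_data_key(self, key_id, principal):
        """Return (plaintext data key, wrapped data key), like KMS GenerateDataKey."""
        master = self._master(key_id, principal)
        data_key, nonce = os.urandom(32), os.urandom(12)
        return data_key, nonce + _keystream_xor(master, nonce, data_key)

    def unwrap(self, key_id, principal, wrapped):
        master = self._master(key_id, principal)
        return _keystream_xor(master, wrapped[:12], wrapped[12:])

    def destroy_key(self, key_id):
        self._keys[key_id] = None  # every object wrapped under it is now unreadable


class ObjectStore:
    def __init__(self, kms):
        self._kms, self._objects = kms, {}

    def put(self, name, plaintext, key_id, principal, readers):
        data_key, wrapped = self._kms.generate_data_key(key_id, principal)
        nonce = os.urandom(12)
        self._objects[name] = {"key_id": key_id, "wrapped": wrapped, "nonce": nonce,
                               "ciphertext": _keystream_xor(data_key, nonce, plaintext),
                               "acl": set(readers)}

    def get(self, name, principal):
        obj = self._objects[name]
        if principal not in obj["acl"]:                   # ACL 1: the object itself
            raise ObjectAclDenied(f"{principal} not on ACL of {name}")
        data_key = self._kms.unwrap(obj["key_id"], principal, obj["wrapped"])
        return _keystream_xor(data_key, obj["nonce"], obj["ciphertext"])


def run_scenario():
    """Walk through the access cases and return the outcome of each."""
    kms = KeyService()
    kms.create_key("app-key", allowed={"app-service", "analyst"})
    store = ObjectStore(kms)
    secret = b"name,email\nA. Example,a@example.com\n"  # constructed sample data
    store.put("customers.csv", secret, "app-key", "app-service",
              readers={"app-service", "auditor"})
    outcome = {"owner": store.get("customers.csv", "app-service") == secret}
    for who in ("auditor", "analyst"):  # each is on exactly one of the two ACLs
        try:
            store.get("customers.csv", who)
            outcome[who] = "read"
        except AccessDenied as exc:
            outcome[who] = type(exc).__name__
    kms.destroy_key("app-key")
    try:
        store.get("customers.csv", "app-service")
        outcome["after_destroy"] = "read"
    except KeyDestroyed:
        outcome["after_destroy"] = "unrecoverable"
    return outcome


if __name__ == "__main__":
    print(run_scenario())
```

The ciphertext and the wrapped data key are still sitting in the store after `destroy_key`, which is the whole point of crypto-shredding: nothing has to be found and erased across replicas and backups, because without the master key none of it can be unwrapped. The same property is why Riley's last caveat holds: the moment the owner legitimately decrypts the object, the plaintext exists in process memory and the encryption no longer protects it.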
- Prioritize training and education
As with any other cybersecurity program, it is essential to educate users about security risks. For many organizations and employees, migration to the cloud is still a relatively new concept, so training and program guidelines need to be prioritized.
John Yeoh, vice president of global research at the CSA, said: "Start by educating yourself and your employees about cloud security." "There are many educational documents and courses available for learning the basics of security in the cloud."
The CSA's foundational document is called "Security Guidance for Critical Areas of Focus in Cloud Computing," and it also offers a training course, the Certificate of Cloud Security Knowledge (CCSK).
Yeoh said: "For those who use specific cloud services and tools, it is very important to understand those tools." "Providers continually add and change features in their services. Using those features properly and understanding the standard configuration for safe use of these services is vital."
Establishing a security culture with basic cloud knowledge is an important step toward improving a company's security posture, by reducing human error and increasing awareness of cloud best practices. Education should also extend to understanding exactly what cloud providers deliver in terms of security and what they do not. The CSA's Cloud Controls Matrix lets you view and compare how cloud service providers meet or exceed baseline security requirements.
Yeoh said: "Having a common cloud security control framework implemented across the industry creates trust and assurance in the cloud service provider and its services." "Identify the security requirements that are critical to your organization's use of the service and make sure they are met with the controls provided in the framework. This approach can speed up the procurement process and improve your security."