When it comes to cloud security, one of the key challenges is that the environments have become so expansive and complex that many organisations don’t know where to start.
Unlike traditional data centres, where security is focused more on the perimeter, the cloud is a perimeterless environment. That expands the breadth of the problem but also provides clues about how to approach resolving it. A different approach to traditional security is required.
Organisations need to implement security best practices across all layers of the cloud, be it infrastructure, services, applications or even other third-party tools that get deployed in the cloud environment. They are also likely to be securing access to workloads in multiple cloud environments, which is part of what makes cloud security such a complex problem to solve.
It can be helpful to consider the challenge of cloud security in five areas, denoted by the 5 C’s: cloud, clusters, containers, customer data and code. The sum of activities in each of these areas can ensure organisations are better placed from a cloud security perspective.
Wherever there is complexity, a learning curve exists that has to be mastered. This is especially true of cloud, where changes, feature enhancements and new services are introduced weekly and even daily.
Cloud also requires a different way of architecting and operating IT workloads. Mistakes happen, so one of the ways organisations improve cloud security is to monitor the cloud infrastructure for any misconfigurations or non-compliant activity. Such monitoring can be configured to auto-remediate most of these security findings, which will help to maintain a compliance posture in real time. In addition, they should have the capability to provide feedback to engineering teams so they can enforce proactive guardrails, which will help prevent many of these misconfigurations from even happening in the first place. For example, this could be a policy to prevent users from attaching a public IP to a VM or preventing users from creating a block storage volume without encryption in place.
Organisations can benefit from working with a partner that can design, build and operate a secure and compliant cloud solution for them. This approach can help them maintain their internal security and compliance posture while having greater control over their security risk.
Clusters and containers
IT development teams moving aggressively to cloud-native operations will often use containers as the form factor to provide application services. Containerised application services are hosted on Kubernetes clusters that run across public cloud, private cloud, and on-premises environments.
There are a number of best practices to follow to protect each cluster of containerised resources. Much of this comes down to how data traffic is sent between the different nodes that make up the cluster. Isolating traffic to known IP address ranges and any other known traffic sources is the recommended approach. Any ingress and egress traffic into and out of the cluster should also be properly protected by policies set in edge routers as well as in the specific container and cluster orchestration ecosystem used (such as Kubernetes).
It is also advisable to isolate Production and Non-Production clusters to separate cloud accounts or subscriptions. Within that, Isolating sensitive workloads to separate node pools within a cluster using taints and tolerations also makes a lot of sense from a security standpoint.
For container security, the key consideration is securing the container image, the static file that contains all the executable code to run the containerised workload or microservice. Keeping images small is important to enabling better performance. Organisations should work to ensure all images are vulnerability scanned before use and enforce requests and limits at the container level to secure the cluster from poisoned images. This may include limiting CPU and memory use: the more of each of these a container can consume, the more capability exists for the code to go rogue. Finally, techniques like container scanning can help identify any issues with images because they get deployed into the prod or pre-prod environment.
Taking a data-centric security approach can be helpful. Protecting data in the cloud is becoming a major compliance requirement for organisations. With the significant increase in ransomware attacks, organisations are worried about protecting their data in the cloud.
Organisations can address this by establishing complete visibility of customer data through the use of machine learning techniques. In addition, enforcing data protection controls using techniques like data encryption and data loss prevention and monitoring cloud-hosted data for any compliance violations ensures the data remains secure and under control.
Securing cloud-hosted code
To run code securely in the cloud requires the cooperation and collaboration of several teams - development, security and operations. DevSecOps is a software engineering culture and practice used to unify these teams and to establish a culture of joint ownership and accountability for code security in the cloud.
A secure by design and/or secure by default approach can ensure that security is integrated across the entire application development lifecycle - from design and build to release into the production environment. Security-as-code adds and enforces proactive guardrails in the IDE and automates security testing so developers can receive feedback on code security issues early in the development process and then multiple times as the code is further refined and strengthened. The final step is to ensure strong security protection at runtime through technologies Dynamic Application Security Testing (DAST) and web application firewall rules. And, of course, the entire process is not complete without monitoring the overall environment on a continual basis.