RSA recently published this eBook on three tips to secure your cloud. I like the direction the authors took but want to take things a few steps further.
Before you can protect anything, you first need to know what infrastructure you actually have running in the cloud. This means doing a cloud census. Yes, you probably know about most of your AWS and Azure instances, but probably not all of them. There are various ways to do this – for example, Google has its Cloud Deployment Manager and Azure has an instance metadata service to track your running virtual machines. Or you can employ a third-party orchestration service to manage instances across different cloud platforms.
But these tools are for the infrastructure service providers. There are also dozens of other cloud-like data repositories that your more innovative or insistent users have created. You want to make sure that you can account for all of your Dropbox and Evernote users, along with your other SaaS apps – whether they are sanctioned "officially" or not.
Here are my suggestions for improving your cloud security posture:
Tip 1 - Implement risk-based access controls: I am glad that the eBook covers this first. This tip mentions that risk-based controls should cover both cloud and on-premises resources. That's great, but you need to go deeper and understand how all your cloud access events will be managed across your entire corporation. For example, does your company support either a single sign-on (SSO) tool or a password manager? If so, has it been set up for all of your on-premises and cloud-based resources? If you skipped the census above, this is where it comes in handy. There might be a few cloud instances that aren't supported by your particular SSO or password management tool, or that require some coding to get their credentials automatically passed back and forth. Maybe you need a Security Assertion Markup Language (SAML) or Open Authorization (OAuth) refresher course to get things configured properly.
One of the things that I like about using these tools is that you can have every user covered consistently and automatically with the same access controls. That automation layer is a nice security boost, because anytime you introduce human activity you introduce the potential for errors. And by saying "same" I don't mean that everyone has the same access rights – nor do I mean that you have the same management framework applied to everyone in your company. Instead, using an SSO means new users can be onboarded quickly, so on their first day – their first few moments, actually – they have signed in to the complete collection of cloud and on-premises resources. They don't know (and never will know) their passwords. More importantly, when they are terminated or leave your company, you can sign them off your network quickly and uniformly with the click of a button, which prevents them from haunting your corporate infrastructure.
Tip 2 - Extend network visibility: Once you have done your cloud census, you'll have a better picture of what you see across your monitoring infrastructure and how you create workflows to handle potential security threats. While you might take for granted that you have network firewalls and logs for your on-premises servers, that isn't good enough when you have cloud resources. Some of this can be accomplished with a governance and compliance platform, for example.
But you should ask these questions to get a deeper understanding. For example, do these local firewalls and logs extend to your cloud-based instances? Do your threat detection processes also cover threats that happen in the cloud? Does security figure into your cloud orchestration process whenever you start or stop a cloud-based server? All of this gets to how you manage your cloud instances and how your equipment provides insights when it detects threats. As you are addressing all of these issues, you might have to purchase separate tools for your on-premises and cloud servers, rather than settle for less optimal tools that can examine both locations.
Tip 3 - Actively manage cloud providers: The third tip concerns how you keep track of your cloud vendors. How many different staffers manage the various cloud vendor relationships? Is there a clear business owner per vendor, or is there some overlap, and if so, how is it handled? Where are the gaps in your security controls, and who enforces closing these gaps (and then verifies that they are closed)?
As you can see, hybrid clouds create great power in new computing platforms. But with this power comes great responsibility to manage them securely and understand how IT needs to do a better job at using them productively too.
This post was sponsored by RSA, but the opinions are my own and do not necessarily represent RSA's positions or strategies.
David Strom is an independent writer and expert with decades of knowledge on the B2B technology market, including the network computing, computer hardware and security markets. Follow him @dstrom.
Author: David Strom
Category: RSA Point of View