In a recent post, we discussed the need for enhanced Azure backup capabilities to address the vulnerabilities created by the shared responsibility model that comes with moving data and applications to the cloud. To focus attention on these issues, we highlighted the work of the Software Engineering Institute (SEI) at Carnegie Mellon University in defining these vulnerabilities and creating a series of best practices that SMBs can use to counter the exposure businesses face in moving IT resources to the cloud.
The SEI article advised that its best practices should be viewed by SMBs as a baseline set of recommendations for companies that are educating their organizations about the breadth of vulnerabilities created. The author commented: “It is important to note that these best practices are not complete and should be complemented with practices provided by cloud service providers, general best cybersecurity practices, regulatory compliance requirements, and practices defined by cloud trade associations, such as the Cloud Security Alliance.”
The purpose of this post is to provide a reference guide to two of these additional sources of best practices: cloud service providers (CSPs) and the Cloud Security Alliance (CSA). The advice of the market-leading CSPs and CSA is summarized and distilled so that companies that are grappling with deficiencies in their current cloud data protection practices can gain an awareness of the resources and tools available and how well they might apply to their circumstances. A recap of the SEI best practices precedes the CSP and CSA information, so the post is structured as follows:
- Review of SEI Best Practices for Cloud Security for SMBs
- Cloud Security Alliance (CSA) Best Practices Overview
  - Security Guidance for Critical Areas of Focus in Cloud Computing
  - The Cloud Controls Matrix v4 (CCM)
  - CCM Implementation Guidelines
- Cloud Service Provider Best Practices Overview
  - Microsoft Azure
  - Amazon Web Services
  - Google Cloud
SEI Best Practices for SMBs Review
This section extracts all of the recommendations from SEI’s Best Practices for SMBs article and presents them in a quick-read format. Those looking for a fuller discussion of each of these points can refer to the Best Practices for Cloud Security article. Security professionals looking to dig further into the details can access the forty-seven-page report, Cloud Security Best Practices Derived from Mission Thread Analysis, on which the article was based. The SEI best practices fall into four categories, outlined below: Perform Due Diligence, Managing Access, Protect Data, and Monitor and Defend.
Perform Due Diligence
Planning
- Use a cloud adoption framework to enable efficient use of cloud services and consistent architectural designs.
- Ensure that participants understand the shared responsibility model.
Development and Deployment
- Train your system or application development and deployment team in the details of correctly using CSP services.
- Review your security control implementation approaches and compare them with CSP-provided approaches to determine which best meets your security policy goals.
Operation
- Treat your cloud infrastructure as source code, which you should manage in a source code control system with change control procedures enforced.
Decommissioning
- Understand how data can be extracted from one CSP and moved to another as it may be necessary to decommission a cloud-deployed application or system rapidly.
Develop a Multiple CSP Strategy
- Understand redesign requirements should a deployment have to be moved to another provider.
Managing Access
Identify and Authenticate Users
- Use multifactor authentication to reduce the risk of credential compromise.
Assign User Access Rights
- Use role-based access control to establish privileges for developers and system managers to limit the impact of a credential compromise or a malicious insider.
Create and Enforce Resource Access Policies
- Configure service-specific access policies for different types of storage services, such as virtual disks, blob storage, and content delivery services.
Protect Data
Protect Data from Unauthorized Access
- Encrypt data at rest to protect it from disclosure due to unauthorized access and properly manage the associated encryption keys to ensure effective encryption.
Ensure Availability of Critical Data
- Consider augmenting CSP processes with additional backup and recovery actions.
Prevent Disclosure of Deleted Data
- Understand where sensitive data may be copied or cached and determine what should be done to ensure deletion of sensitive data.
- Understand how your CSP handles storage media removed from production.
Monitor and Defend
Monitor Cloud-Deployed Resources
- Develop an understanding of CSP-provided monitoring data and tools to detect unauthorized access and anomalies.
- Consider augmenting CSP-provided monitoring with on-premises tools.
Analyze both Cloud and On-Premises Monitoring
- In hybrid deployments, consider a cloud-based monitoring enclave drawing from all three monitoring sources (CSP-provided monitoring, consumer cloud-based monitoring, and consumer on-premises monitoring) for data transfer and storage cost advantages and ease of scalability.
Coordinate with CSP
- Assume a collaborative relationship with your CSP to encourage the sharing of information on the detection and investigation of adverse incidents.
- Update your Standard Operating Procedures (SOPs) to formalize collaborative posture.
Cloud Security Alliance Best Practices
The Cloud Security Alliance is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. The organization serves cloud service providers, companies in the cloud service supply chain, and cloud consumers.
CSA’s best practices research efforts are led by a group of in-house professionals and supplemented by input from a community of security experts including industry practitioners and corporate members. Experts participate in CSA Working Groups that are organized around topics such as Threat Intelligence, Security Services, and Architecture and Components.
The three major tools produced by CSA that can help companies institute best practices for cloud data protection are:
- Security Guidance for Critical Areas of Focus in Cloud Computing
- The Cloud Controls Matrix v4
- CCM Implementation Guidelines
An overview of each of these items follows.
The Security Guidance for Critical Areas of Focus in Cloud Computing
The Security Guidance document is designed to be a practical, actionable roadmap for organizations seeking to adopt the cloud paradigm. It is organized into fourteen domains that address the strategic and tactical security “pain points” within a cloud environment and can be applied to any combination of cloud service and deployment model. The domains and primary areas of focus are provided below:
- Cloud Computing Concepts and Architecture – Provides a common language and understanding of cloud computing, highlights the differences between cloud and traditional computing, and guides security professionals towards adopting cloud-native approaches that result in better security instead of creating more risks.
- Governance and Enterprise Risk Management – Examines four areas impacted by cloud computing: governance, enterprise risk management, information risk management, and information security.
- Legal Issues, Contracts, and Electronic Discovery – Highlights the legal issues raised by moving data to the cloud, contracting with cloud service providers, and handling electronic discovery requests in litigation.
- Compliance and Audit Management – Scrutinizes the assignment of compliance responsibilities between the provider and customer, including indirect providers (the cloud provider of your cloud provider).
- Information Governance – Examines the need to update policies when moving to the cloud to ensure that the use of data complies with organizational policies, standards and strategy, including regulatory, contractual, and business objectives.
- Management Plane and Business Continuity – Focuses on the impact of the centralization of the administrative management of resources and the need to set proper security controls to limit who can access the management plane. Emphasizes the importance of preparing for and managing cloud provider outages to ensure business continuity.
- Infrastructure Security – Discusses cloud considerations for the underlying infrastructure and security for virtual networks and workloads and covers fundamentals for private cloud computing.
- Virtualization and Containers – Addresses customer responsibility for properly implementing virtualized security controls and deciding when to encrypt virtualized storage, properly configuring the virtual network and firewalls, or deciding when to use dedicated hosting vs. a shared host.
- Incident Response, Notification, and Remediation – Identifies gaps related to incident response that are created by the unique characteristics of cloud computing.
- Application Security – Covers all aspects of application security from early design and threat modeling to maintaining and defending production applications.
- Data Security and Encryption – Outlines a risk-based approach to developing an appropriate encryption option which is based on the threat model for your data, business, and technical requirements.
- Identity, Entitlement, and Access Management – Focuses on the need to develop a comprehensive and formalized plan and processes for managing identities and authorizations with cloud services.
- Security as a Service (SecaaS) – Highlights some of the more common categories in the SecaaS market, such as Cloud Access Security Brokers (CASB), Web Application Firewalls (WAF), and Security Information and Event Management (SIEM).
- Related Technologies – Spotlights technologies that rely nearly exclusively on cloud computing to operate or are commonly seen in cloud deployments such as Big Data, Internet of Things (IoT), and serverless computing.
The Cloud Controls Matrix
The Cloud Controls Matrix is aligned with the Security Guidance document and is composed of 197 control objectives. CSA designed the tool for the systematic assessment of a cloud implementation, and it provides guidance on which security controls should be implemented by which actor within the cloud supply chain. Components of the CCM include:
- The Consensus Assessments Initiative Questionnaire (CAIQ) supplies a way to document what security controls exist in IaaS, PaaS, and SaaS services and provides a set of Yes/No questions a cloud consumer can ask of a cloud provider to ascertain their compliance with the CCM to determine if their cloud services are suitably secure.
- The CCM Implementation Guidelines present guidance on how to interpret and implement each of the CCM control objectives and are available in spreadsheet format.
- CCM Mappings provides mappings to other industry security frameworks such as ISO 27001/27002, NIST, and FedRAMP to reveal the equivalence, gaps and misalignment between the CCM control specifications and other standards/frameworks.
Cloud Service Provider Best Practices
The three major CSPs, Amazon Web Services, Microsoft, and Google, offer comprehensive resources for cloud data protection. These materials are described below:
Microsoft Azure
As part of its Microsoft Cloud Adoption Framework for Azure, the company offers a 61-page guide, Security Best Practices for Azure Solutions. It advises consumers to prioritize several actions, including:
- Upgrade your Azure subscription to Azure Security Center Standard to uncover and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats using analytics and intelligence, and respond quickly when under attack.
- Store your keys and secrets in Azure Key Vault and not in your source code. Key Vault supports any type of secret: passwords, database credentials, API keys and certificates.
- Install a web application firewall to provide centralized protection of your web applications from common exploits and vulnerabilities.
- Enforce multi-factor verification for users, especially your administrator accounts.
- Encrypt your virtual hard disk files to help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets.
- Connect Azure virtual machines and appliances to other networked devices by placing them on Azure virtual networks. Virtual machines connected to an Azure virtual network can connect to devices on the same virtual network, different virtual networks, the internet, or your own on-premises networks.
- Mitigate and protect against distributed denial of service (DDoS) attacks.
- Manage your VM updates, as Azure doesn’t push Windows updates to them. Ensure you have solid processes in place for important operations such as patch management and backup.
- Enable password management and use appropriate security policies to prevent abuse.
- Review your Security Center dashboard regularly to get a central view of the security state of all of your Azure resources and take action on the recommendations.
Amazon Web Services
Security best practices as defined by Amazon Web Services are embedded in a larger 81-page resource titled, AWS Well-Architected Framework. The Framework addresses a broader range of topics including operational excellence, reliability, performance efficiency and cost optimization. The security coverage is found on pages 12-18. The framework bases its best practices on the following design principles:
- Implement a Strong Identity Foundation – Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources.
- Enable Traceability – Monitor, alert, and audit actions and changes to your environment in real time. Integrate log and metric collection with systems to automatically investigate and take action.
- Apply Security at All Layers – Apply a defense in depth approach with multiple security controls. Apply to all layers (for example, edge of network, VPC, load balancing, every instance and compute service, operating system, application, and code).
- Automate Security Best Practices – Automated software-based security mechanisms improve your ability to securely scale more rapidly and cost-effectively.
- Protect Data in Transit and at Rest – Classify your data into sensitivity levels and use mechanisms, such as encryption, tokenization, and access control where appropriate.
- Keep People Away from Data – Use mechanisms and tools to reduce or eliminate the need for direct access or manual processing of data. This reduces the risk of mishandling or modification and human error when handling sensitive data.
- Prepare for Security Events – Prepare for an incident by having incident management policy and processes that align to your organizational requirements. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.
Google Cloud
Google Cloud offers a high-level view of cloud data protection with its CISO Guide to Cloud Security Transformation. Taking the perspective of a Chief Information Security Officer, the guide recommends the following practices to secure company, partner, and customer information:
- Engage in security planning early.
- Take a risk-informed, not a risk-avoidance approach.
- Embrace zero trust and forget the perimeter.
- Prioritize automation to reduce manual workload and improve velocity.
- Plan to re-train, re-skill, and reorganize your security workforce.
- Partner with cloud service providers, based on a shared understanding of risk and objectives.
- Challenge existing security assumptions and implement cloud-specific best practices.
For a more granular approach, consumers can access the Best Practices for Enterprise Organizations resource, which offers a step-by-step process for applications and data security structured along the following lines: Organization Setup, Identity and Access Management, Networking and Security, Logging Monitoring and Operations, Cloud Architecture, and Billing Management.
Conclusion – Cloud Data Protection
With the ongoing migration to the cloud, companies are striving to update their practices and procedures to ensure cloud data protection. The fact that CSA has now progressed to its fourth version of the Cloud Controls Matrix reflects that the environment is fluid and security professionals continue to develop new approaches. The resources outlined above provide SMBs with a variety of formalized structures to instill these controls and policies in their workplaces. Under these circumstances, an added layer of backup protection to maintain business continuity in the face of current vulnerabilities offers a means for companies to improve their security posture in the cloud environment.