Cloud Security Best Practices

The Internet is full of cloud security best practices. Many are appropriate for most organizations to reduce their exposure to cloud security risks in a number of scenarios; but, without total visibility of the cloud environment – and control over Shadow IT environments – organizations may find some cloud security best practices ineffective.

It can also be the case that some cloud security best practices are too complex for the issues organizations are trying to address. This is often because the best practices resolve multiple issues simultaneously – some of which the organization may never encounter, or which it may be prepared to tolerate in order to prevent latency and/or improve the end-user experience.

Consequently, there are no one-size-fits-all cloud security best practices and each organization should determine which best practices are most appropriate for its circumstances. However, to assess which cloud security risks an organization may be exposed to, it is necessary to understand cloud usage; and, in order to understand cloud usage, it is necessary to have total visibility of the cloud environment.

The Issue of Visibility in the Cloud

One of the biggest issues with cloud computing is the lack of visibility. The issue is due to Cloud Service Providers' servers being multi-tenanted and supporting resources that may be shared by multiple organizations at the same time. Therefore, because of privacy and security concerns, Cloud Service Providers don't provide visibility into cloud activities below the level of abstraction.

What this means for organizations trying to implement cloud security best practices is that they cannot see how services and resources are interacting with each other below the operating system level (for virtual machines), or even higher up the virtual stack for services such as containers and functions. It is also often impossible to identify server misconfigurations that could be exploited by cybercriminals.

The solution is to implement an agent-based monitoring tool that monitors activity below the level of abstraction. With a tool of this nature, organizations can gather metrics to (for example) understand cloud usage, identify network bottlenecks, and detect cloud security risks – plus have the visibility to isolate the cause of a risk and see how remedial action might impact other resources.

The Issue of Line of Business “Shadow” IT

One of the consequences of having total visibility over a cloud environment is that organizations often find they are using many more cloud services and resources than they think they are – and that many of the cloud services being used are not sanctioned by the IT department. The unsanctioned use of cloud services by Lines of Business “to get the job done” is often referred to as Shadow IT, and it represents a major problem for organizations trying to apply cloud security best practices.

In the context of cloud security, the biggest issue with Shadow IT is that the individuals taking advantage of unsanctioned cloud services and deploying unsanctioned cloud resources do not have the same level of security expertise as colleagues in the IT department. As a result, there is an increased likelihood that (for example) virtual machines will be deployed with unauthorized open ports, sensitive data will be exposed due to a lack of encryption, and gaps will exist in Identity and Access Management controls.

However, it is not a best practice to blanket ban unsanctioned services just because they have not been approved. Many of the services may have been used for some time, and – although they may present a risk to data security in the cloud, increase cloud costs unnecessarily, and create performance inefficiencies – they may now be essential to productivity in certain departments. A better solution to this issue is to create a Cloud Center of Excellence and bring Shadow IT under centralized control.

What is a Cloud Center of Excellence?

A Cloud Center of Excellence is a team with existing IT leaders at its core, but with representatives of all Lines of Business on its periphery. The team is tasked with identifying what cloud services and resources are being used, who is using them, what they are being used for, and how they are being used. The team then has to secure, replace, or block access to any services or resources that are insecure, and educate users on how to use sanctioned services and resources securely.

This process therefore involves developing cloud security governance policies to apply cloud security best practices that have been identified during a risk assessment. The policies should stipulate what cloud services and resources can be used, who can use them, what they can be used for, and how they should be used. They should also include the procedures for amending or overruling governance policies as necessary, and for adding new governance policies as the business objectives of the organization evolve.

The primary purpose of having representatives of Lines of Business involved in the Cloud Center of Excellence is to eliminate Shadow IT and thereby bring all the organization's cloud activity under centralized control. The secondary advantages of this are that Lines of Business become financially accountable for the services and resources they consume, and performance inefficiencies caused by separate departments utilizing incompatible services are eliminated.

Monitoring Compliance with Cloud Security Best Practices

There is a disadvantage to obtaining total visibility and bringing Shadow IT under centralized control – it significantly increases the management overhead of monitoring compliance with cloud security best practices. This disadvantage can be overcome by using an agent-based monitoring tool with policy-driven automation capabilities that can be customized to apply guardrails to user activity and configured to initiate a function when a user action is attempted that would violate a governance policy.

It is important that the monitoring tool is capable of initiating an automated function – rather than retrospectively notifying IT security teams of a policy violation – as it means the monitoring tool can auto-remediate low-priority violations and leave IT security teams free to investigate high-priority violations. This reduces the management overhead of monitoring compliance with cloud security best practices and significantly reduces the likelihood of a data breach. For example:

  • Guardrails can be implemented during the development pipeline to ensure new deployments conform to approved configurations – and deployments can be blocked if they don't.
  • The monitoring tool can be configured to prevent users launching services not approved by the Cloud Center of Excellence team, or to initiate an approval workflow.
  • It is also possible for the monitoring tool to continuously verify the configurations of existing servers in order to prevent configuration drift that might expose vulnerabilities.
  • Global tagging policies can be enforced automatically so that sensitive data is encrypted by default and storage volumes containing data are not exposed to the public Internet.
  • Policies stipulating that accounts with high privilege levels have multi-factor authentication can be enforced, as can conditional access controls.
  • Similarly, account access can be automatically revoked if suspicious activity is recognized – for example logging into an account from an unrecognized IP address.
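
The split between blocking at deployment, auto-remediating low-priority drift, and escalating high-priority violations can be sketched as policy-as-code. This is an added example, not taken from any particular monitoring tool; the policy names, resource fields, severities and allow-lists are assumptions made for illustration.

```python
# Added illustration; policy names, fields and allow-lists are assumed, not a real tool's schema.
from dataclasses import dataclass
from typing import Callable, Optional

APPROVED_SERVICES = {"vm", "object-storage"}  # assumed Cloud Center of Excellence allow-list
APPROVED_PORTS = {443}                        # assumed approved inbound ports

def _close_ports(r: dict) -> None:
    r["open_ports"] = [p for p in r["open_ports"] if p in APPROVED_PORTS]
def _encrypt(r: dict) -> None:
    r["encrypted"] = True

@dataclass
class Policy:
    name: str
    severity: str                                 # "low" or "high"
    violated: Callable[[dict], bool]
    remediate: Optional[Callable[[dict], None]] = None

POLICIES = [
    Policy("unapproved-service", "high",
           lambda r: r.get("service") not in APPROVED_SERVICES),
    Policy("unauthorized-open-port", "low",
           lambda r: any(p not in APPROVED_PORTS for p in r.get("open_ports", [])),
           _close_ports),
    Policy("sensitive-data-unencrypted", "low",
           lambda r: r.get("tags", {}).get("data") == "sensitive" and not r.get("encrypted"),
           _encrypt),
]

def evaluate(resource: dict, stage: str) -> list:
    """stage 'deploy' = pipeline guardrail; 'runtime' = continuous drift check."""
    findings = []
    for p in POLICIES:
        if not p.violated(resource):
            continue
        if stage == "deploy":
            action = "block"                      # non-conforming deployment never launches
        elif p.severity == "low" and p.remediate:
            p.remediate(resource)                 # fixed in place, no analyst needed
            action = "auto-remediated"
        else:
            action = "escalate"                   # left for the security team
        findings.append((p.name, action))
    return findings

# Constructed sample: an approved VM whose configuration has drifted.
DRIFTED_VM = {"service": "vm", "open_ports": [22, 443],
              "tags": {"data": "sensitive"}, "encrypted": False, "public": False}
```

Running evaluate a second time on a remediated resource returns no findings, which is the property a continuous drift check relies on.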

What May be Cloud Security Best Practices for One, May Not be Best for Another

It was mentioned previously that there are no one-size-fits-all cloud security best practices and each organization should determine which best practices are most appropriate for its circumstances. In order to determine which best practices are most appropriate, organizations need to get total visibility of their cloud environments, address issues relating to Shadow IT, and then conduct a risk assessment to identify cloud security risks and develop governance policies to mitigate them.

Automating the enforcement of cloud governance policies reduces the management overhead of monitoring compliance, but it is important to have procedures in place for amending, overriding, or creating new governance policies as circumstances dictate. The cloud is a dynamic and rapidly evolving phenomenon, and Cloud Centers of Excellence need to be equally dynamic and ready to evolve in order to support the organization's business objectives.