A cloud environment is dynamic, like the human body. It operates in different states, and is meant to evolve and adapt as external needs change. Some are happy to leave their cloud on auto-pilot, but like your health, unless you actively pay attention to how the environment functions, it can atrophy and ultimately do you harm. Conversely, getting your cloud into shape can prevent all kinds of threats.
This isn't about re-tooling your IT infrastructure or changing your data integration strategy. It's also not about making it any harder to access data and use the cloud functionality you already have. Rather, getting cloud-fit requires a minor tune-up and regular attention that neither disrupts nor distracts from the goal of running an efficient technology operation and maintaining a beach body (and not a breach body).
It's impossible to know where the next attack on your cloud will originate, so a holistic approach is necessary. Know the layers of your cloud stack, apply security best practices, and always, always monitor and maintain visibility across the entire surface of your environment.
Here are five steps that are critical to keeping your organization secure while using public cloud infrastructure. So, stretch out your calves, crank up the jams, and let's get cloud fit.
1. Start with the core: Identity management
Like any thief, hackers seek the path of least resistance; they prefer an open window to a bolted door. In the cloud, an ID and password are like keys to your environment; once a bad actor enters with valid credentials, you're done for. To prevent that, do these things:
- Require strong passwords: Establish policies that require complex passwords (at a minimum, 12 characters with mixed case, letters, and numbers).
- Require multi-factor authentication (MFA): Having a strong password is not enough these days; you need multiple layers of protection. Using a second validation or authentication method provides another layer of protection around your user login.
- Least privilege roles: Give users access only to the fewest accounts and systems they need to be productive. This limits the damage that can be done if an accident happens or a bad actor gains access to the account.
- Disable dead accounts: When people leave your organization, disable their access to all systems and disable their access keys immediately. Dead accounts add entry points and are not monitored the way live ones are.
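The four identity checks above can be run as one routine audit. This is an added example, not code from the original article: it checks a constructed user inventory (not real accounts) for missing MFA, accounts idle past a cut-off, access keys past their rotation age, and keys still active on disabled users; the 90-day and 180-day thresholds are assumptions.

```python
from datetime import date

TODAY = date(2024, 6, 1)      # fixed "now" so the run is deterministic
INACTIVE_DAYS = 90            # no login for this long: treat the account as dead (assumed cut-off)
KEY_MAX_AGE_DAYS = 180        # rotate access keys at least this often (assumed cut-off)

# Constructed sample inventory (not real accounts), in the shape an IAM user
# listing would give you: enabled flag, MFA state, last login, access keys.
USERS = [
    {"name": "alice", "enabled": True, "mfa": True, "last_login": date(2024, 5, 28),
     "keys": [{"id": "KEY-A1", "created": date(2024, 3, 1), "active": True}]},
    {"name": "bob", "enabled": True, "mfa": False, "last_login": date(2024, 5, 20),
     "keys": []},                                                   # no second factor
    {"name": "carol", "enabled": True, "mfa": True, "last_login": date(2024, 1, 15),
     "keys": [{"id": "KEY-C1", "created": date(2023, 9, 1), "active": True}]},   # left months ago
    {"name": "dave", "enabled": False, "mfa": True, "last_login": date(2023, 12, 1),
     "keys": [{"id": "KEY-D1", "created": date(2023, 11, 1), "active": True}]},  # key outlived the user
]

def password_meets_policy(pw):
    """The article's minimum: 12+ characters with upper case, lower case and a digit."""
    return (len(pw) >= 12 and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw))

def audit_identities(users, today=TODAY):
    """Return (user, finding) pairs for the identity checks the text calls for."""
    findings = []
    for u in users:
        if u["enabled"] and not u["mfa"]:
            findings.append((u["name"], "mfa-missing"))
        if u["enabled"] and (today - u["last_login"]).days > INACTIVE_DAYS:
            findings.append((u["name"], "inactive-account"))
        for k in u["keys"]:
            if not k["active"]:
                continue
            if not u["enabled"]:
                findings.append((u["name"], "active-key-on-disabled-user"))
            elif (today - k["created"]).days > KEY_MAX_AGE_DAYS:
                findings.append((u["name"], "stale-access-key"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_identities(USERS):
        print(f"{name}: {finding}")
```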
2. Pay attention to heart rate: Secure the compute layer
Once they have access to your systems, attackers will begin to wreak havoc across the compute layer. Do these things to prevent the spread of malware across your business and the Internet:
- Harden the OS: Remove unnecessary programs that only serve to broaden your attack surface. Stay up-to-date on operating system service packs and patches as much as you can. While that doesn't mean you'll be invulnerable to a zero-day attack, it makes it much less likely.
- Enable secure login (issue SSH keys to individuals): Key-based SSH logins keep your assets protected when administrative sessions cross unsecured networks.
- Only use trusted images: Build your images or templates from scratch, or get them from very trusted sources such as Amazon or Microsoft. Don’t use the ones you find on Stack Overflow or on random message boards or communities.
3. Time to get shredded: Protect the perimeter
Here are three ways to frustrate the efforts of hackers trying to gain access, and even thwart their efforts once they are in.
- Use a VPN: Protect the connections between devices and the Internet by creating a secure tunnel, or VPN, between them. You are effectively creating your own network, tailored to your own security requirements.
- Use a jump host: The jump host is placed in a different security zone and provides the only means of accessing other servers or hosts in your system. The security groups for your other cloud assets should be set up to allow SSH access only from the jump host. This extra step makes it far more likely that hackers stay out of your system.
- Hypervisor firewall rules: The most effective way to manage firewalls is at the hypervisor level because you can restrict or set limits on both ingress and egress traffic. Set definitive rules about what, how much, and who can send, receive, and access both inbound and outbound data.
4. Pay attention to diet: Secure your storage
Bad actors are after data, so you cannot afford to neglect data in any state. If attackers get access to your storage layer, they can potentially delete or expose entire buckets of data.
- Manage data access: Identity and access management (IAM) policies and access control lists help you centralize the control of permissions to your storage. Bucket policies let you enable or deny permissions by account, user, or based on conditions such as date, IP address, or whether the request was sent using SSL.
- Encrypt, encrypt, encrypt: Encrypt your data both in transit and at rest. Note that metadata is often not encrypted, so be sure not to store sensitive information in your cloud storage metadata.
- Versioning / logging: Versioning allows you to preserve, retrieve and restore data if something goes wrong. With versioning turned on, you can always restore from an older version of the data if a threat or application failure causes loss of data.
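To show how the conditions named under "Manage data access" (IP address, date, and whether SSL was used) decide a request, here is an added example that is not part of the original article: a constructed bucket policy in the IAM policy-document shape and a deliberately simplified evaluator. The condition keys aws:SourceIp, aws:SecureTransport and aws:CurrentTime are real AWS global condition keys, but the bucket name, the office CIDR and the evaluator itself are assumptions, not the provider's engine.

```python
import ipaddress
from datetime import datetime

# Constructed bucket policy (example-bucket and 203.0.113.0/24 are made up). The
# evaluator below models only the three operators this policy uses.
BUCKET_POLICY = {"Statement": [
    {"Sid": "AllowOfficeReadsUntilYearEnd", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                   "DateLessThan": {"aws:CurrentTime": "2025-01-01T00:00:00Z"}}},
    {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Action": ["s3:*"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _condition_matches(cond, ctx):
    """True only if every operator/key pair in the block holds for this request."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if op == "IpAddress":
                ok = ipaddress.ip_address(have) in ipaddress.ip_network(want)
            elif op == "Bool":
                ok = str(have).lower() == want.lower()
            elif op == "DateLessThan":
                ok = _ts(have) < _ts(want)
            else:
                raise ValueError(f"operator {op} not modelled here")
            if not ok:
                return False
    return True

def _action_matches(patterns, action):
    return any(p == action or (p.endswith("*") and action.startswith(p[:-1])) for p in patterns)

def evaluate(policy, action, ctx):
    """Explicit Deny wins; nothing matched is an implicit Deny; Resource matching is omitted."""
    allowed = False
    for st in policy["Statement"]:
        if _action_matches(st["Action"], action) and _condition_matches(st.get("Condition", {}), ctx):
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```

A request context is a dict of the same condition keys, for example `{"aws:SourceIp": "203.0.113.10", "aws:SecureTransport": "true", "aws:CurrentTime": "2024-06-01T12:00:00Z"}`; flip SecureTransport to "false" and the same read is denied.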
5. Work, sweat, repeat: Continuous monitoring
The key to being fit is constant attention and awareness. You can reduce the vulnerability of your cloud by applying constant awareness and risk alerts so you know when there's a problem and can put into practice the right steps to fix it.
- Use a continuous monitoring tool: This gives you real-time awareness of risks before they turn into incidents. Knowing where the risks are means you can fix them before they become a major problem.
- Compliance reporting: Once you're out of compliance, your security posture is threatened. With continuous monitoring, you know when you're out of compliance (or could potentially be out of compliance), and you can maintain a log of compliance status that will help you determine where issues exist.
- Automate incident response: If you apply automated incident response processes in conjunction with monitoring, you can fight back and remediate issues immediately upon detection.
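The monitoring-plus-automated-response loop described here, applied to the perimeter rules from step 3 (SSH allowed only from the jump host, and limits on egress as well as ingress), as an added example that is not code from the original article. The security-group rules are constructed, and the jump host address and the simplified rule shape are assumptions.

```python
import ipaddress

JUMP_HOST_CIDR = "10.0.100.5/32"   # assumption: the jump host's private address

# Constructed security-group rules in a simplified shape (not a real API response).
# "port" is an integer or "all"; "cidr" is the remote side of the rule.
RULES = [
    {"group": "web-sg", "direction": "ingress", "port": 443,   "cidr": "0.0.0.0/0"},
    {"group": "web-sg", "direction": "ingress", "port": 22,    "cidr": "0.0.0.0/0"},     # SSH open to the world
    {"group": "db-sg",  "direction": "ingress", "port": 22,    "cidr": "10.0.100.5/32"}, # SSH from jump host only
    {"group": "db-sg",  "direction": "ingress", "port": 5432,  "cidr": "10.0.0.0/16"},
    {"group": "app-sg", "direction": "egress",  "port": "all", "cidr": "0.0.0.0/0"},     # unrestricted egress
]

def find_violations(rules, jump_cidr=JUMP_HOST_CIDR):
    """Return (group, finding) pairs: SSH reachable from anywhere but the jump host,
    and egress rules that let a host send anything anywhere."""
    jump = ipaddress.ip_network(jump_cidr)
    findings = []
    for r in rules:
        remote = ipaddress.ip_network(r["cidr"])
        if r["direction"] == "ingress" and r["port"] == 22 and not remote.subnet_of(jump):
            findings.append((r["group"], "ssh-not-limited-to-jump-host"))
        if r["direction"] == "egress" and r["port"] == "all" and remote.prefixlen == 0:
            findings.append((r["group"], "unrestricted-egress"))
    return findings

def remediate(rules, jump_cidr=JUMP_HOST_CIDR):
    """Automated response: pin every SSH ingress rule to the jump host and drop
    allow-everything egress rules. Returns a new rule list; the input is untouched."""
    fixed = []
    for r in rules:
        if r["direction"] == "ingress" and r["port"] == 22:
            fixed.append(dict(r, cidr=jump_cidr))
        elif r["direction"] == "egress" and r["port"] == "all" and r["cidr"] == "0.0.0.0/0":
            continue
        else:
            fixed.append(dict(r))
    return fixed

if __name__ == "__main__":
    for group, finding in find_violations(RULES):
        print(f"{group}: {finding}")
    print("after remediation:", find_violations(remediate(RULES)))
```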
Practice continuous security
By understanding the need for continuous security and compliance monitoring, your team will be better prepared to protect against human error and encourage a more defensive mindset within your organization. In so doing, you will create the security necessary to ward off hacking attempts before bad actors can find a hole.
This is a quick rundown of the steps to help you get lean and mean, but security fitness is a continuous goal, not a one-time state. If you follow through with these exercises, you'll find that your enterprise and all the layers of your cloud will truly become stronger, more resilient, and less vulnerable.