Secure the Cloud—All Hands on Deck

The cloud is storming. There has been intense surge of cloud adoption in businesses throughout every vertical over the past year, but I believe this astonishing trend is only the beginning. I feel that a massive, measured adoption of the cloud will continue, but—perhaps even more shockingly—without the security planning, controls, tools, and skillsets that would be considered standard when protecting a traditional technology infrastructure.

It’s time for all hands on deck when it comes to protecting the critical cloud infrastructure of our businesses. Cloud adoption is forging value propositions that impact every function within an organization and creating larger attack surfaces as a result. Security teams of all types, no matter their background or experience, must now be security champions within every department, including DevOps, HR, Sales, and Finance. Security is now a critical seat at the business table with a lofty goal of protecting everything everywhere—and especially in the cloud. Cloud security requires a major shift in mindset and operational capability to properly secure an organization.

Framework

Most security practitioners recognize from experience that frameworks add clarity and context to cybersecurity program development on many levels. The same is true when selecting cloud-oriented frameworks, and many organizations often mix traditional risk-centric approaches with common threat vectors to formulate a valid framework. A typical approach is to map NIST CSF guidelines and standards, especially if already prevalent in the current framework, to a cloud security provider like Amazon’s AWS or Microsoft’s Azure to bridge language, processes, and expertise back to the business where the security team has already communicated proven value. For security operations specialists, mapping controls around MITRE ATT&CK Cloud Matrix can also be extremely valuable in determining threat vectors and risks to the organization while determining current capabilities or uncovering gaps. But a good framework is only the start for most businesses to secure their digital transformations.

Secure Architecture

Architecting a holistic security implementation in the cloud alongside ever-changing business requirements is an enormous challenge. It’s an art as much as a science. Different skillsets are required for weaving a secure setup in the cloud compared to traditional infrastructure. The security team’s mission is to protect the business, so whether this capability exists in-house (which is rare) or if resources are needed to augment and architect a secure space that can be executed upon, great care should be taken in creating foundations for a successful program. Be sure to account for the breadth of cloud business operations including: CSP (AWS, Azure, GCP, etc.), Applications (both custom and SaaS), Data/DB Repositories (data types and integrations), and Identity and Access Management (IAM/PAM). Gain as much insight over the complete cloud deployment as possible by understanding any current operations through visibility tools that assist in identifying specifics that may help craft a true and potent cloud security plan.

Cloud Security Tools

Knowing which tools to look for and procure is paramount, as many of the security tools utilized today by organizations simply don’t translate—well or at all—to the cloud. This can be frustrating and hard to navigate, especially when leveraging hybrid cloud infrastructures. The list below, while not an in-depth look at the cloud security landscape, is developed from leading organizations in the cloud security space. It’s concise and segmented via overall prioritized categories and can provide a good starting point for your organization.

Identity

• SSO, MFA, PAM (Privileged Access Management)
• API, Non-human Access, Tokens

Applications (a.k.a. DevSecOps or Shift Left Cybersecurity)

• Application Security Testing (SAST, DAST, IAST, RASP)
• Code Vulnerability Remediation
• API, Microservices

Network & Routing

• SASE, WAF
• Microsegmentation
• CASB, SD-WAN, CDN

Data

• DLP (Data Loss Prevention)
• Encryption At-Rest & In-Transit, Key Management

Workloads & Containers

• EDR (Endpoint Detection & Response) & Workload Protection
• Container Orchestration Pre-Deployment & Runtime Security

Security Operations

• CSPM (Cloud Security Posture Management)
• Log Management & SIEM (AWS GuardDuty or Azure Security Center)
• Automation, UBA (User Behavior Analysis), SOAR
• MDR (Managed Detection & Response)

These strategies come directly from successful cloud security implementations both large and small. As you reference this guide in the development of your own cloud security program, be sure to watch for a series of new topics including:

• Zero Trust Cloud Security
• DevSecOps
• CSPM (Cloud Security Posture Management)
• Cloud IR (Incident Response)

These in-depth reviews should provide a solid starting point, but if you need any further clarification on fully integrated toolsets with your cloud security program, please reach out and mention me specifically. It’s an exciting privilege to share more insights around this incredibly important topic!

Mitchem Boles, CCSP, CISSP, AWS

Additional Resources:

Secure your infrastructure. Meet compliance standards. Reduce risk. Learn more about CRITICALSTART’sCybersecurity Consulting Service.

Interested in Vulnerability Management?  Our team will identify, classify, prioritize, remediate, and mitigate software vulnerabilities. Learn more.

Ready to talk to an Expert?  Contact us now.