While many organizations still use on-premises models for network access and management, migration to cloud computing continues to grow as companies leverage the benefits of cloud computing to fit their organization’s unique needs.
Cloud Computing Advantages
Cloud computing implementation provides many advantages with a model for “on-demand” resources for mission-critical operations and services (applications, databases, virtual servers, and other IT services and infrastructure) that are flexible, scalable and can be rapidly deployed with reduced implementation and maintenance costs.
For small and medium-sized organizations, cloud computing provides increased access to high-performance applications without major investment in on-site infrastructure and with remote access to data and applications from almost anywhere.
Cloud computing also has some disadvantages with the main concerns for many organizations being effective security and privacy controls, which means adjusting your organization’s risk management strategy. Protecting cloud computing resources (environments, applications and data) from cybersecurity risks uses strategies, security policies, procedures, technologies and best practices that are unique to this environment and often use cloud-based security tools combined with on-premises hardware and software security measures.
As your organization is considering moving resources to the cloud for cloud computing implementation or expansion, the most important practice to consider in your risk management strategy is thorough due diligence. This practice will ensure a complete understanding of your organization’s networks, applications, data and other resources across the full resource lifecycle so planning, development, deployment, operations and decommissioning are effectively managed.
What is Cloud Computing?
Let’s do a quick summary of cloud computing to understand the different environments and service models available and how these can affect cloud security and your organization’s risk strategy.
Cloud computing is hosted in three primary types of cloud environment, each with unique security challenges:
- Public cloud services are hosted by off-site third-party service providers accessible through web browsers (include Amazon Web Services (AWS), Microsoft Azure, and Google Cloud). Authentication, access controls and identity management are essential security controls in this environment.
- Private clouds are dedicated cloud resources accessible to a single organization (include HP Enterprise, VMWare and IBM service providers). Private cloud environments are still vulnerable to access breaches and other exploits.
- Hybrid clouds leverage a combination of public and private cloud environments that provide an organization increased control of data and resources with a private cloud, and access to flexibility and scalability with public cloud access when necessary. The combination of public and private environments ensures workloads can be run in their optimal environment.
In addition, there are generally three service models for the cloud environment: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (Iaas).
- SaaS involves software applications hosted by third-party cloud infrastructure generally delivered over a web browser. Your organization does not manage underlying infrastructure including networks, servers, operating systems, storage or individual applications, although administrators often manage limited user configurations. Any organization user can potentially access web services, applications and content, so appropriate visibility and access controls are essential to monitor access and usage in this service model.
- PaaS provides for an organization to utilize cloud resources for developing, running and managing web applications and services. PaaS models generally support DevOps teams, developers and operations with the organization managing dedicated applications and a third-party host providing underlying cloud infrastructure. insecure permissions and self-service entitlements are the main concerns for cloud security in this model.
- IaaS enables automating creation of virtual machines at scale in a virtualized data center infrastructure over the internet hosted by a third-party. Your organization utilizes on-demand access to pre-configured computing resources including networks, operating systems and storage. In this model, critical security concerns include how virtual machines are provisioned, managed and spun down.
Depending on the environment and service model your organization uses or is exploring for cloud computing, there are some common cloud security challenges to consider:
- Massive damage can result from simple errors. Scalability, one of the main benefits of cloud computing, can lead to misconfigurations and vulnerabilities that can rapidly multiply leading to data breaches and service outages. For example, public cloud-based services such as AWS, which enable super users to manage servers in the thousands, with specific access privileges for each server, can lead to access vulnerabilities that can multiply across multiple servers.
- Incompatible on-premises and cloud environments lead to management and security issues: Tools and configurations for on-premises environments may not be compatible with a virtualized cloud environment. If a multi-cloud environment is utilized, cloud environments with different system tools can also be incompatible. Consequently, technology and security processes suitable for on-site environments or for a particular cloud environment may not be portable across multiple environments leading to control and access gaps with risk exposure from data leaks, misconfigurations, excessive access privileges, and security and compliance issues.
- Multi-tenant shared resources blur network boundaries: The benefits of flexibility and lower cost for a shared environment also introduce concerns for segmentation for data isolation and privacy. The main risk with a shared environment is a software bug or poorly managed access controls could lead to data exposure to unauthorized users in a multi-tenant database. Cloud service providers are acutely aware of this risk and generally build and test software and systems to mitigate the risk of data leaks.
- Phishing and social engineering attacks: Cloud computing remote availability makes phishing and social engineering attacks easier. When login or other confidential information is obtained, a malicious user can potentially break into a system remotely with ease as the system can be accessed from anywhere. Employee awareness and training help mitigate these risks to avoid these types of attacks.
12 Cloud Computing Best Practices
Below are 12 cloud computing best practices for adjusting your organization’s risk management strategy as a cloud computing solution is implemented or expanded for your organization’s computer resource requirements:
Implement strong access management policies that restrict access and harden resources by enforcing least-privilege principles. Privileged access should use session monitoring to audit and record access, ensuring privileges are role-based and minimum access necessary to perform an operation is granted. Using a zero-trust model will tightly control access, requiring every user, system or device to be verified and validated before connecting to your organization’s systems inside or outside the network perimeter. Additionally, consider an LDAP-compliant directory service such as Active Directory to manage identity and access management across multiple systems and environments.
What segmentation is in place between your resources and other customer resources in a multitenant environment as well as between your organization’s resources that enforce isolation between environments? Network segmentation that prevents lateral movement can ensure a minor compromise does not progress to a serious multi-system breach. Network segmentation can be achieved through:
- Physically separate servers for each environment in a traditional Application Services Provider (ASP) model.
- Virtual servers individually dedicated to a particular client or environment (e.g. SAN, NAS or virtual database servers).
- Use specialized tools that allow control of network traffic so management and production traffic can be segregated.
- Applications run in separate logical partitions using separate system images that do not share cloud storage or other resources.
- Specialized tools utilized to allow control of network traffic so management and production traffic can be segregated.
Perform regular scans for vulnerabilities and misconfigurations and conduct security audits and testing to identify vulnerabilities and risks. Perform penetration testing of your organization’s network environment (on-premises and cloud) to detect and remediate system vulnerabilities.
Establish proactive processes and use automated tools for scanning and patching known vulnerabilities across your organization’s system infrastructure and ensure your cloud vendor also has a reliable approach to patch known vulnerabilities. Analyze post-patching impacts to address any incompatibilities across systems and environments.
5. Monitor user activity
Track cloud users use of your organization’s cloud environment. Evaluate cloud usage culture in your organization as well. Cloud computing can lead to casual use of data and data sharing compromises when data can be collected, searched and stored anywhere, which can lead to mixed-use data risks that can comprise sensitive data.
Ensure password management best practices are followed including:
- Configure a minimum password length
- Configure settings for password complexity
- Enforce password history with a minimum of 10 previous passwords
- Set maximum password age, recommended every 90 days, and enable email warnings for password expiration.
- Reset local admin passwords recommended every 180 days, and service account passwords recommended once a year during maintenance
- Enable password auditing to track all password changes.
- Synchronize passwords to reduce complexity and security risks using an enterprise password management system to ensure consistent strong security across systems.
Select a console to provide alerts when your organization may be out of compliance with applicable regulations so immediate corrective action can be performed to mitigate risks.
Ensure your organization’s cloud data is encrypted in transit and at rest. Consider using multiple encryption services for encryption at the file, database and network levels.
Ensure your organization and cloud computing vendor have continuous security monitoring enabled for all environments and systems.
10. Manual vs. automated cloud security
Automated scans can help reduce the need for manual security checks and ensure your organization has robust 24×7 security management to protect your cloud data and systems. Automated scanning tools can be used to standardize configurations and detect problems so IT personnel can focus on complex issues and innovation.
Determine what alerts and reporting your cloud vendor provides and use a Security Information and Event Management (SIEM) tool to centralize data from in-house and vendor security reporting so a complete picture is available of the security posture of your computing environment at all times.
12. Learn from publicly disclosed IT failures
Study industry news for IT failures in cloud environments to stay informed as cloud use evolves and becomes more complex. High-profile failures provide critical knowledge to ensure your organization’s cloud security risk strategy is prepared for current threats as well as new, developing security threats in the future.
Organizations that avoid utilizing cloud computing infrastructure and services face a significant business risk as few organizations have the budget or personnel to build and manage data centers with all software and infrastructure housed on-premises. In fact, small and medium businesses with limited IT resources often benefit the most from cloud computing with access to high-performance applications without major on-site infrastructure investment and with remote access to data and applications. In addition, large-scale cloud service providers that provide well-structured cloud architecture implementation, including Amazon, Google and Microsoft, can provide more robust security, privacy and availability for computing resources that can be achieved with limited IT capabilities.
With a soundly-crafted cloud security strategy and discipline that leverages best practices for cloud computing, you can enable your employees to enhance organizational innovation and support workforce productivity, while keeping your applications safe, and your data secure. Read more in our related blog article, 10 Tips For Keeping Private Information Secure on the Cloud
Cloud computing is the future and is a high-value resource for your organization to be innovative and competitive in the evolving high technology business world.