Reach for control to enhance security in the cloud

Cloud-based infrastructure and services have changed the way IT practitioners design enterprise systems.

These changes offer enterprises significant security benefits and pose serious security threats.

Enterprises must take a proactive approach to reap the rewards and reduce the risk. Today, on National Computer Security Day, I’m sharing what you can do (and what you need to consider) to improve your security posture in the cloud.

Beginning with the benefits

For starters, most cloud-based SaaS offerings include an outsourced platform infrastructure. A third party often manages the service, handling operations and system maintenance. Outsourcing allows enterprises to delegate risk and take advantage of shared responsibility models. There’s some loss of configuration flexibility, but much to gain in security.

Large cloud providers have a dizzying array of security and compliance documentation, audit results, and certificates. These cover everything from the physical infrastructure facilities to their processes and technical implementations.

Software-defined networks allow enterprises to segment infrastructure without paying for physical switches and firewalls. Enterprises enjoy in-depth protection around critical resources at a fraction of the cost.

Virtualized computing and pre-packaged virtual machines allow for easy integration of security solutions and tooling for functions such as intrusion detection, application proxies, network management, and name resolution.

Platform-provided storage supports encryption at rest. It also allows fine-grained configuration of keys and permissions as appropriate for each dataset.

Adapting to a cloud-based IT world

Deploying cloud-based services challenges organizations to unlearn established security orthodoxy. Before the cloud, corporate security infrastructure protected every service by default. Enterprises assumed that each resource had its proper place in the logical network architecture. Public access to critical resources was strictly controlled. Unspooling these predispositions is hard, but it’s necessary and there are guidelines that can help.

The Center for Internet Security lists 18 critical security controls (formerly the SANS Top 20 Controls) to “protect organizations from cyber-attacks.” The first, Control #1, requires inventory and control of enterprise assets. It applies to both on-premises networks and cloud-based deployments. Failure to maintain this control often leads to the misuse of cloud services.

Cloud makes rapid deployment easy, whether through cloud consoles or APIs. However, that ease often leads to provisioning without oversight. It is a trap: it permits network abuse that could not have happened when physical hardware had to be procured first.

Balance the cloud’s flexibility with good practices and policies. Ensure every new resource has a security-appropriate configuration, documentation, reproducibility, clear ownership, and a system lifecycle plan. Failing to control the credentials that allow cloud deployment to occur can result in insecure systems and out-of-control costs, since cloud providers do not run your workloads for free.

An inventory and control system supports in-depth environmental audits, ensuring that only required services are accruing costs and that resources are not exposed for use by unauthorized parties.

All of that is easier said than done. So, if you’re looking for a place to start, try evaluating your enterprise’s implementation of Control #1 using these questions:

– Is the list of enterprise assets maintained ad hoc, through a manual procedure, or in a specialized system that checks for contradictory information and enforces business rules?

– Is the list of subnets deployed in the cloud well documented, including processes for new allocations, security properties for the subnet, desired reachability, and proper DNS resolution?

– In multi-cloud or hybrid cloud environments, is there a unified set of documentation for all networks regardless of the deployment platform?

– Are all subnets represented in an enterprise network diagram, with appropriate context for each network?

– Are all enterprise assets kept up to date within operational and security monitoring systems?

– Are all changes to the environment tracked with an appropriate degree of change management recording?

It may be time for a reset if you answered “no” or “I’m not sure” to any of these questions. There are steps you can take, each with varying costs and advantages.

Most systems will benefit from improved process documentation and fine-tuning of the change management or ticket-tracking systems. More staff training can improve Control #1 compliance by reinforcing its importance to network reliability.

Finally, there are technical tools to help. These fall under the umbrella of DDI, which stands for Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and IP address management (IPAM). Adopting or investing in this infrastructure and tooling, which underpins name resolution, address assignment, and network connectivity, can restore inventory and control, improving network visibility across multiple environments.

DDI solutions allow for better history retention, access control, and potentially automation or integrations, keeping enterprise asset inventory in sync with, for example, the assets configured in monitoring systems.
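The self-assessment questions above and the point about keeping the asset inventory in sync with monitoring both come down to the same mechanical check: compare what the cloud provider says exists against what the inventory records, what the monitoring platform watches, and what the subnet documentation covers, and report every discrepancy. The script below is an added example written for this page, not BlueCat's code or any product's API; the asset records, subnet documentation, monitored set, and "as of" date are all constructed sample data standing in for exports from a real cloud API, CMDB or IPAM, and monitoring system.

```python
"""Reconcile a cloud asset export against the enterprise inventory, the
monitoring platform, and subnet documentation (CIS Control #1 style check).

All data below is constructed for illustration; in practice each structure
would be loaded from the cloud provider's API, the CMDB/IPAM, and the
monitoring system respectively.
"""
import ipaddress
from datetime import date

# Constructed: what the cloud provider's API reports as running right now.
CLOUD_ASSETS = [
    {"id": "vm-web-01", "ip": "10.10.1.15", "tags": {"owner": "web-team", "env": "prod"}},
    {"id": "vm-db-01", "ip": "10.10.2.20", "tags": {"owner": "data-team", "env": "prod"}},
    {"id": "vm-test-77", "ip": "10.10.9.4", "tags": {}},  # no owner, undocumented subnet
    {"id": "vm-analytics-3", "ip": "10.10.1.80", "tags": {"owner": "bi-team"}},
]

# Constructed: the enterprise asset inventory, keyed by asset id, with the
# planned decommission date from each asset's lifecycle plan.
INVENTORY = {
    "vm-web-01": {"owner": "web-team", "decommission": date(2026, 1, 1)},
    "vm-db-01": {"owner": "data-team", "decommission": date(2025, 6, 30)},
    "vm-old-batch": {"owner": "ops", "decommission": date(2023, 12, 31)},  # gone from cloud
    "vm-analytics-3": {"owner": "bi-team", "decommission": date(2024, 3, 31)},
}

# Constructed: asset ids the operational/security monitoring system watches.
MONITORED = {"vm-web-01", "vm-db-01"}

# Constructed: documented subnets with their agreed security properties.
DOCUMENTED_SUBNETS = {
    "10.10.1.0/24": {"purpose": "prod-web", "internet_reachable": True},
    "10.10.2.0/24": {"purpose": "prod-data", "internet_reachable": False},
}

# Constructed: the date the audit is run against.
AS_OF = date(2025, 1, 15)


def find_subnet(ip, documented_subnets):
    """Return the documented CIDR that contains ip, or None if no subnet covers it."""
    addr = ipaddress.ip_address(ip)
    for cidr in documented_subnets:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


def reconcile(cloud_assets, inventory, monitored, documented_subnets, today):
    """Compare the three views of the estate and return every discrepancy by category."""
    cloud_ids = {a["id"] for a in cloud_assets}
    return {
        # Provisioned without oversight: running, but never registered.
        "unregistered": sorted(cloud_ids - inventory.keys()),
        # Inventory says it exists, the cloud says it does not: stale record.
        "stale_records": sorted(inventory.keys() - cloud_ids),
        # Running but invisible to operational/security monitoring.
        "unmonitored": sorted(cloud_ids - monitored),
        # No clear ownership tag on the running resource.
        "missing_owner": sorted(a["id"] for a in cloud_assets if not a["tags"].get("owner")),
        # Address falls outside every documented subnet.
        "undocumented_subnet": sorted(
            a["id"] for a in cloud_assets if find_subnet(a["ip"], documented_subnets) is None
        ),
        # Still running past its planned decommission date (cost and exposure).
        "past_decommission": sorted(
            aid for aid in cloud_ids & inventory.keys()
            if inventory[aid]["decommission"] < today
        ),
    }


def is_clean(findings):
    """True only when every category is empty, i.e. the three views agree."""
    return all(len(v) == 0 for v in findings.values())


if __name__ == "__main__":
    report = reconcile(CLOUD_ASSETS, INVENTORY, MONITORED, DOCUMENTED_SUBNETS, AS_OF)
    for category, ids in report.items():
        print(f"{category:20s} {', '.join(ids) or '-'}")
    print("clean" if is_clean(report) else "discrepancies found")
```

Each category maps to one of the questions above: "unregistered" and "stale_records" answer whether the asset list is really maintained, "undocumented_subnet" whether subnet documentation is complete, "unmonitored" whether assets are current in monitoring systems, and "missing_owner" and "past_decommission" whether ownership and lifecycle plans are enforced. Running such a reconciliation on a schedule, with its output feeding the change management system, is the automation that turns a static inventory into a control.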

What next?

Determining your Control #1 maturity level helps you identify opportunities for improvement. Next, you must marshal the resources needed to address the largest gaps. Any progress helps protect your network from the greatest risks of cloud integrations and lays the groundwork for all other system functionality.

If Control #1 is already in excellent shape at your enterprise, move on to the other 17 CIS Controls.

The bottom line is that knowledge is power, but control of that knowledge is even more power. Effective management and proper inventory controls are the cornerstones for a solid security posture in the cloud. Plan accordingly!

About the Author

David Maxwell is Vice President of Security at BlueCat, a leading provider of DDI solutions that provide visibility and control in the cloud, helping enterprises better secure their networks.

Featured image: ©lassedesignen