7 Key Best Practices for Cloud Security from Alert Logic
By Dan Pitman, Principal Security Architect at Alert Logic
The financial, technical, and efficiency advantages of moving business critical applications to the cloud are clear, as well as the impact it has on how products and services are developed, purchased, and consumed. But there’s still a lot of debate about whether cloud infrastructure is more or less secure than managing applications in on-premises datacenters.
At Alert Logic, an AWS Partner Network (APN) Advanced Technology Partner with the AWS Security Competency, we’ve concluded that cloud platforms are more secure than on-premises environments. Once an organization understands its role and the role of the cloud provider, you can make informed decisions concerning cloud infrastructure.
Cyber-attacks are going to happen; vulnerabilities and exploits are going to be identified. Having a solid security-in-depth strategy, coupled with the right tools and people that understand how to respond, will put your company in stronger position to minimize exposure and risk.
Amazon Web Services (AWS) has security-in-depth strategies for their global infrastructure that cover processes, people, and technology that protect the physical and foundational layers of their offering. In this post, we will explore seven best practices for cloud security that all organizations should implement.
1. Understand the AWS Shared Responsibility Model
The volume and sophistication of cyber threats continues to grow at an alarming rate, and so does the amount of confusion about who is responsible for the security and compliance of applications and workloads hosted in the cloud.
Through its Shared Responsibility Model, AWS declared the areas of security they are responsible for, but the subtleties can sometimes cause confusion. Here’s a simple way to look at it: AWS is responsible FOR the cloud, and customers are responsible for what they put IN the cloud.
In a nutshell, AWS is responsible for securing the foundational services, such as raw compute power, storage, database, and networking services. Customers, on the other hand, are responsible for the configuration of those services.
At the network layer, AWS is responsible for network segmentation, perimeter services, and external DDOS spoofing and scanning prevention. Customers are responsible for network threat detection, security monitoring, and any incident reporting. This means that AWS will secure against attacks against the shared cloud infrastructure and their perimeter, but they will not look for, or stop, attacks against the instances and applications.
At the host layer, customers are responsible for access management, patch management configuration hardening, security monitoring, and log analysis. The application security components are 100 percent the customer’s responsibility.
Figure 1 – The AWS Shared Responsibility Model outlines who is responsible for the security and compliance of applications and workloads in the cloud.
2. Secure Your Code
Code that has not been thoroughly tested and secured is easier for potential cyber threats to cause harm. Securing code is 100 percent your responsibility, and if you’re developing code even for basic-level websites you should be asking questions about which Security Development Lifecycle (SDL) is being used, be that the Microsoft Security Development Lifecycle or the more web-focused OWASP Secure Development Lifecycle.
The important thing is the SDL aligns with your development and delivery strategy. In reality, most organisations develop their own SDLC that borrows from the standards in the field.
The primary advantages of pursuing a secure SDL approach are:
- Ensuring security is a continuous concern
- Improved stakeholder awareness
- Early visibility into risk
- Overall reduction business risks
By putting a strategy in place to secure your code, your organization will have a methodology to use internally. Using encryption wherever possible also helps to secure your applications and testing libraries, scanning plugins for security bugs that may not have been picked up previously. It’s also important to limit privileges to only those who need access.
To think like a hacker is to know that cybercriminals focus on two things—the easiest thing to attack and the most profitable thing to attack. Web applications are easier to attack than the underlying infrastructure and are therefore an easier target. There has been a 300 percent increase in web application attacks in just the last three years.
3. Create an Access Management Policy
Access Management is the key to keeping your cloud environment safe, but could equally be the weak link that leaves it vulnerable. Make sure you have a solid access management policy in place, especially for those who are granted access on a temporary basis.
Defining roles and responsibilities ensures developers are unable to delete data or shutdown instances in production they shouldn’t have access to. This also lowers the impact of a threat should someone’s login credentials become compromised.
Localized authentication and dysfunctional employee or other user management processes are the dream of attackers. Organizations should integrate internal applications and cloud environment management into the corporate directory using AWS Identity and Access Management (IAM) and make sure customer systems use a centralized authentication model that’s maintained and updated. Two-factor authentication is nearing a mandatory requirement that provides a further layer of security between you and those who seek to harm your company.
Following its recent data breach, Timehop confirmed in a statement that access had been gained to its systems from a compromised account which was not protected by a multi-factor authentication.
4. Adopt a Patch Management Approach
As companies often roll out patches, it’s important to keep on top of your inventory for production systems. Unpatched software and systems can lead to major issues. Keep your environment secure by updating your systems on a regular basis. First, you need the asset inventory, configuration and vulnerability data gathered by your scanner. Without fresh data, monitoring is not continuous, and your systems will be at risk.
You need to know, in real-time, what vulnerabilities exist and if they affect you. You also need to know how critical they are. Addressing all vulnerabilities at once isn’t impossible, especially in large businesses where the amount of vulnerability data can be immense.
A combination of rolling out automatic patching and vulnerability scanning can lower the impact of any threats. Consider developing a checklist of important procedure and make sure to test all updates to confirm they do not damage or create vulnerabilities before implementation into your live environment.
5. Log Management and Continuous Monitoring
Logs are of high importance, and this is doubly so within the cloud where remote management of systems is inherent. Log management and review of those logs should be an essential component of your security practices.
Logs are useful for more than just compliance and have become a powerful security tool that organizations should leverage to assess access and change against expected behavior, keeping track of who has had access to what in a cloud environment is critical. By continuously monitoring logs, you can pick up on patterns of behavior that can be audited to ensure they’re not out of the ordinary.
Logs can also be used to identify malicious activity and assist in the subsequent forensic investigation. A unified log management approach should deliver a simple and right-sized approach to threat detection. You should be able to track user activity and suspicious behavior in real-time across your AWS environment, and you can only do so if you use tools that spot malicious activity through the consolidation of the logs, log review, and correlation.
If you get hacked and the forensic investigators ask where the logs are, they typically want access to raw, not parsed, log data to use their command line tools on. Forensic investigators need to be able to prove without a doubt where things went wrong.
When AWS introduced Amazon GuardDuty, Alert Logic saw an opportunity to expand on notifications from GuardDuty and improve AWS security to provide critical context.
Alert Logic provides a vulnerability assessment solution that allows customers to continuously find risky configurations that go against AWS Security Best Practices. It also provides crucial, easy to understand security context for GuardDuty findings and guidance for how to address or resolve them.
Amazon GuardDuty will identify a malicious activity like and alert you, but you also need to know how did this attack happen.
6. Build a Security Toolkit
You may think that a toolkit contains only tools, but no collection of software alone is going to deliver a solution to all of your organization’s security needs. It’s important to implement a security-in-depth strategy that covers all your responsibilities in the stack with tools and integrated processes.
Just as we did in the past with on-premises systems, it’s imperative to robust controls though IP tables, web application firewalls, antivirus, intrusion detection, encryption, and log management.
How we manage the input and output of those tools is equally critical. Organizations must implement very clear security processes for staff to identify relevant emerging threats, manage risk inherent in systems through regular assessment and must have a mandate from the very top that prioritizes security above the availability demands of the business.
Figure 2 – The Cyber Kill Chain helps to identify priorities against the stages of a cyber attack.
We can use the Shared Responsibility Model and the Cyber Kill Chain to help identify our priorities against the stages of attack, starting at the top and working down towards a true defense-in-depth through the implementation of tools and processes.
7. Stay Informed
It’s important to stay informed of the latest vulnerabilities and emerging threats that may affect your organization. We also recommend you manage threat detection and response for securing the cloud.
The importance of formal and informal security research and intelligence gathering as a part of an organization’s security toolkit cannot be understated. Understanding the context behind a new vulnerability and acting with confidence depend on knowing the details behind the systems being managed as well as the potential impact of the vulnerability.
Security must be a company-wide concern; restricting it to just IT and Security departments means carrying on the long and dangerous tradition of cyber-ignorance. Keep everyone informed, to keep everyone safe! Recommended resources include:
Cloud procurement isn’t just a platform debate; it’s about understanding your business requirements and thereby the most efficient way to secure workloads and applications based on the risk of data and impact.
Security must be a critical design component at the starting point of any project, so that when you spin up new systems, security controls are already in place.
Where the number one question from project stakeholders in the past was about availability (How do we know it won’t break?), the better question now must be, “How do we know it’s secure?”
Make sure you understand the organization’s role and the role of AWS, and then you make informed decisions concerning cloud infrastructure and its security.
Securing your code and creating an access management policy should form important elements of your security-in-depth strategy. Adopt a patch management approach to further secure your environment. Manage your logs and monitor your environment continuously to be able to spot anything out of order. Be aware of the latest vulnerabilities and cyber threats—you can’t defend against the unknown.
The content and opinions in this blog are those of the third party author and AWS is not responsible for the content or accuracy of this post.
Alert Logic – APN Partner Spotlight
Alert Logic is an AWS Security Competency Partner. They deliver security-as-a-service that combines cloud-based software and threat analytics with expert services to defend applications and workloads in any environment.
*Already worked with Alert Logic? Rate this Partner
*To review an APN Partner, you must be an AWS customer that has worked with them directly on a project.