Wednesday, August 21, 2019

Cloud Security Best Practices Vol 8 rel 6

So you want to place all your data in the cloud. This seems to be an inevitability; hence, it seems apropos to assist by providing, at the very least, the few tenets of securing a chosen Cloud Service Provider (CSP) offering. So, with your permission, we present the overarching cloud security best practices. Numerous factors alter and impact these practices, including the type of cloud computing model, the CSP, and the size of the organization. 

1. THE RISK MANAGEMENT FRAMEWORK (RMF) 

Security practices for any organization should revolve around risk management. You should assess, address, categorize, and prioritize the security risks associated with the IT system’s connections to the external cloud services and infrastructure.  

Subsequently,  

  1. Address methods to reduce the risk by deploying mitigation strategies  
  2. Then deploy security controls to adhere to those strategies 
  3. Finally, deploy tools to utilize and monitor the ongoing effectiveness of those controls. 

Risk management isn’t confined to IT; it actually spans all aspects of your organization, from finance to marketing. IT security management must come together with the management team to see how the analyzed risks impact every component of the business. When selecting a CSP, this should be a central discussion point with the management team and the CSP contact. 

2. ROLES AND RESPONSIBILITIES 
Defining the roles and responsibilities of IT management and security team members seems intuitive; however, not every IT security team has established roles. For example, who manages communication with the CSP’s security point of contact? 

Without precise definitions, overlaps and confusion in duties, incompetence, and noncompliance with the security policy may result, or worse, a breach. Cloud security success depends as much on your internal staff and services as on the external services and staff of the CSP. Yes, your management may worry about insider attacks or personnel error on the CSP’s end, but the same risk exists internally as well. 

As for the CSP, consider the importance of knowing the roles, duties, and names of the CSP’s personnel responsible for your data security. In fact, make sure you know where they draw the line, i.e.,  

  1. Who is responsible for the logical components vs the hardware?  
  2. Who is responsible for segregating logical from hardware? 
  3. Who is responsible for preventing insider attacks, data leakage? 
  4. What procedures document which personnel handle the prevention, mitigation, and recovery of data?  

3. SECURITY POLICY 

The policy should contain all aspects of information security. In fact, for the security policy to be effective, the organization must not only create a clearly defined and understood security policy, but also get executive sponsorship so the Security Team can promote, review, and enforce its use with the help of the department heads it’s supposed to protect.    

The policy scope should include, whether they exist yet or not, items for cloud infrastructure services (SaaS, PaaS, or IaaS), the CSP, and the type of cloud (public, private, or hybrid). This process involves lengthy documentation, collaboration and feedback across all organizational departments, and ongoing reviews for improvement. The security policy should stand as a living, breathing document, well known throughout the organization, where every person is held accountable for their role and actions. Only when all personnel comprehend the importance of such a policy will security be taken seriously.    

The security policy’s effectiveness is only as good as its promotion and the organizational awareness of it. IT management must establish awareness for all employees and ensure they understand their limitations and responsibilities as outlined in the policy. 

The policy should contain documentation and plans for access management, auditing, vulnerability scanning, data encryption, software and hardware intrusion prevention, disaster recovery, business continuity, and even a data loss prevention policy. It’s not enough to state and outline the security controls established. 

The organizational policy must stand separate from, or include a section pertaining to, the Cloud Service Provider (CSP). You utilize the CSP’s infrastructure, services, and security controls, but you must account for the failure of the CSP’s services and security in case of a data breach, vulnerability, or other critical issues. Include backup plans and documentation for every potential scenario. The CSP may boast a proven track record of protecting company data, they may have a solid defense and DLP policy in place, they may have a clearly stated SLA and security policy that puts the customer first, but you must account for the “what ifs” within your policy. Not all business relationships and services are guaranteed to last. Nothing is absolute. Account for the failure or breach of contract of the CSP. 

When creating or amending the organizational security policy, address how the current or potential CSP affects the policy and present security controls. 

4. PERFORM AUDITS 

Any virtual hosting organization will tell you that the integrity of the data storage remains the primary responsibility of the CSP, and it’s your IT security teams that must secure, protect, and mitigate possible threats on their end. Typically, IT security teams make use of ongoing auditing. In the auditing process, security personnel should verify compliance according to the security policy and test and analyze the effectiveness of security controls. 

Exploit the Infrastructure with Penetration Testing 

What’s a smart way to identify system holes? One way to thwart exploits and vulnerabilities is through penetration testing. This auditing practice is costly but nevertheless essential for cloud security. Independent professionals not connected with your organization perform the best work, since they provide an objective, fresh set of eyes on the systems. 

Before signing an SLA (Service Level Agreement) with the CSP, check that they permit independent penetration testing. This is key: if they don’t allow it, find out how they confirm the protection of your data. 

Scan for Vulnerabilities 

Periodic vulnerability scanning of the cloud infrastructure is critical to maintaining security. Scan the cloud management platform, servers, and network devices to ensure comprehensive security of the entire infrastructure. Employ software monitoring tools such as: 

  • Retina Security Scanner: Retina enables you to efficiently identify IT exposures and prioritize remediation enterprise-wide. Retina Network Security Scanner, the industry’s most mature and effective vulnerability scanning technology, identifies the vulnerabilities: missing patches, configuration weaknesses, and deviations from industry best practices. 
  • Qualys Cloud Platform: The Qualys Cloud Platform helps global businesses reduce cost by consolidating multiple solutions in one portal delivered via the cloud (shared or private). It delivers continuous visibility to on-premise, cloud-based or endpoint assets, and automates the full spectrum of auditing, compliance and protection for Internet perimeter systems, internal networks, and web applications. 
  • GFI LanGuard: GFI LanGuard scans and detects network vulnerabilities before they are exposed, reducing the time required to patch machines on your network. GFI LanGuard patches Microsoft®, Mac® OS X®, Linux® and more than 50 third-party operating systems and applications, and deploys both security and non-security patches. 
  • Nexpose: a vulnerability management software that proactively scans your environment for misconfigurations, vulnerabilities, and malware and provides guidance for mitigating risks. Experience the power of Nexpose vulnerability management solutions by knowing the security risk of your entire IT environment, including networks, operating systems, web applications, databases, and virtualization. 

to check for weak passwords, known and unknown vulnerabilities, configuration errors, and other common and uncommon issues.

When performing these scans, you should have different goals. First of all, the scan enables you to catalog all components for the purpose of verifying configuration management data. Secondly, scanning empowers the organization to act from the hacker’s perspective to review and unearth known and unknown vulnerabilities. 

IT teams should conduct two types of scans.  

  1. They should scan the systems from the outside with Risk Grading tools that not only do not require privileged access, but actually have no real estate requirements on your Enterprise.   
  2. They should also conduct authenticated scans from the inside, where more information about the systems and security can be gathered. 

The final step of vulnerability scanning includes storing the data accumulated from the process. Once stored in a database, auditors can review and analyze the data to recognize attack trends, configuration errors, and additional issues over time. 
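As an added illustration (not code from the original post or from any of the scanners named above), here is what the “store it in a database and review it over time” step can look like. It assumes scanner output has already been normalized to a simple record (scan date, scan type, host, check id, severity, category); the findings below are constructed sample data from two unauthenticated “external” and authenticated “internal” scan runs a month apart, stored in SQLite and queried for findings that were never remediated, findings that are new in the latest scan, and counts per category per scan date.

```python
"""Store normalized vulnerability scan findings and query them for trends.

Added example, not part of the original post. Record layout, category
names and the sample findings are all assumptions/constructed data.
"""
import sqlite3

# Constructed sample findings (not real scanner output).
# scan_type: "external" = unauthenticated scan from outside,
#            "internal" = authenticated scan from inside.
SAMPLE_FINDINGS = [
    # scan_date,   scan_type,  host,    check_id,                 severity,   category
    ("2019-07-01", "external", "web01", "ssl-weak-cipher",        "medium",   "configuration"),
    ("2019-07-01", "external", "web01", "missing-patch-1234",     "high",     "missing patch"),
    ("2019-07-01", "internal", "db01",  "default-admin-password", "critical", "weak password"),
    ("2019-07-01", "internal", "db01",  "missing-patch-5678",     "high",     "missing patch"),
    ("2019-08-01", "external", "web01", "ssl-weak-cipher",        "medium",   "configuration"),
    ("2019-08-01", "internal", "db01",  "default-admin-password", "critical", "weak password"),
    ("2019-08-01", "internal", "app02", "missing-patch-9012",     "high",     "missing patch"),
]

SCHEMA = """
CREATE TABLE IF NOT EXISTS finding (
    scan_date TEXT NOT NULL,
    scan_type TEXT NOT NULL,
    host      TEXT NOT NULL,
    check_id  TEXT NOT NULL,
    severity  TEXT NOT NULL,
    category  TEXT NOT NULL,
    PRIMARY KEY (scan_date, scan_type, host, check_id)
)
"""


def open_db(path=":memory:"):
    """Open (or create) the findings database; in-memory by default."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def store_findings(conn, findings):
    """Insert findings; re-importing the same scan is idempotent. Returns row count."""
    conn.executemany("INSERT OR IGNORE INTO finding VALUES (?,?,?,?,?,?)", findings)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM finding").fetchone()[0]


def persistent_findings(conn):
    """(host, check_id) pairs seen on more than one scan date, i.e. never remediated."""
    return conn.execute("""
        SELECT host, check_id, COUNT(DISTINCT scan_date), MIN(scan_date), MAX(scan_date)
        FROM finding
        GROUP BY host, check_id
        HAVING COUNT(DISTINCT scan_date) > 1
        ORDER BY host, check_id
    """).fetchall()


def new_findings(conn, scan_date):
    """Findings first observed on scan_date (absent from every earlier scan)."""
    return conn.execute("""
        SELECT f.host, f.check_id FROM finding f
        WHERE f.scan_date = ?
          AND NOT EXISTS (SELECT 1 FROM finding e
                          WHERE e.host = f.host AND e.check_id = f.check_id
                            AND e.scan_date < f.scan_date)
        ORDER BY f.host, f.check_id
    """, (scan_date,)).fetchall()


def category_trend(conn):
    """Finding counts keyed by (scan_date, category), the raw material for a trend chart."""
    rows = conn.execute(
        "SELECT scan_date, category, COUNT(*) FROM finding GROUP BY scan_date, category"
    ).fetchall()
    return {(d, c): n for d, c, n in rows}


def inventory(conn):
    """Hosts observed per scan type; useful to cross-check configuration management data."""
    out = {}
    for scan_type, host in conn.execute(
        "SELECT DISTINCT scan_type, host FROM finding ORDER BY scan_type, host"
    ):
        out.setdefault(scan_type, []).append(host)
    return out


if __name__ == "__main__":
    db = open_db()
    store_findings(db, SAMPLE_FINDINGS)
    for row in persistent_findings(db):
        print("still open across scans:", row)
    print("new on 2019-08-01:", new_findings(db, "2019-08-01"))
    print("per category:", category_trend(db))
    print("hosts seen:", inventory(db))
```

The primary key on (date, type, host, check) means a re-run import of the same report does not double-count, and the “persistent” query is the one an auditor wants first: a finding that survives two consecutive scans is a remediation process failure, not a scanner result.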

5. ACCESS AND LOG MANAGEMENT 

It’s a well-known fact that most breaches are attributed to human error, typically due to an end user who lacks security awareness, chooses poor passwords, and does not manage their personal security with adequate attention. Blame for this negligence also falls on the IT security personnel responsible for implementing access management and educating all personnel about it. 

Smart access management accounts for human error and for convenience at the expense of security. To address this human factor, many choose to deploy automated access management with some form of two-factor authentication: 
  • physical tokens, 
  • digital certificates, 
  • biometry, 
  • password cards, or 
  • SMS passwords 
to strengthen user access. Username credentials and user-created passwords are not sufficient in the present age due to the sophistication and patience of social engineering attacks. 

There should be a common understanding regarding access management between the internal IT team and the CSP. The IT team must communicate their access management policy to ensure correct access to sensitive data for their personnel. 

Access should not depend on a person’s priority level, experience, or job title. Even senior members should not have access to data or services unless the IT team and management determine that access as absolutely necessary. 

Delegating who can access what is tricky, sensitive, and time-consuming initially. However, if properly implemented and managed, it prevents security holes and isolates incidents that occur due to access control. 

Monitor system logs to ensure data security and further evaluate the success of internal monitoring. Automating this task and pushing the logs to secure databases enables auditors to review and analyze the data for common configuration errors and attack trends. This analysis proves vital for threat mitigation. 
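To make the “analyze logs for attack trends” step concrete, here is an added example (not from the original post) that parses authentication log lines and flags two patterns an auditor would want surfaced: a source address producing a burst of failed logins, and a successful login that follows a run of failures from the same source. The log lines are constructed in an sshd-style syslog format; the threshold of five failures in a ten-minute window is an assumption to tune per environment.

```python
"""Flag brute-force patterns in authentication logs.

Added example, not part of the original post. Log lines are constructed
sshd-style samples; FAIL_THRESHOLD and WINDOW are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
Aug 21 09:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 5101 ssh2
Aug 21 09:00:03 host1 sshd[2002]: Failed password for invalid user admin from 203.0.113.9 port 5102 ssh2
Aug 21 09:00:05 host1 sshd[2003]: Failed password for root from 203.0.113.9 port 5103 ssh2
Aug 21 09:00:07 host1 sshd[2004]: Failed password for root from 203.0.113.9 port 5104 ssh2
Aug 21 09:00:09 host1 sshd[2005]: Failed password for deploy from 203.0.113.9 port 5105 ssh2
Aug 21 09:00:11 host1 sshd[2006]: Accepted password for deploy from 203.0.113.9 port 5106 ssh2
Aug 21 09:15:00 host1 sshd[2100]: Failed password for alice from 198.51.100.7 port 6001 ssh2
Aug 21 09:15:20 host1 sshd[2101]: Accepted publickey for alice from 198.51.100.7 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5              # assumption: failures from one source within WINDOW
WINDOW = timedelta(minutes=10)  # assumption: sliding window length


def parse(log_text, year=2019):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "src": m["src"]})
    return events


def brute_force_sources(events):
    """Sources with at least FAIL_THRESHOLD failures inside some WINDOW-long span."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # two-pointer sliding window
            while times[hi] - times[lo] > WINDOW:
                lo += 1
            if hi - lo + 1 >= FAIL_THRESHOLD:
                flagged[src] = hi - lo + 1
                break
    return flagged


def success_after_failures(events, min_failures=3):
    """Accepted logins preceded, within WINDOW, by min_failures failures from the same source."""
    hits = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        prior = [f for f in events
                 if f["result"] == "Failed" and f["src"] == e["src"]
                 and e["ts"] - WINDOW <= f["ts"] < e["ts"]]
        if len(prior) >= min_failures:
            hits.append((e["src"], e["user"], len(prior)))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("burst sources:", brute_force_sources(evs))
    print("success after failures:", success_after_failures(evs))
```

The second check is the more valuable one for incident response: a burst of failures is noise until it ends in an “Accepted”, at which point the account named in that line needs a password reset and a session review.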

6. CONFIGURATION MANAGEMENT & CHANGE CONTROL (CC) 

Surprisingly enough, this practice often slips through the cracks and causes substantial problems for security in general. Configuration management and change control prove troublesome when relying on a CSP without clear lines of communication. When employing a CSP, you are responsible for communicating and documenting configuration management and change control for the organization. 

Older and vulnerable configurations often creep back into production, or changes never fully go through due to an impact on functionality that is never addressed by management and end users within the organization. 

Therefore, management and all associated personnel responsible for this practice should take the critical steps to establish processes for configuration management and change control. Since organizations often operate at fast and large scales, manual processes aren’t realistic. Organizations must rely on automation for these processes, backed up by manual processes in case of failure. 
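The automation this section calls for can start small. Below is an added example (not the post’s own code or any particular tool) of a drift check: it parses an observed service configuration, compares it with an approved baseline, and separates changes that went through change control from unapproved ones, flagging separately any value that was retired for security reasons and has reappeared, the “old configuration creeping back into production” problem described above. The configuration keys, the baseline, the retired-value list and the approved-change record are all constructed assumptions in an sshd_config-like “Key Value” style.

```python
"""Detect configuration drift against an approved baseline.

Added example, not part of the original post. Keys, values, baseline and
the change-control record format are constructed assumptions.
"""

# Approved baseline (constructed): key -> expected value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "MaxAuthTries": "4",
}

# Values retired in the past for security reasons; their return is a regression.
RETIRED_VALUES = {
    "PermitRootLogin": {"yes"},
    "PasswordAuthentication": {"yes"},
    "Protocol": {"1", "2,1"},
}


def parse_config(text):
    """Parse 'Key Value' lines, ignoring blank lines and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def detect_drift(baseline, observed, approved_changes):
    """Compare an observed config with the baseline.

    approved_changes: {key: new_value} as recorded on closed change-control
    tickets. Returns a report with:
      unapproved  - (key, expected, actual) for changes nobody signed off on
      regressions - (key, actual) where a retired value has come back
      missing     - baseline keys absent from the observed config
    """
    report = {"unapproved": [], "regressions": [], "missing": []}
    for key, expected in baseline.items():
        if key not in observed:
            report["missing"].append(key)
            continue
        actual = observed[key]
        if actual == expected:
            continue
        if approved_changes.get(key) == actual:
            continue  # change is covered by an approved ticket
        report["unapproved"].append((key, expected, actual))
        if actual in RETIRED_VALUES.get(key, set()):
            report["regressions"].append((key, actual))
    return report


# Constructed config as pulled from a host: root login has crept back in,
# and MaxAuthTries was raised through an approved change.
OBSERVED = """\
# constructed sample, not a real host
PermitRootLogin yes
PasswordAuthentication no
Protocol 2
MaxAuthTries 6
"""
APPROVED = {"MaxAuthTries": "6"}  # constructed: value recorded on a closed ticket


if __name__ == "__main__":
    result = detect_drift(BASELINE, parse_config(OBSERVED), APPROVED)
    for kind, items in result.items():
        print(f"{kind}: {items}")
```

Run on a schedule against every host, with the “regressions” list wired to an alert rather than a report, this turns the change-control policy into something that is enforced rather than merely documented.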

7. MAINTAIN A DATA LOSS PREVENTION (DLP) POLICY 

How does your Data Loss Prevention (DLP) policy align with the CSP’s DLP? Do they have an adequate DLP in place to reduce data loss, and does it prevent compromised data from leaving the network? 

With this practice in mind, you must implement disaster recovery plans that correlate with a disaster recovery or compromise management plan of the CSP. Part of planning for cloud security entails preparing for the event of compromised systems. The disaster recovery plan should contain steps for incident response.
About Rick Ricker
An IT professional with over 23 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.
For more information, contact Rick at (800) 399-6085 x502