Security in the cloud can be a contentious topic. It has been challenging for users to define security criteria for cloud computing and then verify that their environments actually comply with them. Over the past five years, cloud computing has become a strategic plan of action for many organizations, combining on-premises infrastructure with a virtual cloud network.
The appeal and value proposition of cloud computing is hard to deny. It provides scalable infrastructure, on-demand responsiveness, and (depending on the cloud provider) a variety of services that augment the IT landscape. But don’t overlook this key point: security is just as important in the cloud as it is on-prem.
Any strong IT security program should cover the following main areas:
- Governance and policy
- Asset management
- Access control
- System development and maintenance
- Incident response
- Business continuity
No matter the cloud provider, you’ll need to confirm that policies are in place that address the topics above, so that controls exist and compliance can be measured. With a relatively simple approach to each, you can work with cloud providers and maintain a compliant, auditable level of control over your virtual network.
Compliance in the cloud
Let’s examine each of the security topics in more detail and find a way to ensure security is top-of-mind in cloud computing environments.
Governance and policy: As a standard, leading cloud providers maintain compliance and security controls as part of their infrastructure. In some cases, this means the user adopts a risk-transfer strategy: the user accepts a certain amount of risk by delegating some security requirements to the cloud provider(s). Keep in mind that delegating the operation of a control does not delegate accountability for it; if an auditor asks how a control is met, you still need evidence, whether it comes from your own records or from the provider’s compliance reports. Check the cloud services agreement for details and don’t be afraid to ask about security processes and policies.
It’s worth noting that the roles and responsibilities for maintaining security depend on the service model selected by the user: infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS). The further up that stack you go, the more the provider operates on your behalf and the less you configure yourself. This shared responsibility model determines the level of ownership and security responsibility for both the cloud provider and the customer.
Asset management: In order to successfully manage your assets, you’ll want a record of deployed systems and the security level(s) defined for each. Some tips:
- Manage the addition of new instances through a change control process
- Assign ownership of assets
- Monitor any cloud account(s) through the provider’s management console, and reconcile them against the invoices seen by your organization’s accounts payable group; a bill for an account nobody in IT knows about is a sign of untracked infrastructure
Access control: As with any system, role-based security is paramount, and nothing changes with a cloud implementation. Audit, review, and control access based on a user’s “need to know” using role-based access controls (RBAC). In the cloud the set of identities to review also includes non-human ones such as service accounts and API keys, and access that was granted but never exercised is the first candidate for removal.
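One way to run the periodic review just described, as an added example that is not code from the original article or from CIS: given a role catalogue, the roles assigned to each principal, and an exported audit log, report permissions that were granted but never used in the review window, flag principals with no activity at all, and propose the smallest role set that still covers what each principal actually did. The roles, assignments and log lines are constructed for illustration, and the (timestamp, principal, action) log format is an assumption about what a provider’s audit service can export.

```python
"""Periodic access review: granted-but-unused permissions and a
least-privilege role recommendation derived from observed activity.

Added example, not code from the original article or from CIS. The role
catalogue, assignments and audit log are constructed; the log format
(ISO timestamp, principal, action) is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed role catalogue: role name -> permissions it grants.
ROLES = {
    "viewer": {"storage:read", "logs:read"},
    "deployer": {"storage:read", "compute:deploy", "compute:restart"},
    "admin": {"storage:read", "storage:write", "iam:grant",
              "compute:deploy", "compute:restart"},
}

# Constructed assignments: principal -> roles. A service account is included
# because non-human identities need the same review as people.
ASSIGNMENTS = {
    "alice": {"deployer"},
    "bob": {"admin"},
    "carol": {"viewer"},
    "svc-build": {"deployer"},
}

# Constructed audit log: (ISO timestamp, principal, action performed).
AUDIT_LOG = [
    ("2024-05-01T09:12:00", "alice", "compute:deploy"),
    ("2024-05-03T10:00:00", "alice", "compute:restart"),
    ("2024-05-02T11:30:00", "bob", "storage:read"),
    ("2024-04-28T08:00:00", "bob", "compute:deploy"),
    ("2024-01-20T12:00:00", "carol", "logs:read"),  # older than the window
    ("2024-05-04T03:15:00", "svc-build", "compute:deploy"),
]


@dataclass
class ReviewResult:
    principal: str
    granted: set            # permissions the assigned roles add up to
    used: set               # permissions actually exercised in the window
    unused: set             # granted but never exercised: removal candidates
    stale: bool             # no activity at all in the window
    recommended_roles: set  # smallest role set that still covers `used`


def effective_permissions(roles, catalogue=ROLES):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= catalogue[role]
    return perms


def used_in_window(principal, log, end, days):
    """Actions `principal` performed in the `days` days ending at `end`."""
    start = end - timedelta(days=days)
    return {
        action for ts, who, action in log
        if who == principal and start <= datetime.fromisoformat(ts) <= end
    }


def minimal_roles(used, catalogue=ROLES):
    """Greedy set cover: repeatedly pick the role that covers the most
    still-uncovered used permissions, breaking ties toward the role that
    grants the fewest permissions overall (least privilege)."""
    remaining = set(used)
    chosen = set()
    while remaining:
        best = max(catalogue, key=lambda r: (len(catalogue[r] & remaining),
                                             -len(catalogue[r])))
        if not catalogue[best] & remaining:
            break  # activity that no catalogued role explains; review by hand
        chosen.add(best)
        remaining -= catalogue[best]
    return chosen


def review_access(assignments=ASSIGNMENTS, log=AUDIT_LOG,
                  end=datetime(2024, 5, 5), days=90):
    """Review every principal; returns principal -> ReviewResult."""
    results = {}
    for principal, roles in assignments.items():
        granted = effective_permissions(roles)
        used = used_in_window(principal, log, end, days)
        results[principal] = ReviewResult(
            principal=principal,
            granted=granted,
            used=used,
            unused=granted - used,
            stale=not used,
            recommended_roles=minimal_roles(used) if used else set(),
        )
    return results


if __name__ == "__main__":
    for r in review_access().values():
        if r.stale:
            print(f"{r.principal}: no activity in window; disable or re-approve")
            continue
        print(f"{r.principal}: unused {sorted(r.unused)}; roles "
              f"{sorted(ASSIGNMENTS[r.principal])} -> {sorted(r.recommended_roles)}")
```

On the constructed data, bob holds admin but only read storage and deployed, so the review proposes replacing admin with deployer; carol shows no activity inside the 90-day window and is flagged for disablement or re-approval. A recommendation is a starting point for the access owner, not an automatic change: a permission that is only exercised during an annual task will look unused in any shorter window.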
System development and maintenance: Start this process by applying secure configuration standards such as the CIS Benchmarks™ to any cloud-based environments. CIS Hardened Images are virtual machine images pre-configured to those benchmarks for a variety of platforms and technologies.
Using a pre-configured secure image is faster than manually hardening a virtual machine. CIS Hardened Images let you deploy already compliant systems for a variety of business purposes. For those developing software in the cloud, CIS Hardened Images provide convenient security from the start.
Once secure configurations are in place, the next step is maintenance to prevent “configuration drift”: the gradual divergence of running systems from the hardened state as settings are changed by hand, by updates, or by automation. Regularly compare the running configuration of each system to the “golden” hardened image as part of your control framework, and treat every difference as a finding to be either remediated or formally approved through change control.
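The drift check described above, as an added example that is not part of the original article or of CIS’s tooling: a golden baseline of benchmark-style settings is compared against the configuration collected from each running host, and every setting that is missing or has changed becomes a finding. The baseline, the setting names and the two hosts’ running configurations are constructed for illustration (a real baseline comes from the CIS Benchmark for the platform in use), and the collector that would produce the nested dictionaries is assumed.

```python
"""Drift check of running host configurations against a hardened baseline.

Added example, not code from the original article or from CIS. The baseline,
setting names and host configurations below are constructed; a real baseline
is derived from the CIS Benchmark for the platform, and the collector that
gathers each host's settings is assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: object
    actual: object
    kind: str  # "missing" or "changed"


# Constructed "golden" baseline, expressed as dotted setting names.
GOLDEN_BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "ssh.MaxAuthTries": 4,
    "auditd.enabled": True,
    "firewall.default_inbound": "deny",
    "fs.suid_dumpable": 0,
}

# Settings whose absence is acceptable on some platforms (assumption).
OPTIONAL_SETTINGS = {"fs.suid_dumpable"}

# Constructed running configurations, nested the way a collector might emit them.
RUNNING_CONFIGS = {
    "web-01": {  # freshly deployed from the hardened image
        "ssh": {"PermitRootLogin": "no", "PasswordAuthentication": "no",
                "MaxAuthTries": 4},
        "auditd": {"enabled": True},
        "firewall": {"default_inbound": "deny"},
        "fs": {"suid_dumpable": 0},
    },
    "web-02": {  # same image, but someone "fixed" a login problem by hand
        "ssh": {"PermitRootLogin": "yes", "PasswordAuthentication": "No",
                "MaxAuthTries": 6},
        "firewall": {"default_inbound": "deny"},
    },
}


def flatten(config, prefix=""):
    """Turn a nested dict into dotted keys so output from different collectors
    (JSON, YAML, an API response) compares against the baseline the same way."""
    flat = {}
    for key, value in config.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def _normalize(value):
    """sshd-style yes/no values are case-insensitive; compare them as such."""
    if isinstance(value, str):
        return value.strip().lower()
    return value


def find_drift(host, running, baseline=GOLDEN_BASELINE,
               optional=OPTIONAL_SETTINGS):
    """Findings for one host, in setting-name order: a baseline setting that is
    absent (unless optional) or whose value differs from the golden value."""
    flat = flatten(running)
    findings = []
    for setting, expected in sorted(baseline.items()):
        if setting not in flat:
            if setting not in optional:
                findings.append(Finding(host, setting, expected, None, "missing"))
            continue
        actual = flat[setting]
        if _normalize(actual) != _normalize(expected):
            findings.append(Finding(host, setting, expected, actual, "changed"))
    return findings


def drift_report(configs=RUNNING_CONFIGS):
    """Check every host; an empty list means the host still matches the image."""
    return {host: find_drift(host, cfg) for host, cfg in configs.items()}


if __name__ == "__main__":
    for host, findings in drift_report().items():
        print(f"{host}: {'OK' if not findings else f'DRIFT ({len(findings)})'}")
        for f in findings:
            print(f"  {f.kind:<8} {f.setting}: expected {f.expected!r}, got {f.actual!r}")
```

Run on a schedule, the output is a list of hosts that no longer match the golden image; the decision of whether each finding is remediated (re-deploy from the image, or reapply the setting) or accepted goes through change control, so that approved deviations are recorded and the baseline itself is updated rather than silently ignored.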
Incident response: Communication is key when there is an incident in the cloud. Be sure to understand what roles the user and the cloud provider play in a security incident, and what data (logs, snapshots, access records) the provider can supply. Use this response strategy to test the incident response process and to confirm that every group knows how the provider-supplied data will be used. The strategy should be approved and documented within your organization’s incident response plan.
Business continuity: Consider what will happen if one or more of your critical systems fails. Cloud infrastructure lets you shift data and workloads quickly as your needs change: should a natural disaster strike a main office, services hosted in the cloud can keep running, provided they do not depend on systems at that office and are not themselves hosted in the affected region.
However, you’ll want to consider your cloud provider’s resiliency and disaster recovery strategy. What are their guarantees and limitations with regard to uptime, and what exactly do those guarantees cover? Based on the answers, porting data to another cloud provider may be part of your organization’s business continuity strategy.
Don’t go it alone
Working in the cloud provides organizations with flexibility, convenience, and scalability. It also means working with others, such as cloud providers and IT staff, to ensure security measures are implemented on the virtual network.
Helpful resources like the CIS Hardened Images can help your organization stay secure in the cloud. But don’t be afraid to ask questions about your cloud provider’s security processes and procedures. With security in mind, the cloud can be a helpful extension of your organization’s IT infrastructure.
For more information, visit CIS Hardened Images.